How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security-related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
it's against the rules when Microsoft starts flaming back!
Theory of flight?! I'll teach you the theory of fist!!
If any old fool can do it, let's see you try.
I download the software again (this time coming from -- I kid you not! -- a numeric IP address [...]
As opposed to what? A graphical IP address? A string IP address? A musical IP address?
I hope this kind of remark does not reflect the technical skills (or lack thereof) of the author, although the content of the lame flamish post seems to lead us to the same conclusion.
theefer
Mr. Torr uses IE to download Firefox in his blog article. Why am I not surprised that IE has difficulties downloading Firefox? Next thing we know, an internal Microsoft memo will surface recommending that MS "cut off Firefox's air supply."
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
Of course, with IE's spoofing vulnerabilities, you may not really be at firefox.org.
Unknown host pong.
What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".
And even if I press no, I *still* get spyware. Why? IE Sucks.
Hey, I have a solution! Firefox can present a dialog box on the first installation that asks, "Do you want to run with better security than Microsoft Internet Explorer?" with only one button labeled "Yes".
Beat that person. Beat them with a metal stick.
Not a Twitter sockpuppet... but I wish I was.
Time for another name change. Just call it "teh intarwebs".
Here. Let me start my own flamewar.
"I wanted to download Microsoft's Internet Explorer, so using Firefox I popped across to Google and searched for:
'Microsoft Internet Explorer'
The 3rd link told me:
Internet Explorer Home
https://www.microsoft.com/windows/ie/default.htm
Ok. I'll go there!
Up pops the message:
'Unable to verify www.microsoft.com as a trusted site'
Ok. I'll examine this certificate. Let's see who it is signed by... ah. Microsoft. Fine. As I'm testing this off a Knoppix-style CD and USB memory stick I'll accept this self-signed certificate. Seems all a bit snakeoil to me.
Once I do accept this I immediately get redirected to another page - something ending with "mspx". That's not where I clicked! I guess I have to trust it for now though and just carry on.
Over on the left is a "downloads" link, so I go there. I'm presented with a downloads page, where I have to go to another page of languages. I don't see my native Israeli, so I opt for "English". I'm taken to another downloads page (yes, I'm getting bored of downloads pages already too). From here I am told that I must go to the 'downloads centre'. Great. Another downloads page. Here I get to select my language again. Um. Still no Israeli, so I go for English again. But Wait! There - no kidding - are only versions for Microsoft Operating Systems!"
I close my browser and grin.
He's claiming, in public, that his company's monopoly browser is presenting warnings that should cause users of that browser (the default on the monopoly operating system) to believe that installing Firefox (which is recommended, remember, by the Dept. of Homeland Security's CERT as being more secure) is inherently insecure and dangerous.
That sounds like at least an antitrust violation, and probably fraud on top of it. Maybe a PATRIOT Act violation, as well.
Don't blame me; I'm never given mod points.
While you are 100% correct there is a simple work around. Often when I install Firefox or Mozilla for someone I rename the desktop shortcut "The Internet" or "The Web" (people who don't know what Firefox is tend to use shortcuts a lot).
On top of that is some education on IE's faults, the scum of the net, and to note that the Firefox icon is much cooler than a dumb, swooshy "E".
This approach has worked pretty well for me so far.
In one extreme case I did rename the Firefox icon 'Internet Explorer' for an exceedingly uncooperative user. Once it was called 'Internet Explorer' she didn't care anymore. I'm sure some poor SOB in tech support has a hell of a time with her though.
"None of us are as dumb as all of us." - meeting mantra
I don't see my native Israeli, so I opt for "English". I'm taken to another downloads page (yes, I'm getting bored of downloads pages already too). From here I am told that I must go to the 'downloads centre'. Great. Another downloads page. Here I get to select my language again. Um. Still no Israeli, so I go for English again. But Wait! There - no kidding - are only versions for Microsoft Operating Systems!"
If you were actually a native Israeli, you'd know the language is called Hebrew, or, in the actual language, ivrit (ayin-vet-resh-yud).
(If you're a native Israeli who just can't speak English, I apologize, but all evidence from your post shows you can, in fact, speak English.)
---
Mod me down, you fucking twits. Go ahead. I dare you.
(I read with sigs off.)
Specifically, this is the hostperm.1 file in your profile directory.
Am I the only one to read this as hotsperm?
On an offtopic note, when is Slashdot going to allow Hebrew in comments?
Right after they fix the HTML to work properly in the Firefox browser we're all praising in this thread.
...once and for all, digital signatures do NOTHING. Once a user wants to install something, they will click 'yes' to whatever it takes. We all get a million warnings a day that we click 'yes' to with no ill effects, so what's one more? Call it "the boy who cried wolf" syndrome.
We wouldn't *need* all these warnings in the first place if MS hadn't allowed two extremely popular programs (IE and OE) to run executables with no user intervention. If they would have stuck with the ORIGINAL design--"Code canNOT run until you tell it to"--we'd all be better off. Run all the JS on a web page you want, but NO ONE can run code that affects the LOCAL MACHINE until told to. But no, stupid fucking MS, who didn't even *know* networks existed until Win 3.11, jumps into the game with the assumption that "Hey, you're on a network? Well then, you're probably at work, so the network's probably safe." Maybe we can fix the problem by putting up signs on the Redmond campus: "Strangers have the best candy!" and see if that thins the herd some.
How many old-timers here remember telling their new-to-the-net friends "You can *read* any email you want and NOTHING BAD CAN HAPPEN, but always be sure before clicking an attachment!"? And then we had to go and revise that statement.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.