How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
Tools > Extensions > Choose extension and UNINSTALL. And I don't know anyone who ever stopped installing something they downloaded because it wasn't signed. Perhaps if 99% of Windows users weren't running as admin, this wouldn't be a problem?
Heh, I know someone who happens to work for a spyware company. The company has a Verisign cert and signs their software with it. Gee, that was hard!
Type "1" in Google and hit I'm feeling lucky. Hint: It's not the IE page. Please don't mod me off topic.
It happened with Linux (the kernel itself). A security exploit was entered. It's worth pointing out, however, that this exploit never made it into any kernel release or build, as it was noticed practically instantly by Linus and others and immediate steps taken. The only reason we know about it at all is because of the open development process.
While it is somewhat problematic for individual users to perform, certainly corporate users could download and verify their own distro copy and distribute to their own users from that. It's more important to understand what the application does and that can only be achieved by examining or at least verifying the code and all of its APIs.
Why is this important? Because the browser, any browser, is really an enterprise application as pervasive and critical as SAP, PeopleSoft, Websphere, Tivoli or any of the other so called enterprise application suites.
Yet IE is the only one that's not a toolkit, can't be verified internally or altered or tuned or customized in any meaningful way. It's as if you installed an Oracle DB and Oracle told you how many tables you could have, what they can look like and hid all the background processes from the developers, and didn't even publish the full API.
It's a fucking joke what you've been led to accept. IE is the only enterprise app that's a black box and none of you, NONE of you should accept that.
Microsoft's criticism of how Firefox is distributed is pure smoke screen. They would have you believe you can't trust an app because you can't be sure where it came from whereas you're supposed to trust an app you can't verify, examine or debug on your own.
Visit a secure .mil site some time.
It has always amused me when I get "The authority of this registrar is not recognized" when visiting sites the US Gov or DoD has signed themselves.
Simple Machines in Higher Dimensions
The problem is IE is set at default to install third party plugins, which was handy before spyware and adware came along.
When I try to install extensions or anything else to firefox, I first have to add the site to my trusted sites list.
Knowing what I am installing and where it comes from means more than some signature I can't read.
Other platforms do not use Microsoft's proprietary technology ("Authenticode") for signing binaries. They use MD5sums. MD5 sums are available for all Firefox releases (ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0/MD5SUMS).
Moreover, they give you this little thing called the SOURCE CODE that lets you be pretty darn sure what you're running. Read the code, and compile it yourself, or trust others to look at the code and check MD5 signatures.
I've studied computer security at the graduate level, so I have some background in this stuff.
;-)
When you have a certificate, only YOU can sign software with YOUR certificate, and once someone changes the data, the certificate becomes "corrupt" (heavily simplified). So, if you receive a program which is signed by the Mozilla foundation, either a) it was truly signed by the Mozilla foundation and is the same data that the Mozilla foundation intended to release, or b) someone bought a certificate and claimed to be the Mozilla foundation. There are security measures in place to prevent case b from happening, so signed data can be assumed to be the actual data intended to be distributed by the signing party. (So now the problem becomes, do you trust the Mozilla foundation to release non-malicious code?)
On the other hand, an MD5 sum is usually a file stored somewhere which is a hash of the file. However, an MD5 sum is no more secure than the original file -- if someone maliciously altered the original data, they could just also alter the MD5 sum that goes along with it so that it matches. Basically, if you already don't 100% trust the data you are getting, you probably shouldn't trust the MD5 sum you are getting either. MD5 sums are useful for checking for transmission errors, but not so much for security. Of course, if the MD5 sum and data are stored on two different physical computers, the chances of this attack happening can be reduced.
So, certificates guarantee that the data is what the signer wanted you to get (which could be intentionally malicious!), and MD5 sums guarantee that what you downloaded is what's stored on the server (which could have been replaced with something malicious!).
The moral of the story is, when you study computer security too much, you become really paranoid about everything.
This guy's information is so distorted it's not even funny. That blank dialog that he blamed on Firefox is caused by McAfee ActiveScan. It scans for certain types of overflows and sometimes things set it off when there is no overflow; it has no information to put in the dialog since no overflow exists. It is being patched and supposedly getting updated soon, but that's a problem with a completely different software suite and he blamed it on Mozilla. What a moron. Besides, his whole argument is based on signing code. I'll go buy a cert, grab a copy of the latest virus, sign it, and send it to anyone I know using IE. They'll all see the nice little dialog saying that it's perfectly okay to not only download, but run right away because it's signed. He acts like signing code is magic. What a bunch of bull.
Regards,
Steve
That's been fixed for several versions. If the site is not whitelisted, the installation is canceled without a prompt.
Only on
What everyone seems to be missing is that Mozilla does sign their binaries.
They provide a GPG signature
Sure, it is not from Microsoft's preferred partner, Verisign, but that does not change the fact that Moz signs their code with an accepted standard.
Not Microsoft's standard of choice to be sure, but still a standard.
Generally in open source you have an MD5 hash posted on the project's homepage. You download the files from mirrors. There are multiple locations to crack at the same time. It is easier said than done.
Furthermore, there could be a private developer machine checking the main page once every 5 minutes or so to see if the MD5 hashes on the main site are corrupted.
It is easier to buy a dummy certificate and sign the modified file than to actually go through the trouble of changing files and MD5 hashes on multiple sites.
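The certificate-versus-MD5-sum comment earlier in the thread and the mirrors-plus-MD5-hash comment just above describe the same trade-off: a hash file proves the download matches what the hash file says, while a publisher signature proves who vouched for it. The following Python model is an added illustration, not part of the original discussion and not Mozilla's release tooling. It uses a constructed MD5SUMS file, constructed stand-in installer bytes, and a toy RSA key built from small Mersenne primes (an assumption made for self-containment; far too small for real use, and the hash-to-integer step is padding-free on purpose so the code stays short). The scenario names and file name are likewise constructed.

```python
"""Toy model of hash-file checks versus signed hash-file checks (added example)."""
import hashlib

# Constructed toy RSA keys from Mersenne primes. Tiny and padding-free: for
# illustration of the trust relationship only, not a usable signature scheme.
# 65537 is coprime to both totients (it divides 2^k - 1 only when 32 | k).
_P, _Q = 2**31 - 1, 2**61 - 1
_N = _P * _Q
_E = 65537
PUBLISHER_PUBKEY = (_N, _E)                              # users already hold this
PUBLISHER_PRIVKEY = (_N, pow(_E, -1, (_P - 1) * (_Q - 1)))  # publisher's secret

# An attacker can generate their own key just as easily; it is a different key.
_P2, _Q2 = 2**61 - 1, 2**89 - 1
_N2 = _P2 * _Q2
ATTACKER_PRIVKEY = (_N2, pow(_E, -1, (_P2 - 1) * (_Q2 - 1)))


def _digest_int(data: bytes, n: int) -> int:
    """Reduce a SHA-256 digest into the key's modulus (toy, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, privkey) -> int:
    n, d = privkey
    return pow(_digest_int(data, n), d, n)


def verify(data: bytes, signature: int, pubkey) -> bool:
    n, e = pubkey
    return pow(signature, e, n) == _digest_int(data, n)


def make_md5sums(files: dict) -> str:
    """Build an MD5SUMS file in the usual 'hash  filename' one-per-line layout."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {name}\n"
                   for name, data in sorted(files.items()))


def hash_matches(md5sums: str, name: str, data: bytes) -> bool:
    """The MD5SUMS-only check: does the download match what the sums file says?"""
    wanted = dict(line.split("  ", 1)[::-1]
                  for line in md5sums.splitlines() if line.strip())
    return wanted.get(name) == hashlib.md5(data).hexdigest()


def signed_hash_matches(md5sums: str, sig: int, name: str, data: bytes,
                        pubkey=PUBLISHER_PUBKEY) -> bool:
    """Signed-sums check: the sums file must carry the publisher's signature
    AND the download must match it, so a swapped sums file is caught too."""
    return verify(md5sums.encode(), sig, pubkey) and hash_matches(md5sums, name, data)


def run_scenarios() -> dict:
    """Return (hash_check, signed_check) for each constructed situation."""
    name = "firefox-1.0.exe"                                   # constructed
    genuine = b"constructed stand-in for the genuine installer bytes"
    tampered = b"constructed stand-in for a modified installer"
    sums = make_md5sums({name: genuine})
    sig = sign(sums.encode(), PUBLISHER_PRIVKEY)

    # A mirror serves a modified file; the project's own MD5SUMS is intact.
    # The hash file alone is enough to catch this.
    mirror_swapped = (hash_matches(sums, name, tampered),
                      signed_hash_matches(sums, sig, name, tampered))

    # Both the file and the MD5SUMS file are replaced (the worry in the thread).
    # The hash check passes; only the signature over the sums file fails.
    forged_sums = make_md5sums({name: tampered})
    both_swapped = (hash_matches(forged_sums, name, tampered),
                    signed_hash_matches(forged_sums, sig, name, tampered))

    # The replaced sums file is signed, but with a key that is not the publisher's.
    forged_sig = sign(forged_sums.encode(), ATTACKER_PRIVKEY)
    other_key = (hash_matches(forged_sums, name, tampered),
                 signed_hash_matches(forged_sums, forged_sig, name, tampered))

    # The publisher itself signs the modified file: every check passes. A valid
    # signature proves origin, not safety, which is the residual trust question.
    publisher_sig = sign(forged_sums.encode(), PUBLISHER_PRIVKEY)
    publisher_signed = (hash_matches(forged_sums, name, tampered),
                        signed_hash_matches(forged_sums, publisher_sig, name, tampered))

    return {
        "genuine": (hash_matches(sums, name, genuine),
                    signed_hash_matches(sums, sig, name, genuine)),
        "mirror_swapped_file": mirror_swapped,
        "file_and_sums_swapped": both_swapped,
        "sums_signed_with_other_key": other_key,
        "publisher_signs_modified_file": publisher_signed,
    }


if __name__ == "__main__":
    for scenario, (h, s) in run_scenarios().items():
        print(f"{scenario:32s} hash-only: {h!s:5s} signed-sums: {s}")
```

Reading the results: a hash file stored beside the download detects a bad mirror or a transmission error, a signed hash file additionally detects a replaced hash file, and neither tells you anything about the intentions of whoever holds the signing key, which is exactly where the thread's "do you trust the Mozilla foundation?" question lands.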
Your comment does not fit reality as it is with Firefox. Individuals have to manually whitelist sites in Firefox in order to install an xpi. It isn't as if Mozilla isn't allowing third party extensions.
Making things hard is a great job? If I want to make an installation 'secure' by disallowing 'install from site' (the only option apart from the whitelist) then I can't install plugins, it fails without any explanation. Just try to install Flash or Java, where Firefox itself fetches the proper plugin files (so what risk?). I click 'install' and nothing happens.
If you don't like having choices made for you, you should start making your own. - Neal Stephenson