How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security-related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
Tools > Extensions > Choose extension and UNINSTALL. And I don't know anyone who ever stopped installing something they downloaded because it wasn't signed. Perhaps if 99% of Windows users weren't running as admin, this wouldn't be a problem?
Heh, I know someone who happens to work for a spyware company. The company has a Verisign cert and signs their software with it. Gee, that was hard!
It happened with Linux (the kernel itself). A security exploit was entered. It's worth pointing out, however, that this exploit never made it into any kernel release or build, as it was noticed practically instantly by Linus and others and immediate steps taken. The only reason we know about it at all is because of the open development process.
Visit a secure .mil site some time.
It has always amused me when I get "The authority of this registrar is not recognized" when visiting sites the US Gov or DoD has signed themselves.
I've studied computer security at the graduate level, so I have some background in this stuff.
;-)
When you have a certificate, only YOU can sign software with YOUR certificate, and once someone changes the data, the certificate becomes "corrupt" (heavily simplified). So, if you receive a program which is signed by the Mozilla foundation, either a) it was truly signed by the Mozilla foundation and is the same data that the Mozilla foundation intended to release, or b) Someone bought a certificate and claimed to be the Mozilla foundation. There are security measures in place to prevent case b from happening, so signed data can be assumed to be the actual data intended to be distributed by the signing party. (So now the problem becomes, do you trust the Mozilla foundation to release non-malicious code?)
On the other hand, an MD5 sum is usually a file stored somewhere which is a hash of the file. However, an MD5 sum is no more secure than the original file -- if someone maliciously altered the original data, they could just also alter the MD5 sum that goes along with it so that it matches. Basically, if you already don't 100% trust the data you are getting, you probably shouldn't trust the MD5 sum you are getting either. MD5 sums are useful for checking for transmission errors, but not so much for security. Of course, if the MD5 sum and data are stored on two different physical computers, the chances of this attack happening can be reduced.
So, certificates guarantee that the data is what the signer wanted you to get (which could be intentionally malicious!), and MD5 sums guarantee that what you downloaded is what's stored on the server (which could have been replaced with something malicious!).
The moral of the story is, when you study computer security too much, you become really paranoid about everything.
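The checksum-versus-signature distinction from the comment above, as an added Go example that is not part of the original thread. It assumes an Ed25519 key pair as a stand-in for certificate-based code signing and a public key obtained separately from the download server; the names `Mirror`, `NewKey`, `Publish`, `Tamper`, `ChecksumOK` and `SignatureOK` are hypothetical, and the file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"fmt"
)

// Mirror is everything the server hands out; whoever controls it controls all three.
type Mirror struct {
	File   []byte
	MD5Sum [md5.Size]byte
	Sig    []byte
}

// NewKey makes a publisher key pair (a nil reader means crypto/rand).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish builds the mirror contents as the publisher intended them.
func Publish(priv ed25519.PrivateKey, file []byte) Mirror {
	return Mirror{file, md5.Sum(file), ed25519.Sign(priv, file)}
}

// Tamper models altered data on the server: file swapped, MD5 sum recomputed.
// The old signature stays, since re-signing needs the publisher's private key.
func Tamper(m Mirror, replacement []byte) Mirror {
	return Mirror{replacement, md5.Sum(replacement), m.Sig}
}

// ChecksumOK compares the file with the MD5 sum served beside it.
func ChecksumOK(m Mirror) bool { return md5.Sum(m.File) == m.MD5Sum }

// SignatureOK verifies with a public key obtained out of band (assumption).
func SignatureOK(pub ed25519.PublicKey, m Mirror) bool {
	return ed25519.Verify(pub, m.File, m.Sig)
}

func main() {
	pub, priv := NewKey()
	good := Publish(priv, []byte("constructed installer bytes"))
	bad := Tamper(good, []byte("constructed replacement bytes"))
	fmt.Println(ChecksumOK(good), SignatureOK(pub, good), ChecksumOK(bad), SignatureOK(pub, bad))
}
```

A file re-signed with some other key verifies only under that other key, so the check is only as good as the key or certificate the verifier has decided to trust.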
This guy's information is so distorted it's not even funny. That blank dialog that he blamed on Firefox is caused by McAfee Activescan. It scans for certain types of overflows, and sometimes things set it off when there is no overflow; it has no information to put in the dialogue since no overflow exists. It is being patched and supposedly getting updated soon, but that's a problem with a completely different software suite and he blamed it on Mozilla. What a moron. Besides, his whole argument is based on signing code. I'll go buy a cert, grab a copy of the latest virus, sign it, and send it to anyone I know using IE. They'll all see the nice little dialogue saying that it's perfectly okay to not only download, but run right away because it's signed. He acts like signing code is magic. What a bunch of bull.
Regards,
Steve
That's been fixed for several versions. If the site is not whitelisted, the installation is canceled without a prompt.
Only on
What everyone seems to be missing is that Mozilla does sign their binaries.
They provide a GPG signature
Sure, it is not from Microsoft's preferred partner, Verisign, but that does not change the fact that Moz signs their code with an accepted standard.
Not Microsoft's standard of choice to be sure, but still a standard.