Slashdot Mirror
How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust.
Hello? Microsoft? 99% of the stuff on the Internet is unsigned. Downloading software from DePaul University's FireFox mirror doesn't scare me.
What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".
And even if I press no, I *still* get spyware. Why? IE Sucks.
After I finally got rid of my beloved CoolSearchWeb installations, I installed FireFox for good. I've been spyware free ever since, and I download a lot of unsigned data. No IE, no spyware.
Microsoft is never going to get it.
A better question is, how can we trust anything from Microsoft. Without the source code, who knows what their software is doing behind the scenes.
Seen any of these errors? I've installed Firefox on several pc's with no problems at all.
I also noticed this comment:
"and not caring if my Virtual PC image dies a horrible death"
(emphathis added)
Could this person be having a virtual pc problem?
Some spywares are also signed with Verisign... Gator, Bonzibuddy, etc.
What's the point?
One approach might be to have users download an small installer from "firefox.org" (only!) which then verifies the downloaded file (which can come from anywhere). The download site on "firefox.org" should have an SSL certificate good enough for code signing.
If mozilla buys a cert, then they are openly supporting the idea of PAYING VERISIGN FOR CERTS. Isn't that just supporting another monopoly? Of course Microsoft wants you to pay for the cert... they can certainly afford one. But what about all the little guys who write code for free?
Paying for a commercial entity to "code sign" your software seems much to me like trying to buy someone's trust. IMHO, trust can't really ever be bought. It's something earned.
How can I trust FireFox? Basically, I only trust it because other people who came before me reported back on their success with it, and in my own trials, it has done well for me. (The fact that the source code is available for open examination is a comforting factor too, of course.)
Ultimately, I think almost all of us choose the software applications we run based on how satisfied we are with the results they give us. The fact that a package is "signed" or "unsigned" has very little bearing on my confidence in using a particular program.
And why would signing the code make it more
secure?
You can know that it is an official binary and
hasn't been tampered with. However, I can
accomplish this without paying Verisign money
using a standard fingerprint.
When you sign it with a Verisign certificate, the
trust then moves up the chain. So, the question
becomes, do I trust Verisign?
No.
In my opinion, this isn't even a problem. I make
sure I download files for sources that I trust,
and they make sure that those files remain clean
as a matter of site security.
It all boils down to this:
1) Normal users don't care about signed code, as
they happily click on "Yes, download this!"
without bothering to check anything.
2) Power users can verify the integrity of their
code without shelling out big bucks to Verisign.
Don't count your messages before they ACK.
The article makes perfect sense and the issues are legitimate. The thing is, they are generic issues in the PC world we live in today. They aren't any better if you use Microsoft software.
The average user is placed in situations, probably several times a week, where in theory he is voluntarily authorizing something but in practice has virtually no way to know whether it is safe to click OK or not.
Today's software is constantly giving you scary warnings about things that are perfectly OK, while constantly encouraging you to OK things which are not at all in your best interests to OK.
My favorites are all the Microsoft uninstalls which ask me whether I want to delete QQXXZZ.DLL, without telling me what QQXXZZ.DLL is or what it does or what other applications might be using it. (In fact, it seems to expect me to know that. Hey, the OS might be in a position to know whether some other application uses that DLL, but I certainly am not. And my wife, of course, doesn't even know what a DLL is...
(Now, about that pageful of medium-gray type on a light-gray background that's on the back of the car rental agreement you are presented with, in the airport, with a line of irritable people behind you...)
"How to Do Nothing," kids activities, back in print!
Sir,
Trust is not a universal concept. Some discretion is required. If you do not trust Firefox, that is your choice. You are not willing, in your mind to take a risk. Personally, I do not trust Microsoft. Despite years of press releases and keynote speaches promoting security as 'Job 1' I have lost all trust in them.
Personally, I see little value in a so called 'signed application'. If I visit my bank, I want to see a 'padlock' icon so that I know the data is not being 'sniffed' en route. Other than that, the certificate is not important to me. But that is the level of trust I am comfortable with. My concept of trust includes the concept of established relationship and earned respect. The value of Microsoft signing something doesn't mean anything to me. They are not trustworthy. After using Firefox for several versions, getting a feel for the neighborhood, I trust it.
I understand that websites use mirrors -- thats normal and doesn't normally raise a red flag. I can verify a file contents with an MD5 checksum if I need to.
Each user should has to establish their own level of trust and should not blindly rely on a certificate to tell them if they trust someone/something.
You ask 'How Can I Trust Firefox'? Well you can't blindly. You have to take a risk. I can only tell you that it works fine for me. Regular backups and common sense go a long way.
There is another reason however--Trust is not as important with Firefox as it is with Microsoft IE. The engineers of IE decided to integrate IE into the operating system with Active Desktop, ActiveX, etc. These made IE much more vulnerable. Firefox doesn't do this. It just tries to be a web browser - not a remote code execution environment.
From "How can I trust Firefox article" Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. So lets do a dig on download.microsoft.com... download.microsoft.com. 3600 IN CNAME download.microsoft.com.nsatc.net. download.microsoft.com.nsatc.net. 300 IN CNAME download.microsoft.com.c.footprint.net. download.microsoft.com.c.footprint.net. 230 IN A 63.210.62.190 download.microsoft.com.c.footprint.net. 230 IN A 166.90.248.221 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.30 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.187 download.microsoft.com.c.footprint.net. 230 IN A 206.24.192.252 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.221 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.222 download.microsoft.com.c.footprint.net. 230 IN A 208.172.128.251 download.microsoft.com.c.footprint.net. 230 IN A 4.78.214.61 download.microsoft.com.c.footprint.net. 230 IN A 4.79.74.61 So I went to download.microsoft.com and I ended up at download.microsoft.com.c.footprint.net. I don't have any idea where that place is, and it sure makes me nervous.
Of course, FireFox won't install any extension downloaded from a site not explicitly whitelisted. It should also be noted that the only site that is whitelisted by default is update.mozilla.org. If Mozilla.org was going to pwn you with a Firefox extension, why wouldn't the save themselves some trouble and just pwn you with TrojanFox?
Was this a deliberate omission? Probably.
Also, complaining about MessageBoxes not working when running software in a non-standard environment (virtual machine) is silly. Odds are that the problem was display driver-related anyway.
Buying A VeriSign Cert is a bad idea, for reasons already mentioned. What *would* be a good idea, however, is for Mozilla foundation to to set itself up as a CA and sign all of it's software, updates and "Official" or semi-official add-ons. I trust Mozilla foundation much more than VeriSign, and protecting users from trojaned programs on mirrors is a good idea.
The thing to look at is the record, plain and simple. And the record shows that, until now, code signing does not address the major security problems that people have with IE. Maybe that will change in the future, but that's the record so far.
Firefox on Windows does not have code signing because the real world has not demanded it so far. If there were enough attacks for which it turned out that code signing was the right solution, then Firefox would use code signing.
Code signing, at this point, is a gimmick because it does not address the major security problems that Microsoft has. It's a solution to a problem that is not at the top of the list of problems with Microsoft software. And because Microsoft focuses on gimmicks, Microsoft keeps failing to address the real security problems Microsoft products have.
Maybe Microsoft will eventually get serious and real about security, but Peter Torr's commentary illustrates that ignorance still reigns supreme at Microsoft.
Name: GAIN
Publisher: Claria Corporation
The publisher was verified so you should install and run this software.
I fail to see how signatures fix anything that is wrong with Internet Explorer. Automated downloads via ActiveX are going to be a problem if they are signed or not. What a moron this guy is (and I'm normally a MS softie). He should be fired if he works for MS as he is exactly the type of thinker that got us into this problem.
More
(Beaten? No. Firefox is a success, so far. And... Microsoft is the arch-enemy of many on slashdot.org because they aren't as programmer-friendly or techie-friendly as other vendors, and they happen to be a colossal, market-dominating company, which makes their lack of programmer-friendliness more aggravating (if they were just a niche company, it wouldn't be nearly so bad, because they wouldn't be a constant irritation, just an occasional one).
.mozilla.org in the name (for example sg-depaul.mirror-firefox.mozilla.org).
.md5.sig for the millions of files on FTP servers that have md5 signatures available.
They have had a sketchy track record with security, but, until recently, they haven't really cared, so you can't blame them for just now trying to come up to speed. Besides, software is complex. Linux has bugs. IE has bugs. Firefox has bugs. Windows has bugs. The better developer is the one who can patch their bugs more quickly without breaking other things in the process (sometimes Microsoft is first to the punch, but they don't seem to always test their patches thoroughly).
They also are a damn good business. Many computer hobbyists really dislike the idea of large businesses being heavyweight players in their field of interest, because it means a stupendously-increased prevalence of things like patents, trade secrets, proprietary interfaces, non-disclosure agreements, and licensing fees.)
There are a few points I have to raise with this:
Mirrors are a *good* thing. The only thing that should possibly be changed is that links to mirrors should all have
I've never seen firefox spit out dialog boxes like that before. I don't know what this guy did (what variant of Windows is he running on this Virtual PC, exactly?), but, I've installed many versions of Mozilla and Firefox to many different operating systems and can't recall seeing any bizarre things like that since the beta / pre-1.0 days.
Signed software is a good idea, but, MD5 hashes aren't a bad alternative for people who aren't willing to shell out cash. Since he proclaims that IE is very good about checking the identity of files it opens, perhaps IE should include a plugin to check a file against its
"Install Now" shouldn't be the default, I agree (except perhaps if it comes from a known trusted domain).
He implies that there shouldn't be a "Do not ask me this again" option for "Are you sure you want to run this random downloaded executable?" I think this is perhaps a useful feature (what about trusted corporate environments where Firefox only accesses internal sites?) for saving a few seconds, although maybe putting the option in a config file somewhere would be wiser.
Flash is also _not_ an extension---it's a plugin. Perhaps Firefox does need a plugin manager; he raises a good point with that.
He also doesn't seem to understand the concept of extensions. Firefox is an attempt to just focus on streamlining the main part of webbrowsing, and leave it up to side projects and third-party developers to add little features via extensions; it's more of a community thing than an all-from-one-vendor thing, so of course a lot of good extensions come from other vendors. If he doesn't trust a certain vendor, he should test an extension under a different user who has no access to anything important, use a personal firewall that handles both incoming AND outgoing connections, and/or use an operating system that can lock a program into just a subtree of the filesystem (I don't know if NT or 2K can do this, but UNIX can chroot, and VMS can do even more specific things than this).
I also like this: "If a bad guy can persuade you to run his program on your computer, it's not your computer any more." IE comes packaged with Windows. It's hard to remove from it. Things stop working if you try to remove IE from windows. I don't trust the writers of IE. So, based on what he says, my computer is only mine if it's not running Windows---sounds good to me!!
But clearly, users don't give a shit.
Ever install any freakin' piece of hardware on Windows? Nothing is signed. I've seen printed instructions that show a pretty picture of the unsigned-code warning dialog box, and tells the user to press the yes please install this dangerous driver that might destroy my computer button.
This is not from Bob's Network Adapters 'n Peat Moss. This is Samsung. Lexmark.
So, as far as Joe Average is concerned, that dialog box is just another stupid thing getting in the way of scanning these nice pictures to send to Aunt Tillie. He's being trained to ignore security warnings.
I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
If you want to talk about facts don't link to a geocities website. Any website on geocities is untrustworthy as to how reliable the information is in my opinion. I'm sure that isn't the only website that has the information, so it's ridiculous to link to something as unauthoritive as that.
I have posted on numerous ocassions my less than glowing feelings about Firefox. I run IE (well, to be fair, Maxthon) and am very happy doing so, haven't had problems in I don't know how long, and just in general I'm not especially thrilled with Firefox.
But this blog entry is beyond ridiculous.
First, I have installed Firefox on a number of ocassions, recently and beta builds in the past. I have done so on a couple of different versions of Windows, a few Linux versions some of which were running under VMWare. I have NEVER had ANY problem installing it. Certainly I've never seen a blank dialog like this guy claims to have.
He raises some interesting concerns about the download locations I think, legitimate concerns, but beyond that it's a bunch of obvious FUD drivel. The security warning dialogs he mentions, while legitimate issues for novice users, are a result of the way IE handles potentially unsafe content, NOT the fault of Firefox. I would bet most people downloading a new browser can probably handle these dialogs without too much trouble, and again, they are from IE, not Firerox. He's right, signing the Firefox download wouldn't be a bad idea, but it's hardly the big deal he seems to think it is.
Look, I think there are legitimate gripes about Firefox (just like there are about IE by the way)... I don't think either side needs to be making stuff up. I find myself sometimes defending MS against what I see as unfair assessments by the OSS community, but seeing posts like this blog entry makes me feel like an ass for doing so. BOTH sides need to be mature and compete fairly, may the best product win. It's annoying when crap like this sneaks through.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
What, like www.windowsupdate.com points to v4.windowsupdate.microsoft.com?
Firefox isn't perfect but please, bitch about one of it's few real problems and some bullshit ones. Someone please show Mr. Torr a clue-by-four please?
"And a voice was screaming: 'Holy Jesus! What are these goddamn animals?'" - HST
I don't like Microsoft, and I think Firefox is excellent, but this guy does have a point with the code signing.
y -services/code-signing/digital-ids-code-signing/in dex.html
Why isn't Firefox's code signed by VeriSign? It may seem frivolus but the average user wont MD5 it until hell freezes over.
http://www.verisign.com/products-services/securit
There, its $695 dollars for the premium version with a $50 000 gurantee. The Mozilla foundation can afford that. And it really would re-assure those non-tech users. It may not matter for us geeks, but it can only do good, so we might as well.
I'm a Student Ambassador to Microsoft, and promote VS.NET on campus. I think this guy is quite nieve (even if from Microsoft) or being deceptive. A few pointers:
1) At least when you post, do a similar comparison between both browsers. I want IE so when I search Google for download internet explorer, then the first link is "www.microsoft.com/ie/" which REDIRECTS me to http://www.microsoft.com/windows/ie/default.htm which again REDIRECTS me to http://www.microsoft.com/windows/ie/default.mspx
Can someone tell me if that is the same Internet Explorer? After all, Microsoft is a big company. I just wanted the regular IE.
2) Watch what you quote - when you wisely point out that Secunia has found (gulp!) 3 security advisories, did you know that only one was moderately critical and the rest were minor? Then, I noticed the advisories for Internet Explorer 6 (the most secure IE browser) - only 53 advisories from 2003-2004 (same timeframe), of which 42% (or around 24) were either highly or extremely critical! Oops, let's not compare using that website.
3) Then, there's the whole issue with downloading extensions - when I click on a link to download my XPI (no clue what it is, as naive user), it waits a few seconds (no surprises) and then asks me to install now or cancel. Oh, and horror of horrors, the Install Now is default! That's what I wanted anyway...and this isn't ActiveX that installs/runs immediately or whenever, but explicitly states that it starts on restart of Mozilla. So, I can even uninstall before reloading Mozilla if I have second thoughts! Hmm, sounds secure to me.
4) I've seen too many web sites that have Versign and a bunch of other BS images that give me no more trust than another site without them. So, I create a spoofed website with Verisign pictures and have no problem fooling users. But with a Firefox plugin, I'll know I'm on a spoofed website. Personally, word of mouth is the biggest way to increase trust, and that's why I recommend Firefox using word of mouth the most - I'll tie my name to Firefox because I use it and trust it. (Even carry it on my USB drive).
5) Why not fight for some real change and migrate AWAY from ActiveX controls and Microsoft-specific mangled HTML code (and even links) that I can't even run in Firefox? And build in some Firefox-like security rather than pretending the fire is under control!
This sig donated to Pater. Long live
Did you even read the freaking article? The author didn't say "Don't use firefox, they encourage bad behavior." He had legitimate points. If firefox wants to sell security, they need to appear secure. Not having the installed signed isn't a good marketing tactic. If I didn't know what I was doing, I wouldn't be installing firefox for the same reason the author brings up. It annoys the crap out of me that most (if not all) plugins aren't signed by their authors. Do you really think that just because nothing bad has happened yet that the good times will continue? That's foolishness. Firefox needs to be perceived to be at least as secure as IE. This article points out that the perception of firefox's security is less than IE under SP2. Stop being a blind zealot and start being realistically critical.
You've obviously never used slime on Emacs. Come to think of it, unless you feel like doing everything in basic or C++, Visual Studio pretty much sucks...
All's true that is mistrusted
Installing Firefox requires downloading an unsigned binary from a random web server
Huh? I got firefox on my distro's CDs. CDs which passed:
* bittorrent's inherent hash checks
* an md5sum comparison from the official distro's website
* gpg signature on the ISOs
as well as the subsequent updates to the browser that were downloaded from the distro's official yum server and had a valid GPG signature.
What were you saying about unsigned, unverified, untrusted code?
If you want to discuss pre and during installation, then you need to discuss the browser he was using for the "pre" and "during" steps and that's IE, not Firefox.
I only scanned the article quickly (its late), but it seems to me his points are all from the perspective of what "we" think is correct. The "we" being Microsoft. Is Microsoft correct? Debatable. He also is quick to point out problems with mirror sites (his gripe about the 403, for example), and does so in such a way as to imply it is Mozilla/Firefox's fault, when it obviously isn't.
Mirror sites are not controlled by the primary vendor. When you consider all of the software downloaded every day from mirror sites (iBiblio, all of the Apache mirror sites, etc) without issue, I'd say beefs about mirrors and not recognizing FQDNs are irrelevant. That leaves his points about signing the code.
When you consider other ways you can verify code (he never once mentions doing a MD5 checksum and verifying the result, for example), I consider his further points about verifying the code to be almost non-issues as well. Is signed code automatically trustworthy? IE is signed code...do you trust it? I don't. So what does the signing do for me?
He also gripes about Firefox's preferences and settings not being in the same location as IE's (his remarks about Tools->Options, etc), yet never points out where to actually find the settings.
All in all, his article doesn't impress me one bit from a debate perspective. It only makes "sense" if you are him: an employee of Microsoft who wants to imply, using open-ended questions and personal innuendo, that anything other than Microsoft is dangerous and risky.
I think it is ironic that he gloats about what his team is doing. How long did it take them? Years. How long did it take Microsoft to get SP2 out for XP? Years. Yet his article acts like the state of Microsoft's software today (fully patched, because retail versions don't have the updates) is the state its always been in, which is false.
Frankly i dont need verisign (that company that tried to redirect all non existent web domains to its own site) to tell me whats good or not. Verisign is equally as much of a problem.
Just to state the obvious, I'll just give a rebuttal to some of these statements.
...
...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
Installing Firefox requires downloading an unsigned binary from a random web server
It's a web server that mozilla.org directs you to. If you're downloading Firefox, you need to trust mozilla.org. Likewise, if you're downloading Internet Explorer, you need to trust microsoft.com.
Installing unsigned extensions is the default action in the Extensions dialog
There's also a two (three?) second timeout and this dialog only appears when either the site is whitelisted by default (only updates.mozilla.org is) or by the user, or if the user clicks the yellow bar at the top to specifically access this dialog.
There is no way to check the signature on downloaded program files
Boo hoo. Authenticode isn't that big of a deal when ActiveX isn't turned on in the first place, considering that that's where 95% of Authenticode is used.
There is no obvious way to turn off plug-ins once they are installed
This one is just uneducated. Tools -> Extensions. Wait... that's, um, more obvious than IE. Oh well, someone wasn't wearing their glasses.
There is an easy way to bypass the "This might be a virus" dialog
There is an easy way to do that on IE as well. It's called clicking Run. Seriously, you're going to quibble over IE having one more warning than Firefox? Go develop a decent browser first and call me when you do.
This statement is built upon previous assumptions that are false (such as Firefox being downloaded from a "random website", see above). Firefox is demonstrably more secure than IE and has far fewer vulnerabilities than Internet Explorer.
To the Microsoft employee who created the original article: Rather than trying to convince people that something they know is inferior that it is not, why don't you try to make it... not inferior? Innovation speaks louder than marketing. Surely you can do better than a bunch of geeks spread across the globe, right?
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
If firefox wants to sell security, they need to appear secure.
.asc signature from ftp.mozilla.org, then get gpg, import the appropriate key from a public server, verify the signature and, if matching, run "Firefox Setup 1.0.exe" to install a verified, trusted version of the program.
That was his argument, alright. Appear secure. Sell security. Yep, that's what MS is doing, too - selling products that appear secure. They'll be selling Palladium next, too. Not that it would be a lot of help, but that's not the point, as it's pretty much meant to help their bottom line.
This is by now already redundant, but a signed binary is nothing to the average user. Heck, Verisign means nothing to the average user, either. They will happily check the "always trust" option for self-signed AX controls without wondering what it means.
On the other hand, if you do understand a little about security, you have the option of getting the (in this case win32) binary together with the
I agree, however, that unsigned extensions don't seem trustworthy. However, until some peer review mechanism is adopted for "official extensions", this is again a rather moot point. Do you trust an extension that's signed by foo@bar.com? even if this is somehow endorsed by mozilla.org (key signing, etc.) how do you know that foo does follow at least minimal security practices? and so on. It all depends on your paranoia level. Luckily, with javascript extensions, at least some people have the time/interest to unpack it and pore over the code to make sure it isn't trojaned. For stuff like flash, you have to trust the vendor, which makes it about on the same level of 'security' as claria et al.