How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
What about md5 sums? Have the install do a checksum of itself?
This sig is definitive. Reality is frequently inaccurate.
What surprised me most about this article is that it's a blog posting where the guy asks a simple question: Why has Firefox not purchased a VeriSign code signing certificate? Why did the poster not take the time to state this very simple sentence?
Well, regardless of the empty implications, the blog posting is not really that exciting. It is really an attempt for this guy to validate his existence as a guy who thinks about security stuff. His job is to say signing software is the only way to really be safe and this is exactly the kind of thing that makes sense when you hear it in a business meeting.
Great, I just want two things from both parties. From the poster: I want an uneditorialized explanation digest linking to a story and from the Microsoft security expert I want actual statistics and case studies on the importance of code signing.
Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate.
Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NYT article (I couldn't find the exact figure though).
So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.
I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.
How can I trust Microsoft?
Even if I get a secure dl of Exploder, the company has always done what is best for its interests, with little regard for mine.
It's happened before, within the last couple years. Unfortunately I can't find the reference to it. It wasn't Mozilla, it was some other software. Someone broke in to the CVS (or other) repository and made some change.
:) Probably a better way could be devised, but as yet, none has been presented.
;)
There are solutions to this. PGP signing each patch would at least let you track down who submitted what. You'd probably need to grab the source as a set of patches, though, so you can individually verify each submitter's PGP key against their code. Ugh.
One thing that amuses me is sites that include the MD5 checksum on the download page. Yes, because if someone got in and changed the tarball, they sure wouldn't even bother updating that MD5 string at the same time!
I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all
He sure has a lot to say about something he doesn't care about.
He does suggest that Microsoft code signing technology somehow controls adware and spyware. Sadly, it doesn't seem to work yet, given that my brother-in-law's rather new XP laptop was loaded with the crap.
I don't know anyone that trusts verisign. You'd think a security company would practice legitimate business, who would have guessed?
Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.
These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Personally I trust MD5 hashes more than certificates... certificates give me an impression of false security... after all, anybody can buy a certificate - or did I miss something?
It now happens with Firefox too. One site I visited tried to force me to install an xpi extension complete with a "you must click yes" pop up box. Dismissing it still let me access the link however.
However, when this happens with IE, you have to terminate the browser process to get out of the "you must click yes" mousetrap.
From the article:
...
...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
Installing Firefox requires downloading an unsigned binary from a random web server
Installing unsigned extensions is the default action in the Extensions dialog
There is no way to check the signature on downloaded program files
There is no obvious way to turn off plug-ins once they are installed
There is an easy way to bypass the "This might be a virus" dialog
Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefore, a successful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?
Now I know the usual answer is going to be "well you can download the source yourself!" or "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother. You see how they already clicked through IE's multiple warnings in order to get Firefox installed.
I'll kick in $20 to Firefox if it goes toward a signing certificate.
Before you mod this too far down, keep in mind I run Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041115 Superunicorn/1.0 (All your Firefox/1.0 are belong to Firesomething)
How am I supposed to fit a pithy, relevant quote into 120 characters?
(Please pardon the elementary school essay feel of this)
In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.
In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosaic, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.
In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.
In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.
Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.
Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st
Do not look into laser with remaining eye.
Say I go download the source code for the FireFox search bar extension. Say I'm an ad company and I really wanna target my ads at FireFox users, so I'd like to know what they search for using the search bar extension. So all I do is put in some code that once a month sends the list of everything they searched for to my web site (say I have a really big web site cause I get lots of money from ad companies for doing evil things like this). How oh how will I get these unwitting FireFox users to download my search bar extension from me instead of downloading it from the official site? Well I could just offer it and see how many people download it from my site once Google indexes it. That would work. But more likely what I would do is put it in some random program that lots and lots of people download (say, Kazaa) and enter into agreements with shareware web sites to embed it into all the junk people download from them (say, Download.com). When the user downloads the spyware infected shareware it will silently replace the official FireFox search bar extension with my evil snooping search bar extension. But won't someone notice?!! Well no, because the extensions are not signed are they?
How we know is more important than what we know.
Apparently just joined MS's crack security team last Thursday... needless to say, he's a real expert!
there's no place like ~
Alternatively: How can we trust FireFox if any old fool can go in and install exploits into the source code?
More to the point... how do I know that the unsigned binary Firefox installer, which I'm downloading from a random web server, was actually compiled from the legitimate source code?
I'm a Firefox user and I'm never turning back to IE, but the author of the article does have many valid points.
It's the people that were targeted by the NYT ad that we have to think about.
In its current form, Firefox will actually make running unknown, unverified, and unsigned software seem "OK" to the average user. Think about it, your grandma downloads and installs Firefox, because everybody in her family tells her it's more secure and better, but now she's greeted with "This is unsigned!" and "Run at your own risk!" every step of the way. Those messages (OK, not the exact wording) would be rather scary and intimidating to a first-time Firefox user who doesn't know much about computers. So what do we tell grandma? "Just click OK."
THIS is precisely why programmers are not the people who should be the sole ones generating requirements for software that is supposed to be used by "everybody." Things that make perfect sense to programmers can boggle the minds of regular users. Did the Firefox contributors do any usability testing with volunteers who didn't know the software? Well if they didn't get that kind of feedback before 1.0, they will certainly get plenty of it in the months to come.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
I think you've missed his point a little.
The point isn't that you trust mozilla/firefox. The point is that you're not downloading it from them, you're downloading from a mirror. If the software was signed, you'd know it was tampered with and that you were getting software you thought you were trusting.
The current system lets mirrors tamper with the software. You might trust mozilla, but you really have little idea of what the mirror may have done to it. This is at least what he's saying.. Firefox may have some sort of md5 or something posted..
Does anyone realize that Microsoft talking "smack" on Firefox is a GOOD thing? How, you may ask?
1. They are acknowledging Firefox as competition.
2. They are fighting for market share that they are losing, the right way.
3. Although their points may be invalid, they see Firefox on the level now.
Doesn't anyone realize what this means? We (Firefox supporters) won. M$ knows we exist and have our foot in the foyer.
FTFA:
To a lot of us, Bad Guy == Bill Gates, and Microsoft == Convicted Monopolist. Not only that, but let's look at where those IPs are located (which companies?) Just use whois .edu over microsoft's download pool.
level3, CWIE LLC, Savvis... now do you even know who those companies are or what they do? So which is more scary to you, this or depaul.edu?
Given the way level3 harbors spammers I would much rather trust any
What I like from his blog.
If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.
Once the Mozilla org. starts signing their binaries, Microsoft will apply an update to their certificates library to totally not trust FF to install or run.
Yeah, way to go. Not falling for that one.
From the article:
>Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?
This is a work of art. I'm sure these guys tampered the Firefox install SO BAD (unplugging the network at critical moments, etc...) so that they achieved their desired results.
In other words, they're portraying the Firefox WORST CASE SCENARIO.
Now. Would you like us to portray the IE6 worst case scenario?
Everybody keeps talking about looking at the source code. I want to know: How many people here have actually downloaded the FireFox code and looked at it. Not just looked at it as in, "Therrrre she is!" But as in followed some piece of code.
This is not to support either side. Just a general curiosity. I refuse to believe that everybody here that keeps on drumming on about looking at the open source has actually downloaded and looked at the code, let alone successfully compiled it.
Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."
Google for "windows update error" and you'll see that many users have to go figure out what their x803833828 codes actually mean from sites other than Microsoft.
Here's what I got as a result of clicking a Microsoft link in a search for "download IE":
http://www.gravito.com/sheepdot/IE1.gif
Why do I get cookies from Microsoft websites other than the ones I'm going to?
http://www.gravito.com/sheepdot/IE2.gif
Don't get me wrong, this guy has somewhat of a point, but it's lost in the fact that he's using IE to download Mozilla. Microsoft won't even let Mozilla users download IE. I think that it's pretty obvious that they don't have any intention of getting people to switch, let alone "switch back". I currently use a program called "nLite" to strip IE and IE core from my XP installations. This only started recently due to the lack of a fix for an iframe crashing bug that allowed spyware companies to bypass all those fancy "don't run the exe" windows and just drop malware into the stack. Two weeks for a fix, Microsoft. Two weeks! Mozilla devs have had serious issues like this resolved within a day, sometimes in hours of the first report. The heap overflow in rendering images is another example of how seriously open source developers take security risks.
Lastly, the Flash and especially Java install with IE is a quagmire as well. What happens when the mirror takes longer than 30 seconds to kick in? Well, I click the link and it asks if I really wanted to run/save the EXE. Who cares about signed content, Spybot isn't signed and I need that. Nor is half the open source software. But Gator is signed. Hell, somewhere around 10 to 20 percent of spyware is signed!
Also, the double security windows issue regarding downloaded EXEs in IE is more of a hindrance than a help. Especially when it's been shown that malware authors can write ActiveX to just run it outside of asking the user if it is okay anyway.
Yet in the screenshots, IE allows the user to "Run" the executable.
Also...
"But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs."
Obviously didn't try very hard... how about looking in Edit, Preferences, Downloads and then select the Plugins option. From here you can see what plugins are installed and disable them individually.
Last I checked IE doesn't provide a list of Browser Helper Objects that you can individually enable/disable - In fact, the user has no way of knowing that a Browser Helper Object has been installed and worse, has no way of being able to remove or disable it.
Finally, installation of Windows software follows this paradigm, in general. A lot of 3rd party utilities, games and applications can be downloaded and most are not signed. In fact, the Windows Installer does enforce any form of signature or hash.
This is a fairly good point. I was never a big IE user but Internet Zones is a good idea. Is there an extension for FF that allows this?
I know about the block flash extension, but just speaking in general terms, the ability to label some sites as more trusted than others to a fairly low level is a good function.
Yeah, but out of the examples you have stated, only Google does not have multi-million dollar television ad campaigns telling people what it does. However Google has made deals with a good many people to offer search on other sites to increase name recognition and capture the type of user that would never type google.com in their address bar.
You can make something well recognised without a self explanatory name, but you invariably need money or the backing of people with money to reach the people not immersed in the industry.
The point the poster was making is that IE has every advantage over Firefox. It comes installed with your computer, so you already have it. It has a name that instantly conveys the function, and on top of all that apparently tells you that downloading Firefox will kill your children (looking at the article). The poster also made the point that Firefox has managed to raise the money for only one major advertisement, and probably most people didn't see it.
It's not that Firefox couldn't be recognised easily if a lot of money was poured into that goal, it's that it hasn't happened.
The right way... My product is great, it can do this, and this, and it's secure and you'll love it and....
The wrong way... Their product's bad, use mine instead, oh and did I tell you how bad their product was, you must be a fool if you use it... did I say fool, I mean genius for switching to my product.
People generally don't trust someone if all they have to say is how bad the other person is.
thank God the internet isn't a human right.
They can call the shortcut anything they want. Just call the desktop icon Firefox Internet. Problem solved. (Except that the other browser comes pre-installed on everyone's Windows machine.)
Why can't they just whip themselves up a self signed root CA with openssl, call themselves the firefox signing authority, and use it to sign extensions that way?
What I wanna know is what's preventing XPI from turning into ActiveX? I know a lot of security problems come from ActiveX and users clicking yes when they should click no. I've done it several times myself when I'm barreling through sites. I use Firefox exclusively. I've even installed it on my USB flash drive so I can use it at school.
Not to mention the fact that they all KNOW about Microsoft. They know the name. They know it's been around for quite a while. Therefore it must be good, right? (not my opinion, but it is the view of people that I have known)
You know what I tell people in this situation?
"Hey - tired of spyware? Well, remember Netscape, from back-in-the-day? This is what it evolved into. It's not closely tied to windows, so there's less chance that hackers can get their software on your computer. Try it out."
People that don't know "mozilla" or "firefox" know "Netscape". Plus, it uses some simple buzzwords, like "hacker" and "software" and "computer", so that you can get your point across to your audience without insulting their intelligence, and yet still let it be known that you know what you're talking about.
~Wx
sig?
This is a MS guy, so odds are he's running VPC for Windows on top of XP or Longhorn. And also because he's an MS guy, all non-MS software must be run in a virtual PC as not to defile the sacred cow. Moo.
what I hate most about MSIE and is the main reason I use Mozilla is that it doesn't let me say 'Never Trust anything from this Vendor' when an Active X control pops up. I don't trust Microsoft, neither do I trust Adobe or the company behind Shockwave, yet in MSIE, I cannot tell it I don't trust them. Boy do I hate that.
However, the University site for getting student details requires IE to get into. So even though I installed the User Agent Switcher extension and taught them how to use it to fool the site into thinking they are IE - they forgot how to do that, and next time I was there there was a "Shortcut to IEXPLORE.EXE" icon on their desktop.
:)
They don't blame the people who wrote the site either. They blame the browser for not working with the site. Even if I explain that the people who wrote the site are locking others out for no reason (it's not like it uses ActiveX or anything, the site works perfectly in firefox).
Next time I go there, I will see an IE icon on the desktop again. *sigh*
Can I get rid of executable permissions on IEXPLORE.EXE without horrific consequences?
-- The doctor said I wouldn't get so many nose bleeds if I just kept my finger out of there!
Microsoft's efforts with digital signing are very noble and they make some very valid points about Firefox here. Why does Firefox suggest having signed plug-ins when they don't sign their own program?
[Being a Linux and Firefox supporter, I cannot understand that]
But the whole concept of using digital certificates and digital signatures is way too complex for the average non-technical computer user - and the thought of understanding it well is probably too technical for many technical computer users. SSL has similar problems.
Microsoft goes to great lengths to educate the customer with fairly decent descriptions when things aren't signed, or with default options. But ultimately, the uneducated masses do something because someone else "educated them".
So if your friend told you "hey, go install Morpheus file sharing program because you can get stuff for free." You're going to go download it and all of its spyware.
If your friend emails you a really neat screen saver with embedded virus, then calls you and says "Check out that hot-chick screen saver", you're going to ignore every Unsigned notice error you get to see it run.
The goals of Microsoft are Noble - and Firefox needs to follow its own recommendations, but I don't believe digital signatures will ever be the solution to the problem.
The masses just want their computers to work. They don't want to have to understand the technical details about how they work. Average users running Microsoft Windows should not be required to make a decision, because no matter what - it's russian roulette.
So if signed programs are the only way to add security to Windows, then just make valid signatures required and go on from there.
You'll just end up with lots of people creating their own signing certificates and the users will have to get a pop-up saying "I don't know the Certificate Authority that signed the signer certificate." Yea, guess what... the average user has no idea what a CA is.
--Twivel
The md5 is only as secure as the file, but the Certificate is only as secure as the Certificate Authority. Read other comments here, and you find that Verisign isn't that trustworthy.
Firefox is signed with Mozilla's PGP key, which is just as secure as a certificate. The difference is, you need a secure way to get the public key to you first, so it's not much more secure than MD5.
But, someone could just as easily have handed you a forged Windows install disk, or forged one with your computer, which had a public key for their own spoofed certificate authority, and thus undermine the whole thing.
The point is, you want to reduce the points of failure as much as possible. I think "Download one PGP key and hope it's good, then download anything from mozilla.org and know it's as good as that key" is better than trusting Verisign (and Gator and BonziBuddy).
Don't thank God, thank a doctor!
If, as you assert, he's using a fresh image (how you can know that is beyond me), AND assuming ff doesn't use this 7-zip (http://www.7-zip.org/) thing at all (which it appears to be a stand alone program)
then clearly the problem lies with this 3rd party app. And if you claim you got the same error you used it also. Having a 3rd party app on the system when doing alleged "sensitive security matters" seems to be contraindicated. Besides IIRC XP (which he's using) has the ability to unzip built in.
I call shenanigans on you
1) Go to Tools -> Extensions
2) Click the extension you want to get rid of
3) Click uninstall
Let's compare that to uninstalling programs in windows shall we?
1) Go to Control Panel -> Add/Remove Programs
2) Click the program you want to get rid of
3) Click uninstall
Now, if he wants to pretend that there's no obvious way in firefox to remove extensions, and thus is bad - he should concede that windows has no obvious way to uninstall programs - and is thus bad.
Actually, most non-tech users probably don't even know what a verisign signature is. I also read somewhere (in the comments on the site hosting the article iirc, and they provide a link) that firefox will have signature support before version 2.0.
It is for another usage. I occasionally download big packages (knoppix iso, just released kernel etc) from bt. To verify I am in fact downloading something original, I go back to the main site to check the md5sum. The assumption is I trust the main site but not p2p.... Anyway, the main sites do get hit by cracker sometimes.... But, once some guys discover that the news will appear in slashdot
1. Off an official website, hashed, with checksums to make sure you're safe.
2. No, it's not.
3. Yes, there is. There are several internet standards, including MD5 hashing. Question -- why doesn't Firefox show the MD5 hash automatically for any files it finishes downloading (in the download box?) Perhaps some good can come from this troll for hire.
4. Just because he didn't look doesn't mean there isn't a way.
5. As opposed to all the multitude of ways IE spyware can bypass user intervention altogether? Right.
I wish I could get paid to troll the intarweb. Maybe Somethingawful's hiring.
The originating web site could post an XML file containing a checksum and a list of mirror sites. The FireFox download manager would take care of choosing a mirror (or asking the user to choose one), downloading the file, and checking the file against the checksum. If the checksum doesn't match, the download gets a big red X through it and the user gets a very serious warning if they try to open the file.
I'm sure someone will point out that BitTorrent already handles many of these problems, and does it much more efficiently and powerfully. And I agree that it would be great to have a BitTorrent extension for FireFox. But the fact is that MD5 checksums and mirror sites are the de-facto standard for open source software distribution right now, because they're so easy to implement. Why not clean up this system a bit so that average users can benefit from it?
--Stuart
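The manifest scheme proposed in the post above, next to the same-server checksum that other comments in this thread object to, as an added example that is not part of the original post or any Firefox code. The XML layout, the function names, the `.sha256` sidecar naming and the `example.invalid` mirrors are assumptions made for illustration; SHA-256 is used in place of the MD5 the thread mentions, and the manifest is assumed to reach the client from the origin site, not from a mirror.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample data: a release file and a copy altered by a mirror.
GENUINE = b"constructed installer bytes, release 1.0"
TAMPERED = GENUINE + b" plus code added by a hostile mirror"

HOSTILE = "http://mirror-a.example.invalid/setup.exe"
HONEST = "http://mirror-b.example.invalid/setup.exe"


def digest(data):
    return hashlib.sha256(data).hexdigest()


# Constructed mirror contents: each mirror serves the file and a checksum
# sidecar. The hostile mirror regenerated its sidecar after altering the file.
MIRROR_FILES = {
    HOSTILE: TAMPERED,
    HOSTILE + ".sha256": digest(TAMPERED).encode(),
    HONEST: GENUINE,
    HONEST + ".sha256": digest(GENUINE).encode(),
}


def build_manifest(name, payload, mirrors):
    """Origin side: publish the digest and the mirror list in one XML document."""
    root = ET.Element("download", name=name)
    ET.SubElement(root, "checksum", algorithm="sha256").text = digest(payload)
    for url in mirrors:
        ET.SubElement(root, "mirror").text = url
    return ET.tostring(root, encoding="unicode")


def parse_manifest(xml_text):
    """Client side: refuse manifests without a well-formed digest or mirrors."""
    root = ET.fromstring(xml_text)
    node = root.find("checksum")
    if node is None or node.get("algorithm") != "sha256":
        raise ValueError("manifest must carry a sha256 checksum")
    expected = (node.text or "").strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("malformed checksum")
    mirrors = [m.text.strip() for m in root.findall("mirror") if m.text]
    if not mirrors:
        raise ValueError("no mirrors listed")
    return expected, mirrors


def download_verified(manifest_xml, fetch):
    """Try mirrors in order; accept only bytes matching the origin's digest."""
    expected, mirrors = parse_manifest(manifest_xml)
    rejected = []
    for url in mirrors:
        data = fetch(url)
        if data is not None and hmac.compare_digest(digest(data), expected):
            return {"mirror": url, "data": data, "rejected": rejected}
        rejected.append(url)  # the "big red X" case from the post
    return {"mirror": None, "data": None, "rejected": rejected}


def colocated_check(url, fetch):
    """Weak scheme: compare the file to a checksum served by the same mirror."""
    data = fetch(url)
    served = fetch(url + ".sha256").decode()
    return hmac.compare_digest(digest(data), served)


if __name__ == "__main__":
    manifest = build_manifest("setup.exe", GENUINE, [HOSTILE, HONEST])
    result = download_verified(manifest, MIRROR_FILES.get)
    print("accepted from:", result["mirror"])
    print("rejected:", result["rejected"])
    print("same-server checksum accepts altered file:",
          colocated_check(HOSTILE, MIRROR_FILES.get))
```

The manifest check only moves trust to the origin: if the origin itself is altered, digest and file change together, which is the gap the signature proposals elsewhere in the thread are aimed at.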
What if, instead of having the author sign it, all plugins are signed by one or more reviewers? Then you can choose to only use plug-ins who have been vetted by someone you trust.
You'd still have the "know your dealer" problem, but it would be better.
This is not a political statement. This is not legal advice. It's a frick'n Slashdot post. However: I'm Running For
I find Microsoft's dependence on digital certificates hilarious, given that Verisign issued a couple of valid certificates for Microsoft to a hacker a couple of years ago. Makes you kind of wonder about the whole system and value of the verification process they follow.
I am struck by the audacity of Torr to suggest that you can trust Microsoft install packages but not Mozilla's simply because of signing.
Signing just indicates that the source validates what is packaged. Simply, signed Microsoft install packages come from Microsoft. However this does not indicate anything about the quality of the package. This is the heart of MS's problems since it was never a question of the package source but the quality of content. They've burned so many not by fake IE packaging but by the fact IE is "junk" in the first place. Anything beyond this (all of the malware, hacks, and bugs) is just a side effect of design and code in IE not of the fact IE is a hacked install.
There are legit complaints about the Moz distribution and install procedure. I would like to see a "self validating" install to ensure the package is legit however alone signing isn't the solution. Signing is only useful for indicating the install package has not been tampered. It never indicates whether or not the software installed works. No amount of code signing from MS will fix IE's damaged reputation for misbehaving.
ps. I'm loathe to think Mozilla needs to fork out money to anyone to prove anything. They should be seeking free (beer and freedom) ways of package authentication.
Does this include the new VX/LM rootkit? Yes, I called it a rootkit because it loads a dll in the HKLM\Software\Microsoft\WindowsNT\CurrentVersion\
Oh, did I mention that it downloads and installs other spyware for you on its own? After ~two hours there were 50 different pieces of spyware installed.
Chop
Microsoft actually acknowledges that an Open Source competitor exists! Film at Eleven.
I've noticed a pattern of behavior from MS marketing: they don't seem to want to acknowledge linux, firefox, et. al. as actual products - and so a wry smile crept onto my face when I saw the image referencing the Mozilla Foundation as "Unknown Publisher."
This entry is probably an attempt at "payback" for all those "My Windows Installation Nightmare" anecdotes populating the 'web. However, his story seems just a *bit* contrived. I've installed firefox on multiple PCs and multiple windows versions and experienced 0% of the problems he's describing. Huh?