Slashdot Mirror
How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
what about md5 sums? have the install do a checksum of itself?
This sig is definitive. Reality is frequently inaccurate.
What surprised me most about this article, is that its a blog posting where the guy asks a simple question: Why has Firefox not purchased a VeriSign code signing certificate. Why did the poster not take the time to state this very simple sentence?
Well, regardless of the empty implications, the blog posting is not really that exciting. It is really an attempt for this guy to validate his existence as a guy who thinks about security stuff. His job is to say signing software is the only way to really be safe and this is exactly the kind of thing that makes sense when you hear it in a business meeting.
Great, I just want two things from both parties. From the poster: I want an uneditorialized explanation digest linking to a story and from the Microsoft security expert I want actually statistics and case studies on the importance of code signing.
Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate.
Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NTY article (I couldnt find the exact figure though).
So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.
I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.
How can I trust Microsoft?
Even if I get a secure dl of Exploder, the company has always done what is best for its interests, with little regard for mine.
It's happened before, within the last couple years. Unfortunately I can't find the reference to it. It wasn't Mozilla, it was some other software. Someone broke in to the CVS (or other) repository and made some change.
:) Probably a better way could be devised, but as yet, none has been presented.
;)
There are solutions to this. PGP signing each patch would at least let you track down who submitted what. You'd probably need to grab the source as a set of patches, though, so you can individually verify each submitter's PGP key against their code. Ugh.
One thing that amuses me is sites that include the MD5 checksum on the download page. Yes, because if someone got in and changed the tarball, they sure wouldn't even bother updating that MD5 string at the same time!
I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all
He sure has a lot to say about something he doesn't care about.
He does suggest that Microsoft code signing technology somehow controls adware and spyware. Sadly, it doesn't seem to work yet, given that my brother-in-law's rather new XP laptop was loaded with the crap.
I dont know anyone that trusts verisign. You'd think a security company would practice legitimate business, who would have guessed?
Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.
These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Personally I trust MD5 hashes more than certificates... certificates give me an impression of false security... afterall, anybody can buy a certificate - or did i miss something?
It now happens with Firefox too. One site I visited tried to force me to install an xpi extension complete with a "you must click yes" pop up box. Dismissing it still let me access the link however.
However, when this happens with IE, you have to terminate the browser process to get out of the "you must click yes" mousetrap.
From the article:
...
...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
Installing Firefox requires downloading an unsigned binary from a random web server
Installing unsigned extensions is the default action in the Extensions dialog
There is no way to check the signature on downloaded program files
There is no obvious way to turn off plug-ins once they are installed
There is an easy way to bypass the "This might be a virus" dialog
Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefor, a sucessful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?
Now I know the usual answer is going to be "well you can download the source yourself!" or "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother. You see how they already clicked through IE's multiple warnings in order to get Firefox installed.
I'll kick in $20 to Firefox if it goes toward a signing certificate.
Before you mod this too far down, keep in mind I run Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041115 Superunicorn/1.0 (All your Firefox/1.0 are belong to Firesomething)
How am I supposed to fit a pithy, relevant quote into 120 characters?
(Please pardon the elementary school essay feel of this)
In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.
In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosiac, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.
In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.
In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.
Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.
Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st
Do not look into laser with remaining eye.
Apparently just joined MS's crack security team last Thursday... needless to say, he's a real expert!
there's no place like ~
Alternatively: How can we trust FireFox if any old fool can go in and install exploits into the source code?
More to the point... how do I know that the unsigned binary Firefox installer, which I'm downloading from a random web server, was actually compiled from the legitimate source code?
I'm a Firefox user and I'm never turning back to IE, but the author of the article does have many valid points.
It's the people that were targeted by the NYT ad that we have to think about.
In its current form, Firefox will actually make running unknown, unverified, and unsigned software seem "OK" to the average user. Think about it, your grandma downloads and installs Firefox, because everybody in her family tells her it's more secure and better, but now she's greeted with "This is unsigned!" and "Run at your own risk!" every step of the way. Those messages (OK, not the exact wording) would be rather scary and intimidating to a first-time Firefox user who doesn't know much about computers. So what do we tell grandma? "Just click OK."
THIS is precisely programmers are not the people who should be the sole ones generating requirements for software that is supposed to be used by "everybody." Things that make perfect sense to programmers can boggle the minds of regular users. Did the Firefox contributors do any usability testing with volunteers who didn't know the software? Well if they didn't get that kind of feedback before 1.0, they will certainly get plenty of it in the months to come.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
I think you've missed his point a little.
The point isn't that you trust mozilla/firefox. The point is that you're not downloading it from them, you're downloading from a mirror. If the software was signed, you'd know it was tampered with and that you were getting software you thought you were trusting.
The current system lets mirrors tamper with the software. You might trust mozilla, but you really have little idea of what the mirror may have done to it. This is at least what he's saying.. Firefox may have some sort of md5 or something posted..
Yet in the screenshots, IE allows the user to "Run" the executable.
Also...
"But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs."
Obviously didn't try very hard... how about looking in Edit, Preferences, Downloads and then select the Plugins option. From here you can see what plugins are installed and disable them individually.
Last I checked IE doesn't provide a list of Browser Helper Objects that you can individually enable/disable - In fact, the user has no way of knowing that a Browser Helper Object has been installed and worst, has no way of being able to remove or disable it.
Finally, installation of Windows software follows this paradigm, in general. A lot of 3rd party utilities, games and applications can be downloaded and most are not signed. In fact, the Windows Installer does enforce any form of signature or hash.
Microsoft's efforts with digital signing are very noble and they make some very valid points about Firefox here. Why does Firefox suggest having signed plug-ins when they don't sign their own program?
[Being a Linux and Firefox supporter, I cannot understand that]
But the whole comcept of using digital certificates and digital signatures is way too complex for the average non-technical computer user - and the thought of understanding it well is probably too technical for many technical computer users. SSL has similar problems.
Microsoft goes to great lengths to educate the customer with fairly decent descriptions when things aren't signed, or with default options. But ultimately, the uneducated masses do something because someone else "educated them".
So if your friend told you "hey, go install Morpheus file sharing program because you can get stuff for free." You're going to go download it and all of it's spyware.
If your friend emails you a really neat screen saver with embedded virus, then calls you and says "Check out that hot-chick screen saver", you're going to ignore every Unsigned notice error you get to see it run.
The goals of Microsoft are Noble - and Firefox needs to follow it's own recommendations, but I don't believe digital signatures will ever be the solution to the problem.
The masses just want their computers to work. They don't want to have to understand the technical details about how they work. Average users running Microsoft Windows should not be required to make a decision, because no matter what - it's russian roulette.
So if signed programs are the only way to add security to Windows, then just make valid signatures required and go on from there.
You'll just end up with lots of people creating their own signing certificates and the users will have to get a pop-up saying "I don't know the Certificate Authority that signed the signer certificate." Yea, guess what... the average user has no idea what a CA is.
--Twivel
1. Off an official website, hashed, with checksums to make sure you're safe.
2. No, it's not.
3. Yes, there is. There are several internet standards, including MD5 hashing. Question -- why doesn't Firefox show the MD5 has automatically for any files it finishes downloading (in the download box?) Perhaps some good can come from this troll for hire.
4. Just because he didn't look doesn't mean there isn't a way.
5. As opposed to all the multitude of ways IE spyware can bypass user intervention alltogether? Right.
I wish I could get paid to troll the intarweb. Maybe Somethingawful's hiring.
I find Microsoft's dependence on digital certificates hilarious, given that Verisign issued a couple of valid certificates for Microsoft to a hacker a couple of years ago. Makes you kind of wonder about the whole system and value of the verification procss they follow.