Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Can I Trust Firefox?

Posted by timothy on from the how-could-anyone-trust-ie? dept.

TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"

8 of 1,464 comments (clear)

  1. Verisign Code Signing Certificate by AndyFewt · · Score: 5, Interesting

    Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate.

    Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NTY article (I couldnt find the exact figure though).

    So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.

  2. Why support Verisign? by Anonymous Coward · · Score: 5, Interesting

    I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.

  3. Problem, Verisign is the enemy! by Penguinoflight · · Score: 5, Interesting

    I dont know anyone that trusts verisign. You'd think a security company would practice legitimate business, who would have guessed?

    Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.

    These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.

    --
    "And we have seen and do testify that the Father sent the Son to be the Savior of the World"
    1 John 4:14
  4. Re:Yeah, right. by Supertroll · · Score: 5, Interesting

    It now happens with Firefox too. One site I visited tried to force me to install an xpi extension complete with a "you must click yes" pop up box. Dismissing it still let me access the link however.

    However, when this happens with IE, you have to terminate the browser process to get out of the "you must click yes" mousetrap.

  5. I agree ... by wasted · · Score: 5, Interesting

    From the article:

    Installing Firefox requires downloading an unsigned binary from a random web server

    Installing unsigned extensions is the default action in the Extensions dialog

    There is no way to check the signature on downloaded program files

    There is no obvious way to turn off plug-ins once they are installed

    There is an easy way to bypass the "This might be a virus" dialog ...

    ...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

    Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefor, a sucessful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?

    1. Re:I agree ... by ocdboy · · Score: 5, Interesting

      I completely agree - The whole essay is full of misleading information and assumptions based on the premise that Microsoft's code signing system works- whish is untrue. I dug up this link somewhere (prolly following a link from slashdot :) ) it explains not only why Active x is a problem, but also how useless code signing actually is

      http://www.halcyon.com/mclain/ActiveX/Exploder/F AQ .htm

      Q: Doesn't Code Signing and Microsoft's AuthentiCode technology prevent people from distributing malicious ActiveX controls?

      A: No. Code Signing simply attempts to identify who signed the control. Anyone can go out and get a code signature. It's a pretty much automatic process. You go to a web site, give them a name, address, credit card number and some other stuff (none of which have to be yours), click "I Agree" on a page full of legal jargon, and pretty soon you get an e-mail with the information you need to sign the control in it. Once you have your Digital ID, you can sign any unsigned ActiveX control. Nobody reviews these controls! In other words, a signature doesn't tell you who wrote the control and it doesn't tell you if the control is safe or not. Heck, with the number of hot credit card numbers out on the net, it doesn't even tell you for sure who signed it. A danger is that seeing that a control is signed will give folks a warm fuzzy feeling about the control, and encourage them to run it, even though it does not guarantee their safety!

  6. How I can trust Firefox, by TWX by TWX · · Score: 5, Interesting

    (Please pardon the elementary school essay feel of this)

    In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.

    In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosiac, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.

    In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.

    In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.

    Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.

    Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st

    --
    Do not look into laser with remaining eye.
  7. Mr Torr by Petronius · · Score: 5, Interesting

    Apparently just joined MS's crack security team last Thursday... needless to say, he's a real expert!

    --
    there's no place like ~