Slashdot Mirror
How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust.
Hello? Microsoft? 99% of the stuff on the Internet is unsigned. Downloading software from DePaul University's FireFox mirror doesn't scare me.
What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".
And even if I press no, I *still* get spyware. Why? IE Sucks.
After I finally got rid of my beloved CoolSearchWeb installations, I installed FireFox for good. I've been spyware free ever since, and I download a lot of unsigned data. No IE, no spyware.
Microsoft is never going to get it.
it's against the rules when Microsoft starts flaming back!
Theory of flight?! I'll teach you the theory of fist!!
what about md5 sums? have the install do a checksum of itself?
This sig is definitive. Reality is frequently inaccurate.
A better question is, how can we trust anything from Microsoft. Without the source code, who knows what their software is doing behind the scenes.
What surprised me most about this article, is that its a blog posting where the guy asks a simple question: Why has Firefox not purchased a VeriSign code signing certificate. Why did the poster not take the time to state this very simple sentence?
Well, regardless of the empty implications, the blog posting is not really that exciting. It is really an attempt for this guy to validate his existence as a guy who thinks about security stuff. His job is to say signing software is the only way to really be safe and this is exactly the kind of thing that makes sense when you hear it in a business meeting.
Great, I just want two things from both parties. From the poster: I want an uneditorialized explanation digest linking to a story and from the Microsoft security expert I want actually statistics and case studies on the importance of code signing.
Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate.
Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NTY article (I couldnt find the exact figure though).
So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.
Tools > Extensions > Choose extension and UNINSTALL. And I don't know anyone who ever stopped installing something they downloaded because it wasn't signed. Perhaps if 99% of Windows users weren't running as admin, this wouldn't be a problem?
I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.
Heh, I know someone who happens to work for a spyware company. The company has a Verisign cert and signs their software with it. Gee, that was hard!
Why not read the source code and complie it yourself????
Seen any of these errors? I've installed Firefox on several pc's with no problems at all.
I also noticed this comment:
"and not caring if my Virtual PC image dies a horrible death"
(emphathis added)
Could this person be having a virtual pc problem?
sure says a lot for IE security, doesn't it?
How can I trust Microsoft?
Even if I get a secure dl of Exploder, the company has always done what is best for its interests, with little regard for mine.
doesn't mean it's good for you. I recall seeing prompts to install "Web Gator" software and other such junk, all of which were signed by somebody. Despite the fancy certificate though, it was still crapware.
"And now, Frank N. Furter, your time has come. Say 'goodbye' to all of this, and 'hello'... to oblivion!"
Some spywares are also signed with Verisign... Gator, Bonzibuddy, etc.
What's the point?
One approach might be to have users download an small installer from "firefox.org" (only!) which then verifies the downloaded file (which can come from anywhere). The download site on "firefox.org" should have an SSL certificate good enough for code signing.
Of Course he can't trust Firefox, its trying to take his job away. Does a Ford Engineer trust Chevy trucks? Well maybe, but you sure as hell won't see a Ford engineer driving one...
I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all
He sure has a lot to say about something he doesn't care about.
He does suggest that Microsoft code signing technology somehow controls adware and spyware. Sadly, it doesn't seem to work yet, given that my brother-in-law's rather new XP laptop was loaded with the crap.
I download the software again (this time coming from -- I kid you not! -- a numeric IP address [...]
As opposed to what? A graphical IP address? A string IP address? A musical IP address?
I hope this kind of remark does not reflect the technical skills (or lack thereof) of the author, although the content of the lame flamish post seems to lead us to the same conclusion.
theefer
Paying for a commercial entity to "code sign" your software seems much to me like trying to buy someone's trust. IMHO, trust can't really ever be bought. It's something earned.
How can I trust FireFox? Basically, I only trust it because other people who came before me reported back on their success with it, and in my own trials, it has done well for me. (The fact that the source code is available for open examination is a comforting factor too, of course.)
Ultimately, I think almost all of us choose the software applications we run based on how satisfied we are with the results they give us. The fact that a package is "signed" or "unsigned" has very little bearing on my confidence in using a particular program.
Opens Source was designed, like the internet protocols, for people who trust each other - the developers of shrink-wrap executables need to learn to think paranoid when they deal in user binaries.
Don't make the same errors again - if the designers of SMTP had thought about the users rather than the implementers, they woudl have built signature/encryption/sender authentication straight into the protocol and prevented the spam issue from ever arising.
This is not a signature.
That would mean that every piece of software not signed would be bad. The logical definition of necessary is not "provides some evidence", but is a strict conditional. In other words software can be trusted only if it is signed. This is obviously false, there are clearly ways one can trust a piece of software without requiring a digital signature.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
Mr. Torr uses IE to download Firefox in his blog article. Why am I not surprised that IE has difficulties downloading Firefox? Next thing we know, an internal Microsoft memo will surface recommending that MS "cut off Firefox's air supply."
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
I dont know anyone that trusts verisign. You'd think a security company would practice legitimate business, who would have guessed?
Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.
These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Personally I trust MD5 hashes more than certificates... certificates give me an impression of false security... afterall, anybody can buy a certificate - or did i miss something?
"Yeah sure, our boat is on fire, sinking and leaking radioactive waste
But look at their boat...
it's got a dent in its hull
also, why spend time trying to break into one car that has its windows rolled up..
when its sitting in a parking lot full of cars with their windows down and keys in the ignition
Type "1" in Google and hit I'm feeling lucky. Hint: It's not the IE page. Please don't mod me off topic.
(from the article) First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/. Funny when I went to http://windows.com I got redirected to the real page at http://www.microsoft.com/windows/default.mspx
The article makes perfect sense and the issues are legitimate. The thing is, they are generic issues in the PC world we live in today. They aren't any better if you use Microsoft software.
The average user is placed in situations, probably several times a week, where in theory he is voluntarily authorizing something but in practice has virtually no way to know whether it is safe to click OK or not.
Today's software is constantly giving you scary warnings about things that are perfectly OK, while constantly encouraging you to OK things which are not at all in your best interests to OK.
My favorites are all the Microsoft uninstalls which ask me whether I want to delete QQXXZZ.DLL, without telling me what QQXXZZ.DLL is or what it does or what other applications might be using it. (In fact, it seems to expect me to know that. Hey, the OS might be in a position to know whether some other application uses that DLL, but I certainly am not. And my wife, of course, doesn't even know what a DLL is...
(Now, about that pageful of medium-gray type on a light-gray background that's on the back of the car rental agreement you are presented with, in the airport, with a line of irritable people behind you...)
"How to Do Nothing," kids activities, back in print!
Sir,
Trust is not a universal concept. Some discretion is required. If you do not trust Firefox, that is your choice. You are not willing, in your mind to take a risk. Personally, I do not trust Microsoft. Despite years of press releases and keynote speaches promoting security as 'Job 1' I have lost all trust in them.
Personally, I see little value in a so called 'signed application'. If I visit my bank, I want to see a 'padlock' icon so that I know the data is not being 'sniffed' en route. Other than that, the certificate is not important to me. But that is the level of trust I am comfortable with. My concept of trust includes the concept of established relationship and earned respect. The value of Microsoft signing something doesn't mean anything to me. They are not trustworthy. After using Firefox for several versions, getting a feel for the neighborhood, I trust it.
I understand that websites use mirrors -- thats normal and doesn't normally raise a red flag. I can verify a file contents with an MD5 checksum if I need to.
Each user should has to establish their own level of trust and should not blindly rely on a certificate to tell them if they trust someone/something.
You ask 'How Can I Trust Firefox'? Well you can't blindly. You have to take a risk. I can only tell you that it works fine for me. Regular backups and common sense go a long way.
There is another reason however--Trust is not as important with Firefox as it is with Microsoft IE. The engineers of IE decided to integrate IE into the operating system with Active Desktop, ActiveX, etc. These made IE much more vulnerable. Firefox doesn't do this. It just tries to be a web browser - not a remote code execution environment.
From "How can I trust Firefox article" Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. So lets do a dig on download.microsoft.com... download.microsoft.com. 3600 IN CNAME download.microsoft.com.nsatc.net. download.microsoft.com.nsatc.net. 300 IN CNAME download.microsoft.com.c.footprint.net. download.microsoft.com.c.footprint.net. 230 IN A 63.210.62.190 download.microsoft.com.c.footprint.net. 230 IN A 166.90.248.221 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.30 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.187 download.microsoft.com.c.footprint.net. 230 IN A 206.24.192.252 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.221 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.222 download.microsoft.com.c.footprint.net. 230 IN A 208.172.128.251 download.microsoft.com.c.footprint.net. 230 IN A 4.78.214.61 download.microsoft.com.c.footprint.net. 230 IN A 4.79.74.61 So I went to download.microsoft.com and I ended up at download.microsoft.com.c.footprint.net. I don't have any idea where that place is, and it sure makes me nervous.
From the article:
...
...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
Installing Firefox requires downloading an unsigned binary from a random web server
Installing unsigned extensions is the default action in the Extensions dialog
There is no way to check the signature on downloaded program files
There is no obvious way to turn off plug-ins once they are installed
There is an easy way to bypass the "This might be a virus" dialog
Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefor, a sucessful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?
While it is somewhat problematic for individual users to perform certainly corporate users could download and verify their own distro copy and distribute to their own users from that. It's more important to understand what the application does and that can only be achieved by examining or at least verifying the code and all of it's APIs.
Why is this important? Because the browser, any browser, is really an enterprise application as pervasive and critical as SAP, PeopleSoft, Websphere, Tivoli or any of the other so called enterprise application suites.
Yet IE is the only one that's not a toolkit, can't be verified internally or altered or tuned or customized in any meaningful way. It's as if you installed an Oracle DB and Oracle told you how many tables you could have, what they can look like and hid all the background processes from the developers, and didn't even publish the full API.
It's a fucking joke what you've been lead to accept. IE is the only enterprise app that's a black box and none of you, NONE of you should accept that.
Microsoft's criticism of how Firefox is distributed is pure smoke screen. They would have you believe you can't trust an app because you can't be sure where it came from whereas you're supposed to trust an app you can't verify, examine or debug on your own.
Now I know the usual answer is going to be "well you can download the source yourself!" or "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother. You see how they already clicked through IE's multiple warnings in order to get Firefox installed.
I'll kick in $20 to Firefox if it goes toward a signing certificate.
Before you mod this too far down, keep in mind I run Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041115 Superunicorn/1.0 (All your Firefox/1.0 are belong to Firesomething)
How am I supposed to fit a pithy, relevant quote into 120 characters?
Of course, FireFox won't install any extension downloaded from a site not explicitly whitelisted. It should also be noted that the only site that is whitelisted by default is update.mozilla.org. If Mozilla.org was going to pwn you with a Firefox extension, why wouldn't the save themselves some trouble and just pwn you with TrojanFox?
Was this a deliberate omission? Probably.
Also, complaining about MessageBoxes not working when running software in a non-standard environment (virtual machine) is silly. Odds are that the problem was display driver-related anyway.
(Please pardon the elementary school essay feel of this)
In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.
In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosiac, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.
In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.
In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.
Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.
Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st
Do not look into laser with remaining eye.
I have used Mozilla products far longer than I have used IE. Every time I have ever used IE all I have ended up with is a gang of adware on my computer. I'm sure that IE could be more secure, but for me it's more of a matter of being with Mozilla products longer.
using GPG by a company I trust more than Microsoft/Verisign....
it was signed by Red Hat, and it had an automatic signature verification built into the Yum install.
Ok, move along... nothing more than FUD to see here.
Say I go download the source code for the FireFox search bar extension. Say I'm an ad company and I really wanna target my ads at FireFox users, so I'd like to know what they search for using the search bar extension. So all I do is put in some code that once a month sends the list of everything they searched for to my web site (say I have a really big web site cause I get lots of money from ad companies for doing evil things like this). How oh how will I get these unwitting FireFox users to download my search bar extension from me instead of downloading it from the official site? Well I could just offer it and see how many people download it from my site once Google indexes it. That would work. But more likely what I would do is put it in some random program that lots and lots of people download (say, Kazza) and enter into agreements with shareware web sites to embed it into all the junk people download from them (say, Download.com). When the user downloads the spyware infected shareware it will silently replace the official FireFox search bar extension with my evil snooping search bar extension. But won't someone notice?!! Well no, because the extensions are not signed are they?
How we know is more important than what we know.
Apparently just joined MS's crack security team last Thursday... needless to say, he's a real expert!
there's no place like ~
Visit a secure .mil site some time.
It has always amused me when I get "The authority of this registrar is not recognized" when visiting sites the US Gov or DoD has signed themselves.
Simple Machines in Higher Dimensions
The problem is IE is set at default to install third party plugings, which was handy before spyware and adware came along.
When I try to install extensions or anything else to firefox, I first have to add the site to my trusted sites list.
Knowing what I am installing and where it comes from means more then some signature I can't read.
Alternatively: How can we trust FireFox if any old fool can go in and install exploits into the source code?
More to the point... how do I know that the unsigned binary Firefox installer, which I'm downloading from a random web server, was actually compiled from the legitimate source code?
I'm a Firefox user and I'm never turning back to IE, but the author of the article does have many valid points.
It's the people that were targeted by the NYT ad that we have to think about.
In its current form, Firefox will actually make running unknown, unverified, and unsigned software seem "OK" to the average user. Think about it, your grandma downloads and installs Firefox, because everybody in her family tells her it's more secure and better, but now she's greeted with "This is unsigned!" and "Run at your own risk!" every step of the way. Those messages (OK, not the exact wording) would be rather scary and intimidating to a first-time Firefox user who doesn't know much about computers. So what do we tell grandma? "Just click OK."
THIS is precisely programmers are not the people who should be the sole ones generating requirements for software that is supposed to be used by "everybody." Things that make perfect sense to programmers can boggle the minds of regular users. Did the Firefox contributors do any usability testing with volunteers who didn't know the software? Well if they didn't get that kind of feedback before 1.0, they will certainly get plenty of it in the months to come.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
Taiwan is not China no matter what the mainland says.
Off Topic I know but come on.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Nothing at all like /.
So wait -- Microsoft == Trust, therefore !Microsoft != Trust? False premise? Yup.
Forgive my cynism, but he is ass|u|me|ing that people trust Microsoft in the first place? Does the guy not live in the real world? The reason that I trust Firefox is because I don't have any of the problems that I have with Internet Explorer. I liked IE until my computer became overran with spyware and trojans. Code signing would be nice. But didn't the guy find the feature that only allows software installations from certain sites. I am very trusting of Mozdev, and Mozilla.org. But I am quite glad that www.hijackyourbrowser.com isn't allowed to install software. Code signing is a nice idea, but I trust a whole lot of software that isn't signed. And Microsoft should know that code signing is often ignored. I ignored the driver signing last time I updated my NVidia drivers. Just because something is digitally signed doesn't mean that I should trust it. Heck, according to Microsoft's arguments I should get a new anti-virus (even though I am running Norton Antivirus Corparate Edition) because it doesn't report itself to the OS. And what is to prevent someone from cracking the way things are digitally signed? Again, I get back to the logical fallacy -- he is assuming that people inherently trust Microsoft.
The views expressed are mine own and do not express the views of my employer.
I guess he's hoping for a Christmas bone-arse from Bill Gates.
Did I make FIRST POST?
Beat that person. Beat them with a metal stick.
Not a Twitter sockpuppet... but I wish I was.
He totally missed the fundamental insecurity of IE. Crapware installs itself with IE, either by exploiting "features" or holes. Sure, some crapware requires the user to click Ok (fuck my browser now) or Cancel (fuck my browser now anyway), but for the majority of it that I've experienced, a couple visits to websites of questionable integrity pretty much does it...
Funny, I've never had Firefox do that.
Really, what the hell does it matter if the software is signed? Some spyware/adware is signed so it looks "safe" by this guy's standards, and some of it just installs without telling you. If your core browser isn't safe from exploitation, there's really no sense in going any further. If you train users to say no, spyware just exploits the holes and installs itself without asking, problem solved. 90% of users are just going to click "Ok" anyway, no matter what it tells them, and no matter how much you try to teach them.
He does have two interesting points, though, that perhaps we shouldn't trash with the rest. Maybe something beyond MD5 hashes should be provided for FF. My dad runs Windows, has no idea how to do an MD5 sum on a file, nor does he particularly need to know that. I hate even suggesting that Verisign is some bastion of legitimacy, because, well, just no. However, we're probably the biggest cooperating group of smart people (okay, some of you may be excused) the world has ever seen - surely there's a way to do it that is both easy for regular users and doesn't support V-evil.
Also, being able to turn on and off various plug-ins wouldn't hurt. Sure, I know about the extension manager, but I'm talking things like Flash and Acrobat (the two things that screw me over most often). It'd be nice if I could just turn them off temporarily. Acrobat the Plugin has to be one of the #1 things that crashes on my Win32 boxes.
Those hashes are useful for at least two reasons: 1. They let me verify that the file downloaded properly. 2. If I downloaded from a less trustworthy mirror, I can check the hash in a more trustworthy place.
This post written under Gentoo-linux with an SCO IP license.
The thing to look at is the record, plain and simple. And the record shows that, until now, code signing does not address the major security problems that people have with IE. Maybe that will change in the future, but that's the record so far.
Firefox on Windows does not have code signing because the real world has not demanded it so far. If there were enough attacks for which it turned out that code signing was the right solution, then Firefox would use code signing.
Code signing, at this point, is a gimmick because it does not address the major security problems that Microsoft has. It's a solution to a problem that is not at the top of the list of problems with Microsoft software. And because Microsoft focuses on gimmicks, Microsoft keeps failing to address the real security problems Microsoft products have.
Maybe Microsoft will eventually get serious and real about security, but Peter Torr's commentary illustrates that ignorance still reigns supreme at Microsoft.
Name: GAIN
Publisher: Claria Corporation
The publisher was verified so you should install and run this software.
I fail to see how signatures fix anything that is wrong with Internet Explorer. Automated downloads via ActiveX are going to be a problem if they are signed or not. What a moron this guy is (and I'm normally a MS softie). He should be fired if he works for MS as he is exactly the type of thinker that got us into this problem.
More
This piece mainly addresses the issue of potential security threats from files (like Firefox or Flash Player) that the user decides to download voluntarily. While there are potential risks here, it seems to me that the main issue is users inadvertently installing spyware and adware. I doubt that many users encounter problems from software that they were actually trying to install in the first place.
From the article:
>Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?
This is a work of art. I'm sure these guys tampered the Firefox intall SO BAD (unplugging the network at critical moments, etc...) so that they achieved their desired results.
In other words, they're portraying the Firefox WORST CASE SCENARIO.
Now. Would you like us to portray the IE6 worst case scenario?
ActiveX using code-signing for its security model. We all know how secure that is. Microsoft, as always, just doesn't get it.
I love Microsoft to death (with the exception of Internet Explorer). But... excuse me, what the hell is this guy smoking? If he was a half competent user, he wouldn't have installed Service Pack 2 for XP to begin with. I havent, my computer is still spyware and virus free.
He encountered a very rare problem installing Firefox, all of which could have been faked. Who cares? Internet Explorer has FAR too many problems reguarding security. People get spyware by just VISITING web pages, you prick. I mean seriously, how many of you have ever went to a webpage in IE and a box popped up asking if you wanted to install 'spyware.omg.kill.computer'? NEVER. EVER. In my LIFE. Internet Explorer is a piece of crap. Microsoft needs to stop pretending IE is worth half a shit (please excuse the language).
Microsoft needs to get their crap together and build a web browser with security as the primary focus. Forget UX (User eXperience) and all that other fancy crap, just get the code secure and then work on the beautification.
My two cents.
-rico
-Eric Smith
(Beaten? No. Firefox is a success, so far. And... Microsoft is the arch-enemy of many on slashdot.org because they aren't as programmer-friendly or techie-friendly as other vendors, and they happen to be a colossal, market-dominating company, which makes their lack of programmer-friendliness more aggravating (if they were just a niche company, it wouldn't be nearly so bad, because they wouldn't be a constant irritation, just an occasional one).
.mozilla.org in the name (for example sg-depaul.mirror-firefox.mozilla.org).
.md5.sig for the millions of files on FTP servers that have md5 signatures available.
They have had a sketchy track record with security, but, until recently, they haven't really cared, so you can't blame them for just now trying to come up to speed. Besides, software is complex. Linux has bugs. IE has bugs. Firefox has bugs. Windows has bugs. The better developer is the one who can patch their bugs more quickly without breaking other things in the process (sometimes Microsoft is first to the punch, but they don't seem to always test their patches thoroughly).
They also are a damn good business. Many computer hobbyists really dislike the idea of large businesses being heavyweight players in their field of interest, because it means a stupendously-increased prevalence of things like patents, trade secrets, proprietary interfaces, non-disclosure agreements, and licensing fees.)
There are a few points I have to raise with this:
Mirrors are a *good* thing. The only thing that should possibly be changed is that links to mirrors should all have
I've never seen firefox spit out dialog boxes like that before. I don't know what this guy did (what variant of Windows is he running on this Virtual PC, exactly?), but, I've installed many versions of Mozilla and Firefox to many different operating systems and can't recall seeing any bizarre things like that since the beta / pre-1.0 days.
Signed software is a good idea, but, MD5 hashes aren't a bad alternative for people who aren't willing to shell out cash. Since he proclaims that IE is very good about checking the identity of files it opens, perhaps IE should include a plugin to check a file against its
"Install Now" shouldn't be the default, I agree (except perhaps if it comes from a known trusted domain).
He implies that there shouldn't be a "Do not ask me this again" option for "Are you sure you want to run this random downloaded executable?" I think this is perhaps a useful feature (what about trusted corporate environments where Firefox only accesses internal sites?) for saving a few seconds, although maybe putting the option in a config file somewhere would be wiser.
Flash is also _not_ an extension---it's a plugin. Perhaps Firefox does need a plugin manager; he raises a good point with that.
He also doesn't seem to understand the concept of extensions. Firefox is an attempt to just focus on streamlining the main part of webbrowsing, and leave it up to side projects and third-party developers to add little features via extensions; it's more of a community thing than an all-from-one-vendor thing, so of course a lot of good extensions come from other vendors. If he doesn't trust a certain vendor, he should test an extension under a different user who has no access to anything important, use a personal firewall that handles both incoming AND outgoing connections, and/or use an operating system that can lock a program into just a subtree of the filesystem (I don't know if NT or 2K can do this, but UNIX can chroot, and VMS can do even more specific things than this).
I also like this: "If a bad guy can persuade you to run his program on your computer, it's not your computer any more." IE comes packaged with Windows. It's hard to remove from it. Things stop working if you try to remove IE from windows. I don't trust the writers of IE. So, based on what he says, my computer is only mine if it's not running Windows---sounds good to me!!
Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."
Google for "windows update error" and you'll see that many users have to go figure out what their x803833828 codes actually mean from sites other than Microsoft.
Here's what I got as a result of clicking a Microsoft link in a search for "download IE":
http://www.gravito.com/sheepdot/IE1.gif
Why do I get cookies from Microsoft websites other than the ones I'm going to?
http://www.gravito.com/sheepdot/IE2.gif
Don't get me wrong, this guy has somewhat of a point, but it's lost in the fact that he's using IE to download Mozilla. Microsoft won't even let Mozilla users download IE. I think that it's pretty obvious that they don't have any intention of getting people to switch, let alone "switch back". I currently use a program called "nLite" to strip IE and IE core from my XP installations. This only started recently due to the lack of a fix for an iframe crashing bug that allowed spyware companies to bypass all those fancy "don't run the exe" windows and just drop malware into the stack. Two weeks for a fix, Microsoft. Two weeks! Mozilla devs have had serious issues like this resolved within a day, sometimes in hours of the first report. The heap overflow in rendering images is another example of how seriously open source developers take security risks.
Lastly, the Flash and especially Java install with IE is a quagmire as well. What happens when the mirror takes longer than 30 seconds to kick in? Well, I click the link and it asks if I really wanted to run/save the EXE. Who cares about signed content, Spybot isn't signed and I need that. Nor is half the open source software. But Gator is signed. Hell, somewhere around 10 to 20 percent of spyware is signed!
Also, the double security windows issue regarding downloaded EXEs in IE is more of a hindrance than a help. Especially when it's been shown that malware authors can write ActiveX to just run it outside of asking the user if it is okay anyway.
Well, technically, I have no argument with you. That's, of course, the technical reason why code signing is a "good thing".
I guess I was trying to say, though, complete (or near complete) confidence in knowing the code you're downloading really isn't "tampered with" is a relatively minor issue for most people.
99% of the computer users I encounter really don't have a good grasp on the significance of signed certificates in the first place. In the "real world", confidence that you're downloading "what it says it is" comes more from folks getting the software from well-respected sites (such as download.com).
Microsoft is really grasping at straws, trying to punch holes in Mozilla/Firefox credibility, by bringing up relative non-issues like this. The fact remains, people are much more confident they have a "safe browser" when they use Firefox than when they use IE, and this is because of everyone's actual experiences using both products and witnessing the results others are reporting.
(EG. If I use IE, code-signed or not, I know I've got some security holes/issues in my browser. If I use Firefox, I may have that small risk it's been tampered with, but it's a much LOWER relative risk than using IE is.)
But clearly, users don't give a shit.
Ever install any freakin' piece of hardware on Windows? Nothing is signed. I've seen printed instructions that show a pretty picture of the unsigned-code warning dialog box, and tells the user to press the yes please install this dangerous driver that might destroy my computer button.
This is not from Bob's Network Adapters 'n Peat Moss. This is Samsung. Lexmark.
So, as far as Joe Average is concerned, that dialog box is just another stupid thing getting in the way of scanning these nice pictures to send to Aunt Tillie. He's being trained to ignore security warnings.
I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
Yet in the screenshots, IE allows the user to "Run" the executable.
Also...
"But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs."
Obviously didn't try very hard... how about looking in Edit, Preferences, Downloads and then select the Plugins option. From here you can see what plugins are installed and disable them individually.
Last I checked IE doesn't provide a list of Browser Helper Objects that you can individually enable/disable - In fact, the user has no way of knowing that a Browser Helper Object has been installed and worst, has no way of being able to remove or disable it.
Finally, installation of Windows software follows this paradigm, in general. A lot of 3rd party utilities, games and applications can be downloaded and most are not signed. In fact, the Windows Installer does enforce any form of signature or hash.
This is a fairly good point. I was never a big IE user but Internet Zones is a good idea. Is there an extension for FF that allows this?
I know about the block flash extension, but just speaking in general terms, the ability to label some sites as most trusted than others to a fairly low level is a good function.
If you want to talk about facts don't link to a geocities website. Any website on geocities is untrustworthy as to how reliable the information is in my opinion. I'm sure that isn't the only website that has the information, so it's ridiculous to link to something as unauthoritive as that.
The subtle point that I'm getting from Peter Torr is that, you can trust Internet Explorer more because it is already installed on your computer. If you buy a new computer, it should already have IE on it and you can avoid the "scary" problems he lays out.
He knows that Firefox isn't going to be installed by default on new computers anytime soon, and you have to download it for all your older computers. So the 'trusting where your download from' issue will be there up to the point when they release their next browser in Longhorn of 2006 (well, maybe 2006).
So, this will be an issue that they will attempt to exploit in the meantime, as they try to catch up in the other areas that they lag. They have so few other advantages to go on, this will probably be one of their primary ones. The only other advantage they appear to declare, is that they can run the ActiveX packages out there. It seems to be a well thought out piece of FUD.
I personally don't think it would work. Especially when the community finds a way to elegantly tackle most of the issues that he laid out.
--
Brandon Petersen
Get Firefox!
The right way... My product is great, it can do this, and this, and it's secure and you'll love it and....
The wrong way... Their products bad, use mine instead, oh and did I tell you how bad their product was, you must be a fool if you use it... did I say fool, I mean genius for switching to my product.
People generally don't trust someone if all they have to say is how bad the other person is.
thank God the internet isn't a human right.
"Of course, the obvious question is 'Do I trust Firefox less than IE?'"
No, asking your self this question is just down right stupid. This is the same as saying I do not trust something, but accept that level of trust because one of your other options is less trustful.
If you can't trust something DONT trust it. Im fucking suck of this American style of thinking our goverment and the media has us stuck on, the fact that if you have only shitty choices (presidents, tv, music, etc) then you should only choose from the shitty choices.
In fact the best choice in most cases is to not choose at all.
TruePunk | Games
I have posted on numerous ocassions my less than glowing feelings about Firefox. I run IE (well, to be fair, Maxthon) and am very happy doing so, haven't had problems in I don't know how long, and just in general I'm not especially thrilled with Firefox.
But this blog entry is beyond ridiculous.
First, I have installed Firefox on a number of ocassions, recently and beta builds in the past. I have done so on a couple of different versions of Windows, a few Linux versions some of which were running under VMWare. I have NEVER had ANY problem installing it. Certainly I've never seen a blank dialog like this guy claims to have.
He raises some interesting concerns about the download locations I think, legitimate concerns, but beyond that it's a bunch of obvious FUD drivel. The security warning dialogs he mentions, while legitimate issues for novice users, are a result of the way IE handles potentially unsafe content, NOT the fault of Firefox. I would bet most people downloading a new browser can probably handle these dialogs without too much trouble, and again, they are from IE, not Firerox. He's right, signing the Firefox download wouldn't be a bad idea, but it's hardly the big deal he seems to think it is.
Look, I think there are legitimate gripes about Firefox (just like there are about IE by the way)... I don't think either side needs to be making stuff up. I find myself sometimes defending MS against what I see as unfair assessments by the OSS community, but seeing posts like this blog entry makes me feel like an ass for doing so. BOTH sides need to be mature and compete fairly, may the best product win. It's annoying when crap like this sneaks through.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
"If a bad guy can persuade you to run his program on your computer, it's not your computer any more." Your point about that is valid. What I find more amusing is that it only holds true for operating systems that a) don't distinguish between normal users and administrators and b) don't have real filesystem permissions. If bad guy X persuades me to run his program on one of my Linux boxen, it's not going to be able to do much other than trash my /home without me giving it root permission, which hopefully I won't be stupid enough to do.
Whereas in Windows, the default user IS the superuser. Bad guy X can then hit any number of holes related to ActiveX and whatnot in IE to put his program on the computer and do whatever he wants.
So I guess TFA's assumption holds true as long as you're running an MS-built operating system instead of a UNIX.
Sorry, my karma just ran over your dogma.
After all it is running on the most vernable OS on
the market today.
That is not entirely truthful. You can also download the source from ftp.mozilla.org directly if you are paranoid, and build the release yourself. Most, if not all mirrors also carry the source code, so you can also validate the source on the outlying site against the original if there is any question in your mind.
So it does not 'require' an unsigned binary at all. In fact as the author of the blog admits, having a signed binary does not prove that the code contained in the archive is free of malicious code at all.
The issue of redirecting the download to another site - a University for example - is represented as less safe than downloading from a verisign registered site. This is hogwash, and avoids the critical argument that Microsoft wishes you to ignore: with a CVS snapshot of the source code I don't have to depend upon pre-compiled binaries and verisign to do my thinking for me. I can run the following command:
diff mysource.c questionablesource.c
- and know immediately if something has been tainted or not. If I must have a binary, I can always validate a checksum of the questionable binary against one provided by Mozilla. Sites that aren't on the up-and-up, or have poor security quickly lose credence in the community, and fall by the wayside.
Finally, most products of open source developers are PGP (Pretty Good Privacy) signed - which serves the same purpose as Verisign - without the attendant costs. A developer publishes a public key used to decrypt a signature encrypted using his private key. If you can not validate the signature - then it did not come from who it should have.
All arguments regarding security of OSS can be countered with the same argument on the closed source side - save one: OSS source code is free to peruse (and diff) as you desire - thus providing the trump card closed source shops can not duplicate or argue effectively against without some subterfuge. The fact is Microsoft wants you to be tied to costly closed security solutions, because then you will only be able to 'trust' a few (rich) closed source shops for your software needs - and small OSS projects will die from lack of patronage. Thankfully they are mistaken in their analysis of your willingness to accept their lies without question.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
What, like www.windowsupdate.com points to v4.windowsupdate.microsoft.com?
Firefox isn't perfect but please, bitch about one of it's few real problems and some bullshit ones. Someone please show Mr. Torr a clue-by-four please?
"And a voice was screaming: 'Holy Jesus! What are these goddamn animals?'" - HST
I don't like Microsoft, and I think Firefox is excellent, but this guy does have a point with the code signing.
y -services/code-signing/digital-ids-code-signing/in dex.html
Why isn't Firefox's code signed by VeriSign? It may seem frivolus but the average user wont MD5 it until hell freezes over.
http://www.verisign.com/products-services/securit
There, its $695 dollars for the premium version with a $50 000 gurantee. The Mozilla foundation can afford that. And it really would re-assure those non-tech users. It may not matter for us geeks, but it can only do good, so we might as well.
I'm a Student Ambassador to Microsoft, and promote VS.NET on campus. I think this guy is quite nieve (even if from Microsoft) or being deceptive. A few pointers:
1) At least when you post, do a similar comparison between both browsers. I want IE so when I search Google for download internet explorer, then the first link is "www.microsoft.com/ie/" which REDIRECTS me to http://www.microsoft.com/windows/ie/default.htm which again REDIRECTS me to http://www.microsoft.com/windows/ie/default.mspx
Can someone tell me if that is the same Internet Explorer? After all, Microsoft is a big company. I just wanted the regular IE.
2) Watch what you quote - when you wisely point out that Secunia has found (gulp!) 3 security advisories, did you know that only one was moderately critical and the rest were minor? Then, I noticed the advisories for Internet Explorer 6 (the most secure IE browser) - only 53 advisories from 2003-2004 (same timeframe), of which 42% (or around 24) were either highly or extremely critical! Oops, let's not compare using that website.
3) Then, there's the whole issue with downloading extensions - when I click on a link to download my XPI (no clue what it is, as naive user), it waits a few seconds (no surprises) and then asks me to install now or cancel. Oh, and horror of horrors, the Install Now is default! That's what I wanted anyway...and this isn't ActiveX that installs/runs immediately or whenever, but explicitly states that it starts on restart of Mozilla. So, I can even uninstall before reloading Mozilla if I have second thoughts! Hmm, sounds secure to me.
4) I've seen too many web sites that have Versign and a bunch of other BS images that give me no more trust than another site without them. So, I create a spoofed website with Verisign pictures and have no problem fooling users. But with a Firefox plugin, I'll know I'm on a spoofed website. Personally, word of mouth is the biggest way to increase trust, and that's why I recommend Firefox using word of mouth the most - I'll tie my name to Firefox because I use it and trust it. (Even carry it on my USB drive).
5) Why not fight for some real change and migrate AWAY from ActiveX controls and Microsoft-specific mangled HTML code (and even links) that I can't even run in Firefox? And build in some Firefox-like security rather than pretending the fire is under control!
This sig donated to Pater. Long live
Firefox has been the darling of internet news media lately, not just on the internet but on television and print too, and all for free. Even grandma - who with her one good eye uses the internet for her genealogy - knows Firefox by now.
SEO Copywriter. Just Say ON
Why can't they just whip themselves up a self signed root CA with openssl, call themselves the firefox signing authority, and use it to sign extensions that way?
However, the University site for getting student details requires IE to get into. So even though I installed the User Agent Switcher extension and taught them how to use it to fool the site into thinking they are IE - they forgot how to do that, and next time I was there there was a "Shortcut to IEXPLORE.EXE" icon on their desktop.
:)
They don't blame the people who wrote the site either. They blame the browser for not working with the site. Even if I explain that the people who wrote the site are locking others out for no reason (it's not like it uses ActiveX or anything, the site works perfectly in firefox).
Next time I go there, I will see an IE icon on the desktop again. *sigh*
Can I get rid of executeable permissions on IEXPLORE.EXE without horrific consequences?
-- The doctor said I wouldn't get so many nose bleeds if I just kept my finger out of there!
You've obviously never used slime on Emacs. Come to think of it, unless you feel like doing everything in basic or C++, Visual Studio pretty much sucks...
All's true that is mistrusted
Microsoft's efforts with digital signing are very noble and they make some very valid points about Firefox here. Why does Firefox suggest having signed plug-ins when they don't sign their own program?
[Being a Linux and Firefox supporter, I cannot understand that]
But the whole comcept of using digital certificates and digital signatures is way too complex for the average non-technical computer user - and the thought of understanding it well is probably too technical for many technical computer users. SSL has similar problems.
Microsoft goes to great lengths to educate the customer with fairly decent descriptions when things aren't signed, or with default options. But ultimately, the uneducated masses do something because someone else "educated them".
So if your friend told you "hey, go install Morpheus file sharing program because you can get stuff for free." You're going to go download it and all of it's spyware.
If your friend emails you a really neat screen saver with embedded virus, then calls you and says "Check out that hot-chick screen saver", you're going to ignore every Unsigned notice error you get to see it run.
The goals of Microsoft are Noble - and Firefox needs to follow it's own recommendations, but I don't believe digital signatures will ever be the solution to the problem.
The masses just want their computers to work. They don't want to have to understand the technical details about how they work. Average users running Microsoft Windows should not be required to make a decision, because no matter what - it's russian roulette.
So if signed programs are the only way to add security to Windows, then just make valid signatures required and go on from there.
You'll just end up with lots of people creating their own signing certificates and the users will have to get a pop-up saying "I don't know the Certificate Authority that signed the signer certificate." Yea, guess what... the average user has no idea what a CA is.
--Twivel
I hate to break it to you, but any site found on the internet is untrustworthy.
Don't blame me, I didn't vote for either of them!
Download the source, check the source for whatever your curious about and COMPILE IT YOURSELF. If your that untrusting, then you can be as paranoid as you want. Besides, last time I downloaded "trusted" IE software, I got some spyware....
The md5 is only as secure as the file, but the Certificate is only as secure as the Certificate Authority. Read other comments here, and you find that Verisign isn't that trustworthy.
Firefox is signed with Mozilla's PGP key, which is just as secure as a certificate. The difference is, you need a secure way to get the public key to you first, so it's not much more secure than MD5.
But, someone could just as easily have handed you a forged Windows install disk, or forged one with your computer, which had a public key for their own spoofed certificate authority, and thus undermine the whole thing.
The point is, you want to reduce the points of failure as much as possible. I think "Download one PGP key and hope it's good, then download anything from mozilla.org and know it's as good as that key" is better than trusting Verisign (and Gator and BonziBuddy).
Don't thank God, thank a doctor!
The general tone fo responses to this article is somewhat alarming. It mostly consists of "how dare they criticize us?".
Let's make no mistake: IE is a mess and does a lot of things wrong. Firefox makes a fairly good attempt at avoiding IE's errors. However that doesn't mean that it can't be making other mistakes.
The original article is by a MS employee, and there is no doubt that he has his own agenda. Notwithstanding that, he's made some valid criticisms and to ignore them would be downright stupid.
I guess that the use of mirrors is unavoidable. Given the demand for Firefox, it could not be hosted in a single place. However it does create a possible security problem. How does a (possibly non-technical) user know that a mirror is safe? This is particularly troublesome if the mirror has only a numeric address (like 207.126.111.202).
If any mirror is untrustworthy, they could easily produce a hacked version of Firefox and distribute it widely.
There are many possible approaches to this problem, but it is certainly worth some research. Users need to know that they are getting a safe version of the software.
The dodgy dialogs sound like bugs. Rather than getting offended, it would be better to contact the author and try to repro the bugs. Maybe the bugs are in IE or in Virtual PC, but they might be in Firefox. It would be foolish to say that Firefox has no bugs.
One of the biggest criticisms of MS is their arrogant (lack of) response to user feedback.
Let's not be like them.
Frankly i dont need verisign (that company that tried to redirect all non existent web domains to its own site) to tell me whats good or not. Verisign is equally as much of a problem.
Firefox is going to need more than one add in a regional paper to get the word out. When they come out with a U2 version complete with nauseating add campaign I'll agree you have a point.
What? You mean all those horny housewives really aren't glad to see me?
*sniff* I'm going to die alone and unloved. (Oh, wait, I'm a Slashdot poster. That was already a given...)
Kierthos
Mr. Hu is not a ninja.
if as you assert hes using a fresh image (how you can know that is beyond me), AND assuming ff doenst use this 7-ziphttp://www.7-zip.org/ thing at all (which it appears to be a stand alone program )
then clearly the problem lies with this 3rd party app. And if you claim you got the same error you used it also. Having a 3rd party app on the system when doing alleged "sensitive security matters" seems to be contraindicated. Besides IIRC XP (which hes using) has the ability to unzip built in.
I call shenanigans on you
Actually as someone who recently moved from a use what ever editor you like as long as Ant still ran. To a VS environment I would have to disagree. Eclipse is a great dev env, it has things like knowing that if you change a method signature where you are going to screwed over, if you change an member var name it will ask about updating all of your getters and setters and where they are called, it has some level of built in versioning that understood method changes apart from your just plain edits that also allowed for undo beyond control Z couple that with real CVS integration and you have a kick ass system. VS doesn't even integrate with Source Safe well.
1) go to Tools -> Extentions
2) Click the extention you want to get rid of
3) Click uninstall
Lets compare that to uninstalling programs in windows shall we?
1) Go to Control Panel -> Add/Remove Programs
2) Click the program you want to get rid of
3) Click uninstall
Now, if he wants to pretend that theres no obvious way in firefox to remove extentions, and thus is bad - he should concede that windows has no obvious way to uninstall programs - and is thus bad.
They ask themselves who you can trust Firefox when they haven't answered: How can I trust ActiveX?
In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download.
An ActiveX control with no signature can also be harmless and useful. Most are actually unsigned and most aren't spyware-related. And I'm sure companies like Gator, or whatever they're called today, have already made the money to be able to sign their ActiveX controls. I can't see how these are related to security at all. It's more related to money than anything else.
How are you supposed to tell which are harmful or not until after they're installed? Wouldn't it be best to make them able to do less? You don't *have* to use ActiveX for stuff like Windows Update hardware identification. Why not replace it with a standalone installer app?
Beware: In C++, your friends can see your privates!
No, it's okay. The geocities page was digitally signed.
End User License Agreement
i. By reading this text, you agree to mod it as insightful due to its illustration of the problems with the argument against unsigned media.
ii. By reading this text, you further agree that it is relatively entertaining material, given the number of hours the posting individual has been online without rest, before contriving the post.
1. Off an official website, hashed, with checksums to make sure you're safe.
2. No, it's not.
3. Yes, there is. There are several internet standards, including MD5 hashing. Question -- why doesn't Firefox show the MD5 has automatically for any files it finishes downloading (in the download box?) Perhaps some good can come from this troll for hire.
4. Just because he didn't look doesn't mean there isn't a way.
5. As opposed to all the multitude of ways IE spyware can bypass user intervention alltogether? Right.
I wish I could get paid to troll the intarweb. Maybe Somethingawful's hiring.
Why isn't firefox a signed application? Well first there is the technical point: You can buy a verisign certificate, but it only tells You are the mozilla corporation. It does not tell you that all the source in firefox is OK. It is nothing more than a fancy MD5 hash. And i wonder if a signed executable is portable to other OS'es?
But then who is going to apply the ditital signature, is there still someone who understands ALL of foxfire's code? No jsut as there is noone who understands all of i.e. code.
Do you trust mozilla foundation more than MS? As ptorr explains there is no reason to. So what is this signature worth in the end?
But he does have SOME valid points.
People in glass houses should not throw stones - perhaps they should ask the question how to repair the loss in trust people have in IE before casting uncertainty about other browsers.
Here one very good reason why we can "trust" firefox over IE
We have the source code - and as such it gives confidence that the firefox team have no evil to hide - and that any software bugs can be repaired by anyone who cares.
Electronic Music Made Using Linux http://soundcloud.com/polyp
Verisign is equally as much of a problem.
/. that spyware is tremendously easy to defeat. Keep that in mind when the next "intelligent linux guy" comes out and says he had to reinstall Windows over spyware. Then think about it, all the guy had to do was hit Google for a few minutes and his problems would have been solved. But no, he approaches it like a moron since he just because he wants to use a product he refuses to learn. But hates the product, yet appears to be hooked on using it.
So? Just because a school may be flawed, that is no excuse not to get a degree.
If FF wants to be a real player, it has to play by the established rules many organizations follow.
I know of quite a few firms, financial institutions, and state government offices which do not allow employees to use anything other than IE; much of the reasoning coencides with what this article is saying. They all use intrusion prevention services and just have the helpdesk clean up the occasional mess caused by a sneaky spyware install or virus infested laptop trying to vpn in. This, in conjunction with AV protection (which you need regardless of IE), make for a feasable solution to these guys. They aren't getting hacked into, the employees don't worry about their workstations and the companies go make money like they should be focused on doing.
Even the lowliest of helpdesk personnel had best know how to remove any spyware which exists. I know this is mostly a Linux board, but some of us started with Linux and had to learn Windows so we would understand the IT world better so we could move above the limitations imposed by a "wINDOWS THE SUCK. LOONIX RULEZ!!!" mentality. Back to the topic at hand: There are only a few places in the Windows registry where Spyware and other malware can load upon boot and from the browser. It takes about a minute to flip through them all, disable the ones which don't have anything "extra", remove the associated files, reboot.
I know, I'll get modded a troll even though I just made clear a rare point on
Fix those registry entries here: HiJackThis (that is, if you work with Windows and are too lazy to RTFM)
Yeah... you're right.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
Here is some of his reply to the comments
The originating web site could post an XML file containing a checksum and a list of mirror sites. The FireFox download manager would take care of choosing a mirror (or asking the user to choose one), downloading the file, and checking the file against the checksum. If the checksum doesn't match, the download gets a big red X through it and the user gets a very serious warning if they try to open the file.
I'm sure someone will point out that BitTorrrent already handles many of these problems, and does it much more efficiently and powerfully. And I agree that it would be great to have a BitTorrent extension for FireFox. But the fact is that MD5 checksums and mirror sites are the de-facto standard for open source software distribution right now, because they're so easy to implement. Why not clean up this system a bit so that average users can benefit from it?
--Stuart
What if, instead of having the author sign it, all plugins are signed by one or more reviewers? Then you can choose to only use plug-ins who have been vetted by someone you trust.
You'd still have the "know your dealer" problem, but it would be better.
This is not a political statement. This is not legal advice. It's a frick'n Slasdot post. However: I'm Running For
If you're a native Israeli who just can't speak English, I apologize, but all evidence from your post shows you can, in fact, speak English.
Ah. I see by the expression on your face that you are confused by my statement. Perhaps you doubt its veracity, but let me assure you, I speak not a word of English.
I sure hope those 10 million people who have downloaded Firefox so far haven't all download backdoors into their system...
I've already got IE, why would another backdoor be any big deal?
I find Microsoft's dependence on digital certificates hilarious, given that Verisign issued a couple of valid certificates for Microsoft to a hacker a couple of years ago. Makes you kind of wonder about the whole system and value of the verification procss they follow.
you can use checksums to verify you binary when you download it. by the way my distro packages it and all my packages are signed on my Linux os. can we say the same for windows? this article is nothing but twisted fud.
I am struck by the audacity of Torr to suggest that you can trust Microsoft install packages but not Mozilla's simply because of signing.
Signing just indicates that the source validates what is packaged. Simply, signed Microsoft install packages come from Microsoft. However this does not indicate anything about the quality of the package. This is the heart of MS's problems since it was never a question of the package source but the quality of content. They've burned so many not by fake IE packaging but by the fact IE is "junk" in the first place. Anything beyond this (all of the malware, hacks, and bugs) is just a side effect of design and code in IE not of the fact IE is a hacked install.
There are legit complaints about the Moz distribution and install proceedure. I would like to see a "self validating" install to insure the package is legit however alone signing isn't the solution. Signing is only useful for indicating the install package has not been tampered. It never indicates whether or not the software installed works. No amount of code signing from MS will fix IE's damaged reputation for misbehaving.
ps. I'm loathe to think Mozilla needs to fork out money to anyone to prove anything. They should be seeking free (beer and freedom) ways of package authentication.
I trust MD5 Checksums more then I do a page that says it's signed by Microsoft, Verisign, or whoever. How many of us have to isntall drivers on Windows XP that pop up and say they are not certified by Microsoft? Utter crap. Code signing works the same was as trusting the website you download the code from. If you don't trust DePaul's website, then that's fine. If your really antsy about making sure what you run is absolutely the code being distrbuted by Mozilla.org, you have to know the MD5 Checksum that Mozilla got when it ran MD5. This also assume you put trust into the MD5 sumer you use. Trust is not something that can be readily handled by software. You can use tools to verify things, but if the tool is faulty and gives you the answer you expect, then it's possible you can still run code that is hostile. Even if you say but it has a Verisign certificate means nothing too because even the criminals can buy certificates or even steal valid ones. The only way you can be certain is if you download only from a web site you trust, or put your trust in the Mozilla project that they only have mirrors that they trust or that they verify are ok. Any of these situations or tools like MD5 sumers are not liekly to even be known by the semi computer illiterate. They also would not know or care about signed software either. They do what they do in real life....they trust IBM and other big companioes including Microsoft although Microsoft is gradually loosing their trust if they have not completely lost any trust they had. My brother has even switched to Firefox but not because of the security features.....he switched because of tabbed browsing and faster web page rendering.
Gorkman
Wasn't Versign the registrar that gave out a Microsoft certificate to someone who wasn't Microsoft?
Wasn't Verisign the one that sent domain renewal notices to other companies customers?
Screw Verisign; use someone like cacert.org.
I think the author of the article has some valid points. What could it hurt to start code-signing (at least) the Windows releases of FireFox? The author also has a good point that for the simple cost of a code-signing cert, you could potentially gain the trust of a whole new base of users.....is that bad? I don't think so.
The fact of the matter is that users have been trained (albeit by Microsoft) to be paranoid when they get messages such as those listed by the author. The whole idea behind FireFox is to do things the 'right way'......well, in the mind of the users, code-signing is probably the right way. Also, it wouldn't be terribly difficult to figure out what the top 25-50 FireFox extensions are. Once you've got that figured out, the huge FF developer base could do a code review on them, and sign them using the FireFox code-signing cert. One of the great things about open-source is the ability to see the source and tap into the vast development resources that exist in average 'Joes' such as myself.....why not use that?
Think of your folks in this situation. I know my parents (who are absolutely *not* technically savvy) would be more inclined to trust something that didn't warn them about potentially insecure code. REGARDLESS of the fact that it was IE that gave them the message.....they still got it....which is the point.
--Ben...once and for all, digital signatures do NOTHING. Once a user wants to install something, they will click 'yes' to whatever it takes. We all get a million warnings a day that we click 'yes' to with no ill effects, so what's one more? Call it "the boy who cried wolf" syndrome.
We wouldn't *need* all these warnings in the first place if MS hadn't allowed two extremely popular programs (IE and OE) to run executables with no user intervention. If they would have stuck with the ORIGINAL design--"Code canNOT run until you tell it to"--we'd all be better off. Run all the JS on a web page you want, but NO ONE can run code that affects the LOCAL MACHINE until told to. But no, stupid fucking MS, who didn't even *know* netowrks existed until Win 3.11, jumps into the game with the assumption that "Hey, you're on a network? Well then, you're probably at work, so the network's probably safe." Maybe we can fix the problem by putting up signs on the Redmond campus: "Strangers have the best candy!" and see if that thins the herd some.
How many old-timers here remember telling their new-to-the-net friends "You can *read* any email you want and NOTHING BAD CAN HAPPEN, but always be sure before clicking an attachment!"? And then we had to go and revise that statement.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Microsoft actually acknowledges that an Open Source competitor exists! Film at Eleven.
I've noticed a pattern of behavior from MS marketing: they don't seem to want to acknowledge linux, firefox, et. al. as actual products - and so a wry smile crept onto my face when I saw the image referencing the Mozilla Foundation as "Unknown Publisher."
This entry is probably an attempt at "payback" for all those "My Windows Installation Nightmare" anecdotes populating the 'web. However, his story seems just a *bit* contrived. I've installed firefox on multiple PCs and multiple windows versions and experienced 0% of the problems he's describing. Huh?
He reviews the FF browser security and all he can talk about is binary signing?
Is that all they have?
This makes about as much sense as a Word review that criticizes scroll bar dimensions.
Virtually irrelevant to the subject. It's great to hear MS whine about well executed free software, they truly have no ammunition against it.
VeriSign, Inc, discovered through its routine fraud screening procedures that on 29 and 30 January 2001, it issued two digital certificates to an individual who fraudulently claimed to be a representative of Microsoft Corporation.
Problems like that, and the fact that IE prompts you to accept certificates even for ActiveX controls that do not do anything potentially unsafe which just conditions people to click "Yes" without thinking, make code-signing a dangerous placebo rather than a real solution. Quite a few spyware authors have legitimate Verisign issued certificates BTW.
--"In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download."
Ok, that's Grade A B.S. Right there.
First of all, isn't www.cnn.com a trusted site? If so, why does IE allow Spyware "Avenue A" download on my system.
Second, Verisign cost more money than what's it worth. Hey, if I had $300+ to spend every year so that Micro$haft can grant me it's blessing, that doesn't make my tabloid of a site anymore trustworthy.
Third, You don't know where mirror.sg.depaul.edu is? Give me a break. www.microsoft.com goes to a cluster of machines all across the US. Maybe I'll get lucky playing Russian rolutte one day with a disgruntled MS employee that decides to send an... opps torjan from one of it's sites. Spectulation is a two-edged sword.
Fourth, MS has a 10+ year track record with its greed, its defiance, its manipulation and persussain, and most of all, it deception. Now, knowing this let's apply that Law#1 to the Ten Immutable Laws of Security "If a bad guy can persuade you to run his program on your computer, it's not your computer any more." Seems like I hear this one directed to MS users... a lot.
-my four cents worth.
For reasons many others have pointed out, verifying the Firefox download is worthwhile. It allows you to make sure that the contents of your download are the same as that intended by someone at the Mozilla project, rather than an accidentally corrupted copy, or a maliciously changed copy.
A few people have pointed out that there is a way to verify the Firefox download via GPG/PGP. How usable is this method, though?
I am mainly familiar with GPG/PGP from apache.org and all the developer tools I download from there. Take ant.apache.org, for instance. Their "Binary Distributions" link goes to a page that begins with a suggestion to verify the download, a link to instructions on how to verify, and a link to the main distribution directory where the keys and signatures are available.
So let's say I download Firefox and expect the same kind of experience. www.getfirefox.com takes me directly to http://www.mozilla.org/products/firefox/ where I am given a big "Free Download" link.
Clicking the link immediately gives me firefox-1.0.installer.tar.gz from a mirror site, and my current Firefox browser prompts me to save it. So the download link doesn't point to anywhere with keys or signatures. The page text itself doesn't mention keys or signatures.
Well, there is an "Other systems and languages" link, so perhaps that has a more detailed download page where the keys and signatures are. The link takes me to http://www.mozilla.org/products/firefox/all.html, where I am given a table of "Download" links for different languages and platforms. Clicking any of the "Download" links again immediately gives me the installer file for download rather than directing to a page that might have keys or signatures. And the whole download page has no text about keys or signatures either.
The Firefox download experience seems to totally ignore GPG/PGP. I understand that the necessary info is accessible somewhere on the mozilla.org site, but the point is that the site doesn't relate the tasks of downloading the app and verifying it at all.
Though you can argue that
A) software publishers and users shouldn't buy into the whole commerical Verisign digital certificate thing and should instead use GPG/PGP verification, and/or
B) automatic PGP/GPG verification by the program doing the download isn't necessary, or feasible to apply to every download program,
I don't think you can argue that mozilla.org is effective at supporting PGP/GPG verification of the software it publishes.
So why not:
1. Have the mozilla.org site make the PGP/GPG verification of Firefox and other products as visible and clear as the product downloads themselves? They've done an excellent job with the download process, why not bring the verification process up to the same level?
2. Work on a Firefox download feature that automatically attempts to PGP/GPG verify the download when a signature is available on the server? No matter how the Cancel/OK/Accept/Install/Ignore options are laid out or defaulted, the user would at least get worthwhile info. The browser would say that either "Hey! You have one of mozilla.org's keys and your download checks out according to them!" or "This download is signed by mozilla.org's keys, but you don't have any of them, maybe you should ask somebody for mozilla.org's keys and add them so you can check downloads!" or "This download isn't signed at all, maybe you should ask the publisher to get keys and sign it so you can check his downloads!" or "This download is signed by one of the mozilla.org keys you have, but it doesn't check out according to them, maybe you should check what site you are downloading from!"