Slashdot Mirror
How Can I Trust Firefox?
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust.
Hello? Microsoft? 99% of the stuff on the Internet is unsigned. Downloading software from DePaul University's FireFox mirror doesn't scare me.
What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".
And even if I press no, I *still* get spyware. Why? IE Sucks.
After I finally got rid of my beloved CoolSearchWeb installations, I installed FireFox for good. I've been spyware free ever since, and I download a lot of unsigned data. No IE, no spyware.
Microsoft is never going to get it.
it's against the rules when Microsoft starts flaming back!
Theory of flight?! I'll teach you the theory of fist!!
A better question is, how can we trust anything from Microsoft. Without the source code, who knows what their software is doing behind the scenes.
Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate.
Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NTY article (I couldnt find the exact figure though).
So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.
Tools > Extensions > Choose extension and UNINSTALL. And I don't know anyone who ever stopped installing something they downloaded because it wasn't signed. Perhaps if 99% of Windows users weren't running as admin, this wouldn't be a problem?
I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.
Heh, I know someone who happens to work for a spyware company. The company has a Verisign cert and signs their software with it. Gee, that was hard!
Seen any of these errors? I've installed Firefox on several pc's with no problems at all.
I also noticed this comment:
"and not caring if my Virtual PC image dies a horrible death"
(emphathis added)
Could this person be having a virtual pc problem?
Some spywares are also signed with Verisign... Gator, Bonzibuddy, etc.
What's the point?
I dont know anyone that trusts verisign. You'd think a security company would practice legitimate business, who would have guessed?
Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.
These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
Of course, with IE's spoofing vulnerabilties, you may not really be at firefox.org.
Unknown host pong.
From "How can I trust Firefox article" Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. So lets do a dig on download.microsoft.com... download.microsoft.com. 3600 IN CNAME download.microsoft.com.nsatc.net. download.microsoft.com.nsatc.net. 300 IN CNAME download.microsoft.com.c.footprint.net. download.microsoft.com.c.footprint.net. 230 IN A 63.210.62.190 download.microsoft.com.c.footprint.net. 230 IN A 166.90.248.221 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.30 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.187 download.microsoft.com.c.footprint.net. 230 IN A 206.24.192.252 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.221 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.222 download.microsoft.com.c.footprint.net. 230 IN A 208.172.128.251 download.microsoft.com.c.footprint.net. 230 IN A 4.78.214.61 download.microsoft.com.c.footprint.net. 230 IN A 4.79.74.61 So I went to download.microsoft.com and I ended up at download.microsoft.com.c.footprint.net. I don't have any idea where that place is, and it sure makes me nervous.
From the article:
...
...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
Installing Firefox requires downloading an unsigned binary from a random web server
Installing unsigned extensions is the default action in the Extensions dialog
There is no way to check the signature on downloaded program files
There is no obvious way to turn off plug-ins once they are installed
There is an easy way to bypass the "This might be a virus" dialog
Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefor, a sucessful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?
(Please pardon the elementary school essay feel of this)
In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.
In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosiac, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.
In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.
In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.
Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.
Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st
Do not look into laser with remaining eye.
Apparently just joined MS's crack security team last Thursday... needless to say, he's a real expert!
there's no place like ~
I've studied computer security at the graduate level, so I have some background in this stuff.
;-)
When you have a certificate, only YOU can sign software with YOUR certficiate, and once someone changes the data, the certificate becomes "corrupt" (heavily simplified). So, if you receive a program which is signed by the Mozilla foundation, either a) it was truly signed by the Mozilla foundation and is the same data that the Mozilla foundation intended to release, or b) Someone bought a certificate and claimed to be the Mozilla foundation. There are security measures in place to prevent case b from happening, so signed data can be assumed to be the actual data intended to be distributed by the signing party. (So now the problem becomes, do you trust the Mozilla foundation to release non-malicious code?)
On the other hand, an MD5 sum is usually a file stored somewhere which is a hash of the file. However, an MD5 sum is no more secure than the original file -- if someone maliciously altered the original data, they could just also alter the MD5 sum that goes along with it so that it matches. Basically, if you already don't 100% trust the data you are getting, you probably shouldn't trust the MD5 sum you are getting either. MD5 sums are useful for checking for transmission errors, but not so much for security. Of course, if the MD5 sum and data are stored on two different physical computers, the chances of this attack happening can be reduced.
So, certificates guarantee that the data is what the signer wanted you to get (which could be intentionally malicious!), and MD5 sums guarantee that what you downloaded is what's stored on the server (which could have been replaced with something malicious!).
The moral of the story is, when you study computer security too much, you become really paranoid about everything
Name: GAIN
Publisher: Claria Corporation
The publisher was verified so you should install and run this software.
I fail to see how signatures fix anything that is wrong with Internet Explorer. Automated downloads via ActiveX are going to be a problem if they are signed or not. What a moron this guy is (and I'm normally a MS softie). He should be fired if he works for MS as he is exactly the type of thinker that got us into this problem.
More
(Beaten? No. Firefox is a success, so far. And... Microsoft is the arch-enemy of many on slashdot.org because they aren't as programmer-friendly or techie-friendly as other vendors, and they happen to be a colossal, market-dominating company, which makes their lack of programmer-friendliness more aggravating (if they were just a niche company, it wouldn't be nearly so bad, because they wouldn't be a constant irritation, just an occasional one).
.mozilla.org in the name (for example sg-depaul.mirror-firefox.mozilla.org).
.md5.sig for the millions of files on FTP servers that have md5 signatures available.
They have had a sketchy track record with security, but, until recently, they haven't really cared, so you can't blame them for just now trying to come up to speed. Besides, software is complex. Linux has bugs. IE has bugs. Firefox has bugs. Windows has bugs. The better developer is the one who can patch their bugs more quickly without breaking other things in the process (sometimes Microsoft is first to the punch, but they don't seem to always test their patches thoroughly).
They also are a damn good business. Many computer hobbyists really dislike the idea of large businesses being heavyweight players in their field of interest, because it means a stupendously-increased prevalence of things like patents, trade secrets, proprietary interfaces, non-disclosure agreements, and licensing fees.)
There are a few points I have to raise with this:
Mirrors are a *good* thing. The only thing that should possibly be changed is that links to mirrors should all have
I've never seen firefox spit out dialog boxes like that before. I don't know what this guy did (what variant of Windows is he running on this Virtual PC, exactly?), but, I've installed many versions of Mozilla and Firefox to many different operating systems and can't recall seeing any bizarre things like that since the beta / pre-1.0 days.
Signed software is a good idea, but, MD5 hashes aren't a bad alternative for people who aren't willing to shell out cash. Since he proclaims that IE is very good about checking the identity of files it opens, perhaps IE should include a plugin to check a file against its
"Install Now" shouldn't be the default, I agree (except perhaps if it comes from a known trusted domain).
He implies that there shouldn't be a "Do not ask me this again" option for "Are you sure you want to run this random downloaded executable?" I think this is perhaps a useful feature (what about trusted corporate environments where Firefox only accesses internal sites?) for saving a few seconds, although maybe putting the option in a config file somewhere would be wiser.
Flash is also _not_ an extension---it's a plugin. Perhaps Firefox does need a plugin manager; he raises a good point with that.
He also doesn't seem to understand the concept of extensions. Firefox is an attempt to just focus on streamlining the main part of webbrowsing, and leave it up to side projects and third-party developers to add little features via extensions; it's more of a community thing than an all-from-one-vendor thing, so of course a lot of good extensions come from other vendors. If he doesn't trust a certain vendor, he should test an extension under a different user who has no access to anything important, use a personal firewall that handles both incoming AND outgoing connections, and/or use an operating system that can lock a program into just a subtree of the filesystem (I don't know if NT or 2K can do this, but UNIX can chroot, and VMS can do even more specific things than this).
I also like this: "If a bad guy can persuade you to run his program on your computer, it's not your computer any more." IE comes packaged with Windows. It's hard to remove from it. Things stop working if you try to remove IE from windows. I don't trust the writers of IE. So, based on what he says, my computer is only mine if it's not running Windows---sounds good to me!!
I have posted on numerous ocassions my less than glowing feelings about Firefox. I run IE (well, to be fair, Maxthon) and am very happy doing so, haven't had problems in I don't know how long, and just in general I'm not especially thrilled with Firefox.
But this blog entry is beyond ridiculous.
First, I have installed Firefox on a number of ocassions, recently and beta builds in the past. I have done so on a couple of different versions of Windows, a few Linux versions some of which were running under VMWare. I have NEVER had ANY problem installing it. Certainly I've never seen a blank dialog like this guy claims to have.
He raises some interesting concerns about the download locations I think, legitimate concerns, but beyond that it's a bunch of obvious FUD drivel. The security warning dialogs he mentions, while legitimate issues for novice users, are a result of the way IE handles potentially unsafe content, NOT the fault of Firefox. I would bet most people downloading a new browser can probably handle these dialogs without too much trouble, and again, they are from IE, not Firerox. He's right, signing the Firefox download wouldn't be a bad idea, but it's hardly the big deal he seems to think it is.
Look, I think there are legitimate gripes about Firefox (just like there are about IE by the way)... I don't think either side needs to be making stuff up. I find myself sometimes defending MS against what I see as unfair assessments by the OSS community, but seeing posts like this blog entry makes me feel like an ass for doing so. BOTH sides need to be mature and compete fairly, may the best product win. It's annoying when crap like this sneaks through.
If a pion (n-) collides with a proton in the woods & noone is there to hear it, does lamdba decay into the source pa
Doesn't matter. Fact is, if even 0.1% of the downloaders check, any compromised original will be detected in just a matter of minutes - hours at the worst. Mother at home will grab it... then the media the next day will loudly announce the problem, the antivirus companies will tear the binary apart and release updated signatures in a few days, and her virus scanner will tell her about the problem in about a week. This does assume she runs a virus scanner... but if she doesn't, she's probably compromised already.
What the Slashdot crowd seems to be missing is that we don't need everyone to follow the MD5 signature. We just need an informed and vocal minority - e.g. Slashdotters - to detect the problem and pick up the pieces afterwards.
A witty [sig] proves nothing. --Voltaire
I don't like Microsoft, and I think Firefox is excellent, but this guy does have a point with the code signing.
y -services/code-signing/digital-ids-code-signing/in dex.html
Why isn't Firefox's code signed by VeriSign? It may seem frivolus but the average user wont MD5 it until hell freezes over.
http://www.verisign.com/products-services/securit
There, its $695 dollars for the premium version with a $50 000 gurantee. The Mozilla foundation can afford that. And it really would re-assure those non-tech users. It may not matter for us geeks, but it can only do good, so we might as well.
I'm a Student Ambassador to Microsoft, and promote VS.NET on campus. I think this guy is quite nieve (even if from Microsoft) or being deceptive. A few pointers:
1) At least when you post, do a similar comparison between both browsers. I want IE so when I search Google for download internet explorer, then the first link is "www.microsoft.com/ie/" which REDIRECTS me to http://www.microsoft.com/windows/ie/default.htm which again REDIRECTS me to http://www.microsoft.com/windows/ie/default.mspx
Can someone tell me if that is the same Internet Explorer? After all, Microsoft is a big company. I just wanted the regular IE.
2) Watch what you quote - when you wisely point out that Secunia has found (gulp!) 3 security advisories, did you know that only one was moderately critical and the rest were minor? Then, I noticed the advisories for Internet Explorer 6 (the most secure IE browser) - only 53 advisories from 2003-2004 (same timeframe), of which 42% (or around 24) were either highly or extremely critical! Oops, let's not compare using that website.
3) Then, there's the whole issue with downloading extensions - when I click on a link to download my XPI (no clue what it is, as naive user), it waits a few seconds (no surprises) and then asks me to install now or cancel. Oh, and horror of horrors, the Install Now is default! That's what I wanted anyway...and this isn't ActiveX that installs/runs immediately or whenever, but explicitly states that it starts on restart of Mozilla. So, I can even uninstall before reloading Mozilla if I have second thoughts! Hmm, sounds secure to me.
4) I've seen too many web sites that have Versign and a bunch of other BS images that give me no more trust than another site without them. So, I create a spoofed website with Verisign pictures and have no problem fooling users. But with a Firefox plugin, I'll know I'm on a spoofed website. Personally, word of mouth is the biggest way to increase trust, and that's why I recommend Firefox using word of mouth the most - I'll tie my name to Firefox because I use it and trust it. (Even carry it on my USB drive).
5) Why not fight for some real change and migrate AWAY from ActiveX controls and Microsoft-specific mangled HTML code (and even links) that I can't even run in Firefox? And build in some Firefox-like security rather than pretending the fire is under control!
This sig donated to Pater. Long live
Frankly i dont need verisign (that company that tried to redirect all non existent web domains to its own site) to tell me whats good or not. Verisign is equally as much of a problem.