Forgot your password?
typodupeerror
Security Mozilla The Internet Microsoft Internet Explorer

How Can I Trust Firefox? 1464

Posted by timothy
from the how-could-anyone-trust-ie? dept.
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
This discussion has been archived. No new comments can be posted.

How Can I Trust Firefox?

Comments Filter:
  • Yeah, right. (Score:5, Insightful)

    by kngthdn (820601) * on Monday December 20, 2004 @10:12PM (#11143140) Homepage
    One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust.

    Hello? Microsoft? 99% of the stuff on the Internet is unsigned. Downloading software from DePaul University's FireFox mirror doesn't scare me.

    What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".

    And even if I press no, I *still* get spyware. Why? IE Sucks.

    After I finally got rid of my beloved CoolSearchWeb installations, I installed FireFox for good. I've been spyware free ever since, and I download a lot of unsigned data. No IE, no spyware.

    Microsoft is never going to get it.
    • Re:Yeah, right. (Score:5, Interesting)

      by Supertroll (210165) on Monday December 20, 2004 @10:31PM (#11143307) Homepage
      It now happens with Firefox too. One site I visited tried to force me to install an xpi extension complete with a "you must click yes" pop up box. Dismissing it still let me access the link however.

      However, when this happens with IE, you have to terminate the browser process to get out of the "you must click yes" mousetrap.
    • by noidentity (188756) on Monday December 20, 2004 @10:35PM (#11143352)
      What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".

      And even if I press no, I *still* get spyware. Why? IE Sucks.


      Hey, I have a solution! Firefox can present a dialog box on the first installation that asks, "Do you want to run with better security than Microsoft Internet Explorer?" with only one button labeled "Yes".
    • I agree ... (Score:5, Interesting)

      by wasted (94866) on Monday December 20, 2004 @10:38PM (#11143384)
      From the article:

      Installing Firefox requires downloading an unsigned binary from a random web server

      Installing unsigned extensions is the default action in the Extensions dialog

      There is no way to check the signature on downloaded program files

      There is no obvious way to turn off plug-ins once they are installed

      There is an easy way to bypass the "This might be a virus" dialog ...

      ...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.


      Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefor, a sucessful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?
      • by geoffspear (692508) on Monday December 20, 2004 @11:24PM (#11143778) Homepage
        Yes, you did miss something.

        He's claiming, in public, that his company's monopoly browser is presenting warnings that should cause users of that browser (the default on the monopoly operating system) to believe that installing Firefox (which is recommended, remember, by the Dept. of Homeland Security's CERT as being more secure) is inherently insecure and dangerous.

        That sounds like at least an antitrust violation, and probably fraud on top of it. Maybe a PATRIOT Act violation, as well.

      • Re:I agree ... (Score:5, Insightful)

        by Feztaa (633745) on Tuesday December 21, 2004 @01:21AM (#11144550) Homepage
        Installing Firefox requires downloading an unsigned binary from a random web server

        Huh? I got firefox on my distro's CDs. CDs which passed:

        * bittorrent's inherent hash checks
        * an md5sum comparison from the official distro's website
        * gpg signature on the ISOs

        as well as the subsequent updates to the browser that were downloaded from the distro's official yum server and had a valid GPG signature.

        What were you saying about unsigned, unverified, untrusted code?
      • Re:I agree ... (Score:5, Insightful)

        by TheSpoom (715771) * <slashdot&uberm00,net> on Tuesday December 21, 2004 @02:37AM (#11144869) Homepage Journal
        Just to state the obvious, I'll just give a rebuttal to some of these statements.

        Installing Firefox requires downloading an unsigned binary from a random web server

        It's a web server that mozilla.org directs you to. If you're downloading Firefox, you need to trust mozilla.org. Likewise, if you're downloading Internet Explorer, you need to trust microsoft.com.

        Installing unsigned extensions is the default action in the Extensions dialog

        There's also a two (three?) second timeout and this dialog only appears when either the site is whitelisted by default (only updates.mozilla.org is) or by the user, or if the user clicks the yellow bar at the top to specifically access this dialog.

        There is no way to check the signature on downloaded program files

        Boo hoo. Authenticode isn't that big of a deal when ActiveX isn't turned on in the first place, considering that that's where 95% of Authenticode is used.

        There is no obvious way to turn off plug-ins once they are installed

        This one is just uneducated. Tools -> Extensions. Wait... that's, um, more obvious than IE. Oh well, someone wasn't wearing their glasses.

        There is an easy way to bypass the "This might be a virus" dialog ...

        There is an easy way to do that on IE as well. It's called clicking Run. Seriously, you're going to quibble over IE having one more warning than Firefox? Go develop a decent browser first and call me when you do. ...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

        This statement is built upon previous assumptions that are false (such as Firefox being downloaded from a "random website", see above). Firefox is demonstrably more secure than IE and has far fewer vulnerabilities [secunia.com] than Internet Explorer [secunia.com].

        To the Microsoft employee who created the original article: Rather than trying to convince people that something they know is inferior that it is not, why don't you try to make it... not inferior? Innovation speaks louder than marketing. Surely you can do better than a bunch of geeks spread across the globe, right?
      • by leuk_he (194174) on Tuesday December 21, 2004 @05:01AM (#11145376) Homepage Journal
        Why isn't firefox a signed application? Well first there is the technical point: You can buy a verisign certificate, but it only tells You are the mozilla corporation. It does not tell you that all the source in firefox is OK. It is nothing more than a fancy MD5 hash. And i wonder if a signed executable is portable to other OS'es?

        But then who is going to apply the ditital signature, is there still someone who understands ALL of foxfire's code? No jsut as there is noone who understands all of i.e. code.

        Do you trust mozilla foundation more than MS? As ptorr explains there is no reason to. So what is this signature worth in the end?

        But he does have SOME valid points.
    • Re:Yeah, right. (Score:5, Insightful)

      by JudgeFurious (455868) on Monday December 20, 2004 @10:43PM (#11143434)
      Oh Microsoft gets it. They wouldn't be saying crap like this if they didn't get it. The question is when are the people still using IE going to get it.

      When are they going to learn that IE isn't "The Internet"? When are they going to replace a bad tool with a good one. Stupid blurbs like this one keep the doubt in uninformed peoples minds and keep IE on top of the pile. Microsoft gets it just fine.
      • Re:Yeah, right. (Score:5, Insightful)

        by bladesjester (774793) <{moc.daehsgnillohsemaj} {ta} {todhsals}> on Monday December 20, 2004 @11:09PM (#11143667) Homepage Journal
        When? Okay, here's the rundown of your average just-wants-to-look-at-the-interweb-and-get-email user (kind of like my grandma. This isn't a troll, it's a serious example)

        Well, it's called "Internet Explorer". It's got the keyword - internet. That's what they're looking for. How in the nine hells are they supposed to know what "Firefox" is (most of them do not read the times). Firefox is not an intuitive name. It gives the average person absolutely no idea what it does by just looking at what the name is.

        People *MIGHT* start using something other than IE when this stops being the case. Most people want something they can understand. They don't want to feel stupid by having no idea what to do or what tools to use in order to do it.

        Not to mention the fact that they all KNOW about Microsoft. They know the name. They know it's been around for quite a while. Therefore it must be good, right? (not my opinion, but it is the view of people that I have known)

        Just my opinion as a tech with "normal" relatives and clients.
        • by cratermoon (765155) on Monday December 20, 2004 @11:14PM (#11143705) Homepage
          Time for another name change. Just call it "teh intarwebs".
        • Re:Yeah, right. (Score:5, Insightful)

          by gwernol (167574) on Monday December 20, 2004 @11:38PM (#11143871)
          Well, it's called "Internet Explorer". It's got the keyword - internet. That's what they're looking for. How in the nine hells are they supposed to know what "Firefox" is (most of them do not read the times). Firefox is not an intuitive name. It gives the average person absolutely no idea what it does by just looking at what the name is.

          I'm not totally convinced by this argument. After all what does an "iPod" do? Does a "Ford Focus" give you a very sharp river crossing? What on earth has "Google" got to do with searching?

          There are ways other than naming to successfully reach a broad consumer market. Firefox isn't a bad name: its reasonably memorable and its very different from IE which is an advantage for building the brand.
        • Re:Yeah, right. (Score:5, Insightful)

          by Vaughn Anderson (581869) on Monday December 20, 2004 @11:38PM (#11143874)
          How in the nine hells are they supposed to know what "Firefox" is (most of them do not read the times). Firefox is not an intuitive name. It gives the average person absolutely no idea what it does by just looking at what the name is.

          Amazon
          yahoo
          msn
          google
          etc...

          None of these mean anything but they are all sucessful none the less. It's just a marketing issue.

          "HEY GRANDMA!!! Try the NEW and _improved_ internet! It's called Firefox, blazing hot internet!!" :P

          Besides whenever the 'internet' comes up in a conversation I point people to mozilla.org, not only for their sanity but also their security. They will do the same after they experience no popups and no spyware. Word of mouth will make this spread to the next generation. Maybe the grandma's won't use it but in ten years, that will be a whole new ballgame.

        • by DissidentHere (750394) on Tuesday December 21, 2004 @12:44AM (#11144317) Homepage Journal
          While you are 100% correct there is a simple work around. Often when I install Firefox or Mozilla for someone I rename the desktop shortcut "The Internet" or "The Web" (people who don't know what Firefox is tend to use shortcuts a lot).

          On top of that is some education on IE's faults, the scum of the net, and to note that the Firefox icon is much cooler than a dumb, swooshy "E"

          This approach has worked pretty well for me so far.

          In one extreme case I did rename the Firefox icon 'Internet Explorer' for an exceedingly uncooperative user. Once it was called 'Internet Explorer' she didn't care anymore. I'm sure some poor SOB in tech support has a hell of a time with her though.
    • by Xerp (768138) on Monday December 20, 2004 @11:16PM (#11143719) Journal
      Here. Let me start my own flamewar.

      "I wanted to download Microsoft's Internet Explorer, so using Firefox I popped across to Google and searched for:

      'Microsoft Internet Explorer'

      The 3rd link told me:

      Internet Explorer Home
      https://www.microsoft.com/windows/ie/default .htm

      Ok. I'll go there!

      Up pops the message:

      'Unable to verify www.microsoft.com as a trusted site'

      Ok. I'll examine this certificate. Lets see who it is signed by... ah. Microsoft. Fine. As I'm testing this off a Knoppix-style CD and USB memory stick I'll accept this self-signed certificate. Seems all a bit snakeoil to me.

      Once I do accept this this I immediately get redirected to another page - something ending with "mspx". Thats not where I clicked! I guess I have to trust it for now though and just carry on.

      Over on the left is a "downloads" link, so I go there. I'm presented with a downloads page, where I have to go to another page of languages. I don't see my native Israeli, so I opt for "English". I'm taken to another downloads page (yes, I'm getting board of downloads pages already too). From here I am told that I must go to the 'downloads centre'. Great. Another downloads page. Here I get to select my language again. Um. Still no Israeli, so I go for English again. But Wait! There - no kidding - are only versions for Microsoft Operating Systems!"

      I close my browser and grin.
      • by Kiryat Malachi (177258) on Tuesday December 21, 2004 @01:15AM (#11144508) Journal
        I don't see my native Israeli, so I opt for "English". I'm taken to another downloads page (yes, I'm getting board of downloads pages already too). From here I am told that I must go to the 'downloads centre'. Great. Another downloads page. Here I get to select my language again. Um. Still no Israeli, so I go for English again. But Wait! There - no kidding - are only versions for Microsoft Operating Systems!"

        If you were actually a native Israeli, you'd know the language is called Hebrew, or, in the actual language, ivrit (ayin-vet-resh-yud).

        (If you're a native Israeli who just can't speak English, I apologize, but all evidence from your post shows you can, in fact, speak English.)
    • by dsginter (104154) on Monday December 20, 2004 @11:18PM (#11143730)
      Name: GAIN
      Publisher: Claria Corporation

      The publisher was verified so you should install and run this software.


      I fail to see how signatures fix anything that is wrong with Internet Explorer. Automated downloads via ActiveX are going to be a problem if they are signed or not. What a moron this guy is (and I'm normally a MS softie). He should be fired if he works for MS as he is exactly the type of thinker that got us into this problem.

  • whoa wait! (Score:5, Funny)

    by Korgrath (714211) on Monday December 20, 2004 @10:13PM (#11143149) Homepage
    it's against the rules when Microsoft starts flaming back!
  • Security? (Score:3, Interesting)

    by Canadian_Daemon (642176) on Monday December 20, 2004 @10:13PM (#11143150)
    what about md5 sums? have the install do a checksum of itself?
  • IE? (Score:5, Insightful)

    by Anonymous Coward on Monday December 20, 2004 @10:13PM (#11143153)
    A better question is, how can we trust anything from Microsoft. Without the source code, who knows what their software is doing behind the scenes.
    • Random servers (Score:5, Interesting)

      by IO ERROR (128968) * <errorNO@SPAMioerror.us> on Monday December 20, 2004 @10:39PM (#11143390) Homepage Journal
      He's got a point though. I could volunteer my services as a random Firefox mirror and who's to know if I'm distributing doctored copies? And where's the digital signature? How can you trust that binary from 207.177.45.61?

      Now I know the usual answer is going to be "well you can download the source yourself!" or "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother. You see how they already clicked through IE's multiple warnings in order to get Firefox installed.

      I'll kick in $20 to Firefox if it goes toward a signing certificate.

      Before you mod this too far down, keep in mind I run Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041115 Superunicorn/1.0 (All your Firefox/1.0 are belong to Firesomething)

      • Re:Random servers (Score:4, Interesting)

        by lakeland (218447) <lakeland@acm.org> on Tuesday December 21, 2004 @12:26AM (#11144209) Homepage
        "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother.
        You're right, at least 9.3/10.1 wouldn't bother. But you can bet that some percentage, perhaps one in 1000, will. And those people will be really anal about it -- checking the .asc using a master key they get from gpg --recv-keys which is automatically verified through their web of trust.

        And when that file doesn't match, you can bet they'll scream bloddy murder.

        Contrast that to microsoft's setup. Every update is 'required' to pass an MD5 checksum, but what's the bet that the update is allowed to unpack itself first, and since it is running as administrator it will be allowed to overwrite the location of the system call for the checksum.

        The point I'm making is that Microsoft's security is easy and automatic, but little more than a facade. Firefox's use of GPG makes it unbreakable, but it is so hard to use very few users will bother. I know I would rather have solid security than a veil of semi-security, but I can understand the journalist missing the superficial security.

        Of course, Firefox could have integrated superficial security as well. And firefox could have made the true GPG security a little easier to test.
  • Why are blogs news? (Score:5, Interesting)

    by RobPiano (471698) * on Monday December 20, 2004 @10:13PM (#11143156)
    What surprised me most about this article, is that its a blog posting where the guy asks a simple question: Why has Firefox not purchased a VeriSign code signing certificate. Why did the poster not take the time to state this very simple sentence?

    Well, regardless of the empty implications, the blog posting is not really that exciting. It is really an attempt for this guy to validate his existence as a guy who thinks about security stuff. His job is to say signing software is the only way to really be safe and this is exactly the kind of thing that makes sense when you hear it in a business meeting.

    Great, I just want two things from both parties. From the poster: I want an uneditorialized explanation digest linking to a story and from the Microsoft security expert I want actually statistics and case studies on the importance of code signing.

  • by AndyFewt (694753) * on Monday December 20, 2004 @10:14PM (#11143159)
    Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate [verisign.com].

    Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NTY article (I couldnt find the exact figure though).

    So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.
    • by Anonymous Coward on Monday December 20, 2004 @10:17PM (#11143186)
      I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.
    • by freeze128 (544774) on Monday December 20, 2004 @10:25PM (#11143251)
      If mozilla buys a cert, then they are openly supporting the idea of PAYING VERISIGN FOR CERTS. Isn't that just supporting another monopoly? Of course Microsoft wants you to pay for the cert... they can certainly afford one. But what about all the little guys who write code for free?
    • by Penguinoflight (517245) on Monday December 20, 2004 @10:28PM (#11143284) Homepage Journal
      I dont know anyone that trusts verisign. You'd think a security company would practice legitimate business, who would have guessed?

      Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.

      These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.
    • by ip_fired (730445) on Monday December 20, 2004 @10:30PM (#11143303) Homepage
      And why would signing the code make it more
      secure?

      You can know that it is an official binary and
      hasn't been tampered with. However, I can
      accomplish this without paying Verisign money
      using a standard fingerprint.

      When you sign it with a Verisign certificate, the
      trust then moves up the chain. So, the question
      becomes, do I trust Verisign?

      No.

      In my opinion, this isn't even a problem. I make
      sure I download files for sources that I trust,
      and they make sure that those files remain clean
      as a matter of site security.

      It all boils down to this:

      1) Normal users don't care about signed code, as
      they happily click on "Yes, download this!"
      without bothering to check anything.

      2) Power users can verify the integrity of their
      code without shelling out big bucks to Verisign.
    • by Rashkae (59673) on Monday December 20, 2004 @10:47PM (#11143458) Homepage
      Buying A VeriSign Cert is a bad idea, for reasons already mentioned. What *would* be a good idea, however, is for Mozilla foundation to to set itself up as a CA and sign all of it's software, updates and "Official" or semi-official add-ons. I trust Mozilla foundation much more than VeriSign, and protecting users from trojaned programs on mirrors is a good idea.
  • by Anonymous Coward on Monday December 20, 2004 @10:15PM (#11143172)
    Tools > Extensions > Choose extension and UNINSTALL. And I don't know anyone who ever stopped installing something they downloaded because it wasn't signed. Perhaps if 99% of Windows users weren't running as admin, this wouldn't be a problem?
  • by john_g_galt (522650) on Monday December 20, 2004 @10:21PM (#11143217)
    Seen any of these errors? I've installed Firefox on several pc's with no problems at all.

    I also noticed this comment:

    "and not caring if my Virtual PC image dies a horrible death"

    (emphathis added)

    Could this person be having a virtual pc problem?
  • Code signing (Score:3, Insightful)

    by pair-a-noyd (594371) on Monday December 20, 2004 @10:22PM (#11143223)
    sure says a lot for IE security, doesn't it?

  • The real question. (Score:3, Interesting)

    by Anonymous Coward on Monday December 20, 2004 @10:22PM (#11143228)

    How can I trust Microsoft?


    Even if I get a secure dl of Exploder, the company has always done what is best for its interests, with little regard for mine.

  • by capn_buzzcut (676680) on Monday December 20, 2004 @10:23PM (#11143230)
    doesn't mean it's good for you. I recall seeing prompts to install "Web Gator" software and other such junk, all of which were signed by somebody. Despite the fancy certificate though, it was still crapware.
  • But... (Score:5, Insightful)

    by mstefanus (705346) on Monday December 20, 2004 @10:23PM (#11143232)
    Some spywares are also signed with Verisign... Gator, Bonzibuddy, etc.

    What's the point?
  • by Animats (122034) on Monday December 20, 2004 @10:23PM (#11143235) Homepage
    This guy makes some good points. His main point is that the distribution process for FireFox is very insecure. The "traditional open source approach" of voluntary mirrors (perhaps with manual MD5 checks) isn't good enough for high-volume end user products. The FireFox team needs to work out a much more secure install sequence.

    One approach might be to have users download an small installer from "firefox.org" (only!) which then verifies the downloaded file (which can come from anywhere). The download site on "firefox.org" should have an SSL certificate good enough for code signing.

    • from "firefox.org" (only!)

      Of course, with IE's spoofing vulnerabilties, you may not really be at firefox.org.

    • by Saint Stephen (19450) on Monday December 20, 2004 @10:52PM (#11143512) Homepage Journal
      Other platforms do not use Microsoft's propritary technology ("Authenticode") for signing binaries. They use MD5sums. MD5Sums are available for firefox (ftp://ftp.mozilla.org/pub/mozilla.org/firefox/rel eases/1.0/MD5SUMS) all firefox releases.

      Moreover, they give you this little thing called the SOURCE CODE that let's you be pretty darn sure what you're running. Read the code, and compile it yourself, or trust others to look at the code and check MD5 signatures.
      • by Algan (20532) on Monday December 20, 2004 @11:23PM (#11143770)
        I'm sorry, but you're plain wrong. Do you really think that my mom is really going to go through the trouble of downloading a text file (which does not end in .txt), opening it, using a tool that generates an MD5 signature (and that does not come standard on Windows) and comparing strings of 32 characters? And that assumes my mom would know what an MD5 is, which she does not.

        Of course, for you and me all this is not only easy, it's become second nature, but for the average Joe this sounds like a foreign language. Please try to wake up and smell the reality. You either want OSS products like Firefox to succeed and be addopted by a large mass of users - or not, in which case I don't want to hear any complaints about how your favorite application is not supported by some random vendor or service provider
        • by kscguru (551278) on Tuesday December 21, 2004 @12:35AM (#11144262)
          Do you really think that my mom is really going to go through the trouble of downloading a text file (which does not end in .txt), opening it, using a tool that generates an MD5 signature (and that does not come standard on Windows) and comparing strings of 32 characters?

          Doesn't matter. Fact is, if even 0.1% of the downloaders check, any compromised original will be detected in just a matter of minutes - hours at the worst. Mother at home will grab it... then the media the next day will loudly announce the problem, the antivirus companies will tear the binary apart and release updated signatures in a few days, and her virus scanner will tell her about the problem in about a week. This does assume she runs a virus scanner... but if she doesn't, she's probably compromised already.

          What the Slashdot crowd seems to be missing is that we don't need everyone to follow the MD5 signature. We just need an informed and vocal minority - e.g. Slashdotters - to detect the problem and pick up the pieces afterwards.

  • He doesn't care. (Score:5, Interesting)

    by standards (461431) on Monday December 20, 2004 @10:24PM (#11143244)
    I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all

    He sure has a lot to say about something he doesn't care about.

    He does suggest that Microsoft code signing technology somehow controls adware and spyware. Sadly, it doesn't seem to work yet, given that my brother-in-law's rather new XP laptop was loaded with the crap.
  • by theefer (467185) * on Monday December 20, 2004 @10:24PM (#11143245) Homepage
    I download the software again (this time coming from -- I kid you not! -- a numeric IP address [...]

    As opposed to what? A graphical IP address? A string IP address? A musical IP address?

    I hope this kind of remark does not reflect the technical skills (or lack thereof) of the author, although the content of the lame flamish post seems to lead us to the same conclusion.
  • by King_TJ (85913) on Monday December 20, 2004 @10:25PM (#11143256) Journal
    Paying for a commercial entity to "code sign" your software seems much to me like trying to buy someone's trust. IMHO, trust can't really ever be bought. It's something earned.

    How can I trust FireFox? Basically, I only trust it because other people who came before me reported back on their success with it, and in my own trials, it has done well for me. (The fact that the source code is available for open examination is a comforting factor too, of course.)

    Ultimately, I think almost all of us choose the software applications we run based on how satisfied we are with the results they give us. The fact that a package is "signed" or "unsigned" has very little bearing on my confidence in using a particular program.
    • by XaXXon (202882) * <xaxxon@ g m ail.com> on Monday December 20, 2004 @10:54PM (#11143547) Homepage
      I think you've missed his point a little.

      The point isn't that you trust mozilla/firefox. The point is that you're not downloading it from them, you're downloading from a mirror. If the software was signed, you'd know it was tampered with and that you were getting software you thought you were trusting.

      The current system lets mirrors tamper with the software. You might trust mozilla, but you really have little idea of what the mirror may have done to it. This is at least what he's saying.. Firefox may have some sort of md5 or something posted..
  • Valid Points (Score:3, Insightful)

    by ehack (115197) on Monday December 20, 2004 @10:26PM (#11143263) Journal
    Opens Source was designed, like the internet protocols, for people who trust each other - the developers of shrink-wrap executables need to learn to think paranoid when they deal in user binaries.

    Don't make the same errors again - if the designers of SMTP had thought about the users rather than the implementers, they woudl have built signature/encryption/sender authentication straight into the protocol and prevented the spam issue from ever arising.
  • Logical Error (Score:4, Insightful)

    by nwbvt (768631) on Monday December 20, 2004 @10:28PM (#11143275)
    "In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software)."

    That would mean that every piece of software not signed would be bad. The logical definition of necessary is not "provides some evidence", but is a strict conditional. In other words software can be trusted only if it is signed. This is obviously false, there are clearly ways one can trust a piece of software without requiring a digital signature.

  • by fbg111 (529550) on Monday December 20, 2004 @10:28PM (#11143279)
    Mr. Torr uses IE to download Firefox in his blog article. Why am I not surprised that IE has difficulties downloading Firefox? Next thing we know, an internal Microsoft memo will surface recommending that MS "cut off Firefox's air supply."
  • False security? (Score:4, Interesting)

    by zlel (736107) on Monday December 20, 2004 @10:29PM (#11143292) Homepage
    Personally I trust MD5 hashes more than certificates... certificates give me an impression of false security... afterall, anybody can buy a certificate - or did i miss something?
    • Re:False security? (Score:5, Informative)

      by MrZeebo (331403) on Monday December 20, 2004 @11:00PM (#11143596) Homepage
      I've studied computer security at the graduate level, so I have some background in this stuff.

      When you have a certificate, only YOU can sign software with YOUR certficiate, and once someone changes the data, the certificate becomes "corrupt" (heavily simplified). So, if you receive a program which is signed by the Mozilla foundation, either a) it was truly signed by the Mozilla foundation and is the same data that the Mozilla foundation intended to release, or b) Someone bought a certificate and claimed to be the Mozilla foundation. There are security measures in place to prevent case b from happening, so signed data can be assumed to be the actual data intended to be distributed by the signing party. (So now the problem becomes, do you trust the Mozilla foundation to release non-malicious code?)

      On the other hand, an MD5 sum is usually a file stored somewhere which is a hash of the file. However, an MD5 sum is no more secure than the original file -- if someone maliciously altered the original data, they could just also alter the MD5 sum that goes along with it so that it matches. Basically, if you already don't 100% trust the data you are getting, you probably shouldn't trust the MD5 sum you are getting either. MD5 sums are useful for checking for transmission errors, but not so much for security. Of course, if the MD5 sum and data are stored on two different physical computers, the chances of this attack happening can be reduced.

      So, certificates guarantee that the data is what the signer wanted you to get (which could be intentionally malicious!), and MD5 sums guarantee that what you downloaded is what's stored on the server (which could have been replaced with something malicious!).

      The moral of the story is, when you study computer security too much, you become really paranoid about everything ;-)
      • Re:False security? (Score:4, Informative)

        by gnuman99 (746007) on Tuesday December 21, 2004 @12:39AM (#11144285)
        On the other hand, an MD5 sum is usually a file stored somewhere which is a hash of the file. However, an MD5 sum is no more secure than the original file

        Generally in open source you have MD5 hash posted on the project's homepage. You download the files from mirrors. There are multiple locations to crack at the same time. It is easier said than done.

        Furthermore, there could be an private developer machine checking the main page once every 5 minutes or so to see if the MD5 hashes on the main site are corrupted.

        It is easier to buy a dummy vertificate and sign the modified file than to actually go though the trouble of changing files and MD5 hashes on multiple sites.

  • by dpbsmith (263124) on Monday December 20, 2004 @10:34PM (#11143335) Homepage
    The article makes perfect sense and the issues are legitimate. The thing is, they are generic issues in the PC world we live in today. They aren't any better if you use Microsoft software.

    The average user is placed in situations, probably several times a week, where in theory he is voluntarily authorizing something but in practice has virtually no way to know whether it is safe to click OK or not.

    Today's software is constantly giving you scary warnings about things that are perfectly OK, while constantly encouraging you to OK things which are not at all in your best interests to OK.

    My favorites are all the Microsoft uninstalls which ask me whether I want to delete QQXXZZ.DLL, without telling me what QQXXZZ.DLL is or what it does or what other applications might be using it. (In fact, it seems to expect me to know that. Hey, the OS might be in a position to know whether some other application uses that DLL, but I certainly am not. And my wife, of course, doesn't even know what a DLL is...

    (Now, about that pageful of medium-gray type on a light-gray background that's on the back of the car rental agreement you are presented with, in the airport, with a line of irritable people behind you...)
  • by krbvroc1 (725200) on Monday December 20, 2004 @10:37PM (#11143359)
    Sir,
    Trust is not a universal concept. Some discretion is required. If you do not trust Firefox, that is your choice. You are not willing, in your mind to take a risk. Personally, I do not trust Microsoft. Despite years of press releases and keynote speaches promoting security as 'Job 1' I have lost all trust in them.

    Personally, I see little value in a so called 'signed application'. If I visit my bank, I want to see a 'padlock' icon so that I know the data is not being 'sniffed' en route. Other than that, the certificate is not important to me. But that is the level of trust I am comfortable with. My concept of trust includes the concept of established relationship and earned respect. The value of Microsoft signing something doesn't mean anything to me. They are not trustworthy. After using Firefox for several versions, getting a feel for the neighborhood, I trust it.

    I understand that websites use mirrors -- thats normal and doesn't normally raise a red flag. I can verify a file contents with an MD5 checksum if I need to.

    Each user should has to establish their own level of trust and should not blindly rely on a certificate to tell them if they trust someone/something.

    You ask 'How Can I Trust Firefox'? Well you can't blindly. You have to take a risk. I can only tell you that it works fine for me. Regular backups and common sense go a long way.

    There is another reason however--Trust is not as important with Firefox as it is with Microsoft IE. The engineers of IE decided to integrate IE into the operating system with Active Desktop, ActiveX, etc. These made IE much more vulnerable. Firefox doesn't do this. It just tries to be a web browser - not a remote code execution environment.
  • by rminsk (831757) on Monday December 20, 2004 @10:37PM (#11143361)
    From "How can I trust Firefox article" Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. So lets do a dig on download.microsoft.com... download.microsoft.com. 3600 IN CNAME download.microsoft.com.nsatc.net. download.microsoft.com.nsatc.net. 300 IN CNAME download.microsoft.com.c.footprint.net. download.microsoft.com.c.footprint.net. 230 IN A 63.210.62.190 download.microsoft.com.c.footprint.net. 230 IN A 166.90.248.221 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.30 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.187 download.microsoft.com.c.footprint.net. 230 IN A 206.24.192.252 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.221 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.222 download.microsoft.com.c.footprint.net. 230 IN A 208.172.128.251 download.microsoft.com.c.footprint.net. 230 IN A 4.78.214.61 download.microsoft.com.c.footprint.net. 230 IN A 4.79.74.61 So I went to download.microsoft.com and I ended up at download.microsoft.com.c.footprint.net. I don't have any idea where that place is, and it sure makes me nervous.
  • by gelfling (6534) on Monday December 20, 2004 @10:39PM (#11143388) Homepage Journal
    While it is somewhat problematic for individual users to perform certainly corporate users could download and verify their own distro copy and distribute to their own users from that. It's more important to understand what the application does and that can only be achieved by examining or at least verifying the code and all of it's APIs.

    Why is this important? Because the browser, any browser, is really an enterprise application as pervasive and critical as SAP, PeopleSoft, Websphere, Tivoli or any of the other so called enterprise application suites.

    Yet IE is the only one that's not a toolkit, can't be verified internally or altered or tuned or customized in any meaningful way. It's as if you installed an Oracle DB and Oracle told you how many tables you could have, what they can look like and hid all the background processes from the developers, and didn't even publish the full API.

    It's a fucking joke what you've been lead to accept. IE is the only enterprise app that's a black box and none of you, NONE of you should accept that.

    Microsoft's criticism of how Firefox is distributed is pure smoke screen. They would have you believe you can't trust an app because you can't be sure where it came from whereas you're supposed to trust an app you can't verify, examine or debug on your own.
  • by Henry Stern (30869) <henry@stern.ca> on Monday December 20, 2004 @10:40PM (#11143403) Homepage
    It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?


    Of course, FireFox won't install any extension downloaded from a site not explicitly whitelisted. It should also be noted that the only site that is whitelisted by default is update.mozilla.org. If Mozilla.org was going to pwn you with a Firefox extension, why wouldn't the save themselves some trouble and just pwn you with TrojanFox?

    Was this a deliberate omission? Probably.

    Also, complaining about MessageBoxes not working when running software in a non-standard environment (virtual machine) is silly. Odds are that the problem was display driver-related anyway.
  • by TWX (665546) on Monday December 20, 2004 @10:41PM (#11143413)
    (Please pardon the elementary school essay feel of this)

    In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.

    In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosiac, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.

    In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.

    In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.

    Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.

    Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st
  • Mr Torr (Score:5, Interesting)

    by Petronius (515525) on Monday December 20, 2004 @10:49PM (#11143478)
    Apparently just joined MS's crack security team [microsoft.com] last Thursday [msdn.com]... needless to say, he's a real expert!
  • by X-rated Ouroboros (526150) on Monday December 20, 2004 @10:49PM (#11143479) Homepage

    Visit a secure .mil site some time.

    It has always amused me when I get "The authority of this registrar is not recognized" when visiting sites the US Gov or DoD has signed themselves.

  • by QuasiEvil (74356) on Monday December 20, 2004 @11:05PM (#11143633)
    He totally missed the fundamental insecurity of IE. Crapware installs itself with IE, either by exploiting "features" or holes. Sure, some crapware requires the user to click Ok (fuck my browser now) or Cancel (fuck my browser now anyway), but for the majority of it that I've experienced, a couple visits to websites of questionable integrity pretty much does it...

    Funny, I've never had Firefox do that.

    Really, what the hell does it matter if the software is signed? Some spyware/adware is signed so it looks "safe" by this guy's standards, and some of it just installs without telling you. If your core browser isn't safe from exploitation, there's really no sense in going any further. If you train users to say no, spyware just exploits the holes and installs itself without asking, problem solved. 90% of users are just going to click "Ok" anyway, no matter what it tells them, and no matter how much you try to teach them.

    He does have two interesting points, though, that perhaps we shouldn't trash with the rest. Maybe something beyond MD5 hashes should be provided for FF. My dad runs Windows, has no idea how to do an MD5 sum on a file, nor does he particularly need to know that. I hate even suggesting that Verisign is some bastion of legitimacy, because, well, just no. However, we're probably the biggest cooperating group of smart people (okay, some of you may be excused) the world has ever seen - surely there's a way to do it that is both easy for regular users and doesn't support V-evil.

    Also, being able to turn on and off various plug-ins wouldn't hurt. Sure, I know about the extension manager, but I'm talking things like Flash and Acrobat (the two things that screw me over most often). It'd be nice if I could just turn them off temporarily. Acrobat the Plugin has to be one of the #1 things that crashes on my Win32 boxes.

  • by jeif1k (809151) on Monday December 20, 2004 @11:13PM (#11143695)
    The thing to look at is the record, plain and simple. And the record shows that, until now, code signing does not address the major security problems that people have with IE. Maybe that will change in the future, but that's the record so far.

    Firefox on Windows does not have code signing because the real world has not demanded it so far. If there were enough attacks for which it turned out that code signing was the right solution, then Firefox would use code signing.

    Code signing, at this point, is a gimmick because it does not address the major security problems that Microsoft has. It's a solution to a problem that is not at the top of the list of problems with Microsoft software. And because Microsoft focuses on gimmicks, Microsoft keeps failing to address the real security problems Microsoft products have.

    Maybe Microsoft will eventually get serious and real about security, but Peter Torr's commentary illustrates that ignorance still reigns supreme at Microsoft.
  • ActiveX (Score:4, Insightful)

    by SCHecklerX (229973) <thecaptain@captaincodo.net> on Monday December 20, 2004 @11:22PM (#11143763) Homepage
    ActiveX using code-signing for its security model. We all know how secure that is. Microsoft, as always, just doesn't get it.
  • by Sax Maniac (88550) on Monday December 20, 2004 @11:45PM (#11143921) Homepage Journal
    I think it would be great if Moz got a certificate, or signed themselves. Great, because I know what that means. They have enough money from the fundraiser, do it, and stuff this guy.

    But clearly, users don't give a shit.

    Ever install any freakin' piece of hardware on Windows? Nothing is signed. I've seen printed instructions that show a pretty picture of the unsigned-code warning dialog box, and tells the user to press the yes please install this dangerous driver that might destroy my computer button.

    This is not from Bob's Network Adapters 'n Peat Moss. This is Samsung. Lexmark.

    So, as far as Joe Average is concerned, that dialog box is just another stupid thing getting in the way of scanning these nice pictures to send to Aunt Tillie. He's being trained to ignore security warnings.

  • by farzadb82 (735100) on Monday December 20, 2004 @11:47PM (#11143942)
    "In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download."

    Yet in the screenshots, IE allows the user to "Run" the executable.

    Also...

    "But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs."

    Obviously didn't try very hard... how about looking in Edit, Preferences, Downloads and then select the Plugins option. From here you can see what plugins are installed and disable them individually.

    Last I checked IE doesn't provide a list of Browser Helper Objects that you can individually enable/disable - In fact, the user has no way of knowing that a Browser Helper Object has been installed and worst, has no way of being able to remove or disable it.

    Finally, installation of Windows software follows this paradigm, in general. A lot of 3rd party utilities, games and applications can be downloaded and most are not signed. In fact, the Windows Installer does enforce any form of signature or hash.

  • by blanks (108019) on Tuesday December 21, 2004 @12:12AM (#11144109) Homepage Journal
    "Of course, the obvious question is 'Do I trust Firefox less than IE?'"

    No, asking your self this question is just down right stupid. This is the same as saying I do not trust something, but accept that level of trust because one of your other options is less trustful.

    If you can't trust something DONT trust it. Im fucking suck of this American style of thinking our goverment and the media has us stuck on, the fact that if you have only shitty choices (presidents, tv, music, etc) then you should only choose from the shitty choices.

    In fact the best choice in most cases is to not choose at all.
  • by fzammett (255288) on Tuesday December 21, 2004 @12:14AM (#11144133) Homepage
    I have posted on numerous ocassions my less than glowing feelings about Firefox. I run IE (well, to be fair, Maxthon) and am very happy doing so, haven't had problems in I don't know how long, and just in general I'm not especially thrilled with Firefox.

    But this blog entry is beyond ridiculous.

    First, I have installed Firefox on a number of ocassions, recently and beta builds in the past. I have done so on a couple of different versions of Windows, a few Linux versions some of which were running under VMWare. I have NEVER had ANY problem installing it. Certainly I've never seen a blank dialog like this guy claims to have.

    He raises some interesting concerns about the download locations I think, legitimate concerns, but beyond that it's a bunch of obvious FUD drivel. The security warning dialogs he mentions, while legitimate issues for novice users, are a result of the way IE handles potentially unsafe content, NOT the fault of Firefox. I would bet most people downloading a new browser can probably handle these dialogs without too much trouble, and again, they are from IE, not Firerox. He's right, signing the Firefox download wouldn't be a bad idea, but it's hardly the big deal he seems to think it is.

    Look, I think there are legitimate gripes about Firefox (just like there are about IE by the way)... I don't think either side needs to be making stuff up. I find myself sometimes defending MS against what I see as unfair assessments by the OSS community, but seeing posts like this blog entry makes me feel like an ass for doing so. BOTH sides need to be mature and compete fairly, may the best product win. It's annoying when crap like this sneaks through.
  • Huh? (Score:5, Insightful)

    by pherris (314792) on Tuesday December 21, 2004 @12:41AM (#11144297) Homepage Journal
    First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/

    What, like www.windowsupdate.com [windowsupdate.com] points to v4.windowsupdate.microsoft.com?

    Firefox isn't perfect but please, bitch about one of it's few real problems and some bullshit ones. Someone please show Mr. Torr a clue-by-four please?

  • Trust IE more? (Score:5, Insightful)

    by dantheman82 (765429) on Tuesday December 21, 2004 @12:47AM (#11144334) Homepage
    I'm a Student Ambassador to Microsoft, and promote VS.NET on campus. I think this guy is quite nieve (even if from Microsoft) or being deceptive. A few pointers:

    1) At least when you post, do a similar comparison between both browsers. I want IE so when I search Google for download internet explorer, then the first link is "www.microsoft.com/ie/" which REDIRECTS me to http://www.microsoft.com/windows/ie/default.htm which again REDIRECTS me to http://www.microsoft.com/windows/ie/default.mspx

    Can someone tell me if that is the same Internet Explorer? After all, Microsoft is a big company. I just wanted the regular IE.

    2) Watch what you quote - when you wisely point out that Secunia [secunia.com] has found (gulp!) 3 security advisories, did you know that only one was moderately critical and the rest were minor? Then, I noticed the advisories for Internet Explorer 6 (the most secure IE browser) - only 53 advisories from 2003-2004 (same timeframe), of which 42% (or around 24) were either highly or extremely critical! Oops, let's not compare using that website.

    3) Then, there's the whole issue with downloading extensions - when I click on a link to download my XPI (no clue what it is, as naive user), it waits a few seconds (no surprises) and then asks me to install now or cancel. Oh, and horror of horrors, the Install Now is default! That's what I wanted anyway...and this isn't ActiveX that installs/runs immediately or whenever, but explicitly states that it starts on restart of Mozilla. So, I can even uninstall before reloading Mozilla if I have second thoughts! Hmm, sounds secure to me.

    4) I've seen too many web sites that have Versign and a bunch of other BS images that give me no more trust than another site without them. So, I create a spoofed website with Verisign pictures and have no problem fooling users. But with a Firefox plugin, I'll know I'm on a spoofed website. Personally, word of mouth is the biggest way to increase trust, and that's why I recommend Firefox using word of mouth the most - I'll tie my name to Firefox because I use it and trust it. (Even carry it on my USB drive).

    5) Why not fight for some real change and migrate AWAY from ActiveX controls and Microsoft-specific mangled HTML code (and even links) that I can't even run in Firefox? And build in some Firefox-like security rather than pretending the fire is under control!
  • by twivel (89696) on Tuesday December 21, 2004 @01:18AM (#11144526)
    Microsoft's efforts with digital signing are very noble and they make some very valid points about Firefox here. Why does Firefox suggest having signed plug-ins when they don't sign their own program?

    [Being a Linux and Firefox supporter, I cannot understand that]

    But the whole comcept of using digital certificates and digital signatures is way too complex for the average non-technical computer user - and the thought of understanding it well is probably too technical for many technical computer users. SSL has similar problems.

    Microsoft goes to great lengths to educate the customer with fairly decent descriptions when things aren't signed, or with default options. But ultimately, the uneducated masses do something because someone else "educated them".

    So if your friend told you "hey, go install Morpheus file sharing program because you can get stuff for free." You're going to go download it and all of it's spyware.

    If your friend emails you a really neat screen saver with embedded virus, then calls you and says "Check out that hot-chick screen saver", you're going to ignore every Unsigned notice error you get to see it run.

    The goals of Microsoft are Noble - and Firefox needs to follow it's own recommendations, but I don't believe digital signatures will ever be the solution to the problem.

    The masses just want their computers to work. They don't want to have to understand the technical details about how they work. Average users running Microsoft Windows should not be required to make a decision, because no matter what - it's russian roulette.

    So if signed programs are the only way to add security to Windows, then just make valid signatures required and go on from there.

    You'll just end up with lots of people creating their own signing certificates and the users will have to get a pop-up saying "I don't know the Certificate Authority that signed the signer certificate." Yea, guess what... the average user has no idea what a CA is.

    --Twivel
  • by Jugalator (259273) on Tuesday December 21, 2004 @03:36AM (#11145076) Journal
    They ask themselves who you can trust Firefox when they haven't answered: How can I trust ActiveX?

    In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download.

    An ActiveX control with no signature can also be harmless and useful. Most are actually unsigned and most aren't spyware-related. And I'm sure companies like Gator, or whatever they're called today, have already made the money to be able to sign their ActiveX controls. I can't see how these are related to security at all. It's more related to money than anything else.

    How are you supposed to tell which are harmful or not until after they're installed? Wouldn't it be best to make them able to do less? You don't *have* to use ActiveX for stuff like Windows Update hardware identification. Why not replace it with a standalone installer app?
  • What a choad (Score:4, Interesting)

    by _KiTA_ (241027) on Tuesday December 21, 2004 @04:35AM (#11145296) Homepage


    Installing Firefox requires downloading an unsigned binary from a random web server

    Installing unsigned extensions is the default action in the Extensions dialog

    There is no way to check the signature on downloaded program files

    There is no obvious way to turn off plug-ins once they are installed

    There is an easy way to bypass the "This might be a virus" dialog


    1. Off an official website, hashed, with checksums to make sure you're safe.

    2. No, it's not.

    3. Yes, there is. There are several internet standards, including MD5 hashing. Question -- why doesn't Firefox show the MD5 has automatically for any files it finishes downloading (in the download box?) Perhaps some good can come from this troll for hire.

    4. Just because he didn't look doesn't mean there isn't a way.

    5. As opposed to all the multitude of ways IE spyware can bypass user intervention alltogether? Right.

    I wish I could get paid to troll the intarweb. Maybe Somethingawful's hiring. :P
  • 1 very good reason (Score:4, Insightful)

    by polyp2000 (444682) on Tuesday December 21, 2004 @05:29AM (#11145466) Homepage Journal
    People in glass houses should not throw stones - perhaps they should ask the question how to repair the loss in trust people have in IE before casting uncertainty about other browsers.

    Here one very good reason why we can "trust" firefox over IE

    We have the source code - and as such it gives confidence that the firefox team have no evil to hide - and that any software bugs can be repaired by anyone who cares.
  • by sootman (158191) on Tuesday December 21, 2004 @12:09PM (#11147908) Homepage Journal
    ...once and for all, digital signatures do NOTHING. Once a user wants to install something, they will click 'yes' to whatever it takes. We all get a million warnings a day that we click 'yes' to with no ill effects, so what's one more? Call it "the boy who cried wolf" syndrome.

    We wouldn't *need* all these warnings in the first place if MS hadn't allowed two extremely popular programs (IE and OE) to run executables with no user intervention. If they would have stuck with the ORIGINAL design--"Code canNOT run until you tell it to"--we'd all be better off. Run all the JS on a web page you want, but NO ONE can run code that affects the LOCAL MACHINE until told to. But no, stupid fucking MS, who didn't even *know* netowrks existed until Win 3.11, jumps into the game with the assumption that "Hey, you're on a network? Well then, you're probably at work, so the network's probably safe." Maybe we can fix the problem by putting up signs on the Redmond campus: "Strangers have the best candy!" and see if that thins the herd some.

    How many old-timers here remember telling their new-to-the-net friends "You can *read* any email you want and NOTHING BAD CAN HAPPEN, but always be sure before clicking an attachment!"? And then we had to go and revise that statement.

A consultant is a person who borrows your watch, tells you what time it is, pockets the watch, and sends you a bill for it.

Working...