How Can I Trust Firefox?

TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"

whoa wait!

[Korgrath]

it's against the rules when Microsoft starts flaming back!

Re:IE?

[Anonymous Coward]

If any old fool can do it, let's see you try.

"Numeric IP address" ?

[theefer]

I download the software again (this time coming from -- I kid you not! -- a numeric IP address [...]

As opposed to what? A graphical IP address? A string IP address? A musical IP address?

I hope this kind of remark does not reflect the technical skills (or lack thereof) of the author, although the content of the lame flamish post seems to lead us to the same conclusion.

Re:Verisign Code Signing Certificate

[Anonymous Coward]

Why should I trust Verisign?

Downloading Firefox w/ IE?

[fbg111]

Mr. Torr uses IE to download Firefox in his blog article. Why am I not surprised that IE has difficulties downloading Firefox? Next thing we know, an internal Microsoft memo will surface recommending that MS "cut off Firefox's air supply."

That is like saying

[cspring007]

"Yeah sure, our boat is on fire, sinking and leaking radioactive waste
But look at their boat...
it's got a dent in its hull
also, why spend time trying to break into one car that has its windows rolled up..
when its sitting in a parking lot full of cars with their windows down and keys in the ignition

Re:This guy is right. Listen to him.

[k4_pacific]

from "firefox.org" (only!)

Of course, with IE's spoofing vulnerabilties, you may not really be at firefox.org.

Re:Yeah, right.

[noidentity]

What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".

And even if I press no, I *still* get spyware. Why? IE Sucks.

Hey, I have a solution! Firefox can present a dialog box on the first installation that asks, "Do you want to run with better security than Microsoft Internet Explorer?" with only one button labeled "Yes".

Excuse me

[Holi]

Taiwan is not China no matter what the mainland says.

Off Topic I know but come on.

URL?

[BladeMelbourne]

Peter Torr isn't a real Slashdot reader. Everyone knows that the URL is http://slashdot.org/ [slashdot.org] NOT http://www.slashdot.org/ [slashdot.org]

I guess he's hoping for a Christmas bone-arse from Bill Gates.

Did I make FIRST POST?

Re:Multiple Firefox Security Flaws Discovered

[WhatAmIDoingHere]

Beat that person. Beat them with a metal stick.

Re:Yeah, right.

[cratermoon]

Time for another name change. Just call it "teh intarwebs".

Re:Legitimate but GENERIC issues.

[kzinti]

...they don't know what QQXXZZ.DLL is either.

In Windows XP, QQXXZZ.DLL was renamed to PLUGH.DLL

Re:Yeah, right.

[Xerp]

Here. Let me start my own flamewar.

"I wanted to download Microsoft's Internet Explorer, so using Firefox I popped across to Google and searched for:

'Microsoft Internet Explorer'

The 3rd link told me:

Internet Explorer Home
https://www.microsoft.com/windows/ie/default .htm

Ok. I'll go there!

Up pops the message:

'Unable to verify www.microsoft.com as a trusted site'

Ok. I'll examine this certificate. Lets see who it is signed by... ah. Microsoft. Fine. As I'm testing this off a Knoppix-style CD and USB memory stick I'll accept this self-signed certificate. Seems all a bit snakeoil to me.

Once I do accept this this I immediately get redirected to another page - something ending with "mspx". Thats not where I clicked! I guess I have to trust it for now though and just carry on.

Over on the left is a "downloads" link, so I go there. I'm presented with a downloads page, where I have to go to another page of languages. I don't see my native Israeli, so I opt for "English". I'm taken to another downloads page (yes, I'm getting board of downloads pages already too). From here I am told that I must go to the 'downloads centre'. Great. Another downloads page. Here I get to select my language again. Um. Still no Israeli, so I go for English again. But Wait! There - no kidding - are only versions for Microsoft Operating Systems!"

I close my browser and grin.

Re:I agree ...

[geoffspear]

Yes, you did miss something.

He's claiming, in public, that his company's monopoly browser is presenting warnings that should cause users of that browser (the default on the monopoly operating system) to believe that installing Firefox (which is recommended, remember, by the Dept. of Homeland Security's CERT as being more secure) is inherently insecure and dangerous.

That sounds like at least an antitrust violation, and probably fraud on top of it. Maybe a PATRIOT Act violation, as well.

Re:Yeah, right.

[nrlightfoot]

No need to terminate the browser, you just have to be faster than internet explorer, and hit the back button before it pops up again. It also helps to have an older computer.

Re:Yeah, right.

[tomhudson]

How do you send someone an email telling them they're running a spambot when their isp filters out anything that has the word spam in it?

Hey, dude, you're running a SP4Mbot?

Hey, dude, you're running a 5PAMbot?
Hey, dude, you're running a 5P4Mb0t?
Hey, dude, you're running a 5P4M8ot?
Hey, moron, you're running a S-P-A-M-B-O-T?
Hey, quit sending us offers for PEN15 ENL4RGEMENT V14GR4?

He never sees the messages. Even a phone call won't work - he'll just get c0nfu5ed and up5et that he's p0ned.

Re:Yeah, right.

[DissidentHere]

While you are 100% correct there is a simple work around. Often when I install Firefox or Mozilla for someone I rename the desktop shortcut "The Internet" or "The Web" (people who don't know what Firefox is tend to use shortcuts a lot).

On top of that is some education on IE's faults, the scum of the net, and to note that the Firefox icon is much cooler than a dumb, swooshy "E"

This approach has worked pretty well for me so far.

In one extreme case I did rename the Firefox icon 'Internet Explorer' for an exceedingly uncooperative user. Once it was called 'Internet Explorer' she didn't care anymore. I'm sure some poor SOB in tech support has a hell of a time with her though.

Re:Yeah, right.

[ppanon]

In one extreme case I did rename the Firefox icon 'Internet Explorer' for an exceedingly uncooperative user. Once it was called 'Internet Explorer' she didn't care anymore. I'm sure some poor SOB in tech support has a hell of a time with her though.

Particularly the next time she calls an internet store to complain their site refuses to load (because of ActiveX components) and when their technical support guy asks her what browser she's using, she replies "Internet Explorer"

Hijinks ensue.

Re:Yeah, right.

[Kiryat Malachi]

I don't see my native Israeli, so I opt for "English". I'm taken to another downloads page (yes, I'm getting board of downloads pages already too). From here I am told that I must go to the 'downloads centre'. Great. Another downloads page. Here I get to select my language again. Um. Still no Israeli, so I go for English again. But Wait! There - no kidding - are only versions for Microsoft Operating Systems!"

If you were actually a native Israeli, you'd know the language is called Hebrew, or, in the actual language, ivrit (ayin-vet-resh-yud).

(If you're a native Israeli who just can't speak English, I apologize, but all evidence from your post shows you can, in fact, speak English.)

Re:Yeah, right.

[Anonymous Coward]

If you were actually a native Israeli, you'd know the language is called Hebrew, or, in the actual language, ivrit (ayin-vet-resh-yud).

Wrong again, it's ayin-vet-rest-yod-tav.

On an offtopic note, when is Slashdot going to allow hebrew in comments?

Re:Yeah, right.

[maciejkt]

Specifically, this is the hostperm.1 file in your profile directory.

Am I the only one to read this as hotsperm?

Re:Yeah, right.

[jfengel]

On an offtopic note, when is Slashdot going to allow hebrew in comments?

Right after they fix the HTML to work properly in the Firefox browser we're all praising in this thread.

Re:Yeah, right.

[Anonymous Coward]

Correct, Mr. Anderson. We know nothing about your addiction to "bunny porn," or your recent Google search for "glasses girl bukkake horse." Please, carry on with your IE endeavors. We wish you luck with your recent eBay listings.

-- GNU/Anonymous Coward[s]
-- -- Or are we?

Re:Random servers

[Inthewire]

"I have on record"

Yes, that's authoritative.
Hi, I'm Tim and I want a secure browser.
Oh, good, some random fuck on Slashdot trusts this site, it must be secure.

There's a world beyond your comfort zone, and your walls may have been breached.

Firefox != iPod

[Barlo_Mung_42]

Firefox is going to need more than one add in a regional paper to get the word out. When they come out with a U2 version complete with nauseating add campaign I'll agree you have a point.

Re:Most Spies for Beijing are Taiwanese

[Kierthos]

What? You mean all those horny housewives really aren't glad to see me?

*sniff* I'm going to die alone and unloved. (Oh, wait, I'm a Slashdot poster. That was already a given...)

Kierthos

Re:I agree ...

[boky]

> IE is signed code...do you trust it? I don't.

IE's signature tells you for sure it came from Microsoft. Another reason to trust it even less :-)

Perhaps you doubt the veracity of my statement

[Dr. Cody]

If you're a native Israeli who just can't speak English, I apologize, but all evidence from your post shows you can, in fact, speak English.

Ah. I see by the expression on your face that you are confused by my statement. Perhaps you doubt its veracity, but let me assure you, I speak not a word of English [kithfan.org].

Backdoor jab

[Raven15]

I sure hope those 10 million people who have downloaded Firefox so far haven't all download backdoors into their system...

I've already got IE, why would another backdoor be any big deal?

one more fucktard...

[sootman]

...once and for all, digital signatures do NOTHING. Once a user wants to install something, they will click 'yes' to whatever it takes. We all get a million warnings a day that we click 'yes' to with no ill effects, so what's one more? Call it "the boy who cried wolf" syndrome.

We wouldn't *need* all these warnings in the first place if MS hadn't allowed two extremely popular programs (IE and OE) to run executables with no user intervention. If they would have stuck with the ORIGINAL design--"Code canNOT run until you tell it to"--we'd all be better off. Run all the JS on a web page you want, but NO ONE can run code that affects the LOCAL MACHINE until told to. But no, stupid fucking MS, who didn't even *know* netowrks existed until Win 3.11, jumps into the game with the assumption that "Hey, you're on a network? Well then, you're probably at work, so the network's probably safe." Maybe we can fix the problem by putting up signs on the Redmond campus: "Strangers have the best candy!" and see if that thins the herd some.

How many old-timers here remember telling their new-to-the-net friends "You can *read* any email you want and NOTHING BAD CAN HAPPEN, but always be sure before clicking an attachment!"? And then we had to go and revise that statement.

Grade A Prime - BS

[freshBlueO2]

--"In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download."

Ok, that's Grade A B.S. Right there.

First of all, isn't www.cnn.com a trusted site? If so, why does IE allow Spyware "Avenue A" download on my system.

Second, Verisign cost more money than what's it worth. Hey, if I had $300+ to spend every year so that Micro$haft can grant me it's blessing, that doesn't make my tabloid of a site anymore trustworthy.

Third, You don't know where mirror.sg.depaul.edu is? Give me a break. www.microsoft.com goes to a cluster of machines all across the US. Maybe I'll get lucky playing Russian rolutte one day with a disgruntled MS employee that decides to send an... opps torjan from one of it's sites. Spectulation is a two-edged sword.

Fourth, MS has a 10+ year track record with its greed, its defiance, its manipulation and persussain, and most of all, it deception. Now, knowing this let's apply that Law#1 to the Ten Immutable Laws of Security "If a bad guy can persuade you to run his program on your computer, it's not your computer any more." Seems like I hear this one directed to MS users... a lot.

-my four cents worth.