How Can I Trust Firefox? 1464
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
Extensions are EASY to uninstall (Score:5, Informative)
Re:Multiple Firefox Security Flaws Discovered (Score:5, Informative)
WHAT A FUCKING MORON (Score:1, Informative)
The answer is simple :P (Score:3, Informative)
Re:IE? (Score:5, Informative)
IE only enterprise app. that is a black box - why? (Score:4, Informative)
Why is this important? Because the browser, any browser, is really an enterprise application as pervasive and critical as SAP, PeopleSoft, Websphere, Tivoli or any of the other so called enterprise application suites.
Yet IE is the only one that's not a toolkit, can't be verified internally or altered or tuned or customized in any meaningful way. It's as if you installed an Oracle DB and Oracle told you how many tables you could have, what they can look like and hid all the background processes from the developers, and didn't even publish the full API.
It's a fucking joke what you've been led to accept. IE is the only enterprise app that's a black box and none of you, NONE of you should accept that.
Microsoft's criticism of how Firefox is distributed is pure smoke screen. They would have you believe you can't trust an app because you can't be sure where it came from whereas you're supposed to trust an app you can't verify, examine or debug on your own.
He should tell the DoD the same thing. (Score:5, Informative)
Visit a secure .mil site some time.
It has always amused me when I get "The authority of this registrar is not recognized" when visiting sites the US Gov or DoD has signed themselves.
Re:Extensions are EASY to uninstall (Score:3, Informative)
Default Settings. (Score:3, Informative)
When I try to install extensions or anything else to firefox, I first have to add the site to my trusted sites list.
Knowing what I am installing and where it comes from means more than some signature I can't read.
Re:This guy is right. Listen to him. (Score:4, Informative)
Moreover, they give you this little thing called the SOURCE CODE that lets you be pretty darn sure what you're running. Read the code, and compile it yourself, or trust others to look at the code and check MD5 signatures.
Re:IE? (Score:2, Informative)
Someone trojaned the source tarball so that the make process built, installed, and ran a trojan horse. Here's a link to the CERT advisory:
CERT® Advisory CA-2002-28 Trojan Horse Sendmail Distribution [cert.org]
Re:He should tell the DoD the same thing. (Score:1, Informative)
The military uses lots of self-signed stuff, not through Verisign or whatever. Their point being (and one which I agree with too), would you trust some third party like Verisign over yourself for authority?
Obviously though this is one of the more extreme positions; for us paranoid people. The risk of blindly trusting any certificate authority (as has become clear with spyware bypassing install warnings) is that you are giving power to a foreign entity. If that's what you want to do, fine.
Re:False security? (Score:5, Informative)
When you have a certificate, only YOU can sign software with YOUR certificate, and once someone changes the data, the certificate becomes "corrupt" (heavily simplified). So, if you receive a program which is signed by the Mozilla foundation, either a) it was truly signed by the Mozilla foundation and is the same data that the Mozilla foundation intended to release, or b) someone bought a certificate and claimed to be the Mozilla foundation. There are security measures in place to prevent case b from happening, so signed data can be assumed to be the actual data intended to be distributed by the signing party. (So now the problem becomes, do you trust the Mozilla foundation to release non-malicious code?)
On the other hand, an MD5 sum is usually a file stored somewhere which is a hash of the file. However, an MD5 sum is no more secure than the original file -- if someone maliciously altered the original data, they could just also alter the MD5 sum that goes along with it so that it matches. Basically, if you already don't 100% trust the data you are getting, you probably shouldn't trust the MD5 sum you are getting either. MD5 sums are useful for checking for transmission errors, but not so much for security. Of course, if the MD5 sum and data are stored on two different physical computers, the chances of this attack happening can be reduced.
So, certificates guarantee that the data is what the signer wanted you to get (which could be intentionally malicious!), and MD5 sums guarantee that what you downloaded is what's stored on the server (which could have been replaced with something malicious!).
The moral of the story is, when you study computer security too much, you become really paranoid about everything
Real slashdotters never RTFA! (Score:2, Informative)
It's not even remotely funny how many readers here missed other valid points: redirection to a numeric IP, the 7-zip error and that empty message box. I saw the last two myself - weird behavior for such a well known, thoroughly tested and peer reviewed OSS project.
As for "Trust the Source!" Well, how many Firefox users build it from said source? For that matter, how many would care (or know) to check the MD5? And know where to get a valid MD5 and trusted digester in the first place?
Obligatory disclaimer: I write this from Firefox with about a dozen extensions and, yes, they are great. Nevertheless, read TFA and above.
Re:IE? (Score:5, Informative)
Regards,
Steve
So that explains those weird attempts to access... (Score:1, Informative)
Re:Yeah, right. (Score:5, Informative)
Re:Yeah, right. (Score:3, Informative)
So now I have to sort the legit from the spam, and forward the legit. I know damn well it's not from a spambot faking the headers. It's from this specific customer, running M$ products and Outlook.
Worse, I've written the rube a few times telling him he's got spamware on his box - but of course nothing has changed in 3 months. We get one legit email every few weeks, and 5 spams a day, all from him.
So keep it up M$ fanboy. We're not buying.
Re:Yeah, right. (Score:1, Informative)
This may have improved since last time I dealt with it, but I am not going to risk trying again to find out.
Re:How I can trust Firefox, by TWX (Score:1, Informative)
Re:IE? (Score:5, Informative)
They provide a GPG signature [mozilla.org]
Sure, it is not from Microsoft's preferred partner, Verisign, but that does not change that fact that Moz signs their code with an accepted standard.
Not Microsoft's standard of choice to be sure, but still a standard.
Re:Answer: Openness Trust (Score:2, Informative)
Re:False security? (Score:4, Informative)
Generally in open source you have the MD5 hash posted on the project's homepage. You download the files from mirrors. There are multiple locations to crack at the same time. It is easier said than done.
Furthermore, there could be a private developer machine checking the main page once every 5 minutes or so to see if the MD5 hashes on the main site are corrupted.
It is easier to buy a dummy certificate and sign the modified file than to actually go through the trouble of changing files and MD5 hashes on multiple sites.
Unsigned Binary BS (Score:3, Informative)
That is not entirely truthful. You can also download the source from ftp.mozilla.org directly if you are paranoid, and build the release yourself. Most, if not all mirrors also carry the source code, so you can also validate the source on the outlying site against the original if there is any question in your mind.
So it does not 'require' an unsigned binary at all. In fact as the author of the blog admits, having a signed binary does not prove that the code contained in the archive is free of malicious code at all.
The issue of redirecting the download to another site - a university for example - is represented as less safe than downloading from a Verisign registered site. This is hogwash, and avoids the critical argument that Microsoft wishes you to ignore: with a CVS snapshot of the source code I don't have to depend upon pre-compiled binaries and Verisign to do my thinking for me. I can run the following command:
diff mysource.c questionablesource.c
- and know immediately if something has been tainted or not. If I must have a binary, I can always validate a checksum of the questionable binary against one provided by Mozilla. Sites that aren't on the up-and-up, or have poor security quickly lose credence in the community, and fall by the wayside.
Finally, most products of open source developers are PGP (Pretty Good Privacy) signed - which serves the same purpose as Verisign - without the attendant costs. A developer publishes a public key used to decrypt a signature encrypted using his private key. If you can not validate the signature - then it did not come from who it should have.
All arguments regarding security of OSS can be countered with the same argument on the closed source side - save one: OSS source code is free to peruse (and diff) as you desire - thus providing the trump card closed source shops can not duplicate or argue effectively against without some subterfuge. The fact is Microsoft wants you to be tied to costly closed security solutions, because then you will only be able to 'trust' a few (rich) closed source shops for your software needs - and small OSS projects will die from lack of patronage. Thankfully they are mistaken in their analysis of your willingness to accept their lies without question.
Re:Yeah, right. (Score:2, Informative)
Re:Yeah, right. (Score:4, Informative)
Re:Yeah, right. (Score:3, Informative)
Re:Yeah, right. (Score:2, Informative)
Not true. Just hit Esc (which will imply 'No') and keep it pressed for a few seconds.
This stops even execution of JavaScript timer-based code.
Just because one doesn't know how to use IE while staying spyware-free doesn't mean IE is crappy. It means that the user is crappy.
I've used IE forever and never got any spyware in my life.
Re:The guy missed something... (Score:2, Informative)
Edit -> Preferences -> Downloads -> Plug-ins
Uncheck the file types that use the plug-in you want to disable.
Re:Yeah, right. (Score:2, Informative)
And finally, FF has much less control over your OS than IE does, so any harm from a moron who clicks the yellow bar, waits 5 secs THEN installs the extension, will still be minimal.
Re:I agree ... (Score:2, Informative)
I dare you to disable Flash like that. I love FF, but the man has a point.
Re:Yeah, right. (Score:2, Informative)
Re:IE? (Score:1, Informative)
http://www.linuxsecurity.com/content/view/11493
Somebody busted into a CVS server which was downstream from the master bitkeeper server. Bitkeeper noticed the discrepancy.
The actual hack was some code in a system call:
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
Note that the expression with current->uid is an assignment of 0 to current->uid, rather than a comparison of current->uid to 0. If one reads the code in context and does not notice the difference between "=" and "==", then this bit of code blends into its surroundings reasonably well.
The kernel has several defenses against this. First, there's a source control system, based on signatures. At the risk of starting a Slashdot flamewar, I'll point out that the "signed trusted code" design endorsed by Microsoft is actually the protection system used for source code by the FSF and (I believe) by the Linux kernel these days.
Second, there are people who read and summarize kernel changes (I used to be one of them) -- it's a lot easier to spot these shenanigans in a diff than it is to read a whole kernel.
And third, there is a layer of people known as the "kernel janitors" who are interested in cleaning up the junk that accumulates in the kernel. It's likely that a janitor would spot this.
In another item:
http://hackvan.com/pub/stig/info/trojan-horses-
Read past the IE trojan spoof mail to the attack on ftp.win.tue.nl . Someone cracked the ftp server and replaced util-linux, which includes the "login" program, with a trojan version including a trojan "login" program.
http://ftp.gnu.org/MISSING-FILES.README
ftp.gnu.org was rooted and trojaned for four months before somebody noticed.
http://kerneltrap.org/node/1717?PHPSESSID=13374
Somebody broke into four machines of the Debian project. They sniffed passwords from unencrypted network traffic, and then elevated from user to super-user by exploiting an integer overflow in the brk() system call.
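The kernel backdoor quoted above hides an assignment inside an if-condition. As an added example (not from the post or the kernel project), here is a small reviewer's aid that scans the added lines of a diff for if/while conditions that still contain a bare "=" once the real comparison operators are removed. The diff, file name and neighbouring lines are constructed to resemble the posted snippet.

```python
import re

# Constructed diff, modelled on the posted kernel snippet (file name and surrounding
# lines are made up): one added line puts an assignment where a comparison belongs.
SAMPLE_DIFF = """\
--- a/example.c
+++ b/example.c
@@ -1,2 +1,6 @@
     if (options & __WNOTHREAD)
         return -EINVAL;
+    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+        retval = -EINVAL;
+    if (retval == 0 && p != NULL)
+        retval = 1;
"""

COMPARISON_OPS = re.compile(r"==|!=|<=|>=")
CONDITION = re.compile(r"\b(?:if|while)\s*\((.*)\)\s*$")

def suspicious_assignments(diff_text: str) -> list:
    """Return (diff line number, code) for added if/while lines whose condition
    still contains '=' once every legitimate comparison operator is removed."""
    hits = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue                       # only newly added code is interesting
        code = line[1:]
        match = CONDITION.search(code)
        if match is None:
            continue
        condition = COMPARISON_OPS.sub("", match.group(1))
        if "=" in condition:               # whatever is left is an assignment
            hits.append((lineno, code.strip()))
    return hits
```

The extra parentheses around the assignment in the posted snippet are what keep gcc's -Wparentheses warning quiet, which is why a reviewer looking at the diff, as the post describes, is the backstop.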
Re:Yeah, right. (Score:3, Informative)
This was done as a security measure to prevent malicious attempts to install unwanted (spyware) XPI files on sketchy sites, which started to happen. I wish to god IE would do the same thing with Browser Helper Objects, and any ActiveX objects for that matter.
IE does the same thing. In fact, Firefox copied the UI for their security feature wholesale from the IE version of the same said security feature.
Re:Yeah, right. (Score:3, Informative)
Peter Torr's reply to comments (Score:2, Informative)
Re:Yeah, right. (Score:3, Informative)
Re:I agree ... (Score:3, Informative)
I can easily recompile FireFox, re-hash and then dupe you into thinking that it's the legit firefox.
That said, there is a huge difference between an MD5 -hash- (hash is the key word, the MD5 hash is not a signature) and code signing a la Microsoft.
Code-signing is cryptographic in nature, and is public/private key based much like PGP or SSL. In order to create a "signature" for code, you need to first possess the private key. Without the private key, you cannot generate a signature that would be mathematically valid.
Any signature you -did- generate, sans private key, would immediately send up alarm bells for anyone who tries to install it, as there would be a difference between the installed code and the signature that is posted (due to the lack of an authentic private key used to generate the sig).
This is, of course, much the same as PGP signing (though not necessarily encrypting) an e-mail message.
That said, as for the mirror->main idea... all it takes is one bad mirror and a lot of people get a bad FireFox.
Mod me down as a troll all you like (I'm sure someone will do it.. saying anything even remotely bad about FireFox, Linux, His Holiness Linus Torvalds or the GPL is automatic grounds for "troll" on
All an MD5 hash is good for is proving, assuming you trust the hash, that what you downloaded and what the mirror hosted are the same thing (ie, not corrupted during download). As a trust mechanism, it's useless.
Then again, there was an article on
SHA1, my brothers.
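Both the "False security?" reply above (certificates vs. MD5 sums) and this thread's MD5-hash-versus-code-signing argument come down to one observation: whoever can swap the file on a mirror can also republish a matching hash, but cannot produce a signature without the private key. The following added example (not code from any poster or from Mozilla) plays that out with a deliberately tiny, constructed RSA key pair and a constructed "release" file.

```python
import hashlib

# Constructed toy RSA key pair: tiny primes, demonstration only. The key is
# trivially breakable; the point is who can produce a valid signature, not key size.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)

def md5sum(data: bytes) -> str:
    """The MD5 posted next to the file, as mirrors publish it."""
    return hashlib.md5(data).hexdigest()

def _digest_int(data: bytes) -> int:
    # Toy reduction of SHA-256 into the modulus; real schemes use padding such as PSS.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes, priv: int = D) -> int:
    """Only the holder of the private exponent can do this."""
    return pow(_digest_int(data), priv, N)

def verify(data: bytes, sig: int, pub: int = E) -> bool:
    """Anyone can check with the public exponent."""
    return pow(sig, pub, N) == _digest_int(data)

def download_and_check(file_bytes: bytes, posted_md5: str, posted_sig: int) -> dict:
    """What a careful downloader sees: both checks reported separately."""
    return {"md5_ok": md5sum(file_bytes) == posted_md5,
            "sig_ok": verify(file_bytes, posted_sig)}

def demo() -> dict:
    release = b"firefox-installer: genuine build\n"          # constructed release
    sig = sign(release)                                       # signer's own signature
    genuine = download_and_check(release, md5sum(release), sig)

    # Compromised mirror: the attacker swaps the file AND republishes a matching MD5,
    # so the hash check passes; the old signature no longer matches the data.
    trojaned = release + b"; plus a backdoor\n"
    swapped = download_and_check(trojaned, md5sum(trojaned), sig)

    # Without D, signing with some other exponent yields a value that fails verify().
    bogus_sig = pow(_digest_int(trojaned), 12345, N)
    forged = download_and_check(trojaned, md5sum(trojaned), bogus_sig)
    return {"genuine": genuine, "mirror_swapped": swapped, "forged_sig": forged}
```

The remaining question, as the reply notes, is whether you trust the key holder; the signature only tells you the bytes are the ones they meant to ship.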
Re:Yeah, right. (Score:2, Informative)
IE does, in fact it was implemented in IE first (with betas of SP2) - Firefox copied them.
"it's almost a carbon copy of the new Internet Explorer Information Bar" [mozillazine.org]
well lets see (Score:2, Informative)
Re:Fun Facts Time! (Score:2, Informative)
Wasn't Verisign the registrar that gave out a Microsoft certificate to someone who wasn't Microsoft [pkiforum.com]?
Wasn't Verisign the one that sent domain renewal notices to other companies' customers [theregister.co.uk]?
Screw Verisign; use someone like cacert.org.
Re:Fun Facts Time! (Score:3, Informative)
VeriSign, Inc, discovered through its routine fraud screening procedures that on 29 and 30 January 2001, it issued two digital certificates to an individual who fraudulently claimed to be a representative of Microsoft Corporation.
Problems like that, and the fact that IE prompts you to accept certificates even for ActiveX controls that do not do anything potentially unsafe which just conditions people to click "Yes" without thinking, make code-signing a dangerous placebo rather than a real solution. Quite a few spyware authors have legitimate Verisign issued certificates BTW.