Forgot your password?
typodupeerror
Security Mozilla The Internet Microsoft Internet Explorer

How Can I Trust Firefox? 1464

Posted by timothy
from the how-could-anyone-trust-ie? dept.
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
This discussion has been archived. No new comments can be posted.

How Can I Trust Firefox?

Comments Filter:
  • Yeah, right. (Score:5, Insightful)

    by kngthdn (820601) * on Monday December 20, 2004 @10:12PM (#11143140) Homepage
    One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust.

    Hello? Microsoft? 99% of the stuff on the Internet is unsigned. Downloading software from DePaul University's FireFox mirror doesn't scare me.

    What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".

    And even if I press no, I *still* get spyware. Why? IE Sucks.

    After I finally got rid of my beloved CoolSearchWeb installations, I installed FireFox for good. I've been spyware free ever since, and I download a lot of unsigned data. No IE, no spyware.

    Microsoft is never going to get it.
  • IE? (Score:5, Insightful)

    by Anonymous Coward on Monday December 20, 2004 @10:13PM (#11143153)
    A better question is, how can we trust anything from Microsoft. Without the source code, who knows what their software is doing behind the scenes.
  • by quaker5567 (841639) on Monday December 20, 2004 @10:18PM (#11143192)
  • Re:IE? (Score:2, Insightful)

    by kryogen1x (838672) on Monday December 20, 2004 @10:21PM (#11143216)
    The same way we can trust wikipedia articles (but save that for another arguement). More eyeballs = fewer errors.
  • by john_g_galt (522650) on Monday December 20, 2004 @10:21PM (#11143217)
    Seen any of these errors? I've installed Firefox on several pc's with no problems at all.

    I also noticed this comment:

    "and not caring if my Virtual PC image dies a horrible death"

    (emphathis added)

    Could this person be having a virtual pc problem?
  • Code signing (Score:3, Insightful)

    by pair-a-noyd (594371) on Monday December 20, 2004 @10:22PM (#11143223)
    sure says a lot for IE security, doesn't it?

  • by capn_buzzcut (676680) on Monday December 20, 2004 @10:23PM (#11143230)
    doesn't mean it's good for you. I recall seeing prompts to install "Web Gator" software and other such junk, all of which were signed by somebody. Despite the fancy certificate though, it was still crapware.
  • But... (Score:5, Insightful)

    by mstefanus (705346) on Monday December 20, 2004 @10:23PM (#11143232)
    Some spywares are also signed with Verisign... Gator, Bonzibuddy, etc.

    What's the point?
  • by Animats (122034) on Monday December 20, 2004 @10:23PM (#11143235) Homepage
    This guy makes some good points. His main point is that the distribution process for FireFox is very insecure. The "traditional open source approach" of voluntary mirrors (perhaps with manual MD5 checks) isn't good enough for high-volume end user products. The FireFox team needs to work out a much more secure install sequence.

    One approach might be to have users download an small installer from "firefox.org" (only!) which then verifies the downloaded file (which can come from anywhere). The download site on "firefox.org" should have an SSL certificate good enough for code signing.

  • by fred fleenblat (463628) on Monday December 20, 2004 @10:23PM (#11143239) Homepage
    It probably isn't a good long-term strategy to respond to microsoft this way. Open source software needs to find an open-source signing mechanism.

    A good starting point might be for www.mozilla.org to host unmirrored checksums for itself and its plug-ins.
  • Worrywart (Score:2, Insightful)

    by Askjeffro (787652) on Monday December 20, 2004 @10:24PM (#11143242)
    Of Course he can't trust Firefox, its trying to take his job away. Does a Ford Engineer trust Chevy trucks? Well maybe, but you sure as hell won't see a Ford engineer driving one...
  • by freeze128 (544774) on Monday December 20, 2004 @10:25PM (#11143251)
    If mozilla buys a cert, then they are openly supporting the idea of PAYING VERISIGN FOR CERTS. Isn't that just supporting another monopoly? Of course Microsoft wants you to pay for the cert... they can certainly afford one. But what about all the little guys who write code for free?
  • by Dorsai65 (804760) <dkmerriman@@@gmail...com> on Monday December 20, 2004 @10:25PM (#11143255) Homepage Journal
    Considering how much BS Verisign has instigated (the "your domain is gonna die if you don't renew with us" letters, hijacking DNS, etc.), their certs don't mean squat to me anyway.
  • by King_TJ (85913) on Monday December 20, 2004 @10:25PM (#11143256) Journal
    Paying for a commercial entity to "code sign" your software seems much to me like trying to buy someone's trust. IMHO, trust can't really ever be bought. It's something earned.

    How can I trust FireFox? Basically, I only trust it because other people who came before me reported back on their success with it, and in my own trials, it has done well for me. (The fact that the source code is available for open examination is a comforting factor too, of course.)

    Ultimately, I think almost all of us choose the software applications we run based on how satisfied we are with the results they give us. The fact that a package is "signed" or "unsigned" has very little bearing on my confidence in using a particular program.
  • Re:IE? (Score:2, Insightful)

    by maskedbishounen (772174) on Monday December 20, 2004 @10:26PM (#11143262)
    Well, to get code into most OSS projects, it has to checked in. They usually use CVS to do this. Someone submits a patch and a dev or two does a once over on it.

    If it looks good, it goes in. If it's bad, or blatantly obvious malware, it won't.

    In theory you might be able to run across a rogue dev with enough access to bypass this process -- yet OSS is based on trust; unlike getting your product out quickly to keep your job, it's done by people who love the project or cause.

    Could it be a problem? Yeah, in theory. But without the source, how would we ever know how many times this has gone on at MSFT, signed code or not?
  • Valid Points (Score:3, Insightful)

    by ehack (115197) on Monday December 20, 2004 @10:26PM (#11143263) Journal
    Opens Source was designed, like the internet protocols, for people who trust each other - the developers of shrink-wrap executables need to learn to think paranoid when they deal in user binaries.

    Don't make the same errors again - if the designers of SMTP had thought about the users rather than the implementers, they woudl have built signature/encryption/sender authentication straight into the protocol and prevented the spam issue from ever arising.
  • Logical Error (Score:4, Insightful)

    by nwbvt (768631) on Monday December 20, 2004 @10:28PM (#11143275)
    "In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software)."

    That would mean that every piece of software not signed would be bad. The logical definition of necessary is not "provides some evidence", but is a strict conditional. In other words software can be trusted only if it is signed. This is obviously false, there are clearly ways one can trust a piece of software without requiring a digital signature.

  • Re:IE? (Score:5, Insightful)

    by Kyouryuu (685884) on Monday December 20, 2004 @10:29PM (#11143289) Homepage
    The obvious answer - you can't. There is no such thing as a 100% exploit-proof undertaking as significant as a web browser.

    There are two sides to the coin:
    - Firefox is generally trustworthy because a lot of eyes look at the code and changes are logged in public view. Most developers are benevolent. People have tried to create exploits with the Linux kernel, but they have been weeded out.

    - Ideally, Internet Explorer would be generally trustworthy because as a business, Microsoft's reputation rides on the quality of the program. In a capitalist society with an element of competition, commercial demands would force Microsoft to close exploits. However, Microsoft lives in a monopolistic universe. And as we all know, companies that live with little competition generally aren't benevolent and don't give a rip about corporate reputation. When a company has 90% market share with a web browser, they often rest on their laurels and get sloppy about it. Until a vastly superior browser like Firefox effectively turns the tables - say 60/40 - Microsoft probably feels no obligation to react and will continue to act like Firefox is no threat.

  • by ip_fired (730445) on Monday December 20, 2004 @10:30PM (#11143303) Homepage
    And why would signing the code make it more
    secure?

    You can know that it is an official binary and
    hasn't been tampered with. However, I can
    accomplish this without paying Verisign money
    using a standard fingerprint.

    When you sign it with a Verisign certificate, the
    trust then moves up the chain. So, the question
    becomes, do I trust Verisign?

    No.

    In my opinion, this isn't even a problem. I make
    sure I download files for sources that I trust,
    and they make sure that those files remain clean
    as a matter of site security.

    It all boils down to this:

    1) Normal users don't care about signed code, as
    they happily click on "Yes, download this!"
    without bothering to check anything.

    2) Power users can verify the integrity of their
    code without shelling out big bucks to Verisign.
  • Re:Security? (Score:3, Insightful)

    by bunratty (545641) on Monday December 20, 2004 @10:31PM (#11143315)
    That's what OpenOffice.org uses. [openoffice.org] The article is less about trusting Firefox, and more about trusting every mirror to provide an unhacked copy of Firefox. How do we know the mirror wasn't broken into and the mirrored copy tampered with? It's a valid point.
  • by killerface (573659) on Monday December 20, 2004 @10:33PM (#11143326) Homepage
    (from the article) First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/. Funny when I went to http://windows.com I got redirected to the real page at http://www.microsoft.com/windows/default.mspx
  • by dpbsmith (263124) on Monday December 20, 2004 @10:34PM (#11143335) Homepage
    The article makes perfect sense and the issues are legitimate. The thing is, they are generic issues in the PC world we live in today. They aren't any better if you use Microsoft software.

    The average user is placed in situations, probably several times a week, where in theory he is voluntarily authorizing something but in practice has virtually no way to know whether it is safe to click OK or not.

    Today's software is constantly giving you scary warnings about things that are perfectly OK, while constantly encouraging you to OK things which are not at all in your best interests to OK.

    My favorites are all the Microsoft uninstalls which ask me whether I want to delete QQXXZZ.DLL, without telling me what QQXXZZ.DLL is or what it does or what other applications might be using it. (In fact, it seems to expect me to know that. Hey, the OS might be in a position to know whether some other application uses that DLL, but I certainly am not. And my wife, of course, doesn't even know what a DLL is...

    (Now, about that pageful of medium-gray type on a light-gray background that's on the back of the car rental agreement you are presented with, in the airport, with a line of irritable people behind you...)
  • by krbvroc1 (725200) on Monday December 20, 2004 @10:37PM (#11143359)
    Sir,
    Trust is not a universal concept. Some discretion is required. If you do not trust Firefox, that is your choice. You are not willing, in your mind to take a risk. Personally, I do not trust Microsoft. Despite years of press releases and keynote speaches promoting security as 'Job 1' I have lost all trust in them.

    Personally, I see little value in a so called 'signed application'. If I visit my bank, I want to see a 'padlock' icon so that I know the data is not being 'sniffed' en route. Other than that, the certificate is not important to me. But that is the level of trust I am comfortable with. My concept of trust includes the concept of established relationship and earned respect. The value of Microsoft signing something doesn't mean anything to me. They are not trustworthy. After using Firefox for several versions, getting a feel for the neighborhood, I trust it.

    I understand that websites use mirrors -- thats normal and doesn't normally raise a red flag. I can verify a file contents with an MD5 checksum if I need to.

    Each user should has to establish their own level of trust and should not blindly rely on a certificate to tell them if they trust someone/something.

    You ask 'How Can I Trust Firefox'? Well you can't blindly. You have to take a risk. I can only tell you that it works fine for me. Regular backups and common sense go a long way.

    There is another reason however--Trust is not as important with Firefox as it is with Microsoft IE. The engineers of IE decided to integrate IE into the operating system with Active Desktop, ActiveX, etc. These made IE much more vulnerable. Firefox doesn't do this. It just tries to be a web browser - not a remote code execution environment.
  • by rminsk (831757) on Monday December 20, 2004 @10:37PM (#11143361)
    From "How can I trust Firefox article" Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. So lets do a dig on download.microsoft.com... download.microsoft.com. 3600 IN CNAME download.microsoft.com.nsatc.net. download.microsoft.com.nsatc.net. 300 IN CNAME download.microsoft.com.c.footprint.net. download.microsoft.com.c.footprint.net. 230 IN A 63.210.62.190 download.microsoft.com.c.footprint.net. 230 IN A 166.90.248.221 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.30 download.microsoft.com.c.footprint.net. 230 IN A 206.24.190.187 download.microsoft.com.c.footprint.net. 230 IN A 206.24.192.252 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.221 download.microsoft.com.c.footprint.net. 230 IN A 208.172.48.222 download.microsoft.com.c.footprint.net. 230 IN A 208.172.128.251 download.microsoft.com.c.footprint.net. 230 IN A 4.78.214.61 download.microsoft.com.c.footprint.net. 230 IN A 4.79.74.61 So I went to download.microsoft.com and I ended up at download.microsoft.com.c.footprint.net. I don't have any idea where that place is, and it sure makes me nervous.
  • by Henry Stern (30869) <henry@stern.ca> on Monday December 20, 2004 @10:40PM (#11143403) Homepage
    It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?


    Of course, FireFox won't install any extension downloaded from a site not explicitly whitelisted. It should also be noted that the only site that is whitelisted by default is update.mozilla.org. If Mozilla.org was going to pwn you with a Firefox extension, why wouldn't the save themselves some trouble and just pwn you with TrojanFox?

    Was this a deliberate omission? Probably.

    Also, complaining about MessageBoxes not working when running software in a non-standard environment (virtual machine) is silly. Odds are that the problem was display driver-related anyway.
  • by BlackEyedSceva (798150) on Monday December 20, 2004 @10:41PM (#11143418)
    I have used Mozilla products far longer than I have used IE. Every time I have ever used IE all I have ended up with is a gang of adware on my computer. I'm sure that IE could be more secure, but for me it's more of a matter of being with Mozilla products longer.
  • by Anonymous Coward on Monday December 20, 2004 @10:42PM (#11143426)
    using GPG by a company I trust more than Microsoft/Verisign....
    it was signed by Red Hat, and it had an automatic signature verification built into the Yum install.

    Ok, move along... nothing more than FUD to see here.
  • Re:Yeah, right. (Score:5, Insightful)

    by JudgeFurious (455868) on Monday December 20, 2004 @10:43PM (#11143434)
    Oh Microsoft gets it. They wouldn't be saying crap like this if they didn't get it. The question is when are the people still using IE going to get it.

    When are they going to learn that IE isn't "The Internet"? When are they going to replace a bad tool with a good one. Stupid blurbs like this one keep the doubt in uninformed peoples minds and keep IE on top of the pile. Microsoft gets it just fine.
  • by 1000StonedMonkeys (593519) on Monday December 20, 2004 @10:46PM (#11143449)
    And it would take you how long to read through the entire Mozilla code to verify that you had a legitmate version?
  • by Rashkae (59673) on Monday December 20, 2004 @10:47PM (#11143458) Homepage
    Buying A VeriSign Cert is a bad idea, for reasons already mentioned. What *would* be a good idea, however, is for Mozilla foundation to to set itself up as a CA and sign all of it's software, updates and "Official" or semi-official add-ons. I trust Mozilla foundation much more than VeriSign, and protecting users from trojaned programs on mirrors is a good idea.
  • by softspokenrevolution (644206) on Monday December 20, 2004 @10:53PM (#11143530) Journal
    Nothing at all like /.
  • Re:IE? (Score:3, Insightful)

    by adamjaskie (310474) on Monday December 20, 2004 @10:55PM (#11143552) Homepage
    Not to mention his "7-Zip: Unspecified Error [OK]" box, which has nothing to do with either Mozilla Foundation OR Microsoft, but rather a third-party decompression utility that he is using.
  • Re:Yeah, right. (Score:2, Insightful)

    by onash (599976) on Monday December 20, 2004 @10:56PM (#11143559)
    I find reading this blog quite funny, as i have spent the last 3 hours updating my fathers laptop.. installing SP2, removing spyware with AdAware and rebooting 6-7 times. Hes just the regular computer user but his computer got all messed up because he wasn't sure why that update thingy kept popping up.

    My finilization of this "update" is installing Mozilla Firefox, and replacing the Firefox icon with the IE icon. He will never notice, but it will save me the hell of "fixing" his computer in a couple of months.
  • Logical fallacy? (Score:3, Insightful)

    by utlemming (654269) on Monday December 20, 2004 @10:56PM (#11143561) Homepage
    So wait -- Microsoft == Trust, therefore !Microsoft != Trust? False premise? Yup.

    Forgive my cynism, but he is ass|u|me|ing that people trust Microsoft in the first place? Does the guy not live in the real world? The reason that I trust Firefox is because I don't have any of the problems that I have with Internet Explorer. I liked IE until my computer became overran with spyware and trojans. Code signing would be nice. But didn't the guy find the feature that only allows software installations from certain sites. I am very trusting of Mozdev, and Mozilla.org. But I am quite glad that www.hijackyourbrowser.com isn't allowed to install software. Code signing is a nice idea, but I trust a whole lot of software that isn't signed. And Microsoft should know that code signing is often ignored. I ignored the driver signing last time I updated my NVidia drivers. Just because something is digitally signed doesn't mean that I should trust it. Heck, according to Microsoft's arguments I should get a new anti-virus (even though I am running Norton Antivirus Corparate Edition) because it doesn't report itself to the OS. And what is to prevent someone from cracking the way things are digitally signed? Again, I get back to the logical fallacy -- he is assuming that people inherently trust Microsoft.
  • Re:IE? (Score:3, Insightful)

    by damiam (409504) on Monday December 20, 2004 @10:56PM (#11143565)
    Bad analogy. Anyone can directly edit a Wikipedia page. Few people have write access to the official Firefox code.
  • Re:Security? (Score:3, Insightful)

    by Scrameustache (459504) on Monday December 20, 2004 @11:01PM (#11143604) Homepage Journal
    It's a valid point.

    Valid points are starting to look a lot like FUD these days.
  • by QuasiEvil (74356) on Monday December 20, 2004 @11:05PM (#11143633)
    He totally missed the fundamental insecurity of IE. Crapware installs itself with IE, either by exploiting "features" or holes. Sure, some crapware requires the user to click Ok (fuck my browser now) or Cancel (fuck my browser now anyway), but for the majority of it that I've experienced, a couple visits to websites of questionable integrity pretty much does it...

    Funny, I've never had Firefox do that.

    Really, what the hell does it matter if the software is signed? Some spyware/adware is signed so it looks "safe" by this guy's standards, and some of it just installs without telling you. If your core browser isn't safe from exploitation, there's really no sense in going any further. If you train users to say no, spyware just exploits the holes and installs itself without asking, problem solved. 90% of users are just going to click "Ok" anyway, no matter what it tells them, and no matter how much you try to teach them.

    He does have two interesting points, though, that perhaps we shouldn't trash with the rest. Maybe something beyond MD5 hashes should be provided for FF. My dad runs Windows, has no idea how to do an MD5 sum on a file, nor does he particularly need to know that. I hate even suggesting that Verisign is some bastion of legitimacy, because, well, just no. However, we're probably the biggest cooperating group of smart people (okay, some of you may be excused) the world has ever seen - surely there's a way to do it that is both easy for regular users and doesn't support V-evil.

    Also, being able to turn on and off various plug-ins wouldn't hurt. Sure, I know about the extension manager, but I'm talking things like Flash and Acrobat (the two things that screw me over most often). It'd be nice if I could just turn them off temporarily. Acrobat the Plugin has to be one of the #1 things that crashes on my Win32 boxes.

  • by cbr2702 (750255) on Monday December 20, 2004 @11:07PM (#11143649) Homepage
    Those hashes are useful for at least two reasons:
    1. They let me verify that the file downloaded properly.
    2. If I downloaded from a less trustworthy mirror, I can check the hash in a more trustworthy place.
  • by jackb_guppy (204733) on Monday December 20, 2004 @11:07PM (#11143650)
    He doesn't, you are right...

    SP2 for XP, is signed and all, downloads from random sites without telling you the ownersihp, then destories the XP loaded, to the point of wiping the drive and reloading.

    XP can not be moved from one machine, even using the tools Microsoft gives you, so they message of "Buy new hardware" when you have the above problem, is still a full reload.

    Lastly his blog is comments are now under moderation, so you can not talk about bad.

    I guess that is what MS is calling Marketing, Security these days. Does save on build costs.
  • by jrockway (229604) * <jon-nospam@jrock.us> on Monday December 20, 2004 @11:09PM (#11143661) Homepage Journal
    What is Bejing going to do with my social security number?

    And why would Taiwan plant a trojan in IE that sends SSNs to bejing? That would be like North Korea putting a trojan in IE that sends the US super secret data. Why?
  • Re:Yeah, right. (Score:5, Insightful)

    by bladesjester (774793) <{slashdot} {at} {jameshollingshead.com}> on Monday December 20, 2004 @11:09PM (#11143667) Homepage Journal
    When? Okay, here's the rundown of your average just-wants-to-look-at-the-interweb-and-get-email user (kind of like my grandma. This isn't a troll, it's a serious example)

    Well, it's called "Internet Explorer". It's got the keyword - internet. That's what they're looking for. How in the nine hells are they supposed to know what "Firefox" is (most of them do not read the times). Firefox is not an intuitive name. It gives the average person absolutely no idea what it does by just looking at what the name is.

    People *MIGHT* start using something other than IE when this stops being the case. Most people want something they can understand. They don't want to feel stupid by having no idea what to do or what tools to use in order to do it.

    Not to mention the fact that they all KNOW about Microsoft. They know the name. They know it's been around for quite a while. Therefore it must be good, right? (not my opinion, but it is the view of people that I have known)

    Just my opinion as a tech with "normal" relatives and clients.
  • Re:I agree ... (Score:3, Insightful)

    by techno-vampire (666512) on Monday December 20, 2004 @11:10PM (#11143673) Homepage
    Did I miss something again?

    No, you didn't miss anything, because the Nanolimp appologist didn't address that. He was writing FUD to keep people from downloading and installing Firefox because he knew he'd be laughed at if he claimed Firefox isn't better than IE.

  • Re:Yeah, right. (Score:5, Insightful)

    by IANAAC (692242) on Monday December 20, 2004 @11:11PM (#11143678)
    My finilization of this "update" is installing Mozilla Firefox, and replacing the Firefox icon with the IE icon. He will never notice, but it will save me the hell of "fixing" his computer in a couple of months.

    I've said this before here, and I'll say it again: You're not doing any great service by tricking someone into thinking that IE is now somehow safe. A much better option would be to be honest and say "I had to clean up way too many things on you PC because of IE. I've installed Firefox - it's much safer than IE and you'd be better off using it". Not to mention that fact that you'd be giving credit where it was actually due.

  • Re:Yeah, right. (Score:3, Insightful)

    by briancnorton (586947) on Monday December 20, 2004 @11:13PM (#11143694) Homepage
    I guess they'll just have to find solace in their 95% market share...

    Microsoft does get it. They get it very well, and in large sums. Here they are providing scathing yet legitimate criticism, and all you can do is get defensive and arrogant. The only people who dont get it are posters like you.

    "He brings us love, lets break his legs so he can't get away"

  • by jeif1k (809151) on Monday December 20, 2004 @11:13PM (#11143695)
    The thing to look at is the record, plain and simple. And the record shows that, until now, code signing does not address the major security problems that people have with IE. Maybe that will change in the future, but that's the record so far.

    Firefox on Windows does not have code signing because the real world has not demanded it so far. If there were enough attacks for which it turned out that code signing was the right solution, then Firefox would use code signing.

    Code signing, at this point, is a gimmick because it does not address the major security problems that Microsoft has. It's a solution to a problem that is not at the top of the list of problems with Microsoft software. And because Microsoft focuses on gimmicks, Microsoft keeps failing to address the real security problems Microsoft products have.

    Maybe Microsoft will eventually get serious and real about security, but Peter Torr's commentary illustrates that ignorance still reigns supreme at Microsoft.
  • by dsginter (104154) on Monday December 20, 2004 @11:18PM (#11143730)
    Name: GAIN
    Publisher: Claria Corporation

    The publisher was verified so you should install and run this software.


    I fail to see how signatures fix anything that is wrong with Internet Explorer. Automated downloads via ActiveX are going to be a problem if they are signed or not. What a moron this guy is (and I'm normally a MS softie). He should be fired if he works for MS as he is exactly the type of thinker that got us into this problem.

  • by yakofdeath (835581) <.yakofdeath314. .at. .yahoo.com.> on Monday December 20, 2004 @11:20PM (#11143745) Journal
    This piece mainly addresses the issue of potential security threats from files (like Firefox or Flash Player) that the user decides to download voluntarily. While there are potential risks here, it seems to me that the main issue is users inadvertently installing spyware and adware. I doubt that many users encounter problems from software that they were actually trying to install in the first place.
  • ActiveX (Score:4, Insightful)

    by SCHecklerX (229973) <thecaptain@captaincodo.net> on Monday December 20, 2004 @11:22PM (#11143763) Homepage
    ActiveX using code-signing for its security model. We all know how secure that is. Microsoft, as always, just doesn't get it.
  • by Algan (20532) on Monday December 20, 2004 @11:23PM (#11143770)
    I'm sorry, but you're plain wrong. Do you really think that my mom is really going to go through the trouble of downloading a text file (which does not end in .txt), opening it, using a tool that generates an MD5 signature (and that does not come standard on Windows) and comparing strings of 32 characters? And that assumes my mom would know what an MD5 is, which she does not.

    Of course, for you and me all this is not only easy, it's become second nature, but for the average Joe this sounds like a foreign language. Please try to wake up and smell the reality. You either want OSS products like Firefox to succeed and be addopted by a large mass of users - or not, in which case I don't want to hear any complaints about how your favorite application is not supported by some random vendor or service provider
  • by tomhudson (43916) <barbara.hudson@ ... a - h u dson.com> on Monday December 20, 2004 @11:23PM (#11143771) Journal
    What a LAME troll.
    You clearly have no clue about security.

    You, as a "Power User" can verify the integrity of a binary download? Yeah, right.

    A signed binary ensures that the package that was created by Mozilla.org has not been modified
    So does an MD5 sum taken from a second site (not the site that the download came from).

    Come on, you can do better (or perhaps not, since you seem to think that Verisign == trustworthy).

  • Re:I agree ... (Score:3, Insightful)

    by cortana (588495) <sam@robots.orYEATSg.uk minus poet> on Monday December 20, 2004 @11:26PM (#11143792) Homepage
    > Installing Firefox requires downloading an unsigned binary from a random web server

    Someone should tell guy about the signature files that go right alongside the setup exe. :)
  • dot dot dot (Score:2, Insightful)

    by ecko3437 (802386) <esmith@halomessenger.org> on Monday December 20, 2004 @11:27PM (#11143797) Homepage Journal
    I love Microsoft to death (with the exception of Internet Explorer). But... excuse me, what the hell is this guy smoking? If he was a half competent user, he wouldn't have installed Service Pack 2 for XP to begin with. I havent, my computer is still spyware and virus free.

    He encountered a very rare problem installing Firefox, all of which could have been faked. Who cares? Internet Explorer has FAR too many problems reguarding security. People get spyware by just VISITING web pages, you prick. I mean seriously, how many of you have ever went to a webpage in IE and a box popped up asking if you wanted to install 'spyware.omg.kill.computer'? NEVER. EVER. In my LIFE. Internet Explorer is a piece of crap. Microsoft needs to stop pretending IE is worth half a shit (please excuse the language).

    Microsoft needs to get their crap together and build a web browser with security as the primary focus. Forget UX (User eXperience) and all that other fancy crap, just get the code secure and then work on the beautification.

    My two cents.
    -rico
  • Re:Fun Facts Time! (Score:5, Insightful)

    by Anonymous Coward on Monday December 20, 2004 @11:29PM (#11143808)
    (Beaten? No. Firefox is a success, so far. And... Microsoft is the arch-enemy of many on slashdot.org because they aren't as programmer-friendly or techie-friendly as other vendors, and they happen to be a colossal, market-dominating company, which makes their lack of programmer-friendliness more aggravating (if they were just a niche company, it wouldn't be nearly so bad, because they wouldn't be a constant irritation, just an occasional one).

    They have had a sketchy track record with security, but, until recently, they haven't really cared, so you can't blame them for just now trying to come up to speed. Besides, software is complex. Linux has bugs. IE has bugs. Firefox has bugs. Windows has bugs. The better developer is the one who can patch their bugs more quickly without breaking other things in the process (sometimes Microsoft is first to the punch, but they don't seem to always test their patches thoroughly).

    They also are a damn good business. Many computer hobbyists really dislike the idea of large businesses being heavyweight players in their field of interest, because it means a stupendously-increased prevalence of things like patents, trade secrets, proprietary interfaces, non-disclosure agreements, and licensing fees.)


    There are a few points I have to raise with this:
    Mirrors are a *good* thing. The only thing that should possibly be changed is that links to mirrors should all have .mozilla.org in the name (for example sg-depaul.mirror-firefox.mozilla.org).

    I've never seen firefox spit out dialog boxes like that before. I don't know what this guy did (what variant of Windows is he running on this Virtual PC, exactly?), but, I've installed many versions of Mozilla and Firefox to many different operating systems and can't recall seeing any bizarre things like that since the beta / pre-1.0 days.

    Signed software is a good idea, but, MD5 hashes aren't a bad alternative for people who aren't willing to shell out cash. Since he proclaims that IE is very good about checking the identity of files it opens, perhaps IE should include a plugin to check a file against its .md5.sig for the millions of files on FTP servers that have md5 signatures available.

    "Install Now" shouldn't be the default, I agree (except perhaps if it comes from a known trusted domain).

    He implies that there shouldn't be a "Do not ask me this again" option for "Are you sure you want to run this random downloaded executable?" I think this is perhaps a useful feature (what about trusted corporate environments where Firefox only accesses internal sites?) for saving a few seconds, although maybe putting the option in a config file somewhere would be wiser.

    Flash is also _not_ an extension---it's a plugin. Perhaps Firefox does need a plugin manager; he raises a good point with that.

    He also doesn't seem to understand the concept of extensions. Firefox is an attempt to just focus on streamlining the main part of webbrowsing, and leave it up to side projects and third-party developers to add little features via extensions; it's more of a community thing than an all-from-one-vendor thing, so of course a lot of good extensions come from other vendors. If he doesn't trust a certain vendor, he should test an extension under a different user who has no access to anything important, use a personal firewall that handles both incoming AND outgoing connections, and/or use an operating system that can lock a program into just a subtree of the filesystem (I don't know if NT or 2K can do this, but UNIX can chroot, and VMS can do even more specific things than this).

    I also like this: "If a bad guy can persuade you to run his program on your computer, it's not your computer any more." IE comes packaged with Windows. It's hard to remove from it. Things stop working if you try to remove IE from windows. I don't trust the writers of IE. So, based on what he says, my computer is only mine if it's not running Windows---sounds good to me!!
  • by Anonymous Coward on Monday December 20, 2004 @11:33PM (#11143831)
    A marvelous, lengthy, and irrelevant post. Torr's point was not that you should not trust Mozilla but that you have no way of knowing that what you are downloading was created by them. It's an unsigned binary from an unknown host. Mozilla should know better and sign it.
  • by lachlan76 (770870) on Monday December 20, 2004 @11:34PM (#11143845)
    You should read some of the comments...the main article is nothing.

    However, in the end, until the OS flat-out refuses to install any application, plug-in, etc. that is not code signed (with no ability to override), we will continue to have trust problems.


    What scares me most is that these people are probably designing the OS that >90% of the world uses.
  • Re:Yeah, right. (Score:5, Insightful)

    by CyberBill (526285) on Monday December 20, 2004 @11:35PM (#11143853)
    Obviously you dont have a lot of experience teaching computer-idiot people how to do basic things...
    They dont know what "IE" is. They dont know what "Firefox" is. And the worst part is they dont care.

    I do exactly what parent said, install Firefox and remove all IE icons, and tell them the icon to get on the internet looks different now. :P
  • Re:Yeah, right. (Score:5, Insightful)

    by gwernol (167574) on Monday December 20, 2004 @11:38PM (#11143871)
    Well, it's called "Internet Explorer". It's got the keyword - internet. That's what they're looking for. How in the nine hells are they supposed to know what "Firefox" is (most of them do not read the times). Firefox is not an intuitive name. It gives the average person absolutely no idea what it does by just looking at what the name is.

    I'm not totally convinced by this argument. After all what does an "iPod" do? Does a "Ford Focus" give you a very sharp river crossing? What on earth has "Google" got to do with searching?

    There are ways other than naming to successfully reach a broad consumer market. Firefox isn't a bad name: its reasonably memorable and its very different from IE which is an advantage for building the brand.
  • Re:Yeah, right. (Score:5, Insightful)

    by Vaughn Anderson (581869) on Monday December 20, 2004 @11:38PM (#11143874)
    How in the nine hells are they supposed to know what "Firefox" is (most of them do not read the times). Firefox is not an intuitive name. It gives the average person absolutely no idea what it does by just looking at what the name is.

    Amazon
    yahoo
    msn
    google
    etc...

    None of these mean anything but they are all sucessful none the less. It's just a marketing issue.

    "HEY GRANDMA!!! Try the NEW and _improved_ internet! It's called Firefox, blazing hot internet!!" :P

    Besides whenever the 'internet' comes up in a conversation I point people to mozilla.org, not only for their sanity but also their security. They will do the same after they experience no popups and no spyware. Word of mouth will make this spread to the next generation. Maybe the grandma's won't use it but in ten years, that will be a whole new ballgame.

  • Re:Yeah, right. (Score:1, Insightful)

    by Anonymous Coward on Monday December 20, 2004 @11:44PM (#11143916)
    True, I renamed Firefox to "internet" for my mother, I love the logo and stuff, but really, how about like Internet Fox :P~.. Or just make the icon on the desktop say "Browse the Web with firefox" or "Browse the Web" or "Firefox Web Browser"

    better do it before Microsoft have a trademark on the word internet or browser
  • by Sax Maniac (88550) on Monday December 20, 2004 @11:45PM (#11143921) Homepage Journal
    I think it would be great if Moz got a certificate, or signed themselves. Great, because I know what that means. They have enough money from the fundraiser, do it, and stuff this guy.

    But clearly, users don't give a shit.

    Ever install any freakin' piece of hardware on Windows? Nothing is signed. I've seen printed instructions that show a pretty picture of the unsigned-code warning dialog box, and tells the user to press the yes please install this dangerous driver that might destroy my computer button.

    This is not from Bob's Network Adapters 'n Peat Moss. This is Samsung. Lexmark.

    So, as far as Joe Average is concerned, that dialog box is just another stupid thing getting in the way of scanning these nice pictures to send to Aunt Tillie. He's being trained to ignore security warnings.

  • by aussie_a (778472) on Monday December 20, 2004 @11:56PM (#11143999) Journal
    If you want to talk about facts don't link to a geocities website. Any website on geocities is untrustworthy as to how reliable the information is in my opinion. I'm sure that isn't the only website that has the information, so it's ridiculous to link to something as unauthoritive as that.
  • by brandonp (126) * <brandon.petersenNO@SPAMgmail.com> on Monday December 20, 2004 @11:59PM (#11144024) Homepage
    The subtle point that I'm getting from Peter Torr is that, you can trust Internet Explorer more because it is already installed on your computer. If you buy a new computer, it should already have IE on it and you can avoid the "scary" problems he lays out.

    He knows that Firefox isn't going to be installed by default on new computers anytime soon, and you have to download it for all your older computers. So the 'trusting where your download from' issue will be there up to the point when they release their next browser in Longhorn of 2006 (well, maybe 2006).

    So, this will be an issue that they will attempt to exploit in the meantime, as they try to catch up in the other areas that they lag. They have so few other advantages to go on, this will probably be one of their primary ones. The only other advantage they appear to declare, is that they can run the ActiveX packages out there. It seems to be a well thought out piece of FUD.

    I personally don't think it would work. Especially when the community finds a way to elegantly tackle most of the issues that he laid out.

    --
    Brandon Petersen
    Get Firefox! [spreadfirefox.com]
  • Re:Yeah, right. (Score:3, Insightful)

    by Vaughn Anderson (581869) on Tuesday December 21, 2004 @12:05AM (#11144074)
    amazon, google, msn, yahoo, etc are all web pages. something you can easily bookmark or even set as your home page. Programs are a whole different story. why should I run this firefox thing?

    What's a bookmark? What's a webpage? What's an application? If people think the internet is inside of a blue "e" none of these kinds of issues matter, they just need to know where to click.

    It's name recognition, that's all. Once they know that if you click on the pretty fox icon instead of the blue "e", that's all the matters. If the general public can learn that a big blue "e" means the internet, then they can learn another way, especially after the 3rd time of bringing their box to Best Buy and paying $150 to some techno-snobish teen to clean off the spyware and viruses.

    Getting these people to download and install Firefox, that is the real challenge.

  • Re:Yeah, right. (Score:5, Insightful)

    by Fnkmaster (89084) * on Tuesday December 21, 2004 @12:10AM (#11144100)
    WTF are you talking about? FF tells you clearly when a site is trying to install an XPI file, you just have to click the Allow button on the yellow bar on top of the page to whitelist the site before it will be allowed to prompt you for XPI installation.

    This was done as a security measure to prevent malicious attempts to install unwanted (spyware) XPI files on sketchy sites, which started to happen. I wish to god IE would do the same thing with Browser Helper Objects, and any ActiveX objects for that matter.
  • by blanks (108019) on Tuesday December 21, 2004 @12:12AM (#11144109) Homepage Journal
    "Of course, the obvious question is 'Do I trust Firefox less than IE?'"

    No, asking your self this question is just down right stupid. This is the same as saying I do not trust something, but accept that level of trust because one of your other options is less trustful.

    If you can't trust something DONT trust it. Im fucking suck of this American style of thinking our goverment and the media has us stuck on, the fact that if you have only shitty choices (presidents, tv, music, etc) then you should only choose from the shitty choices.

    In fact the best choice in most cases is to not choose at all.
  • Re:Yeah, right. (Score:2, Insightful)

    by TechniMyoko (670009) on Tuesday December 21, 2004 @12:14AM (#11144132) Homepage
    the easiest solution is to send all email back to him, telling him NONE will be sent till he cleans his box. Dont keep holding the guys hand, slap the mofo
  • by fzammett (255288) on Tuesday December 21, 2004 @12:14AM (#11144133) Homepage
    I have posted on numerous ocassions my less than glowing feelings about Firefox. I run IE (well, to be fair, Maxthon) and am very happy doing so, haven't had problems in I don't know how long, and just in general I'm not especially thrilled with Firefox.

    But this blog entry is beyond ridiculous.

    First, I have installed Firefox on a number of ocassions, recently and beta builds in the past. I have done so on a couple of different versions of Windows, a few Linux versions some of which were running under VMWare. I have NEVER had ANY problem installing it. Certainly I've never seen a blank dialog like this guy claims to have.

    He raises some interesting concerns about the download locations I think, legitimate concerns, but beyond that it's a bunch of obvious FUD drivel. The security warning dialogs he mentions, while legitimate issues for novice users, are a result of the way IE handles potentially unsafe content, NOT the fault of Firefox. I would bet most people downloading a new browser can probably handle these dialogs without too much trouble, and again, they are from IE, not Firerox. He's right, signing the Firefox download wouldn't be a bad idea, but it's hardly the big deal he seems to think it is.

    Look, I think there are legitimate gripes about Firefox (just like there are about IE by the way)... I don't think either side needs to be making stuff up. I find myself sometimes defending MS against what I see as unfair assessments by the OSS community, but seeing posts like this blog entry makes me feel like an ass for doing so. BOTH sides need to be mature and compete fairly, may the best product win. It's annoying when crap like this sneaks through.
  • Re:Fun Facts Time! (Score:3, Insightful)

    by spitefulcrow (713858) <sam@dividezero.net> on Tuesday December 21, 2004 @12:17AM (#11144151) Journal
    "If a bad guy can persuade you to run his program on your computer, it's not your computer any more." Your point about that is valid. What I find more amusing is that it only holds true for operating systems that a) don't distinguish between normal users and administrators and b) don't have real filesystem permissions. If bad guy X persuades me to run his program on one of my Linux boxen, it's not going to be able to do much other than trash my /home without me giving it root permission, which hopefully I won't be stupid enough to do. Whereas in Windows, the default user IS the superuser. Bad guy X can then hit any number of holes related to ActiveX and whatnot in IE to put his program on the computer and do whatever he wants. So I guess TFA's assumption holds true as long as you're running an MS-built operating system instead of a UNIX.
  • by kscguru (551278) on Tuesday December 21, 2004 @12:35AM (#11144262)
    Do you really think that my mom is really going to go through the trouble of downloading a text file (which does not end in .txt), opening it, using a tool that generates an MD5 signature (and that does not come standard on Windows) and comparing strings of 32 characters?

    Doesn't matter. Fact is, if even 0.1% of the downloaders check, any compromised original will be detected in just a matter of minutes - hours at the worst. Mother at home will grab it... then the media the next day will loudly announce the problem, the antivirus companies will tear the binary apart and release updated signatures in a few days, and her virus scanner will tell her about the problem in about a week. This does assume she runs a virus scanner... but if she doesn't, she's probably compromised already.

    What the Slashdot crowd seems to be missing is that we don't need everyone to follow the MD5 signature. We just need an informed and vocal minority - e.g. Slashdotters - to detect the problem and pick up the pieces afterwards.

  • Huh? (Score:5, Insightful)

    by pherris (314792) on Tuesday December 21, 2004 @12:41AM (#11144297) Homepage Journal
    First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/

    What, like www.windowsupdate.com [windowsupdate.com] points to v4.windowsupdate.microsoft.com?

    Firefox isn't perfect but please, bitch about one of it's few real problems and some bullshit ones. Someone please show Mr. Torr a clue-by-four please?

  • Re:Fun Facts Time! (Score:5, Insightful)

    by taylortbb (759869) <taylor.byrnes @ g m a i l . c om> on Tuesday December 21, 2004 @12:44AM (#11144310) Homepage
    I don't like Microsoft, and I think Firefox is excellent, but this guy does have a point with the code signing.

    Why isn't Firefox's code signed by VeriSign? It may seem frivolus but the average user wont MD5 it until hell freezes over.

    http://www.verisign.com/products-services/security -services/code-signing/digital-ids-code-signing/in dex.html [verisign.com]
    There, its $695 dollars for the premium version with a $50 000 gurantee. The Mozilla foundation can afford that. And it really would re-assure those non-tech users. It may not matter for us geeks, but it can only do good, so we might as well.
  • Trust IE more? (Score:5, Insightful)

    by dantheman82 (765429) on Tuesday December 21, 2004 @12:47AM (#11144334) Homepage
    I'm a Student Ambassador to Microsoft, and promote VS.NET on campus. I think this guy is quite nieve (even if from Microsoft) or being deceptive. A few pointers:

    1) At least when you post, do a similar comparison between both browsers. I want IE so when I search Google for download internet explorer, then the first link is "www.microsoft.com/ie/" which REDIRECTS me to http://www.microsoft.com/windows/ie/default.htm which again REDIRECTS me to http://www.microsoft.com/windows/ie/default.mspx

    Can someone tell me if that is the same Internet Explorer? After all, Microsoft is a big company. I just wanted the regular IE.

    2) Watch what you quote - when you wisely point out that Secunia [secunia.com] has found (gulp!) 3 security advisories, did you know that only one was moderately critical and the rest were minor? Then, I noticed the advisories for Internet Explorer 6 (the most secure IE browser) - only 53 advisories from 2003-2004 (same timeframe), of which 42% (or around 24) were either highly or extremely critical! Oops, let's not compare using that website.

    3) Then, there's the whole issue with downloading extensions - when I click on a link to download my XPI (no clue what it is, as naive user), it waits a few seconds (no surprises) and then asks me to install now or cancel. Oh, and horror of horrors, the Install Now is default! That's what I wanted anyway...and this isn't ActiveX that installs/runs immediately or whenever, but explicitly states that it starts on restart of Mozilla. So, I can even uninstall before reloading Mozilla if I have second thoughts! Hmm, sounds secure to me.

    4) I've seen too many web sites that have Versign and a bunch of other BS images that give me no more trust than another site without them. So, I create a spoofed website with Verisign pictures and have no problem fooling users. But with a Firefox plugin, I'll know I'm on a spoofed website. Personally, word of mouth is the biggest way to increase trust, and that's why I recommend Firefox using word of mouth the most - I'll tie my name to Firefox because I use it and trust it. (Even carry it on my USB drive).

    5) Why not fight for some real change and migrate AWAY from ActiveX controls and Microsoft-specific mangled HTML code (and even links) that I can't even run in Firefox? And build in some Firefox-like security rather than pretending the fire is under control!
  • by rinkjustice (24156) <rinkjustice.NO_SPAMrocketmail@com> on Tuesday December 21, 2004 @12:48AM (#11144340) Homepage Journal
    Firefox has been the darling of internet news media lately, not just on the internet but on television and print too, and all for free. Even grandma - who with her one good eye uses the internet for her genealogy - knows Firefox by now.

  • Re:Yeah, right. (Score:3, Insightful)

    by bladesjester (774793) <{slashdot} {at} {jameshollingshead.com}> on Tuesday December 21, 2004 @12:55AM (#11144379) Homepage Journal
    I keep getting this answer. Keep in mind that I do agree with it. Renaming the shortcut does work.

    However, there's a problem with this. What about the people that don't have someone to do that for them be it relative or IT person? The ones that just buy a Dell, Gateway, etc and go from there. These are the same types of people that don't apply patches because they either don't know about them or don't care because the computer "just works" the way that it is.

    And the people you rename it for can't tell their friends about the program because they now have absolutely NO idea of what it's name is because the shortcut is labeled "The Web" so that they know what it does.

    It's sort of a no win situation...

    Until you get to the "problem" people, you're still going to have a problem.
  • Re:I agree ... (Score:5, Insightful)

    by Enrico Pulatzo (536675) on Tuesday December 21, 2004 @12:59AM (#11144412)
    Did you even read the freaking article? The author didn't say "Don't use firefox, they encourage bad behavior." He had legitimate points. If firefox wants to sell security, they need to appear secure. Not having the installed signed isn't a good marketing tactic. If I didn't know what I was doing, I wouldn't be installing firefox for the same reason the author brings up. It annoys the crap out of me that most (if not all) plugins aren't signed by their authors. Do you really think that just because nothing bad has happened yet that the good times will continue? That's foolishness. Firefox needs to be perceived to be at least as secure as IE. This article points out that the perception of firefox's security is less than IE under SP2. Stop being a blind zealot and start being realistically critical.
  • by fishbowl (7759) on Tuesday December 21, 2004 @01:02AM (#11144436)

    "Why can't they just whip themselves up a self signed root CA with openssl, call themselves the firefox signing authority, and use it to sign extensions that way?"

    They can, and they should. But this is perceived in the marketplace the same way as you setting up a folding table on the street corner with a cashbox and calling yourself a "bank."

    Verisign got early market mindshare. I was urging people, such as my employer at the time (a large internet service provider on the west coast who I will not name but whose color was Purple), but nobody seemed interested in setting up a CA when the timing would have been perfect.

    All anyone seemed to care about in those days was that the little gold key icon lit up in the Netscape window :-(
  • Re:IE? (Score:2, Insightful)

    by mr_walrus (410770) on Tuesday December 21, 2004 @01:06AM (#11144460)
    i already have been making a habit of downloading executables and
    md5 summs from DIFFERENT mirror sites when multiple sites are
    available.

    not sure it really improves security, but it gives me a warm fuzzy
    feeling... oh wait, that's my bladder again
  • Re:Fun Facts Time! (Score:5, Insightful)

    by Theatetus (521747) on Tuesday December 21, 2004 @01:14AM (#11144504) Journal
    Visual Studio is widely renowned as the singular best programming environment there is

    You've obviously never used slime on Emacs. Come to think of it, unless you feel like doing everything in basic or C++, Visual Studio pretty much sucks...

  • Re:I agree ... (Score:5, Insightful)

    by Feztaa (633745) on Tuesday December 21, 2004 @01:21AM (#11144550) Homepage
    Installing Firefox requires downloading an unsigned binary from a random web server

    Huh? I got firefox on my distro's CDs. CDs which passed:

    * bittorrent's inherent hash checks
    * an md5sum comparison from the official distro's website
    * gpg signature on the ISOs

    as well as the subsequent updates to the browser that were downloaded from the distro's official yum server and had a valid GPG signature.

    What were you saying about unsigned, unverified, untrusted code?
  • by Brandybuck (704397) on Tuesday December 21, 2004 @01:26AM (#11144574) Homepage Journal
    I hate to break it to you, but any site found on the internet is untrustworthy.
  • by mvdw (613057) on Tuesday December 21, 2004 @01:34AM (#11144604) Homepage

    I agreed with you, up until this:

    BOTH sides need to be mature and compete fairly, may the best product win.

    Why does one side need to "win"? 50/50 market share (or close to it) would be ideal for everyone, surely?

  • by rabbit994 (686936) on Tuesday December 21, 2004 @01:48AM (#11144671)
    Download the source, check the source for whatever your curious about and COMPILE IT YOURSELF. If your that untrusting, then you can be as paranoid as you want. Besides, last time I downloaded "trusted" IE software, I got some spyware....
  • by emmenjay (717797) <[ua.moc.piz] [ta] [yajnemme]> on Tuesday December 21, 2004 @02:13AM (#11144778)
    The general tone fo responses to this article is somewhat alarming. It mostly consists of "how dare they criticize us?".

    Let's make no mistake: IE is a mess and does a lot of things wrong. Firefox makes a fairly good attempt at avoiding IE's errors. However that doesn't mean that it can't be making other mistakes.

    The original article is by a MS employee, and there is no doubt that he has his own agenda. Notwithstanding that, he's made some valid criticisms and to ignore them would be downright stupid.

    I guess that the use of mirrors is unavoidable. Given the demand for Firefox, it could not be hosted in a single place. However it does create a possible security problem. How does a (possibly non-technical) user know that a mirror is safe? This is particularly troublesome if the mirror has only a numeric address (like 207.126.111.202).

    If any mirror is untrustworthy, they could easily produce a hacked version of Firefox and distribute it widely.

    There are many possible approaches to this problem, but it is certainly worth some research. Users need to know that they are getting a safe version of the software.

    The dodgy dialogs sound like bugs. Rather than getting offended, it would be better to contact the author and try to repro the bugs. Maybe the bugs are in IE or in Virtual PC, but they might be in Firefox. It would be foolish to say that Firefox has no bugs.

    One of the biggest criticisms of MS is their arrogant (lack of) response to user feedback.

    Let's not be like them.

  • by Aractor (710862) <Aractor AT gmail DOT com> on Tuesday December 21, 2004 @02:24AM (#11144821) Homepage
    Just go search for any random Rom, porn, or warez site on google in IE. You'll have yourself enough popup messages in 5 minutes to last you a life time. ;)
  • Re:I agree ... (Score:5, Insightful)

    by boodaman (791877) on Tuesday December 21, 2004 @02:28AM (#11144837)
    If you want to discuss pre and during installation, then you need to discuss the browser he was using for the "pre" and "during" steps and that's IE, not Firefox.

    I only scanned the article quickly (its late), but it seems to me his points are all from the perspective of what "we" think is correct. The "we" being Microsoft. Is Microsoft correct? Debatable. He also is quick to point out problems with mirror sites (his gripe about the 403, for example), and does so in such a way as to imply it is Mozilla/Firefox's fault, when it obviously isn't.

    Mirror sites are not controlled by the primary vendor. When you consider all of the software downloaded every day from mirror sites (iBiblio, all of the Apache mirror sites, etc) without issue, I'd say beefs about mirrors and not recognizing FQDNs are irrelevant. That leaves his points about signing the code.

    When you consider other ways you can verify code (he never once mentions doing a MD5 checksum and verifying the result, for example), I consider his further points about verifying the code to be almost non-issues as well. Is signed code automatically trustworthy? IE is signed code...do you trust it? I don't. So what does the signing do for me?

    He also gripes about Firefox's preferences and settings not being in the same location as IE's (his remarks about Tools->Options, etc), yet never points out where to actually find the settings.

    All in all, his article doesn't impress me one bit from a debate perspective. It only makes "sense" if you are him: an employee of Microsoft who wants to imply, using open-ended questions and personal innuendo, that anything other than Microsoft is dangerous and risky.

    I think it is ironic that he gloats about what his team is doing. How long did it take them? Years. How long did it take Microsoft to get SP2 out for XP? Years. Yet his article acts like the state of Microsoft's software today (fully patched, because retail versions don't have the updates) is the state its always been in, which is false.
  • Re:Fun Facts Time! (Score:5, Insightful)

    by MrLint (519792) on Tuesday December 21, 2004 @02:33AM (#11144851) Journal
    Frankly i dont need verisign (that company that tried to redirect all non existent web domains to its own site) to tell me whats good or not. Verisign is equally as much of a problem.
  • Re:I agree ... (Score:5, Insightful)

    by TheSpoom (715771) * <[ten.00mrebu] [ta] [todhsals]> on Tuesday December 21, 2004 @02:37AM (#11144869) Homepage Journal
    Just to state the obvious, I'll just give a rebuttal to some of these statements.

    Installing Firefox requires downloading an unsigned binary from a random web server

    It's a web server that mozilla.org directs you to. If you're downloading Firefox, you need to trust mozilla.org. Likewise, if you're downloading Internet Explorer, you need to trust microsoft.com.

    Installing unsigned extensions is the default action in the Extensions dialog

    There's also a two (three?) second timeout and this dialog only appears when either the site is whitelisted by default (only updates.mozilla.org is) or by the user, or if the user clicks the yellow bar at the top to specifically access this dialog.

    There is no way to check the signature on downloaded program files

    Boo hoo. Authenticode isn't that big of a deal when ActiveX isn't turned on in the first place, considering that that's where 95% of Authenticode is used.

    There is no obvious way to turn off plug-ins once they are installed

    This one is just uneducated. Tools -> Extensions. Wait... that's, um, more obvious than IE. Oh well, someone wasn't wearing their glasses.

    There is an easy way to bypass the "This might be a virus" dialog ...

    There is an easy way to do that on IE as well. It's called clicking Run. Seriously, you're going to quibble over IE having one more warning than Firefox? Go develop a decent browser first and call me when you do. ...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

    This statement is built upon previous assumptions that are false (such as Firefox being downloaded from a "random website", see above). Firefox is demonstrably more secure than IE and has far fewer vulnerabilities [secunia.com] than Internet Explorer [secunia.com].

    To the Microsoft employee who created the original article: Rather than trying to convince people that something they know is inferior that it is not, why don't you try to make it... not inferior? Innovation speaks louder than marketing. Surely you can do better than a bunch of geeks spread across the globe, right?
  • Re:Yeah, right. (Score:2, Insightful)

    by ytpete (837953) on Tuesday December 21, 2004 @03:05AM (#11144974)
    The average user should not have to "know how to use IE" to do things like that. You act as if this is an important feature, but it's actually a flaw in the browser that such traps exist at all.
  • Re:Fun Facts Time! (Score:3, Insightful)

    by dcocos (128532) on Tuesday December 21, 2004 @03:09AM (#11144987)
    Actually as someone who recently moved from a use what ever editor you like as long as Ant still ran. To a VS environment I would have to disagree. Eclipse is a great dev env, it has things like knowing that if you change a method signature where you are going to screwed over, if you change an member var name it will ask about updating all of your getters and setters and where they are called, it has some level of built in versioning that understood method changes apart from your just plain edits that also allowed for undo beyond control Z couple that with real CVS integration and you have a kick ass system. VS doesn't even integrate with Source Safe well.
  • Re:I agree ... (Score:5, Insightful)

    by Too Much Noise (755847) on Tuesday December 21, 2004 @03:17AM (#11145019) Journal
    If firefox wants to sell security, they need to appear secure.

    That was his argument, alright. Appear secure. Sell security. Yep, that's what MS is doing, too - selling products that appear secure. They'll be selling Palladium next, too. Not that it would be a lot of help, but that's not the point, as it's pretty much meant to help their bottom line.

    This is by now already redundant, but a signed binary is nothing to the average user. Heck, Verisign means nothing to the average user, either. They will happily check the "always trust" option for self-signed AX controls without wondering what it means.

    On the other hand, if you do understand a little about security, you have the option of getting the (in this case win32) binary together with the .asc signature from ftp.mozilla.org [mozilla.org], then get gpg, import the appropriate key from a public server, verify the signature and, if matching, run "Firefox Setup 1.0.exe" to install a verified, trusted version of the program.

    I agree, however, that unsigned extensions don't seem trustworthy. However, until some peer review mechanism is adopted for "official extensions", this is again a rather moot point. Do you trust an extension that's signed by foo@bar.com? even if this is somehow endorsed by mozilla.org (key signing, etc.) how do you know that foo does follow at least minimal security practices? and so on. It all depends on your paranoia level. Luckily, with javascript extensions, at least some people have the time/interest to unpack it and pore over the code to make sure it isn't trojaned. For stuff like flash, you have to trust the vendor, which makes it about on the same level of 'security' as claria et al.
  • Re:Yeah, right. (Score:3, Insightful)

    by Buran (150348) on Tuesday December 21, 2004 @03:18AM (#11145023)
    It has one, in prefs -- Advanced section in my copy, which is a recent one.
  • by Jugalator (259273) on Tuesday December 21, 2004 @03:36AM (#11145076) Journal
    They ask themselves who you can trust Firefox when they haven't answered: How can I trust ActiveX?

    In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download.

    An ActiveX control with no signature can also be harmless and useful. Most are actually unsigned and most aren't spyware-related. And I'm sure companies like Gator, or whatever they're called today, have already made the money to be able to sign their ActiveX controls. I can't see how these are related to security at all. It's more related to money than anything else.

    How are you supposed to tell which are harmful or not until after they're installed? Wouldn't it be best to make them able to do less? You don't *have* to use ActiveX for stuff like Windows Update hardware identification. Why not replace it with a standalone installer app?
  • by AmberBlackCat (829689) on Tuesday December 21, 2004 @03:37AM (#11145080)
    Any website on geocities is untrustworthy as to how reliable the information is in my opinion.

    No, it's okay. The geocities page was digitally signed.

    End User License Agreement

    i. By reading this text, you agree to mod it as insightful due to its illustration of the problems with the argument against unsigned media.

    ii. By reading this text, you further agree that it is relatively entertaining material, given the number of hours the posting individual has been online without rest, before contriving the post.

  • by Alan (347) <arcterex@@@ufies...org> on Tuesday December 21, 2004 @03:52AM (#11145132) Homepage
    This is of course assuming that the program lets itself be uninstalled. Because it's installed as a "normal" program, it controls it's own uninstall behaviour, and as we all know spyware always lets you uninstall it (note for the sarcasm impared... it doesn't).

    Firefox's extensions however seem to be controlled totally from the browser itself, which means that the browser controlls what's installed and uninstalled, and therefor is theoretically safer. Of course anytime that you allow third party sites to install software there's always a danger that someone'll write something nasty, it just seems a little safer with Firefox.
  • Re:I agree ... (Score:3, Insightful)

    by araizen (810918) on Tuesday December 21, 2004 @04:13AM (#11145219)

    "Cogito cogito ergo cogito sum (I think that I think, therefore I think that I am.)"

    Bad Latin. You mean "Cogito me cogitare, ergo cogito me esse".

  • by leuk_he (194174) on Tuesday December 21, 2004 @05:01AM (#11145376) Homepage Journal
    Why isn't firefox a signed application? Well first there is the technical point: You can buy a verisign certificate, but it only tells You are the mozilla corporation. It does not tell you that all the source in firefox is OK. It is nothing more than a fancy MD5 hash. And i wonder if a signed executable is portable to other OS'es?

    But then who is going to apply the ditital signature, is there still someone who understands ALL of foxfire's code? No jsut as there is noone who understands all of i.e. code.

    Do you trust mozilla foundation more than MS? As ptorr explains there is no reason to. So what is this signature worth in the end?

    But he does have SOME valid points.
  • Re:Yeah, right. (Score:3, Insightful)

    by Spy Hunter (317220) on Tuesday December 21, 2004 @05:15AM (#11145420) Journal
    Yes, making things hard is a great job. Running random code should be hard because the consequences can be disastrous. As soon as you allow some code to run it has complete and total control over your computer. Unfortunately, users don't understand this. They judge the consequences of an action by the difficulty of performing that action. Therefore actions with big consequences should be hard to perform so that users don't perform them flippantly or accidentally.

    Why would you uncheck "Allow websites to install software"? The whitelist is already plenty secure, as we have just been discussing. If you uncheck that box on purpose, then you have no right to complain when Firefox doesn't allow you to install Flash from the web. Of course, an error message would be nice, but the plugin installer has always been flaky; it is one of the worst parts of Firefox IMHO. Hopefully it will be fixed up in 1.1.

  • 1 very good reason (Score:4, Insightful)

    by polyp2000 (444682) on Tuesday December 21, 2004 @05:29AM (#11145466) Homepage Journal
    People in glass houses should not throw stones - perhaps they should ask the question how to repair the loss in trust people have in IE before casting uncertainty about other browsers.

    Here one very good reason why we can "trust" firefox over IE

    We have the source code - and as such it gives confidence that the firefox team have no evil to hide - and that any software bugs can be repaired by anyone who cares.
  • Re:Fun Facts Time! (Score:3, Insightful)

    by the angry liberal (825035) on Tuesday December 21, 2004 @05:52AM (#11145512)
    Verisign is equally as much of a problem.

    So? Just because a school may be flawed, that is no excuse not to get a degree.

    If FF wants to be a real player, it has to play by the established rules many organizations follow.

    I know of quite a few firms, financial institutions, and state government offices which do not allow employees to use anything other than IE; much of the reasoning coencides with what this article is saying. They all use intrusion prevention services and just have the helpdesk clean up the occasional mess caused by a sneaky spyware install or virus infested laptop trying to vpn in. This, in conjunction with AV protection (which you need regardless of IE), make for a feasable solution to these guys. They aren't getting hacked into, the employees don't worry about their workstations and the companies go make money like they should be focused on doing.

    Even the lowliest of helpdesk personnel had best know how to remove any spyware which exists. I know this is mostly a Linux board, but some of us started with Linux and had to learn Windows so we would understand the IT world better so we could move above the limitations imposed by a "wINDOWS THE SUCK. LOONIX RULEZ!!!" mentality. Back to the topic at hand: There are only a few places in the Windows registry where Spyware and other malware can load upon boot and from the browser. It takes about a minute to flip through them all, disable the ones which don't have anything "extra", remove the associated files, reboot.

    I know, I'll get modded a troll even though I just made clear a rare point on /. that spyware is tremendously easy to defeat. Keep that in mind when the next "intelligent linux guy" comes out and says he had to reinstall Windows over spyware. Then think about it, all the guy had to do was hit Google for a few minutes and his problems would have been solved. But no, he approaches it like a moron since he just because he wants to use a product he refuses to learn. But hates the product, yet appears to be hooked on using it.

    Fix those registry entries here: HiJackThis [spychecker.com] (that is, if you work with Windows and are too lazy to RTFM)
  • by bhima (46039) <Bhima DOT Pandava AT gmail DOT com> on Tuesday December 21, 2004 @05:58AM (#11145529) Journal
    Please let me summarize this rant: Corporations just don't give a fuck about anything but making money.

    Yeah... you're right.

  • by master_p (608214) on Tuesday December 21, 2004 @06:13AM (#11145577)
    No download is ever safe...people can put out malicious software under any name! if you search good enough, you will find versions of Microsoft Windows that are totally hacked to include zombie, spyware, ftp servers and anything you name in the installation!

    The empty Firefox dialog he showed has never appeared for as long as I use Firefox (from version 0.7 and onwards).

    I never had any problems with Firefox extensions, simply because I never needed one. The most important "extensions", popup blocking and the search engine bar are intergrated in Firefox.

    Microsoft must really feel the heat of open source software...some may say that Microsoft has the right to complain, just like the rest of the world is complaining about their products. The difference is that open source supporters complain because they like quality software and Microsoft isn't of the expected quality; Microsoft complains because it sees profits going down and market share lost...
  • Re:I agree ... (Score:2, Insightful)

    by markandrew (719634) on Tuesday December 21, 2004 @08:31AM (#11145936)
    "Innovation speaks louder than marketing."

    er, i think you'll find that marketing speaks louder. Betamax, anyone?
  • Re:Yeah, right. (Score:3, Insightful)

    by mausmalone (594185) on Tuesday December 21, 2004 @09:37AM (#11146234) Homepage Journal
    Here here! I mirror your sentiments exactly! The article spends a lot of time bitching about how Firefox doesn't do enough to disuade you from running stuff from the internet. Apparently, though, the only real difference is that in Mozilla, the default button is "ok" meaning "yes, do what I told you." He also bitches that it doesn't become active for a second or two, but it was easily ready to go when he finished reading the dialog. The point was to make you read the dialog instead of blindly clicking yes or no like almost every IE user out there.

    Other points:
    • Don't bitch about the "difficult" install process when I don't even have the option to remove your browser. I'm sure if your browser had any installation process at all, it would suck.
    • Don't bitch about it having bugs when running in VirtualPC. You're reporting stuff I've never ever seen, and I've installed on dozens of different computers.
    • Don't complain that users can mistakenly install spyware from Mozilla, when most of the spyware I get from IE arrives unnanounced through a security flaw with no option of blocking it. I don't like starting up IE for the first time in 3 months only to find that there's 7 or 8 spyware programs installed (even though I never use the thing).
  • Re:IE? (Score:1, Insightful)

    by Anonymous Coward on Tuesday December 21, 2004 @11:03AM (#11147009)
    It's circular in that only noticed problems are noticed problems (duh), but the fact that the only problem that was ever noticed was noticed almost immediately and never managed to do any harm is cause for optimism.

    As long as no long-standing, intentional security holes have been found in any reputable open source project, I'd say that the argument that "anyone could insert a security hole" is bogus. Not anyone can modify the code of "official" distributions, those who can are long-time contributors (not your random "anyone") and when accepting patches from other people, they verify the changes.

    Note that one previously closed project even had a long-standing backdoor exposed the moment it was open sourced.
  • Code Signin=SQUAT (Score:3, Insightful)

    by Chanc_Gorkon (94133) <gorkon@nOspAM.gmail.com> on Tuesday December 21, 2004 @11:30AM (#11147327)
    I trust MD5 Checksums more then I do a page that says it's signed by Microsoft, Verisign, or whoever. How many of us have to isntall drivers on Windows XP that pop up and say they are not certified by Microsoft? Utter crap. Code signing works the same was as trusting the website you download the code from. If you don't trust DePaul's website, then that's fine. If your really antsy about making sure what you run is absolutely the code being distrbuted by Mozilla.org, you have to know the MD5 Checksum that Mozilla got when it ran MD5. This also assume you put trust into the MD5 sumer you use. Trust is not something that can be readily handled by software. You can use tools to verify things, but if the tool is faulty and gives you the answer you expect, then it's possible you can still run code that is hostile. Even if you say but it has a Verisign certificate means nothing too because even the criminals can buy certificates or even steal valid ones. The only way you can be certain is if you download only from a web site you trust, or put your trust in the Mozilla project that they only have mirrors that they trust or that they verify are ok. Any of these situations or tools like MD5 sumers are not liekly to even be known by the semi computer illiterate. They also would not know or care about signed software either. They do what they do in real life....they trust IBM and other big companioes including Microsoft although Microsoft is gradually loosing their trust if they have not completely lost any trust they had. My brother has even switched to Firefox but not because of the security features.....he switched because of tabbed browsing and faster web page rendering.
  • WoW (Score:3, Insightful)

    by quakeroatz (242632) on Tuesday December 21, 2004 @12:34PM (#11148284) Journal
    He reviews the FF browser security and all he can talk about is binary signing?

    Is that all they have?

    This makes about as much sense as a Word review that criticizes scroll bar dimensions.

    Virtually irrelevant to the subject. It's great to hear MS whine about well executed free software, they truly have no ammunition against it.

  • by Anonymous Coward on Tuesday December 21, 2004 @02:30PM (#11149971)
    For reasons many others have pointed out, verifying the Firefox download is worthwhile. It allows you to make sure that the contents of your download are the same as that intended by someone at the Mozilla project, rather than an accidentally corrupted copy, or a maliciously changed copy.

    A few people have pointed out that there is a way to verify the Firefox download via GPG/PGP. How usable is this method, though?

    I am mainly familiar with GPG/PGP from apache.org and all the developer tools I download from there. Take ant.apache.org, for instance. Their "Binary Distributions" link goes to a page that begins with a suggestion to verify the download, a link to instructions on how to verify, and a link to the main distribution directory where the keys and signatures are available.

    So let's say I download Firefox and expect the same kind of experience. www.getfirefox.com takes me directly to http://www.mozilla.org/products/firefox/ where I am given a big "Free Download" link.

    Clicking the link immediately gives me firefox-1.0.installer.tar.gz from a mirror site, and my current Firefox browser prompts me to save it. So the download link doesn't point to anywhere with keys or signatures. The page text itself doesn't mention keys or signatures.

    Well, there is an "Other systems and languages" link, so perhaps that has a more detailed download page where the keys and signatures are. The link takes me to http://www.mozilla.org/products/firefox/all.html, where I am given a table of "Download" links for different languages and platforms. Clicking any of the "Download" links again immediately gives me the installer file for download rather than directing to a page that might have keys or signatures. And the whole download page has no text about keys or signatures either.

    The Firefox download experience seems to totally ignore GPG/PGP. I understand that the necessary info is accessible somewhere on the mozilla.org site, but the point is that the site doesn't relate the tasks of downloading the app and verifying it at all.

    Though you can argue that

    A) software publishers and users shouldn't buy into the whole commerical Verisign digital certificate thing and should instead use GPG/PGP verification, and/or

    B) automatic PGP/GPG verification by the program doing the download isn't necessary, or feasible to apply to every download program,

    I don't think you can argue that mozilla.org is effective at supporting PGP/GPG verification of the software it publishes.

    So why not:

    1. Have the mozilla.org site make the PGP/GPG verification of Firefox and other products as visible and clear as the product downloads themselves? They've done an excellent job with the download process, why not bring the verification process up to the same level?

    2. Work on a Firefox download feature that automatically attempts to PGP/GPG verify the download when a signature is available on the server? No matter how the Cancel/OK/Accept/Install/Ignore options are laid out or defaulted, the user would at least get worthwhile info. The browser would say that either "Hey! You have one of mozilla.org's keys and your download checks out according to them!" or "This download is signed by mozilla.org's keys, but you don't have any of them, maybe you should ask somebody for mozilla.org's keys and add them so you can check downloads!" or "This download isn't signed at all, maybe you should ask the publisher to get keys and sign it so you can check his downloads!" or "This download is signed by one of the mozilla.org keys you have, but it doesn't check out according to them, maybe you should check what site you are downloading from!"

"Our vision is to speed up time, eventually eliminating it." -- Alex Schure

Working...