
How Can I Trust Firefox?

Posted by timothy
from the how-could-anyone-trust-ie? dept.
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
  • Security? (Score:3, Interesting)

    by Canadian_Daemon (642176) on Monday December 20, 2004 @10:13PM (#11143150)
    what about md5 sums? have the install do a checksum of itself?
  • Why are blogs news? (Score:5, Interesting)

    by RobPiano (471698) * on Monday December 20, 2004 @10:13PM (#11143156)
    What surprised me most about this article, is that it's a blog posting where the guy asks a simple question: Why has Firefox not purchased a VeriSign code signing certificate? Why did the poster not take the time to state this very simple sentence?

    Well, regardless of the empty implications, the blog posting is not really that exciting. It is really an attempt for this guy to validate his existence as a guy who thinks about security stuff. His job is to say signing software is the only way to really be safe and this is exactly the kind of thing that makes sense when you hear it in a business meeting.

    Great, I just want two things from both parties. From the poster: I want an uneditorialized explanation digest linking to a story and from the Microsoft security expert I want actual statistics and case studies on the importance of code signing.

  • by AndyFewt (694753) * on Monday December 20, 2004 @10:14PM (#11143159)
    Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate [verisign.com].

    Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NYT article (I couldn't find the exact figure though).

    So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.
  • by Anonymous Coward on Monday December 20, 2004 @10:17PM (#11143186)
    I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.
  • The real question. (Score:3, Interesting)

    by Anonymous Coward on Monday December 20, 2004 @10:22PM (#11143228)

    How can I trust Microsoft?


    Even if I get a secure dl of Exploder, the company has always done what is best for its interests, with little regard for mine.

  • Re:IE? (Score:5, Interesting)

    by realdpk (116490) on Monday December 20, 2004 @10:23PM (#11143236) Homepage Journal
    It's happened before, within the last couple years. Unfortunately I can't find the reference to it. It wasn't Mozilla, it was some other software. Someone broke in to the CVS (or other) repository and made some change.

    There are solutions to this. PGP signing each patch would at least let you track down who submitted what. You'd probably need to grab the source as a set of patches, though, so you can individually verify each submitter's PGP key against their code. Ugh. :) Probably a better way could be devised, but as yet, none has been presented.

    One thing that amuses me is sites that include the MD5 checksum on the download page. Yes, because if someone got in and changed the tarball, they sure wouldn't even bother updating that MD5 string at the same time! ;)
  • He doesn't care. (Score:5, Interesting)

    by standards (461431) on Monday December 20, 2004 @10:24PM (#11143244)
    I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all

    He sure has a lot to say about something he doesn't care about.

    He does suggest that Microsoft code signing technology somehow controls adware and spyware. Sadly, it doesn't seem to work yet, given that my brother-in-law's rather new XP laptop was loaded with the crap.
  • by lewp (95638) on Monday December 20, 2004 @10:28PM (#11143277) Journal
    I'd rather they didn't waste the money. It's not like I trust who Verisign says it's from, anyway. Who knows how many more incidents like this [microsoft.com] have happened that we don't know about?
  • by Penguinoflight (517245) on Monday December 20, 2004 @10:28PM (#11143284) Homepage Journal
    I don't know anyone that trusts verisign. You'd think a security company would practice legitimate business, who would have guessed?

    Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.

    These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.
  • False security? (Score:4, Interesting)

    by zlel (736107) on Monday December 20, 2004 @10:29PM (#11143292) Homepage
    Personally I trust MD5 hashes more than certificates... certificates give me an impression of false security... after all, anybody can buy a certificate - or did I miss something?
  • Re:Yeah, right. (Score:5, Interesting)

    by Supertroll (210165) on Monday December 20, 2004 @10:31PM (#11143307) Homepage
    It now happens with Firefox too. One site I visited tried to force me to install an xpi extension complete with a "you must click yes" pop up box. Dismissing it still let me access the link however.

    However, when this happens with IE, you have to terminate the browser process to get out of the "you must click yes" mousetrap.
  • I agree ... (Score:5, Interesting)

    by wasted (94866) on Monday December 20, 2004 @10:38PM (#11143384)
    From the article:

    Installing Firefox requires downloading an unsigned binary from a random web server

    Installing unsigned extensions is the default action in the Extensions dialog

    There is no way to check the signature on downloaded program files

    There is no obvious way to turn off plug-ins once they are installed

    There is an easy way to bypass the "This might be a virus" dialog ...

    ...but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.


    Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefore, a successful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?
  • Random servers (Score:5, Interesting)

    by IO ERROR (128968) * <error@NosPAm.ioerror.us> on Monday December 20, 2004 @10:39PM (#11143390) Homepage Journal
    He's got a point though. I could volunteer my services as a random Firefox mirror and who's to know if I'm distributing doctored copies? And where's the digital signature? How can you trust that binary from 207.177.45.61?

    Now I know the usual answer is going to be "well you can download the source yourself!" or "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother. You see how they already clicked through IE's multiple warnings in order to get Firefox installed.

    I'll kick in $20 to Firefox if it goes toward a signing certificate.

    Before you mod this too far down, keep in mind I run Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041115 Superunicorn/1.0 (All your Firefox/1.0 are belong to Firesomething)

  • by TWX (665546) on Monday December 20, 2004 @10:41PM (#11143413)
    (Please pardon the elementary school essay feel of this)

    In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.

    In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosaic, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.

    In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.

    In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.

    Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.

    Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st
  • by QuantumG (50515) <qg@biodome.org> on Monday December 20, 2004 @10:44PM (#11143438) Homepage Journal
    Say I go download the source code for the FireFox search bar extension. Say I'm an ad company and I really wanna target my ads at FireFox users, so I'd like to know what they search for using the search bar extension. So all I do is put in some code that once a month sends the list of everything they searched for to my web site (say I have a really big web site cause I get lots of money from ad companies for doing evil things like this). How oh how will I get these unwitting FireFox users to download my search bar extension from me instead of downloading it from the official site? Well I could just offer it and see how many people download it from my site once Google indexes it. That would work. But more likely what I would do is put it in some random program that lots and lots of people download (say, Kazaa) and enter into agreements with shareware web sites to embed it into all the junk people download from them (say, Download.com). When the user downloads the spyware infected shareware it will silently replace the official FireFox search bar extension with my evil snooping search bar extension. But won't someone notice?!! Well no, because the extensions are not signed are they?
  • Mr Torr (Score:5, Interesting)

    by Petronius (515525) on Monday December 20, 2004 @10:49PM (#11143478)
    Apparently just joined MS's crack security team [microsoft.com] last Thursday [msdn.com]... needless to say, he's a real expert!
  • More to the point... (Score:5, Interesting)

    by CausticPuppy (82139) on Monday December 20, 2004 @10:51PM (#11143505) Homepage
    Alternatively: How can we trust FireFox if any old fool can go in and install exploits into the source code?

    More to the point... how do I know that the unsigned binary Firefox installer, which I'm downloading from a random web server, was actually compiled from the legitimate source code?

    I'm a Firefox user and I'm never turning back to IE, but the author of the article does have many valid points.
    It's the people that were targeted by the NYT ad that we have to think about.

    In its current form, Firefox will actually make running unknown, unverified, and unsigned software seem "OK" to the average user. Think about it, your grandma downloads and installs Firefox, because everybody in her family tells her it's more secure and better, but now she's greeted with "This is unsigned!" and "Run at your own risk!" every step of the way. Those messages (OK, not the exact wording) would be rather scary and intimidating to a first-time Firefox user who doesn't know much about computers. So what do we tell grandma? "Just click OK."

    THIS is precisely why programmers are not the people who should be the sole ones generating requirements for software that is supposed to be used by "everybody." Things that make perfect sense to programmers can boggle the minds of regular users. Did the Firefox contributors do any usability testing with volunteers who didn't know the software? Well if they didn't get that kind of feedback before 1.0, they will certainly get plenty of it in the months to come.

  • by XaXXon (202882) * <xaxxon&gmail,com> on Monday December 20, 2004 @10:54PM (#11143547) Homepage
    I think you've missed his point a little.

    The point isn't that you trust mozilla/firefox. The point is that you're not downloading it from them, you're downloading from a mirror. If the software was signed, you'd know it was tampered with and that you were getting software you thought you were trusting.

    The current system lets mirrors tamper with the software. You might trust mozilla, but you really have little idea of what the mirror may have done to it. This is at least what he's saying.. Firefox may have some sort of md5 or something posted..
  • Re:Yeah, right. (Score:1, Interesting)

    by Anonymous Coward on Monday December 20, 2004 @10:57PM (#11143570)
    Does anyone realize that Microsoft talking "smack" on Firefox is a GOOD thing? How, you may ask?

    1. They are acknowledging Firefox as competition.
    2. They are fighting for market share that they are losing, the right way.
    3. Although their points may be invalid, they see Firefox on the level now.

    Doesn't anyone realize what this means? We (Firefox supporters) won. M$ knows we exist and have our foot in the foyer.
  • Re:Yeah, right. (Score:3, Interesting)

    by tomhudson (43916) <.barbara.hudson. ... bara-hudson.com.> on Monday December 20, 2004 @11:03PM (#11143615) Journal
    You asked for an example. Try Outlook. I get so much spam from zombie winboxes ...

    FTFA:

    (Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer any more.)
    To a lot of us, Bad Guy == Bill Gates, and Microsoft == Convicted Monopolist.
  • by Anonymous Coward on Monday December 20, 2004 @11:05PM (#11143639)
    Not only that, but let's look at where those IPs are located (which companies?) Just use whois
    level3, CWIE LLC, Savvis... now do you even know who those companies are or what they do? So which is more scary to you, this or depaul.edu?
    Given the way level3 harbors spammers I would much rather trust any .edu over microsoft's download pool.
  • Re:IE? (Score:3, Interesting)

    by zoloto (586738) on Monday December 20, 2004 @11:13PM (#11143697)
    What I like from his blog.
    If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

    Once the Mozilla org. starts signing their binaries, Microsoft will apply an update to their certificates library to totally not trust FF to install or run.

    Yeah, way to go. Not falling for that one.
  • From the article:

    >Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?

    This is a work of art. I'm sure these guys tampered the Firefox install SO BAD (unplugging the network at critical moments, etc...) so that they achieved their desired results.

    In other words, they're portraying the Firefox WORST CASE SCENARIO.

    Now. Would you like us to portray the IE6 worst case scenario?
  • by Anonymous Coward on Monday December 20, 2004 @11:25PM (#11143783)
    Everybody keeps talking about looking at the source code. I want to know: How many people here have actually downloaded the FireFox code and looked at it. Not just looked at it as in, "Therrrre she is!" But as in followed some piece of code.

    This is not to support either side. Just a general curiosity. I refuse to believe that everybody here that keeps on drumming on about looking at the open source has actually downloaded and looked at the code, let alone successfully compiled it.

  • No (Score:3, Interesting)

    by Sheepdot (211478) on Monday December 20, 2004 @11:36PM (#11143864) Journal
    Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."

    Google for "windows update error" and you'll see that many users have to go figure out what their x803833828 codes actually mean from sites other than Microsoft.

    Here's what I got as a result of clicking a Microsoft link in a search for "download IE":
    http://www.gravito.com/sheepdot/IE1.gif

    Why do I get cookies from Microsoft websites other than the ones I'm going to?
    http://www.gravito.com/sheepdot/IE2.gif

    Don't get me wrong, this guy has somewhat of a point, but it's lost in the fact that he's using IE to download Mozilla. Microsoft won't even let Mozilla users download IE. I think that it's pretty obvious that they don't have any intention of getting people to switch, let alone "switch back". I currently use a program called "nLite" to strip IE and IE core from my XP installations. This only started recently due to the lack of a fix for an iframe crashing bug that allowed spyware companies to bypass all those fancy "don't run the exe" windows and just drop malware into the stack. Two weeks for a fix, Microsoft. Two weeks! Mozilla devs have had serious issues like this resolved within a day, sometimes in hours of the first report. The heap overflow in rendering images is another example of how seriously open source developers take security risks.

    Lastly, the Flash and especially Java install with IE is a quagmire as well. What happens when the mirror takes longer than 30 seconds to kick in? Well, I click the link and it asks if I really wanted to run/save the EXE. Who cares about signed content, Spybot isn't signed and I need that. Nor is half the open source software. But Gator is signed. Hell, somewhere around 10 to 20 percent of spyware is signed!

    Also, the double security windows issue regarding downloaded EXEs in IE is more of a hindrance than a help. Especially when it's been shown that malware authors can write ActiveX to just run it outside of asking the user if it is okay anyway.
  • by farzadb82 (735100) on Monday December 20, 2004 @11:47PM (#11143942)
    "In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download."

    Yet in the screenshots, IE allows the user to "Run" the executable.

    Also...

    "But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs."

    Obviously didn't try very hard... how about looking in Edit, Preferences, Downloads and then select the Plugins option. From here you can see what plugins are installed and disable them individually.

    Last I checked IE doesn't provide a list of Browser Helper Objects that you can individually enable/disable - In fact, the user has no way of knowing that a Browser Helper Object has been installed and worse, has no way of being able to remove or disable it.

    Finally, installation of Windows software follows this paradigm, in general. A lot of 3rd party utilities, games and applications can be downloaded and most are not signed. In fact, the Windows Installer does enforce any form of signature or hash.

  • Security Zones (Score:3, Interesting)

    by sparkhead (589134) on Monday December 20, 2004 @11:50PM (#11143951)
    But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available.

    This is a fairly good point. I was never a big IE user but Internet Zones is a good idea. Is there an extension for FF that allows this?

    I know about the block flash extension, but just speaking in general terms, the ability to label some sites as more trusted than others to a fairly low level is a good function.

  • Re:Yeah, right. (Score:3, Interesting)

    by SetupWeasel (54062) on Tuesday December 21, 2004 @12:00AM (#11144038) Homepage
    Yeah, but out of the examples you have stated, only Google does not have multi-million dollar television ad campaigns telling people what it does. However Google has made deals with a good many people to offer search on other sites to increase name recognition and capture the type of user that would never type google.com in their address bar.

    You can make something well recognised without a self explanatory name, but you invariably need money or the backing of people with money to reach the people not immersed in the industry.

    The point the poster was making is that IE has every advantage over Firefox. It comes installed with your computer, so you already have it. It has a name that instantly conveys the function, and on top of all that apparently tells you that downloading Firefox will kill your children (looking at the article). The poster also made the point that Firefox has managed to raise the money for only one major advertisement, and probably most people didn't see it.

    It's not that Firefox couldn't be recognised easily if a lot of money was poured into that goal, it's that it hasn't happened.
  • the right way (Score:2, Interesting)

    by oliverthered (187439) <oliverthered@hotm a i l . c om> on Tuesday December 21, 2004 @12:05AM (#11144069) Journal
    The right way... My product is great, it can do this, and this, and it's secure and you'll love it and....

    The wrong way... Their product's bad, use mine instead, oh and did I tell you how bad their product was, you must be a fool if you use it... did I say fool, I mean genius for switching to my product.

    People generally don't trust someone if all they have to say is how bad the other person is.
  • Re:Yeah, right. (Score:2, Interesting)

    by FEEBLE*BMX (695853) on Tuesday December 21, 2004 @12:13AM (#11144124)
    They can call the shortcut anything they want. Just call the desktop icon Firefox Internet. Problem solved. (Except that the other browser comes pre-installed on everyone's Windows machine.)
  • Re:Random servers (Score:4, Interesting)

    by lakeland (218447) <lakeland@acm.org> on Tuesday December 21, 2004 @12:26AM (#11144209) Homepage
    "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother.
    You're right, at least 9.3/10.1 wouldn't bother. But you can bet that some percentage, perhaps one in 1000, will. And those people will be really anal about it -- checking the .asc using a master key they get from gpg --recv-keys which is automatically verified through their web of trust.

    And when that file doesn't match, you can bet they'll scream bloody murder.

    Contrast that to microsoft's setup. Every update is 'required' to pass an MD5 checksum, but what's the bet that the update is allowed to unpack itself first, and since it is running as administrator it will be allowed to overwrite the location of the system call for the checksum.

    The point I'm making is that Microsoft's security is easy and automatic, but little more than a facade. Firefox's use of GPG makes it unbreakable, but it is so hard to use very few users will bother. I know I would rather have solid security than a veil of semi-security, but I can understand the journalist missing the superficial security.

    Of course, Firefox could have integrated superficial security as well. And firefox could have made the true GPG security a little easier to test.
  • by the-build-chicken (644253) on Tuesday December 21, 2004 @12:55AM (#11144382)
    Why can't they just whip themselves up a self signed root CA with openssl, call themselves the firefox signing authority, and use it to sign extensions that way?
  • Re:Yeah, right. (Score:2, Interesting)

    by IdleGod (811284) on Tuesday December 21, 2004 @12:56AM (#11144385)
    What I wanna know is what's preventing XPI from turning into ActiveX? I know a lot of security problems come from ActiveX and users clicking yes when they should click no. I've done it several times myself when I'm barreling through sites. I use Firefox exclusively. I've even installed it on my USB flash drive so I can use it at school.
  • Re:Yeah, right. (Score:3, Interesting)

    by zerocool^ (112121) on Tuesday December 21, 2004 @01:01AM (#11144427) Homepage Journal

    Not to mention the fact that they all KNOW about Microsoft. They know the name. They know it's been around for quite a while. Therefore it must be good, right? (not my opinion, but it is the view of people that I have known)


    You know what I tell people in this situation?

    "Hey - tired of spyware? Well, remember Netscape, from back-in-the-day? This is what it evolved into. It's not closely tied to windows, so there's less chance that hackers can get their software on your computer. Try it out."

    People that don't know "mozilla" or "firefox" know "Netscape". Plus, it uses some simple buzzwords, like "hacker" and "software" and "computer", so that you can get your point across to your audience without insulting their intelligence, and yet still let it be known that you know what you're talking about.

    ~Wx
  • Re:Why use VPC ? (Score:1, Interesting)

    by Anonymous Coward on Tuesday December 21, 2004 @01:06AM (#11144456)
    This is a MS guy, so odds are he's running VPC for Windows on top of XP or Longhorn. And also because he's an MS guy, all non-MS software must be run in a virtual PC as not to defile the sacred cow. Moo.
  • Re:Yeah, right. (Score:2, Interesting)

    by ZhuLien (150593) on Tuesday December 21, 2004 @01:06AM (#11144459) Homepage
    what I hate most about MSIE and is the main reason I use Mozilla is that it doesn't let me say 'Never Trust anything from this Vendor' when an Active X control pops up. I don't trust Microsoft, neither do I trust Adobe or the company behind Shockwave, yet in MSIE, I cannot tell it I don't trust them. Boy do I hate that.
  • Tried That (Score:2, Interesting)

    by ibentmywookie (819547) on Tuesday December 21, 2004 @01:09AM (#11144484)
    However, the University site for getting student details requires IE to get into. So even though I installed the User Agent Switcher extension and taught them how to use it to fool the site into thinking they are IE - they forgot how to do that, and next time I was there there was a "Shortcut to IEXPLORE.EXE" icon on their desktop.

    They don't blame the people who wrote the site either. They blame the browser for not working with the site. Even if I explain that the people who wrote the site are locking others out for no reason (it's not like it uses ActiveX or anything, the site works perfectly in firefox).

    Next time I go there, I will see an IE icon on the desktop again. *sigh*

    Can I get rid of executable permissions on IEXPLORE.EXE without horrific consequences? :)
  • by twivel (89696) on Tuesday December 21, 2004 @01:18AM (#11144526)
    Microsoft's efforts with digital signing are very noble and they make some very valid points about Firefox here. Why does Firefox suggest having signed plug-ins when they don't sign their own program?

    [Being a Linux and Firefox supporter, I cannot understand that]

    But the whole concept of using digital certificates and digital signatures is way too complex for the average non-technical computer user - and the thought of understanding it well is probably too technical for many technical computer users. SSL has similar problems.

    Microsoft goes to great lengths to educate the customer with fairly decent descriptions when things aren't signed, or with default options. But ultimately, the uneducated masses do something because someone else "educated them".

    So if your friend told you "hey, go install Morpheus file sharing program because you can get stuff for free." You're going to go download it and all of its spyware.

    If your friend emails you a really neat screen saver with embedded virus, then calls you and says "Check out that hot-chick screen saver", you're going to ignore every Unsigned notice error you get to see it run.

    The goals of Microsoft are Noble - and Firefox needs to follow its own recommendations, but I don't believe digital signatures will ever be the solution to the problem.

    The masses just want their computers to work. They don't want to have to understand the technical details about how they work. Average users running Microsoft Windows should not be required to make a decision, because no matter what - it's Russian roulette.

    So if signed programs are the only way to add security to Windows, then just make valid signatures required and go on from there.

    You'll just end up with lots of people creating their own signing certificates and the users will have to get a pop-up saying "I don't know the Certificate Authority that signed the signer certificate." Yea, guess what... the average user has no idea what a CA is.

    --Twivel
  • the certificate... (Score:3, Interesting)

    by SanityInAnarchy (655584) <ninja@slaphack.com> on Tuesday December 21, 2004 @02:01AM (#11144721) Journal
    The md5 is only as secure as the file, but the Certificate is only as secure as the Certificate Authority. Read other comments here, and you find that Verisign isn't that trustworthy.

    Firefox is signed with Mozilla's PGP key, which is just as secure as a certificate. The difference is, you need a secure way to get the public key to you first, so it's not much more secure than MD5.

    But, someone could just as easily have handed you a forged Windows install disk, or forged one with your computer, which had a public key for their own spoofed certificate authority, and thus undermine the whole thing.

    The point is, you want to reduce the points of failure as much as possible. I think "Download one PGP key and hope it's good, then download anything from mozilla.org and know it's as good as that key" is better than trusting Verisign (and Gator and BonziBuddy).
  • by MrLint (519792) on Tuesday December 21, 2004 @02:45AM (#11144905) Journal
    if as you assert he's using a fresh image (how you can know that is beyond me), AND assuming ff doesn't use this 7-zip http://www.7-zip.org/ [7-zip.org] thing at all (which it appears to be a stand alone program )

    then clearly the problem lies with this 3rd party app. And if you claim you got the same error you used it also. Having a 3rd party app on the system when doing alleged "sensitive security matters" seems to be contraindicated. Besides IIRC XP (which he's using) has the ability to unzip built in.

    I call shenanigans on you
  • by Phil246 (803464) on Tuesday December 21, 2004 @03:17AM (#11145016)
    uninstalling extensions in 3 easy steps
    1) go to Tools -> Extensions
    2) Click the extension you want to get rid of
    3) Click uninstall

    Let's compare that to uninstalling programs in windows shall we?
    1) Go to Control Panel -> Add/Remove Programs
    2) Click the program you want to get rid of
    3) Click uninstall

    Now, if he wants to pretend that there's no obvious way in firefox to remove extensions, and thus is bad - he should concede that windows has no obvious way to uninstall programs - and is thus bad.

  • Re:Fun Facts Time! (Score:1, Interesting)

    by Darkangael (748682) on Tuesday December 21, 2004 @03:47AM (#11145118)
    Actually, most non-tech users probably don't even know what a verisign signature is. I also read somewhere (in the comments on the site hosting the article iirc, and they provide a link) that firefox will have signature support before version 2.0.
  • Re:I agree ... (Score:5, Interesting)

    by ocdboy (842249) on Tuesday December 21, 2004 @04:06AM (#11145193)
    I completely agree - The whole essay is full of misleading information and assumptions based on the premise that Microsoft's code signing system works - which is untrue. I dug up this link somewhere (prolly following a link from slashdot :) ) it explains not only why ActiveX is a problem, but also how useless code signing actually is

    http://www.halcyon.com/mclain/ActiveX/Exploder/FAQ.htm

    Q: Doesn't Code Signing and Microsoft's AuthentiCode technology prevent people from distributing malicious ActiveX controls?

    A: No. Code Signing simply attempts to identify who signed the control. Anyone can go out and get a code signature. It's a pretty much automatic process. You go to a web site, give them a name, address, credit card number and some other stuff (none of which have to be yours), click "I Agree" on a page full of legal jargon, and pretty soon you get an e-mail with the information you need to sign the control in it. Once you have your Digital ID, you can sign any unsigned ActiveX control. Nobody reviews these controls! In other words, a signature doesn't tell you who wrote the control and it doesn't tell you if the control is safe or not. Heck, with the number of hot credit card numbers out on the net, it doesn't even tell you for sure who signed it. A danger is that seeing that a control is signed will give folks a warm fuzzy feeling about the control, and encourage them to run it, even though it does not guarantee their safety!
  • Re:IE? (Score:3, Interesting)

    by AtomicBomb (173897) on Tuesday December 21, 2004 @04:13AM (#11145220) Homepage
    One thing that amuses me is sites that include the MD5 checksum on the download page. Yes, because if someone got in and changed the tarball, they sure wouldn't even bother updating that MD5 string at the same time! ;)


    It is for another usage. I occasionally download big packages (knoppix iso, just released kernel etc) from bt. To verify I am in fact downloading something original, I go back to the main site to check the md5sum. The assumption is I trust the main site but not p2p.... Anyway, the main sites do get hit by cracker sometimes.... But, once some guys discover that the news will appear in slashdot ...
  • Re:I agree ... (Score:5, Interesting)

    by jonbryce (703250) on Tuesday December 21, 2004 @04:15AM (#11145231) Homepage
    Essentially, what he is saying is that someone could set up what they claim is a firefox mirror and put spyware infected code on there.

    That is a real problem, and it has happened to other free software projects.
  • What a choad (Score:4, Interesting)

    by _KiTA_ (241027) on Tuesday December 21, 2004 @04:35AM (#11145296) Homepage


    Installing Firefox requires downloading an unsigned binary from a random web server

    Installing unsigned extensions is the default action in the Extensions dialog

    There is no way to check the signature on downloaded program files

    There is no obvious way to turn off plug-ins once they are installed

    There is an easy way to bypass the "This might be a virus" dialog


    1. Off an official website, hashed, with checksums to make sure you're safe.

    2. No, it's not.

    3. Yes, there is. There are several internet standards, including MD5 hashing. Question -- why doesn't Firefox show the MD5 hash automatically for any files it finishes downloading (in the download box?) Perhaps some good can come from this troll for hire.

    4. Just because he didn't look doesn't mean there isn't a way.

    5. As opposed to all the multitude of ways IE spyware can bypass user intervention altogether? Right.

    I wish I could get paid to troll the intarweb. Maybe Somethingawful's hiring. :P
  • by samalone (707709) on Tuesday December 21, 2004 @08:20AM (#11145896) Homepage
    The discussion here got me thinking: Why not codify and automate the existing practice of posting MD5/SHA-1 checksums at the originating web site, and then storing the full content on mirrors? If this were built into FireFox (or an extension), wouldn't this go a long way to making the downloading of open software safer?

    The originating web site could post an XML file containing a checksum and a list of mirror sites. The FireFox download manager would take care of choosing a mirror (or asking the user to choose one), downloading the file, and checking the file against the checksum. If the checksum doesn't match, the download gets a big red X through it and the user gets a very serious warning if they try to open the file.

    I'm sure someone will point out that BitTorrent already handles many of these problems, and does it much more efficiently and powerfully. And I agree that it would be great to have a BitTorrent extension for FireFox. But the fact is that MD5 checksums and mirror sites are the de-facto standard for open source software distribution right now, because they're so easy to implement. Why not clean up this system a bit so that average users can benefit from it?

    --Stuart
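
A sketch of the checksum-plus-mirrors scheme proposed in the comment above, added here as an example and not code from any commenter or from Mozilla. The XML element names, mirror URLs and file bytes are constructed for illustration, and SHA-256 stands in for the MD5/SHA-1 checksums the thread mentions; the check only helps when the manifest itself comes from the originating site rather than from the mirror.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample data: one release file and two mirrors, the first of
# which serves a modified copy. Nothing here is a real Mozilla file or URL.
RELEASE = b"constructed installer bytes v1.0\n"
MIRRORS = {
    "https://mirror-a.example/ff-setup.exe": RELEASE + b"<injected>",
    "https://mirror-b.example/ff-setup.exe": RELEASE,
}

def build_manifest(data, urls):
    """What the originating site would publish (hypothetical format)."""
    root = ET.Element("download", name="ff-setup.exe")
    ET.SubElement(root, "sha256").text = hashlib.sha256(data).hexdigest()
    for url in urls:
        ET.SubElement(root, "mirror").text = url
    return ET.tostring(root, encoding="unicode")

def parse_manifest(xml_text):
    """Return (digest, mirrors); refuse a manifest that cannot be checked."""
    root = ET.fromstring(xml_text)
    digest = (root.findtext("sha256") or "").strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("manifest has no usable sha256 digest")
    mirrors = [m.text.strip() for m in root.findall("mirror") if m.text]
    if not mirrors:
        raise ValueError("manifest lists no mirrors")
    return digest, mirrors

def fetch_verified(xml_text, fetch):
    """Try mirrors in order; return (url, data, rejected) for the first
    mirror whose bytes match the digest published by the origin."""
    expected, mirrors = parse_manifest(xml_text)
    rejected = []
    for url in mirrors:
        try:
            data = fetch(url)
        except (KeyError, OSError):
            rejected.append((url, "unreachable"))
            continue
        actual = hashlib.sha256(data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return url, data, rejected
        rejected.append((url, "digest mismatch"))
    # Fail closed: never hand back bytes that did not match.
    raise RuntimeError(f"no mirror served the expected file: {rejected}")

if __name__ == "__main__":
    manifest = build_manifest(RELEASE, list(MIRRORS))
    url, data, rejected = fetch_verified(manifest, MIRRORS.__getitem__)
    print("accepted:", url)
    print("rejected:", rejected)
```
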

  • Reviewer Signature (Score:3, Interesting)

    by RabidChipmunk (19279) <stuart AT subQ DOT org> on Tuesday December 21, 2004 @08:52AM (#11146012) Homepage Journal
    What if, instead of having the author sign it, all plugins are signed by one or more reviewers? Then you can choose to only use plug-ins who have been vetted by someone you trust.

    You'd still have the "know your dealer" problem, but it would be better.
  • Re:Security Zones (Score:3, Interesting)

    by White Roses (211207) on Tuesday December 21, 2004 @10:52AM (#11146882)
    Alright, it's a good idea. But the problem is, that good idea is merely a response to a gaping wound, like growing a scab. ActiveX controls, and the tight integration of IE with Windows is the gaping wound in the security of most Windows systems. I'd rather they fixed the problem at a fundamental level, over putting a pretty bandage on a gangrenous gash and saying the patient won't lose his arm.

    Firefox doesn't have that level of integration, so it really doesn't need Internet Zones. And it does have "trusted sites." You can tell Firefox which sites to allow to install software, run Javascript, pop up windows (there is one site that I currently allow to do so). I don't remember what the default was any more, but I suspect it was disallow everybody from doing anything.

  • Digital Certificates (Score:3, Interesting)

    by reking2 (813728) on Tuesday December 21, 2004 @10:56AM (#11146931)
    I find Microsoft's dependence on digital certificates hilarious, given that Verisign issued a couple of valid certificates for Microsoft to a hacker a couple of years ago. Makes you kind of wonder about the whole system and value of the verification process they follow.
  • by EXTomar (78739) on Tuesday December 21, 2004 @11:28AM (#11147300)
    I am struck by the audacity of Torr to suggest that you can trust Microsoft install packages but not Mozilla's simply because of signing.

    Signing just indicates that the source validates what is packaged. Simply, signed Microsoft install packages come from Microsoft. However this does not indicate anything about the quality of the package. This is the heart of MS's problems since it was never a question of the package source but the quality of content. They've burned so many not by fake IE packaging but by the fact IE is "junk" in the first place. Anything beyond this (all of the malware, hacks, and bugs) is just a side effect of design and code in IE not of the fact IE is a hacked install.

    There are legit complaints about the Moz distribution and install procedure. I would like to see a "self validating" install to ensure the package is legit however alone signing isn't the solution. Signing is only useful for indicating the install package has not been tampered. It never indicates whether or not the software installed works. No amount of code signing from MS will fix IE's damaged reputation for misbehaving.

    ps. I'm loathe to think Mozilla needs to fork out money to anyone to prove anything. They should be seeking free (beer and freedom) ways of package authentication.
  • Re:Fun Facts Time! (Score:1, Interesting)

    by Anonymous Coward on Tuesday December 21, 2004 @11:38AM (#11147433)
    Instead of modding you I will comment:

    There are only a few places in the Windows registry where Spyware and other malware can load upon boot and from the browser. It takes about a minute to flip through them all, disable the ones which don't have anything "extra", remove the associated files, reboot.
    Does this include the new VX/LM rootkit? Yes, I called it a rootkit because it loads a dll in the HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Notify key that then hides that registry key from regedit as well as hiding the files on the hard drive. I had to use a linux boot disk to find the hidden files in the winnt\system32 directory because the dll loads even with Windows in safe mode. I deleted the files and they came back on the next reboot; There was a hidden file in the All Users\Startup folder that puts everything back. I deleted that file and it still came back. It is/was hiding in at least three different places and uses a kernel module to hide all of them from the system. I gave up after spending 6 hours trying to get rid of it. I can give you a copy of the spyware if you want?

    Oh, did I mention that it downloads and installs other spyware for you on its own? After ~two hours there were 50 different pieces of spyware installed.

    Chop
  • This just in! (Score:3, Interesting)

    by cyranoVR (518628) * <cyranoVR AT gmail DOT com> on Tuesday December 21, 2004 @12:16PM (#11148015) Homepage Journal
    Microsoft actually acknowledges that an Open Source competitor exists! Film at Eleven.

    I've noticed a pattern of behavior from MS marketing: they don't seem to want to acknowledge linux, firefox, et. al. as actual products - and so a wry smile crept onto my face when I saw the image referencing the Mozilla Foundation as "Unknown Publisher." [winisp.net]

    This entry is probably an attempt at "payback" for all those "My Windows Installation Nightmare" anecdotes populating the 'web. However, his story seems just a *bit* contrived. I've installed firefox on multiple PCs and multiple windows versions and experienced 0% of the problems he's describing. Huh?
  • Re:I agree ... (Score:0, Interesting)

    by bonch (38532) on Tuesday December 21, 2004 @01:30PM (#11149175)
    It's a web server that mozilla.org directs you to.

    It would be easy to hijack the browser in some way to redirect you on visiting mozilla.org.

    If you're downloading Firefox, you need to trust mozilla.org. Likewise, if you're downloading Internet Explorer, you need to trust microsoft.com.

    His point is that Internet Explorer is signed, so you can trust it. You're saying people need to trust Mozilla, just because.

    There's also a two (three?) second timeout and this dialog only appears when either the site is whitelisted by default (only updates.mozilla.org is) or by the user, or if the user clicks the yellow bar at the top to specifically access this dialog.

    That's not good enough.

    Boo hoo. Authenticode isn't that big of a deal when ActiveX isn't turned on in the first place, considering that that's where 95% of Authenticode is used.

    He's talking about Firefox, where there is no ActiveX and anything goes.

    This one is just uneducated. Tools -> Extensions. Wait... that's, um, more obvious than IE. Oh well, someone wasn't wearing their glasses.

    RTA. He did that. There is no way to disable an extension. A lot of your response sounds like reactive bashing to the fact that IE does more stuff to protect the user from unsigned executables and extensions.

    There is an easy way to do that on IE as well. It's called clicking Run. Seriously, you're going to quibble over IE having one more warning than Firefox? Go develop a decent browser first and call me when you do.

    See, now this is what I just talked about. Instead of acknowledging that, yes, IE does warn the user more than Firefox, you make some vague criticism about making "a decent browser first." Firefox can't even display Slashdot correctly, but that's irrelevant to the topic.

    This statement is built upon previous assumptions that are false (such as Firefox being downloaded from a "random website", see above). Firefox is demonstrably more secure than IE and has far fewer vulnerabilities than Internet Explorer.

    Firefox is also used by far fewer people, which is alarming considering the amount of vulnerabilities it has, including those secretly marked "confidential" that we don't know about--you know, the very thing Microsoft gets criticized for doing.

    To the Microsoft employee who created the original article: Rather than trying to convince people that something they know is inferior that it is not, why don't you try to make it... not inferior? Innovation speaks louder than marketing. Surely you can do better than a bunch of geeks spread across the globe, right?

    See? Instead of addressing the points, you degenerate into a bunch of random bashing about "geeks" and "innovation." Firefox isn't THAT great of a browser over IE. I know visiting Slashdot for years can shape your perception, but there is a software world outside of this place. You don't ever state what actually makes IE so inferior. A very huge lot of people use it. Firefox has a minuscule userbase in comparison, and sometimes I use IE instead of any other browser because I choose to.

    I use Opera most of the time, by the way.
