How Can I Trust Firefox?

TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"

Extensions are EASY to uninstall

[Anonymous Coward]

Tools > Extensions > Choose extension and UNINSTALL. And I don't know anyone who ever stopped installing something they downloaded because it wasn't signed. Perhaps if 99% of Windows users weren't running as admin, this wouldn't be a problem?

Re:Multiple Firefox Security Flaws Discovered

[Anonymous Coward]

Heh, I know someone who happens to work for a spyware company. The company has a Verisign cert and signs their software with it. Gee, that was hard!

WHAT A FUCKING MORON

[Anonymous Coward]

Have you never heard of PGP [207.200.85.49] signatures (Windows [207.200.85.49], Linux [207.200.85.49], Mac [207.200.85.49]) or hashes (SHA1 [207.200.85.49], MD5 [207.200.85.49]) you cocksucking M$ whore?!

The answer is simple :P

[kryogen1x]

Type "1" in Google [google.com] and hit I'm feeling lucky. Hint: It's not the IE page. Please don't mod me off topic.

Re:IE?

[arkanes]

It happened with Linux (the kernel itself). A security exploit was entered. It's worth pointing out, however, that this exploit never made it into any kernel release or build, as it was noticed practically instantly by Linus and others and immediate steps taken. The only reason we know about it at all is because of the open development process.

IE only enterprise app. that is a black box - why?

[gelfling]

While it is somewhat problematic for individual users to perform certainly corporate users could download and verify their own distro copy and distribute to their own users from that. It's more important to understand what the application does and that can only be achieved by examining or at least verifying the code and all of it's APIs.

Why is this important? Because the browser, any browser, is really an enterprise application as pervasive and critical as SAP, PeopleSoft, Websphere, Tivoli or any of the other so called enterprise application suites.

Yet IE is the only one that's not a toolkit, can't be verified internally or altered or tuned or customized in any meaningful way. It's as if you installed an Oracle DB and Oracle told you how many tables you could have, what they can look like and hid all the background processes from the developers, and didn't even publish the full API.

It's a fucking joke what you've been lead to accept. IE is the only enterprise app that's a black box and none of you, NONE of you should accept that.

Microsoft's criticism of how Firefox is distributed is pure smoke screen. They would have you believe you can't trust an app because you can't be sure where it came from whereas you're supposed to trust an app you can't verify, examine or debug on your own.

He should tell the DoD the same thing.

[X-rated Ouroboros]

Visit a secure .mil site some time.

It has always amused me when I get "The authority of this registrar is not recognized" when visiting sites the US Gov or DoD has signed themselves.

Re:Extensions are EASY to uninstall

[QuantumG]

but really it is true.. cause a plugin is unrestrained native code.. it can modify the browser to prohibit uninstalling. It can modify other plugins to do its dirty work. It can do anything.

Default Settings.

[hardlined]

The problem is IE is set at default to install third party plugings, which was handy before spyware and adware came along.

When I try to install extensions or anything else to firefox, I first have to add the site to my trusted sites list.

Knowing what I am installing and where it comes from means more then some signature I can't read.

Re:This guy is right. Listen to him.

[Saint Stephen]

Other platforms do not use Microsoft's propritary technology ("Authenticode") for signing binaries. They use MD5sums. MD5Sums are available for firefox (ftp://ftp.mozilla.org/pub/mozilla.org/firefox/rel eases/1.0/MD5SUMS) all firefox releases.

Moreover, they give you this little thing called the SOURCE CODE that let's you be pretty darn sure what you're running. Read the code, and compile it yourself, or trust others to look at the code and check MD5 signatures.

Re:IE?

[The Kiloman]

You are probably thinking of Sendmail 8.12.6.
Someone trojaned the source tarball so that the make process built, installed, and ran a trojan horse. Here's a link to the CERT advisory:

CERT® Advisory CA-2002-28 Trojan Horse Sendmail Distribution [cert.org]

Re:He should tell the DoD the same thing.

[Anonymous Coward]

I can elaborate on this a bit (posted AC for obvious reasons). I develop some email software that is routinely used by DoJ network techs. I was surprised to get an email from a military guy praising me for designing the software to NOT inherently trust any central SSL signing authorities.
The military uses lots of self signed stuff, not through Verisign or whatever. Their point being (and one which I agree with too), would you trust some third party like Verisign over yourself for authority?
Obviously though this is one of the more extreme positions; for us paranoid people. The risk of blindly trusting any certificate authority (as has become clear with spyware bypassing install warnings) is that you are giving power to a foreign entity. If that's what you want to do, fine.

Re:False security?

[MrZeebo]

I've studied computer security at the graduate level, so I have some background in this stuff.

When you have a certificate, only YOU can sign software with YOUR certficiate, and once someone changes the data, the certificate becomes "corrupt" (heavily simplified). So, if you receive a program which is signed by the Mozilla foundation, either a) it was truly signed by the Mozilla foundation and is the same data that the Mozilla foundation intended to release, or b) Someone bought a certificate and claimed to be the Mozilla foundation. There are security measures in place to prevent case b from happening, so signed data can be assumed to be the actual data intended to be distributed by the signing party. (So now the problem becomes, do you trust the Mozilla foundation to release non-malicious code?)

On the other hand, an MD5 sum is usually a file stored somewhere which is a hash of the file. However, an MD5 sum is no more secure than the original file -- if someone maliciously altered the original data, they could just also alter the MD5 sum that goes along with it so that it matches. Basically, if you already don't 100% trust the data you are getting, you probably shouldn't trust the MD5 sum you are getting either. MD5 sums are useful for checking for transmission errors, but not so much for security. Of course, if the MD5 sum and data are stored on two different physical computers, the chances of this attack happening can be reduced.

So, certificates guarantee that the data is what the signer wanted you to get (which could be intentionally malicious!), and MD5 sums guarantee that what you downloaded is what's stored on the server (which could have been replaced with something malicious!).

The moral of the story is, when you study computer security too much, you become really paranoid about everything ;-)

Real slashdotters never RTFA!

[lastberserker]

What surprised me most about this article, is that its a blog posting where the guy asks a simple question: Why has Firefox not purchased a VeriSign code signing certificate.

It's not even remotely funny how many readers here missed other valid points: redirection to numeric ip, 7-zip error and that empty message box. I saw the last two myself - weird behavior for such well known, thoroughly tested and peer reviewed OSS project.

As for "Trust the Source!" Well, how many of Firefox users build it from said source? For that matter, how many would care (or know) to check MD5? And know where to get a valid MD5 and trusted digester in the first place?

Obligatory disclaimer: I write this from Firefox with about a dozen extentions and, yes, they are great. Nevertheless, read TFA and above.

Re:IE?

[LnxAddct]

This guy's information is so distorted its not even funny. That blank diaglog that he blamed on Firefox is cause by McAffee Activescan. It scans for certain types of overflows and sometimes things set it off when there is no overflow, it has no information to put in the dialogue since no overflow exists. It is being patched and supposedly getting updated soon, but thats a problem with a completely different software suite and he blamed it on Mozilla. What a moron. Besides, his whole argument is based on signing code. I'll go buy a cert, grab a copy of the latest virus, sign it, and send it to any one I know using IE. They'll all see the nice little dialogue saying that its perfectly okay to not only download, but run right away because its signed. He acts like signing code is magic. What a bunch of bull.
Regards,
Steve

So that explains those weird attempts to access...

[Tajas]

While I was still using Firefox 0.10 I noticed strage behavior with Firefox constantly trying to access somwhere in Asia. I assumed this might be part of an extesion trying to update itself so I told Norton to allow it access. While using a packet sniffer I noticed that this activity could not be decoded by my packet sniffer and assumed even more so that this was an extension trying to update itself. I have yet to find out what the real reason is behind this and I updated Norton and therefore the logs are no longer on my system. I ask, "Really, how secure is Firefox compared to IE?" The article definitely makes some very good points to lacking security with Firefox installation and use.

Re:Yeah, right.

[mikeswi]

That's been fixed for several versions. If the site is not whitelisted, the installation is canceled without a prompt.

Re:Yeah, right.

[tomhudson]

Lets see, Outlook blocks executables, therefore all those zombies must be because of Outlook. After all, a spambot wouldn't lie in it's headers. Great thinking tex.

Outlook blocks executables my ass. Every day I get 5 copies of the same spam from one customer's machine. We know who its from - he mis-typed the boss's name in a specific way in his address book, so even his legit mail ends up in the catch-all account.

So now I have to sort the legit from the spam, and forward the legit. I know damn well it's not from a spambot faking the headers. Its from this specific customer, running M$ products and Outlook.

Worse, I've written the rube a few times telling him he's got spamware on his box - but of course nothing has changed in 3 months. We get one legit email every few weeks, and 5 spams a day, all from him.

So keep it up M$ fanboy. We're not buying.

Re:Yeah, right.

[Darkangael]

Outlook only seems to block the executables which the user actually WANTS to execute. Ones they don't want, well it just executes them without any warning/question doesn't it.

This may have improved since last time I dealt with it, but I am not going to risk trying again to find out.

Re:How I can trust Firefox, by TWX

[Anonymous Coward]

There was an Internet Explorer 1.0, it was released in August 1995 [wikipedia.org]

Re:IE?

[ar32h]

What everyone seems to be missing is that Mozilla does sign their binaries.
They provide a GPG signature [mozilla.org] .
Sure, it is not from Microsoft's preferred partner, Verisign, but that does not change that fact that Moz signs their code with an accepted standard.
Not Microsoft's standard of choice to be sure, but still a standard.

Re:Answer: Openness Trust

[tekunokurato]

You are insane. Taiwan is not China, and Taiwanese programmers would probably not be sending code to beijing. Your sources are flawed and you are a troll.

Re:False security?

[gnuman99]

On the other hand, an MD5 sum is usually a file stored somewhere which is a hash of the file. However, an MD5 sum is no more secure than the original file

Generally in open source you have MD5 hash posted on the project's homepage. You download the files from mirrors. There are multiple locations to crack at the same time. It is easier said than done.

Furthermore, there could be an private developer machine checking the main page once every 5 minutes or so to see if the MD5 hashes on the main site are corrupted.

It is easier to buy a dummy vertificate and sign the modified file than to actually go though the trouble of changing files and MD5 hashes on multiple sites.

Unsigned Binary BS

[Lodragandraoidh]

Installing Firefox requires downloading an unsigned binary from a random web server

- from the blog.

That is not entirely truthful. You can also download the source from ftp.mozilla.org directly if you are paranoid, and build the release yourself. Most, if not all mirrors also carry the source code, so you can also validate the source on the outlying site against the original if there is any question in your mind.

So it does not 'require' an unsigned binary at all. In fact as the author of the blog admits, having a signed binary does not prove that the code contained in the archive is free of malicious code at all.

The issue of redirecting the download to another site - a University for example - is represented as less safe than downloading from a verisign registered site. This is hogwash, and avoids the critical argument that Microsoft wishes you to ignore: with a CVS snapshot of the source code I don't have to depend upon pre-compiled binaries and verisign to do my thinking for me. I can run the following command:

diff mysource.c questionablesource.c

- and know immediately if something has been tainted or not. If I must have a binary, I can always validate a checksum of the questionable binary against one provided by Mozilla. Sites that aren't on the up-and-up, or have poor security quickly lose credence in the community, and fall by the wayside.

Finally, most products of open source developers are PGP (Pretty Good Privacy) signed - which serves the same purpose as Verisign - without the attendant costs. A developer publishes a public key used to decrypt a signature encrypted using his private key. If you can not validate the signature - then it did not come from who it should have.

All arguments regarding security of OSS can be countered with the same argument on the closed source side - save one: OSS source code is free to peruse (and diff) as you desire - thus providing the trump card closed source shops can not duplicate or argue effectively against without some subterfuge. The fact is Microsoft wants you to be tied to costly closed security solutions, because then you will only be able to 'trust' a few (rich) closed source shops for your software needs - and small OSS projects will die from lack of patronage. Thankfully they are mistaken in their analysis of your willingness to accept their lies without question.

Re:Yeah, right.

[wdd1040]

If you run XP SP2, IE does this.... You have to whitelist a website before it will install anything.

Re:Yeah, right.

[Jeff DeMaagd]

Your comment does not fit reality as it is with Firefox. Individuals have to manually whitelist sites in Firefox in order to install an xpi. It isn't as if Mozilla isn't allowing third party extensions.

Re:Yeah, right.

[mikeswi]

No, it gives you the same little info bar up top [spywareinfo.com] that Firefox does when you try to install an extension from a non-whitelisted site. Then it pops up the following dialog [spywareinfo.com].

Re:Yeah, right.

[fingerfucker]

However, when this happens with IE, you have to terminate the browser process to get out of the "you must click yes" mousetrap.

Not true. Just hit Esc (which will imply 'No') and keep it pressed for a few seconds.

This stops even execution of JavaScript timer-based code.

Just because one doesn't know how to use IE while staying spyware-free doesn't mean IE is crappy. It means that the user is crappy.

I've used IE forever and never got any spyware in my life.

Re:The guy missed something...

[natrius]

Also, being able to turn on and off various plug-ins wouldn't hurt.

Edit -> Preferences -> Downloads -> Plug-ins
Uncheck the file types that use the plug-in you want to disable.

Re:Yeah, right.

[sabernet]

Well, for one, xp installer forces you to wait 5 secs before you can click install. And even there, you must click the little yellow bar at the top of the page with the plugin\extension warning to load up the pop up asking the question in the first place.

And finally, FF has much less control over your OS as IE does, so any harm from a moron who clicks the yellow bar, waits 5 secs THEN installs the extension, will still be minimal

Re:I agree ...

[7x7]

This one is just uneducated. Tools -> Extensions. Wait... that's, um, more obvious than IE. Oh well, someone wasn't wearing their glasses.


I dare you to diable Flash like that. I love FF, but the man has a point.

Re:Yeah, right.

[ThJ]

You've noticed too? I swear, people, this is true. Outlook ignores viruses and blocks friendly files. My dad can testify about this. He got a bunch of e-mails, most of them spam, some had bad stuff in them, and Outlook didn't grey those out. However, when a friend sent him an MP3, that was greyed out for some stupid reason, and we had to disable the "protection". How is it possible to write such stupid software?

Re:IE?

[Anonymous Coward]

Not just 1, but 4 stories for you. Sorry I'm too dead-assed tired to throw HTML tags in -- perhaps some helpful person can do that in a followup?

http://www.linuxsecurity.com/content/view/114934 /6 5/

Somebody busted into a CVS server which was downstream from the master bitkeeper server. Bitkeeper noticed the discrepancy.

The actual hack was some code in a system call:

if ((options == (__WCLONE|__WALL) && (current->uid = 0))
retval = -EINVAL;

Note that the expression with current->uid is an assignment of 0 to current->uid, rather than a comparison of current->uid to 0. If one reads the code in context and does not notice the difference between "=" and "==", then this bit of code blends into its surroundings reasonably well.

The kernel has several defenses against this. First, there's a source control system, based on signatures. At the risk of starting a Slashdot flamewar, I'll point out that the "signed trusted code" design endorsed by Microsoft is actually the protection system used for source code by the FSF and (I believe) by the Linux kernel these days.

Second, there are people who read and summarize kernel changes (I used to be one of them) -- it's a lot easier to spot these shenanigans in a diff than it is to read a whole kernel.

And third, there are a layer of people known as the "kernel janitors" who are interested in cleaning up the junk that accumulates in the kernel. It's likely that a janitor would spot this.

In another item:

http://hackvan.com/pub/stig/info/trojan-horses-o ld -yet-still-current

Read past the IE trojan spoof mail to the attack on ftp.win.tue.nl . Someone cracked the ftp server and replaced util-linux, which includes the "login" program, with a trojan version including a trojan "login" program.

http://ftp.gnu.org/MISSING-FILES.README

ftp.gnu.org was rooted and trojaned for four months before somebody noticed.

http://kerneltrap.org/node/1717?PHPSESSID=133746 01 967ed6db14ef68fc5dbc9f8b

Somebody broke into four machines of the Debian project. They sniffed passwords from unencrypted network traffic, and then elevated from user to super-user by exploiting an integer overflow in the brk() system call.

Re:Yeah, right.

[spectecjr]

WTF are you talking about? FF tells you clearly when a site is trying to install an XPI file, you just have to click the Allow button on the yellow bar on top of the page to whitelist the site before it will be allowed to prompt you for XPI installation.

This was done as a security measure to prevent malicious attempts to install unwanted (spyware) XPI files on sketchy sites, which started to happen. I wish to god IE would do the same thing with Browser Helper Objects, and any ActiveX objects for that matter.


IE does the same thing. In fact, Firefox copied the UI for their security feature wholesale from the IE version of the same said security feature.

Re:Yeah, right.

[Rits]

Making things hard is a great job? If I want to make an installation 'secure' by disallowing 'install from site' (the only option apart from the whitelist) then I can't install plugins, it fails without any explanation. Just try to install Flash or Java, where Firefox itself fetches the proper plugin files (so what risk?). I click 'install' and nothing happens.

Peter Torr's reply to comments

[Draculax]

Here is some of his reply [msdn.com] to the comments

Re:Yeah, right.

[SenseiLeNoir]

Wrong, XPI's CAN have the same permissions as Active X installers. If you download Java as an xpi, it can install fromt he same xpi file......

Re:I agree ...

[AusG4]

FireFox MD5 hashes are calculated based on the binary, as are all MD5 hashes.

I can easily recompile FireFox, re-hash and then dupe you into thinking that it's the legit firefox.

That said, there is a huge difference between an MD5 -hash- (hash is the key word, the MD5 hash is not a signature) and code signing a la Microsoft.

Code-signing is cryptographic in nature, and is public/private key based much like PGP or SSL. In order to create a "signature" for code, you need to first possess the private key. Without the private key, you cannot generate a signature that would be mathematically valid.

Any signature you -did- generate, sans private key, would immediatly send up alarm bells by anyone who tries to install it, as there would be a difference between the installed code and the signature that is posted (due to the lack of an authentic private key used to generate the sig).

This is, of course, much the same as PGP signing (though not necessarily encrypting) an e-mail message.

That said, as for the mirror->main idea... all it takes is one bad mirror and a lot of people get a bad FireFox.

Mod me down as a troll all you like (I'm sure someone will do it.. saying anything even remotely bad about FireFox, Linux, His Holiness Linus Torvalds or the GPL is automatic grounds for "troll" on /., regardless of how logical the argument), but an MD5 hash is worlds worse than Microsoft code-signing for the simple reason that the two of them aren't even the same thing.

All an MD5 hash is good for is proving, assuming you trust the hash, that what you downloaded and what the mirrored hosted are the same thing (ie, not corrupted during download). As a trust mechansism, it's useless.

Then again, there was an article on /. not long about a proven way of changing a file and maintaing the MD5 hash, so even MD5 hashes are a little dated useless now.

SHA1, my brothers.

Re:Yeah, right.

[prodangle]

I wish to god IE would do the same thing with Browser Helper Objects, and any ActiveX objects for that matter.

IE does, in fact it was implemented in IE first (with betas of SP2) - Firefox copied them.
"it's almost a carbon copy of the new Internet Explorer Information Bar" [mozillazine.org]

well lets see

[suezz]

you can use checksums to verify you binary when you download it. by the way my distro packages it and all my packages are signed on my Linux os. can we say the same for windows? this article is nothing but twisted fud.

Re:Fun Facts Time!

[Anonymous Coward]

Agreed, no one should do business with Verisign given their incompetent and unethical business practices. Unfortunately I don't think most businesses care about ethics anymore.

Wasn't Versign the registrar that gave out a Microsoft certificate to someone who wasn't Microsoft [pkiforum.com]?

Wasn't Verisign the one that sent domain renewal notices to other companies customers [theregister.co.uk]?

Screw Verisign; use someone like cacert.org.

Re:Fun Facts Time!

[jrumney]

If you think Verisign certificates makes code any safer, then you obviously aren't aware of this: [verisign.com]

VeriSign, Inc, discovered through its routine fraud screening procedures that on 29 and 30 January 2001, it issued two digital certificates to an individual who fraudulently claimed to be a representative of Microsoft Corporation.

Problems like that, and the fact that IE prompts you to accept certificates even for ActiveX controls that do not do anything potentially unsafe which just conditions people to click "Yes" without thinking, make code-signing a dangerous placebo rather than a real solution. Quite a few spyware authors have legitimate Verisign issued certificates BTW.