How Can I Trust Firefox? 1464
TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security-related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"
Security? (Score:3, Interesting)
Comment removed (Score:5, Interesting)
Verisign Code Signing Certificate (Score:5, Interesting)
Well they managed to raise the cash for the NYT article then they could raise the cash needed for a cert. Verisign list the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far shorter than what was raised for the NYT article (I couldn't find the exact figure though).
So I think spread firefox or mozilla should consider making this the next aim or someone donate them $400-695 to pay for it.
Why support Verisign? (Score:5, Interesting)
The real question. (Score:3, Interesting)
How can I trust Microsoft?
Even if I get a secure dl of Exploder, the company has always done what is best for its interests, with little regard for mine.
Re:IE? (Score:5, Interesting)
There are solutions to this. PGP signing each patch would at least let you track down who submitted what. You'd probably need to grab the source as a set of patches, though, so you can individually verify each submitter's PGP key against their code. Ugh.
One thing that amuses me is sites that include the MD5 checksum on the download page. Yes, because if someone got in and changed the tarball, they sure wouldn't even bother updating that MD5 string at the same time!
He doesn't care. (Score:5, Interesting)
He sure has a lot to say about something he doesn't care about.
He does suggest that Microsoft code signing technology somehow controls adware and spyware. Sadly, it doesn't seem to work yet, given that my brother-in-law's rather new XP laptop was loaded with the crap.
Re:Verisign Code Signing Certificate (Score:2, Interesting)
Problem, Verisign is the enemy! (Score:5, Interesting)
Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.
These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.
False security? (Score:4, Interesting)
Re:Yeah, right. (Score:5, Interesting)
However, when this happens with IE, you have to terminate the browser process to get out of the "you must click yes" mousetrap.
I agree ... (Score:5, Interesting)
Installing Firefox requires downloading an unsigned binary from a random web server
Installing unsigned extensions is the default action in the Extensions dialog
There is no way to check the signature on downloaded program files
There is no obvious way to turn off plug-ins once they are installed
There is an easy way to bypass the "This might be a virus" dialog
Okay, if I read this correctly, the gist of his argument seems to be that the Internet Exploitme warnings say the Firefox installation is unsafe, he had a few redirections and such to get the download, and therefore, a successful Firefox installation encourages unsafe behavior. As the parent stated, most internet content is unsigned, and thus would also be considered unsafe. The more relevant question is which is safer to use once installed? I didn't really see that addressed. Did I miss something again?
Random servers (Score:5, Interesting)
Now I know the usual answer is going to be "well you can download the source yourself!" or "you can check the md5sums!" The 9.3 million of those 10.1 million Windows downloads probably won't bother. You see how they already clicked through IE's multiple warnings in order to get Firefox installed.
I'll kick in $20 to Firefox if it goes toward a signing certificate.
Before you mod this too far down, keep in mind I run Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041115 Superunicorn/1.0 (All your Firefox/1.0 are belong to Firesomething)
How I can trust Firefox, by TWX (Score:5, Interesting)
In the recent debacle of Microsoft's Internet Explorer and the numerous security vulnerabilities, I can trust Mozilla Firefox. The development history and tradition can be traced back to the early nineties, when a small company entitled Netscape produced a commercial web browser, the first real commercial browser, complete with shrinkwrapped packaging in big box stores like Best Buy and Target, designed to run on Windows 3.11 for Workgroups, Windows NT, and MacOS 7. This product revolutionized the Internet experience, not through doing anything completely new, but through bringing it to the public in a relatively non-technical way, through retail channels. On an ancillary note for the time, UNIX and Linux versions of the popular browser grew as well, and became the dominant browser in all markets. The product did have its faults, including nonstandard tags like blink, but for the most part Netscape ("pronounced Mozilla" according to the company itself) played fairly nice with others.
In 1996, Microsoft decided that The Web was The Way To Go. They obtained licensing to the losing browser at the time, Spyglass Mosaic, and rebranded it as Internet Explorer v2.0. No 1.0 release, no large chunk of original code from Microsoft. This kludge was bundled with Windows NT 4.0 Beta releases and final release, and later added to Windows 95 A, to replace the dead "The Microsoft Network" service.
In 1997, Microsoft decided to work hard to lay the better browser at the time, Netscape, in the fire. Microsoft modified Windows 95B (Aka OSR2) so that when installing the operating system, one was prompted with no obvious way to cancel to install Internet Explorer 3.0. Since the easy way was to just install the product and allow the resource-heavy shell "enhancements" to become the new norm most OEMs and users purchasing the OS for the first time installed it. It didn't matter that Netscape was still a better product and adhered to industry standards well at this point, Microsoft began to see significant market share.
In 1998, Microsoft continued revising its web browser, beginning to lean heavily on non-W3C-compliant tags, ActiveX, and other technologies proprietary to Microsoft web development suites and Microsoft web browsers. Netscape attempted to continue to compete, but was unable to maintain enough percentage of userbase due to the explosive growth of the new computer market, all running bundled Microsoft OSes with Internet Explorer now firmly the user shell. Netscape still enjoyed dominance on Macintosh and POSIX compliant platforms, but that was no real help. Netscape was bought out, to eventually end up in the hands of America Online.
Fast forward to the beginning of the wane of the tech boom. Mozilla as a standalone product is released and opensourced, based on attempts to revise the aging Netscape 4.0 engine to a 5.0 version which proved unworkable. Netscape 6.0 and Mozilla beta/1.X begin to work in tandem to create a community written browser capable of being turned into a quasi-commercial product. Influxes of free development make the product respond fairly rapidly to new market conditions. Being a standalone product, and not using Microsoft's proprietary ActiveX keeps Mozilla and Netscape 6 installations from infecting computers wholesale, while Microsoft's browser continues to suffer from exploit to exploit.
Today, Microsoft's browsers are responsible for delivering Spyware/Malware/Adware payloads to millions of people worldwide. Microsoft claims that security is their new thing, but they have orphaned new development for platforms other than their most modern to reduce the problem. Microsoft's maintenance of even the newest product, Windows XP (through Service Pack 2) still infects users' computers down to the service level with spyware, malware, and adware. Microsoft still has no true fix for these problems, and their ActiveX system is st
Just for argument sake (Score:3, Interesting)
Mr Torr (Score:5, Interesting)
More to the point... (Score:5, Interesting)
More to the point... how do I know that the unsigned binary Firefox installer, which I'm downloading from a random web server, was actually compiled from the legitimate source code?
I'm a Firefox user and I'm never turning back to IE, but the author of the article does have many valid points.
It's the people that were targeted by the NYT ad that we have to think about.
In its current form, Firefox will actually make running unknown, unverified, and unsigned software seem "OK" to the average user. Think about it, your grandma downloads and installs Firefox, because everybody in her family tells her it's more secure and better, but now she's greeted with "This is unsigned!" and "Run at your own risk!" every step of the way. Those messages (OK, not the exact wording) would be rather scary and intimidating to a first-time Firefox user who doesn't know much about computers. So what do we tell grandma? "Just click OK."
THIS is precisely why programmers are not the people who should be the sole ones generating requirements for software that is supposed to be used by "everybody." Things that make perfect sense to programmers can boggle the minds of regular users. Did the Firefox contributors do any usability testing with volunteers who didn't know the software? Well if they didn't get that kind of feedback before 1.0, they will certainly get plenty of it in the months to come.
Re:Trust is earned.... (Score:5, Interesting)
The point isn't that you trust mozilla/firefox. The point is that you're not downloading it from them, you're downloading from a mirror. If the software was signed, you'd know it was tampered with and that you were getting software you thought you were trusting.
The current system lets mirrors tamper with the software. You might trust mozilla, but you really have little idea of what the mirror may have done to it. This is at least what he's saying.. Firefox may have some sort of md5 or something posted..
Re:Yeah, right. (Score:1, Interesting)
1. They are acknowledging Firefox as competition.
2. They are fighting for market share that they are losing, the right way.
3. Although their points may be invalid, they see Firefox on the level now.
Doesn't anyone realize what this means? We (Firefox supporters) won. M$ knows we exist and have our foot in the foyer.
Re:Yeah, right. (Score:3, Interesting)
FTFA:
To a lot of us, Bad Guy == Bill Gates, and Microsoft == Convicted Monopolist.
Re:How can I trust Microsoft (Score:1, Interesting)
level3, CWIE LLC, Savvis... now do you even know who those companies are or what they do? So which is more scary to you, this or depaul.edu?
Given the way level3 harbors spammers I would much rather trust any
Re:IE? (Score:3, Interesting)
If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.
Once the Mozilla org. starts signing their binaries, Microsoft will apply an update to their certificates library to totally not trust FF to install or run.
Yeah, way to go. Not falling for that one.
Re: I am then greeted with this dialog: (Score:3, Interesting)
>Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?
This is a work of art. I'm sure these guys tampered the Firefox install SO BAD (unplugging the network at critical moments, etc...) so that they achieved their desired results.
In other words, they're portraying the Firefox WORST CASE SCENARIO.
Now. Would you like us to portray the IE6 worst case scenario?
Re:How can I trust IE? (Score:1, Interesting)
This is not to support either side. Just a general curiosity. I refuse to believe that everybody here that keeps on drumming on about looking at the open source has actually downloaded and looked at the code, let alone successfully compiled it.
No (Score:3, Interesting)
Google for "windows update error" and you'll see that many users have to go figure out what their x803833828 codes actually mean from sites other than Microsoft.
Here's what I got as a result of clicking a Microsoft link in a search for "download IE":
http://www.gravito.com/sheepdot/IE1.gif
Why do I get cookies from Microsoft websites other than the ones I'm going to?
http://www.gravito.com/sheepdot/IE2.gif
Don't get me wrong, this guy has somewhat of a point, but it's lost in the fact that he's using IE to download Mozilla. Microsoft won't even let Mozilla users download IE. I think that it's pretty obvious that they don't have any intention of getting people to switch, let alone "switch back". I currently use a program called "nLite" to strip IE and IE core from my XP installations. This only started recently due to the lack of a fix for an iframe crashing bug that allowed spyware companies to bypass all those fancy "don't run the exe" windows and just drop malware into the stack. Two weeks for a fix, Microsoft. Two weeks! Mozilla devs have had serious issues like this resolved within a day, sometimes in hours of the first report. The heap overflow in rendering images is another example of how seriously open source developers take security risks.
Lastly, the Flash and especially Java install with IE is a quagmire as well. What happens when the mirror takes longer than 30 seconds to kick in? Well, I click the link and it asks if I really wanted to run/save the EXE. Who cares about signed content, Spybot isn't signed and I need that. Nor is half the open source software. But Gator is signed. Hell, somewhere around 10 to 20 percent of spyware is signed!
Also, the double security windows issue regarding downloaded EXEs in IE is more of a hindrance than a help. Especially when it's been shown that malware authors can write ActiveX to just run it outside of asking the user if it is okay anyway.
Does anyone else find this funny... (Score:4, Interesting)
Yet in the screenshots, IE allows the user to "Run" the executable.
Also...
"But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs."
Obviously didn't try very hard... how about looking in Edit, Preferences, Downloads and then select the Plugins option. From here you can see what plugins are installed and disable them individually.
Last I checked IE doesn't provide a list of Browser Helper Objects that you can individually enable/disable - In fact, the user has no way of knowing that a Browser Helper Object has been installed and worse, has no way of being able to remove or disable it.
Finally, installation of Windows software follows this paradigm, in general. A lot of 3rd party utilities, games and applications can be downloaded and most are not signed. In fact, the Windows Installer does enforce any form of signature or hash.
Security Zones (Score:3, Interesting)
This is a fairly good point. I was never a big IE user but Internet Zones is a good idea. Is there an extension for FF that allows this?
I know about the block flash extension, but just speaking in general terms, the ability to label some sites as more trusted than others to a fairly low level is a good function.
Re:Yeah, right. (Score:3, Interesting)
You can make something well recognised without a self explanatory name, but you invariably need money or the backing of people with money to reach the people not immersed in the industry.
The point the poster was making is that IE has every advantage over Firefox. It comes installed with your computer, so you already have it. It has a name that instantly conveys the function, and on top of all that apparently tells you that downloading Firefox will kill your children (looking at the article). The poster also made the point that Firefox has managed to raise the money for only one major advertisement, and probably most people didn't see it.
It's not that Firefox couldn't be recognised easily if a lot of money was poured into that goal, it's that it hasn't happened.
the right way (Score:2, Interesting)
The wrong way... Their product's bad, use mine instead, oh and did I tell you how bad their product was, you must be a fool if you use it... did I say fool, I mean genius for switching to my product.
People generally don't trust someone if all they have to say is how bad the other person is.
Re:Yeah, right. (Score:2, Interesting)
Re:Random servers (Score:4, Interesting)
You're right, at least 9.3/10.1 wouldn't bother. But you can bet that some percentage, perhaps one in 1000, will. And those people will be really anal about it -- checking the
And when that file doesn't match, you can bet they'll scream bloody murder.
Contrast that to microsoft's setup. Every update is 'required' to pass an MD5 checksum, but what's the bet that the update is allowed to unpack itself first, and since it is running as administrator it will be allowed to overwrite the location of the system call for the checksum.
The point I'm making is that Microsoft's security is easy and automatic, but little more than a facade. Firefox's use of GPG makes it unbreakable, but it is so hard to use very few users will bother. I know I would rather have solid security than a veil of semi-security, but I can understand the journalist missing the superficial security.
Of course, Firefox could have integrated superficial security as well. And firefox could have made the true GPG security a little easier to test.
why do they have to pay verisign? (Score:3, Interesting)
Re:Yeah, right. (Score:2, Interesting)
Re:Yeah, right. (Score:3, Interesting)
Not to mention the fact that they all KNOW about Microsoft. They know the name. They know it's been around for quite a while. Therefore it must be good, right? (not my opinion, but it is the view of people that I have known)
You know what I tell people in this situation?
"Hey - tired of spyware? Well, remember Netscape, from back-in-the-day? This is what it evolved into. It's not closely tied to windows, so there's less chance that hackers can get their software on your computer. Try it out."
People that don't know "mozilla" or "firefox" know "Netscape". Plus, it uses some simple buzzwords, like "hacker" and "software" and "computer", so that you can get your point across to your audience without insulting their intelligence, and yet still let it be known that you know what you're talking about.
~Wx
Re:Why use VPC ? (Score:1, Interesting)
Re:Yeah, right. (Score:2, Interesting)
Tried That (Score:2, Interesting)
They don't blame the people who wrote the site either. They blame the browser for not working with the site. Even if I explain that the people who wrote the site are locking others out for no reason (it's not like it uses ActiveX or anything, the site works perfectly in firefox).
Next time I go there, I will see an IE icon on the desktop again. *sigh*
Can I get rid of executeable permissions on IEXPLORE.EXE without horrific consequences?
Digital Signatures not the solution! (Score:5, Interesting)
[Being a Linux and Firefox supporter, I cannot understand that]
But the whole concept of using digital certificates and digital signatures is way too complex for the average non-technical computer user - and the thought of understanding it well is probably too technical for many technical computer users. SSL has similar problems.
Microsoft goes to great lengths to educate the customer with fairly decent descriptions when things aren't signed, or with default options. But ultimately, the uneducated masses do something because someone else "educated them".
So if your friend told you "hey, go install Morpheus file sharing program because you can get stuff for free." You're going to go download it and all of its spyware.
If your friend emails you a really neat screen saver with embedded virus, then calls you and says "Check out that hot-chick screen saver", you're going to ignore every Unsigned notice error you get to see it run.
The goals of Microsoft are Noble - and Firefox needs to follow its own recommendations, but I don't believe digital signatures will ever be the solution to the problem.
The masses just want their computers to work. They don't want to have to understand the technical details about how they work. Average users running Microsoft Windows should not be required to make a decision, because no matter what - it's Russian roulette.
So if signed programs are the only way to add security to Windows, then just make valid signatures required and go on from there.
You'll just end up with lots of people creating their own signing certificates and the users will have to get a pop-up saying "I don't know the Certificate Authority that signed the signer certificate." Yea, guess what... the average user has no idea what a CA is.
--Twivel
the certificate... (Score:3, Interesting)
Firefox is signed with Mozilla's PGP key, which is just as secure as a certificate. The difference is, you need a secure way to get the public key to you first, so it's not much more secure than MD5.
But, someone could just as easily have handed you a forged Windows install disk, or forged one with your computer, which had a public key for their own spoofed certificate authority, and thus undermine the whole thing.
The point is, you want to reduce the points of failure as much as possible. I think "Download one PGP key and hope it's good, then download anything from mozilla.org and know it's as good as that key" is better than trusting Verisign (and Gator and BonziBuddy).
Re:Real slashdotters never RTFA! (Score:3, Interesting)
then clearly the problem lies with this 3rd party app. And if you claim you got the same error you used it also. Having a 3rd party app on the system when doing alleged "sensitive security matters" seems to be contraindicated. Besides IIRC XP (which he's using) has the ability to unzip built in.
I call shenanigans on you
uninstalling extensions (Score:2, Interesting)
1) go to Tools -> Extensions
2) Click the extension you want to get rid of
3) Click uninstall
Let's compare that to uninstalling programs in windows shall we?
1) Go to Control Panel -> Add/Remove Programs
2) Click the program you want to get rid of
3) Click uninstall
Now, if he wants to pretend that there's no obvious way in firefox to remove extensions, and thus is bad - he should concede that windows has no obvious way to uninstall programs - and is thus bad.
Re:Fun Facts Time! (Score:1, Interesting)
Re:I agree ... (Score:5, Interesting)
http://www.halcyon.com/mclain/ActiveX/Exploder/
Q: Doesn't Code Signing and Microsoft's AuthentiCode technology prevent people from distributing malicious ActiveX controls?
A: No. Code Signing simply attempts to identify who signed the control. Anyone can go out and get a code signature. It's a pretty much automatic process. You go to a web site, give them a name, address, credit card number and some other stuff (none of which have to be yours), click "I Agree" on a page full of legal jargon, and pretty soon you get an e-mail with the information you need to sign the control in it. Once you have your Digital ID, you can sign any unsigned ActiveX control. Nobody reviews these controls! In other words, a signature doesn't tell you who wrote the control and it doesn't tell you if the control is safe or not. Heck, with the number of hot credit card numbers out on the net, it doesn't even tell you for sure who signed it. A danger is that seeing that a control is signed will give folks a warm fuzzy feeling about the control, and encourage them to run it, even though it does not guarantee their safety!
Re:IE? (Score:3, Interesting)
It is for another usage. I occasionally download big packages (knoppix iso, just released kernel etc) from bt. To verify I am in fact downloading something original, I go back to the main site to check the md5sum. The assumption is I trust the main site but not p2p.... Anyway, the main sites do get hit by cracker sometimes.... But, once some guys discover that the news will appear in slashdot
Re:I agree ... (Score:5, Interesting)
That is a real problem, and it has happened to other free software projects.
What a choad (Score:4, Interesting)
1. Off an official website, hashed, with checksums to make sure you're safe.
2. No, it's not.
3. Yes, there is. There are several internet standards, including MD5 hashing. Question -- why doesn't Firefox show the MD5 hash automatically for any files it finishes downloading (in the download box?) Perhaps some good can come from this troll for hire.
4. Just because he didn't look doesn't mean there isn't a way.
5. As opposed to all the multitude of ways IE spyware can bypass user intervention altogether? Right.
I wish I could get paid to troll the intarweb. Maybe Somethingawful's hiring.
How about automating checksum checking? (Score:2, Interesting)
The originating web site could post an XML file containing a checksum and a list of mirror sites. The FireFox download manager would take care of choosing a mirror (or asking the user to choose one), downloading the file, and checking the file against the checksum. If the checksum doesn't match, the download gets a big red X through it and the user gets a very serious warning if they try to open the file.
I'm sure someone will point out that BitTorrent already handles many of these problems, and does it much more efficiently and powerfully. And I agree that it would be great to have a BitTorrent extension for FireFox. But the fact is that MD5 checksums and mirror sites are the de-facto standard for open source software distribution right now, because they're so easy to implement. Why not clean up this system a bit so that average users can benefit from it?
--Stuart
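The manifest-and-mirror check proposed in the comment above, as an added example (not code from the thread or from Firefox); the second demo shows the objection raised earlier in the thread, that a checksum helps only when it arrives over a channel the attacker cannot rewrite. Assumptions: the XML element names, the mirror URLs and the sample bytes are constructed, and SHA-256 is used in place of the MD5 the thread mentions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample data; nothing here is a real installer or a real mirror.
GOOD_INSTALLER = b"constructed installer bytes, release 1.0"
TAMPERED_INSTALLER = GOOD_INSTALLER + b" + injected payload"
MIRROR_A = "https://mirror-a.example/installer.exe"
MIRROR_B = "https://mirror-b.example/installer.exe"


def build_manifest(payload, mirrors):
    """Manifest the originating site would publish (hypothetical format)."""
    root = ET.Element("download", name="installer.exe", size=str(len(payload)))
    checksum = ET.SubElement(root, "checksum", algorithm="sha256")
    checksum.text = hashlib.sha256(payload).hexdigest()
    for url in mirrors:
        ET.SubElement(root, "mirror").text = url
    return ET.tostring(root, encoding="unicode")


def parse_manifest(xml_text):
    """Parse and validate the manifest; reject anything malformed."""
    root = ET.fromstring(xml_text)
    checksum = root.find("checksum")
    if checksum is None or checksum.get("algorithm") != "sha256":
        raise ValueError("manifest must carry a sha256 checksum")
    digest = (checksum.text or "").strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("malformed sha256 digest")
    size = root.get("size", "")
    if not (size.isascii() and size.isdigit()):
        raise ValueError("manifest must state the file size")
    mirrors = [m.text.strip() for m in root.findall("mirror") if m.text]
    if not mirrors:
        raise ValueError("manifest lists no mirrors")
    return {"size": int(size), "sha256": digest, "mirrors": mirrors}


def verify(payload, manifest):
    """True only if length and SHA-256 both match the manifest."""
    if len(payload) != manifest["size"]:
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


def download_verified(manifest, fetch):
    """Try each mirror in order; return (url, payload, rejected_urls)."""
    rejected = []
    for url in manifest["mirrors"]:
        try:
            payload = fetch(url)
        except OSError:
            rejected.append(url)
            continue
        if verify(payload, manifest):
            return url, payload, rejected
        rejected.append(url)
    raise RuntimeError("no mirror served a file matching the manifest")


def make_fetch(contents):
    """Stand-in for an HTTP client: serves bytes from a dict, offline."""
    def fetch(url):
        if url not in contents:
            raise OSError("mirror unreachable: " + url)
        return contents[url]
    return fetch


def demo_trusted_manifest():
    """Manifest comes from the origin; mirror A has been tampered with."""
    manifest = parse_manifest(build_manifest(GOOD_INSTALLER, [MIRROR_A, MIRROR_B]))
    fetch = make_fetch({MIRROR_A: TAMPERED_INSTALLER, MIRROR_B: GOOD_INSTALLER})
    return download_verified(manifest, fetch)


def demo_rewritten_manifest():
    """Whoever altered the file also rewrote the page holding the checksum."""
    forged = parse_manifest(build_manifest(TAMPERED_INSTALLER, [MIRROR_A]))
    return verify(TAMPERED_INSTALLER, forged)


if __name__ == "__main__":
    url, _, rejected = demo_trusted_manifest()
    print("accepted:", url, "rejected:", rejected)
    print("tampered file passes a rewritten manifest:", demo_rewritten_manifest())
```

Closing the gap shown by the second demo needs a signature over the manifest, checked with a key obtained separately, which is the PGP point made elsewhere in the thread.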
Reviewer Signature (Score:3, Interesting)
You'd still have the "know your dealer" problem, but it would be better.
Re:Security Zones (Score:3, Interesting)
Firefox doesn't have that level of integration, so it really doesn't need Internet Zones. And it does have "trusted sites." You can tell Firefox which sites to allow to install software, run Javascript, pop up windows (there is one site that I currently allow to do so). I don't remember what the default was any more, but I suspect it was disallow everybody from doing anything.
Digital Certificates (Score:3, Interesting)
Overconfidence in Signatures (Score:3, Interesting)
Signing just indicates that the source validates what is packaged. Simply, signed Microsoft install packages come from Microsoft. However this does not indicate anything about the quality of the package. This is the heart of MS's problems since it was never a question of the package source but the quality of content. They've burned so many not by fake IE packaging but by the fact IE is "junk" in the first place. Anything beyond this (all of the malware, hacks, and bugs) is just a side effect of design and code in IE not of the fact IE is a hacked install.
There are legit complaints about the Moz distribution and install procedure. I would like to see a "self validating" install to ensure the package is legit however alone signing isn't the solution. Signing is only useful for indicating the install package has not been tampered. It never indicates whether or not the software installed works. No amount of code signing from MS will fix IE's damaged reputation for misbehaving.
ps. I'm loath to think Mozilla needs to fork out money to anyone to prove anything. They should be seeking free (beer and freedom) ways of package authentication.
Re:Fun Facts Time! (Score:1, Interesting)
Does this include the new VX/LM rootkit? Yes, I called it a rootkit because it loads a dll in the HKLM\Software\Microsoft\WindowsNT\CurrentVersion\
Oh, did I mention that it downloads and installs other spyware for you on its own? After ~two hours there were 50 different pieces of spyware installed.
Chop
This just in! (Score:3, Interesting)
I've noticed a pattern of behavior from MS marketing: they don't seem to want to acknowledge linux, firefox, et al. as actual products - and so a wry smile crept onto my face when I saw the image referencing the Mozilla Foundation as "Unknown Publisher." [winisp.net]
This entry is probably an attempt at "payback" for all those "My Windows Installation Nightmare" anecdotes populating the 'web. However, his story seems just a *bit* contrived. I've installed firefox on multiple PCs and multiple windows versions and experienced 0% of the problems he's describing. Huh?
Re:I agree ... (Score:0, Interesting)
It would be easy to hijack the browser in some way to redirect you on visiting mozilla.org.
If you're downloading Firefox, you need to trust mozilla.org. Likewise, if you're downloading Internet Explorer, you need to trust microsoft.com.
His point is that Internet Explorer is signed, so you can trust it. You're saying people need to trust Mozilla, just because.
There's also a two (three?) second timeout and this dialog only appears when either the site is whitelisted by default (only updates.mozilla.org is) or by the user, or if the user clicks the yellow bar at the top to specifically access this dialog.
That's not good enough.
Boo hoo. Authenticode isn't that big of a deal when ActiveX isn't turned on in the first place, considering that that's where 95% of Authenticode is used.
He's talking about Firefox, where there is no ActiveX and anything goes.
This one is just uneducated. Tools -> Extensions. Wait... that's, um, more obvious than IE. Oh well, someone wasn't wearing their glasses.
RTA. He did that. There is no way to disable an extension. A lot of your response sounds like reactive bashing to the fact that IE does more stuff to protect the user from unsigned executables and extensions.
There is an easy way to do that on IE as well. It's called clicking Run. Seriously, you're going to quibble over IE having one more warning than Firefox? Go develop a decent browser first and call me when you do.
See, now this is what I just talked about. Instead of acknowledging that, yes, IE does warn the user more than Firefox, you make some vague criticism about making "a decent browser first." Firefox can't even display Slashdot correctly, but that's irrelevant to the topic.
This statement is built upon previous assumptions that are false (such as Firefox being downloaded from a "random website", see above). Firefox is demonstrably more secure than IE and has far fewer vulnerabilities than Internet Explorer.
Firefox is also used by far fewer people, which is alarming considering the amount of vulnerabilities it has, including those secretly marked "confidential" that we don't know about--you know, the very thing Microsoft gets criticized for doing.
To the Microsoft employee who created the original article: Rather than trying to convince people that something they know is inferior that it is not, why don't you try to make it... not inferior? Innovation speaks louder than marketing. Surely you can do better than a bunch of geeks spread across the globe, right?
See? Instead of addressing the points, you degenerate into a bunch of random bashing about "geeks" and "innovation." Firefox isn't THAT great of a browser over IE. I know visiting Slashdot for years can shape your perception, but there is a software world outside of this place. You don't ever state what actually makes IE so inferior. A very huge lot of people use it. Firefox has a minuscule userbase in comparison, and sometimes I use IE instead of any other browser because I choose to.
I use Opera most of the time, by the way.