
How Can I Trust Firefox?

timothy posted more than 9 years ago | from the how-could-anyone-trust-ie? dept.

Security 1464

TheRealSlimShady writes "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?' He raises some interesting security related points about the download and installation of Firefox, some of which should probably be addressed. The focus is on code signing, which Microsoft is hot on. Of course, the obvious question is 'Do I trust Firefox less than IE?'"


First kumquat! (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#11143137)

First kumquat [slashdot.org] !

soggy toast posts first (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11143138)

made with firefox - now with 100% more man-juice content!

Re:soggy toast pwn3d by t3h kumqu4t! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11143175)

Gotta get up earlier. The kumquat [slashdot.org] does more before 8:00 than most citrus fruits do all day.

Poll Troll Toll (1, Troll)

PollTroll (764214) | more than 9 years ago | (#11143139)

What's better...

Internet Explorer [calcgames.org]
Firefox [calcgames.org]
Sex with a mare [calcgames.org]

Re:Poll Troll Toll (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11143196)

Mod parent up. It provides valid statistical information while eliminating Mac users to the relevant data being collected.

Yeah, right. (5, Insightful)

kngthdn (820601) | more than 9 years ago | (#11143140)

One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust.

Hello? Microsoft? 99% of the stuff on the Internet is unsigned. Downloading software from DePaul University's FireFox mirror doesn't scare me.

What scares me are those freaking awful dialog boxes that IE allows. The ones that say "You MUST click okay to use this site!" or "Do you want to set CrappyAds.ru to be your homepage?".

And even if I press no, I *still* get spyware. Why? IE Sucks.

After I finally got rid of my beloved CoolSearchWeb installations, I installed FireFox for good. I've been spyware free ever since, and I download a lot of unsigned data. No IE, no spyware.

Microsoft is never going to get it.

Re:Yeah, right. (0)

Anonymous Coward | more than 9 years ago | (#11143165)

99% of the stuff on the internet is also not downloaded by 11 million people.

Answer: Openness <==> Trust (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11143243)

In the case of Microsoft, the code for Internet Explorer is closed and is known only to the developers who work on the code. One of the developers could be Taiwanese and might put a trojan horse or malware into the code at the request of Beijing [phrusa.org] . The unsuspecting user would then inadvertently be transmitting her social security number and other personal data to Beijing.

In the case of Firefox, the code is open. So, millions of Western eyes will see anything suspicious in the code. The bottom line is that openness implies trust, and the reverse is also true.

Re:Yeah, right. (0)

Anonymous Coward | more than 9 years ago | (#11143288)

That doesn't even consider the malware that is installed without the user's knowledge, let alone trickery. Microsoft can keep their signed ActiveX plugins.

Re:Yeah, right. (0)

Anonymous Coward | more than 9 years ago | (#11143320)

Examples please?

Re:Yeah, right. (5, Interesting)

Supertroll (210165) | more than 9 years ago | (#11143307)

It now happens with Firefox too. One site I visited tried to force me to install an xpi extension complete with a "you must click yes" pop up box. Dismissing it still let me access the link however.

However, when this happens with IE, you have to terminate the browser process to get out of the "you must click yes" mousetrap.

hhuhuhuhuh (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11143142)

frosty penis

Multiple Firefox Security Flaws Discovered (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11143144)

Too bad I can't trust Firefox due to the fact that Firefox is full of gaping security holes [getfirefox.com] . Firefox has so many security flaws [getfirefox.com] you could drive a truck through them. These horrible security failures [getfirefox.com] include:

-Installing Firefox requires downloading an unsigned binary from a random web server
-Installing unsigned extensions is the default action in the Extensions dialog
-There is no way to check the signature on downloaded program files
-There is no obvious way to turn off plug-ins once they are installed
-There is an easy way to bypass the "This might be a virus" dialog

For more information on these flaws, Click Here [msdn.com] for information.

Re:Multiple Firefox Security Flaws Discovered (5, Informative)

Anonymous Coward | more than 9 years ago | (#11143187)

Heh, I know someone who happens to work for a spyware company. The company has a Verisign cert and signs their software with it. Gee, that was hard!

1st! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11143147)

1st?

whoa wait! (5, Funny)

Korgrath (714211) | more than 9 years ago | (#11143149)

it's against the rules when Microsoft starts flaming back!

Re:whoa wait! (1)

Vampyre_Dark (630787) | more than 9 years ago | (#11143264)

Not when they fight back with FUD, it's just funny.

Don't trust the Firefox download? Two words... (0)

Anonymous Coward | more than 9 years ago | (#11143321)

Gen too.

Security? (4, Interesting)

Canadian_Daemon (642176) | more than 9 years ago | (#11143150)

what about md5 sums? have the install do a checksum of itself?

Re:Security? (1)

Bastian (66383) | more than 9 years ago | (#11143297)

If I'm going to go through all the trouble of putting a payload in FireFox and then masquerading it as the real McCoy, it's not really any extra effort (at all) for me to take out the checksum phase of the install, or to fake it.

Re:Security? (2, Insightful)

bunratty (545641) | more than 9 years ago | (#11143315)

That's what OpenOffice.org uses. [openoffice.org] The article is less about trusting Firefox, and more about trusting every mirror to provide an unhacked copy of Firefox. How do we know the mirror wasn't broken into and the mirrored copy tampered with? It's a valid point.

niggers (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11143151)

aint shit, but bitches.

FIRsT!! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11143152)

first postie!

Re:FIRsT!! (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#11143167)

so fail it

IE? (5, Insightful)

Anonymous Coward | more than 9 years ago | (#11143153)

A better question is, how can we trust anything from Microsoft. Without the source code, who knows what their software is doing behind the scenes.

Re:IE? (1)

kryogen1x (838672) | more than 9 years ago | (#11143199)

True! I was laughing at the blank dialog box. Someone tell me how that is the Mozilla foundation's fault, and not a problem with, say, IE/MS Windows?

Re:IE? (1)

NanoGator (522640) | more than 9 years ago | (#11143201)

"A better question is, how can we trust anything from Microsoft. Without the source code, who knows what their software is doing behind the scenes."

Alternatively: How can we trust FireFox if any old fool can go in and install exploits into the source code?

(Actually, I'm genuinely curious as an answer to that. I don't know much about OSS development, and I imagine people like me have a similar concern.)

Re:IE? (3, Funny)

Anonymous Coward | more than 9 years ago | (#11143210)

If any old fool can do it, let's see you try.

Re:IE? (2, Insightful)

kryogen1x (838672) | more than 9 years ago | (#11143216)

The same way we can trust Wikipedia articles (but save that for another argument). More eyeballs = fewer errors.

Re:IE? (4, Interesting)

realdpk (116490) | more than 9 years ago | (#11143236)

It's happened before, within the last couple of years. Unfortunately I can't find the reference to it. It wasn't Mozilla, it was some other software. Someone broke into the CVS (or other) repository and made some change.

There are solutions to this. PGP signing each patch would at least let you track down who submitted what. You'd probably need to grab the source as a set of patches, though, so you can individually verify each submitter's PGP key against their code. Ugh. :) Probably a better way could be devised, but as yet, none has been presented.

One thing that amuses me is sites that include the MD5 checksum on the download page. Yes, because if someone got in and changed the tarball, they sure wouldn't even bother updating that MD5 string at the same time! ;)

Re:IE? (1)

ticktockticktock (772894) | more than 9 years ago | (#11143313)

One thing that amuses me is sites that include the MD5 checksum on the download page. Yes, because if someone got in and changed the tarball, they sure wouldn't even bother updating that MD5 string at the same time! ;)

One such site is TheOpenCD's download page [sunsite.dk] . See any md5sums for their ISOs on anything but the mirrors themselves? While projects like OpenOffice [openoffice.org] get things done right [openoffice.org] .

Re:IE? (2, Insightful)

maskedbishounen (772174) | more than 9 years ago | (#11143262)

Well, to get code into most OSS projects, it has to be checked in. They usually use CVS to do this. Someone submits a patch and a dev or two does a once-over on it.

If it looks good, it goes in. If it's bad, or blatantly obvious malware, it won't.

In theory you might be able to run across a rogue dev with enough access to bypass this process -- yet OSS is based on trust; unlike getting your product out quickly to keep your job, it's done by people who love the project or cause.

Could it be a problem? Yeah, in theory. But without the source, how would we ever know how many times this has gone on at MSFT, signed code or not?

Re:IE? (1)

Mornelithe (83633) | more than 9 years ago | (#11143265)

Because every old fool doesn't have commit rights to the Firefox CVS repository. You have to submit patches somehow, and they have to be reviewed and accepted by some team of trusted developers.

It's the same with the Linux kernel. If you want to get patches in the main branch, you need to send them to the mailing list, where they'll be tested by people and eventually added if they're worthy. They don't get in the main branch without going through someone trusted, or at least as trusted as any proprietary code-jockey would be.

Re:IE? (1)

JanneM (7445) | more than 9 years ago | (#11143280)

Sure, you could add some exploit code in your copy, if you want. Your "special" code would of course have no chance whatsoever of actually being accepted into the real browser, so you would need to somehow fool people into thinking it is the real version.

But then, how would you spread it? The vast majority of people that get Firefox get it from the Firefox/mozilla site directly, one of their mirrors, or from their distribution repositories (in the case of Linux or BSD). Just as with adding stuff to the source, you don't have any access to those reputable channels.

If you put it up on some random webpage you may get a few people to download it. But then, you could put any kind of software up there with a malicious load and get a few people to download it - no need to go through Firefox for it. In fact, you probably have greater success fooling people with an app that is not so widely available from reputable sites.

Re:IE? (5, Insightful)

Kyouryuu (685884) | more than 9 years ago | (#11143289)

The obvious answer - you can't. There is no such thing as a 100% exploit-proof undertaking as significant as a web browser.

There are two sides to the coin:
- Firefox is generally trustworthy because a lot of eyes look at the code and changes are logged in public view. Most developers are benevolent. People have tried to create exploits with the Linux kernel, but they have been weeded out.

- Ideally, Internet Explorer would be generally trustworthy because as a business, Microsoft's reputation rides on the quality of the program. In a capitalist society with an element of competition, commercial demands would force Microsoft to close exploits. However, Microsoft lives in a monopolistic universe. And as we all know, companies that live with little competition generally aren't benevolent and don't give a rip about corporate reputation. When a company has 90% market share with a web browser, they often rest on their laurels and get sloppy about it. Until a vastly superior browser like Firefox effectively turns the tables - say 60/40 - Microsoft probably feels no obligation to react and will continue to act like Firefox is no threat.

Re:IE? (0)

Anonymous Coward | more than 9 years ago | (#11143252)

According to this drone, "Microsoft's reputation depends on it".

Uhm. That doesn't really say much. Microsoft has so much market proliferation and so many customers heavily invested in their platform that they could have the most insecure software on the planet and still (for the most part) keep their customers. Oh, wait...

Do I trust Firefox more than I trust IE? (0, Redundant)

BlackEyedSceva (798150) | more than 9 years ago | (#11143154)

Simply put, no.

Re:Do I trust Firefox more than I trust IE? (1)

vgaphil (449000) | more than 9 years ago | (#11143287)

Why?

Why are blogs news? (4, Interesting)

RobPiano (471698) | more than 9 years ago | (#11143156)

What surprised me most about this article is that it's a blog posting where the guy asks a simple question: Why has Firefox not purchased a VeriSign code signing certificate? Why did the poster not take the time to state this very simple sentence?

Well, regardless of the empty implications, the blog posting is not really that exciting. It is really an attempt for this guy to validate his existence as a guy who thinks about security stuff. His job is to say signing software is the only way to really be safe and this is exactly the kind of thing that makes sense when you hear it in a business meeting.

Great, I just want two things from both parties. From the poster: I want an uneditorialized explanation digest linking to a story, and from the Microsoft security expert I want actual statistics and case studies on the importance of code signing.

frst post (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11143158)

first post

Verisign Code Signing Certificate (5, Interesting)

AndyFewt (694753) | more than 9 years ago | (#11143159)

Peter Torr makes the point that Mozilla should get a Verisign Code signing Certificate [verisign.com] .

Well, if they managed to raise the cash for the NYT article, then they could raise the cash needed for a cert. Verisign lists the CodeSigner Standard at $400 and the CodeSigner Pro at $695 (which includes $100k of protection, express delivery and some keynote audit). This is far less than what was raised for the NYT article (I couldn't find the exact figure though).

So I think Spread Firefox or Mozilla should consider making this the next aim, or someone should donate them $400-695 to pay for it.

Why support Verisign? (5, Interesting)

Anonymous Coward | more than 9 years ago | (#11143186)

I don't feel any love for that company. They could always donate a cert to the Mozilla foundation, too. Nice tax write-off for them.

Re:Why support Verisign? (1)

AndyFewt (694753) | more than 9 years ago | (#11143291)

If I had the $695 spare I'd donate it to them. I support Mozilla and Firefox!

Yes, I admit I used IE for a long time as my primary browser. I always had Firefox installed from the early 0.5 days (if I recall) and started seriously using Firefox when it was the 1.0 preview release. I finally switched Firefox to my primary browser when it went 1.0 and haven't looked back.

The only time I have loaded IE since then was when a site I went to was saying how firefox is unsupported (although they supported mozilla :/). That one time I *did* load IE, I somehow got a virus downloaded to my pc. Considering my email is read on a linux box and virus scanned by two different machines before I read it (plus I'm not dumb enough to run attachments), I have to conclude it was the result of some IE usage. My firewall blocks all outside traffic to me plus a bit of non public ip ranged NAT would discount the usual Windows ip range scanning worms.

Put simply, I won't use IE ever again. Unfortunately I haven't been able to convince my dad to get rid of IE because he is scared of change and insists all his IE settings won't get imported (I know better). Although I've managed to convert him to other things before, so I guess I'll keep on with Firefox :)

Re:Verisign Code Signing Certificate (2, Insightful)

fred fleenblat (463628) | more than 9 years ago | (#11143239)

It probably isn't a good long-term strategy to respond to microsoft this way. Open source software needs to find an open-source signing mechanism.

A good starting point might be for www.mozilla.org to host unmirrored checksums for itself and its plug-ins.

Re:Verisign Code Signing Certificate (5, Insightful)

freeze128 (544774) | more than 9 years ago | (#11143251)

If mozilla buys a cert, then they are openly supporting the idea of PAYING VERISIGN FOR CERTS. Isn't that just supporting another monopoly? Of course Microsoft wants you to pay for the cert... they can certainly afford one. But what about all the little guys who write code for free?

Re:Verisign Code Signing Certificate (2, Insightful)

Dorsai65 (804760) | more than 9 years ago | (#11143255)

Considering how much BS Verisign has instigated (the "your domain is gonna die if you don't renew with us" letters, hijacking DNS, etc.), their certs don't mean squat to me anyway.

Re:Verisign Code Signing Certificate (1, Funny)

Anonymous Coward | more than 9 years ago | (#11143267)

Why should I trust Verisign?

Re:Verisign Code Signing Certificate (2, Interesting)

lewp (95638) | more than 9 years ago | (#11143277)

I'd rather they didn't waste the money. It's not like I trust who Verisign says it's from, anyway. Who knows how many more incidents like this [microsoft.com] have happened that we don't know about?

Problem, Verisign is the enemy! (5, Interesting)

Penguinoflight (517245) | more than 9 years ago | (#11143284)

I don't know anyone that trusts Verisign. You'd think a security company would practice legitimate business; who would have guessed?

Verisign has a lot against them. The only thing I can think of now is using fake domain name "renewal" notifications to steal business (and cheat users) from legit domain registrars.

These renewal notices were sent at random, to people who did not have domains registered with verisign, and whose domains were not soon expiring.

Re:Verisign Code Signing Certificate (5, Insightful)

ip_fired (730445) | more than 9 years ago | (#11143303)

And why would signing the code make it more secure?

You can know that it is an official binary and hasn't been tampered with. However, I can accomplish this without paying Verisign money using a standard fingerprint.

When you sign it with a Verisign certificate, the trust then moves up the chain. So, the question becomes, do I trust Verisign?

No.

In my opinion, this isn't even a problem. I make sure I download files from sources that I trust, and they make sure that those files remain clean as a matter of site security.

It all boils down to this:

1) Normal users don't care about signed code, as they happily click on "Yes, download this!" without bothering to check anything.

2) Power users can verify the integrity of their code without shelling out big bucks to Verisign.

Extensions are EASY to uninstall (5, Informative)

Anonymous Coward | more than 9 years ago | (#11143172)

Tools > Extensions > Choose extension and UNINSTALL. And I don't know anyone who ever stopped installing something they downloaded because it wasn't signed. Perhaps if 99% of Windows users weren't running as admin, this wouldn't be a problem?

Re:Extensions are EASY to uninstall (0, Troll)

QuantumG (50515) | more than 9 years ago | (#11143312)

I don't get your point. Once native code runs on your machine it can do just about anything. For example, it could change one of the extensions you already have installed to do its nasty work.. or Mozilla itself. People can do the same with IE (and do) but that's not the point here. Five times over the last two days I've heard people shouting from the rooftops that everyone should use FireFox because you don't get spyware. This is so stupid. The reason you don't get spyware is because it's a waste of freakin' time for the spyware makers to target 5% of users instead of 95% of users. If 95% of people were using FireFox there would be just as much spyware for FireFox as there is for IE. So shut the hell up about spyware already.

Code signing? (1, Redundant)

Dorsai65 (804760) | more than 9 years ago | (#11143189)

Signed buggy insecure crap, or unsigned open source? Hmmmmmmm - let me think on that....

Read and compile??? (2, Insightful)

quaker5567 (841639) | more than 9 years ago | (#11143192)

Re:Read and compile??? (1)

OverlordQ (264228) | more than 9 years ago | (#11143286)

Can Any J. Normal User do this? I don't think so, so how will reading the source and compiling help them be more secure? Answer: it won't.

Anyone need a Gmail invite still? (-1, Offtopic)

jmcmunn (307798) | more than 9 years ago | (#11143197)

Check the link below. These are honest to goodness invites. There are 30 of them...so move fast.

http://www.jiggybyte.com/gmail.htm [jiggybyte.com]

Enjoy. Sorry for the offtopic post.

I think what he is really trying to say is (0)

Anonymous Coward | more than 9 years ago | (#11143198)

Can you trust Anonymous Coward

Anyways, anyone notice he was using 7-zip.. Seems to me he's just ranting and likes microsoft too much that he is blinded.

WHAT A FUCKING MORON (1, Informative)

Anonymous Coward | more than 9 years ago | (#11143204)

Have you never heard of PGP [207.200.85.49] signatures (Windows [207.200.85.49] , Linux [207.200.85.49] , Mac [207.200.85.49] ) or hashes (SHA1 [207.200.85.49] , MD5 [207.200.85.49] ) you cocksucking M$ whore?!

Oh well (0)

Anonymous Coward | more than 9 years ago | (#11143209)

Well the whole premise of the article seems that the UI (dialogboxes, etc) is not very streamlined.

Everybody knows that open source tools do not have the jazzy UI that MS tools may, simply because there are no $60K-per-year full-time UI designers.

MS products may be better in this regard, but it's like saying that since my steering wheel's heavy and my rear view mirror's fogged up, my Ferrari is fucked up.

MS Code signing (0)

linuxislandsucks (461335) | more than 9 years ago | (#11143213)

Most, when presented with MS code being signed and the other choice of having a secure product unsigned, choose the latter.

Maybe MS should try actually spending more hours on fixing the MSIE corrupted SpyGlass code they have instead of pretty code signing smoke screens.

MS has $40 billion to fix these problems; instead they spend more money on bad PR.

Give a finger to Bill today: DOWNLOAD FIREFOX AND DO NOT LOOK BACK

Has anyone in the slashdot community... (5, Insightful)

john_g_galt (522650) | more than 9 years ago | (#11143217)

Seen any of these errors? I've installed Firefox on several pc's with no problems at all.

I also noticed this comment:

"and not caring if my Virtual PC image dies a horrible death"

(emphasis added)

Could this person be having a virtual pc problem?

Re:Has anyone in the slashdot community... (1)

thebes (663586) | more than 9 years ago | (#11143305)

He's probably using the before SP1 version of VPC, which needed a fscking .bat file to install the network drivers AFTER the main installation. SP1 of VPC actually works quite nice. The pre-sp1 version sucked goat.

repeating the past? (1)

bird603568 (808629) | more than 9 years ago | (#11143220)

Was it me or am I just confused, didn't Netscape run a big campaign similar to the one Microsoft is running now? I can't really remember, I wasn't old enough to really understand what was going on. According to the trends Mozilla is gaining huge growth. Hopefully IE will follow what NN did.

Hmmm Lets see here... (0)

Anonymous Coward | more than 9 years ago | (#11143221)

I open and use IE for 5 minutes and I get bent over and have spyware up the ass with no lube or I use Firefox and worry about a mirror... hmm... that's a tough one.

Code signing (2, Insightful)

pair-a-noyd (594371) | more than 9 years ago | (#11143223)

sure says a lot for IE security, doesn't it?

Defend IE? Huh? (0)

Anonymous Coward | more than 9 years ago | (#11143224)

WTF? How can they even DEFEND IE given its horrible track record? FireFox is by no means perfect (and I'm sure it's got a number of flaws of its own), but how can any pro-Microsoft drone complain about the security of another browser when their own beloved browser has a plethora of problems?

Something reminds me of a certain biblical "speck/plank in the eye" phrase.

this dude hasn't heard of the first amendment (0)

Anonymous Coward | more than 9 years ago | (#11143226)

He moderates every single post to the blog; no wonder there are only Microsoft lovers' comments.

Hmm...this is an easy one... (0)

Anonymous Coward | more than 9 years ago | (#11143227)

..trust software created by the biggest monopolist in the history of humankind who has been known to booby trap their operating system against other developers INCLUDING Netscape (who happens to be the developer in question), OR trust an organization that was cheated, destroyed, and screwed over by said monopolist and who has since created a browser MUCH MORE secure than Internet Explorer. If you need to spend more time than it takes to read this post, you need some serious cranial evaluation.

The real question. (3, Interesting)

Anonymous Coward | more than 9 years ago | (#11143228)

How can I trust Microsoft?

Even if I get a secure dl of Exploder, the company has always done what is best for its interests, with little regard for mine.

Just because it's signed... (4, Insightful)

capn_buzzcut (676680) | more than 9 years ago | (#11143230)

doesn't mean it's good for you. I recall seeing prompts to install "Web Gator" software and other such junk, all of which were signed by somebody. Despite the fancy certificate though, it was still crapware.

The dialog box of mystery. (1)

eclecticgeek (832915) | more than 9 years ago | (#11143231)

I love the blank dialog box. It's just as, if not more, informative than some of the MS dialogs that appear on a Windows machine. Seriously though, most of the issues around IE etc. do not stem from the download source; it's the holes that are in the program to start with. That's why I don't trust IE.

But... (5, Insightful)

mstefanus (705346) | more than 9 years ago | (#11143232)

Some spywares are also signed with Verisign... Gator, Bonzibuddy, etc.

What's the point?

Feeling threatened? (0)

Anonymous Coward | more than 9 years ago | (#11143234)

1) Make browser
2) Write article on why other browsers suck
3) ???
4) Profit

This guy is right. Listen to him. (4, Insightful)

Animats (122034) | more than 9 years ago | (#11143235)

This guy makes some good points. His main point is that the distribution process for FireFox is very insecure. The "traditional open source approach" of voluntary mirrors (perhaps with manual MD5 checks) isn't good enough for high-volume end user products. The FireFox team needs to work out a much more secure install sequence.

One approach might be to have users download a small installer from "firefox.org" (only!) which then verifies the downloaded file (which can come from anywhere). The download site on "firefox.org" should have an SSL certificate good enough for code signing.
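An added illustration (not code from this thread, from Mozilla, or from the blog post under discussion) of two points raised above: a checksum published on the same mirror as the binary is regenerated along with it when the mirror is tampered with, while a checksum fetched from the project's own site (the "small installer from firefox.org verifies the file" idea) catches the swap. The hosts, file contents and the two-space "SHA256SUMS" line format are constructed for the example; SHA-256 stands in for the MD5 the posts mention.

```python
import hashlib
import hmac

# Constructed sample contents; a real build would be the installer bytes.
GENUINE = b"genuine installer bytes (constructed sample)"
TAMPERED = b"tampered installer bytes (constructed sample)"
NAME = "firefox-installer.bin"
SUMS = "SHA256SUMS"  # assumed name of the checksum list on each host


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sums(files: dict) -> str:
    """Render a checksum list: one '<hex>  <name>' line per file."""
    return "".join(f"{sha256_hex(b)}  {n}\n" for n, b in sorted(files.items()))


def parse_sums(text: str) -> dict:
    """Parse the checksum list, rejecting malformed lines instead of guessing."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        int(digest, 16)  # raises ValueError if not hex
        sums[name] = digest.lower()
    return sums


def verify(blob: bytes, name: str, sums_text: str) -> bool:
    """True only if the blob matches the digest listed for it in sums_text."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False  # no entry at all: treat as failure, not as 'unknown'
    return hmac.compare_digest(sha256_hex(blob), expected)


def build_hosts():
    """Origin = the project's own site; mirror = an honest copy of it."""
    origin = {NAME: GENUINE}
    origin[SUMS] = make_sums({NAME: GENUINE})
    mirror = dict(origin)
    return origin, mirror


def tamper_with_mirror(mirror: dict) -> None:
    """Model the scenario the posts describe: the mirror's binary is replaced
    and the mirror's own checksum file is regenerated to match."""
    mirror[NAME] = TAMPERED
    mirror[SUMS] = make_sums({NAME: TAMPERED})


def check_against_mirror(mirror: dict) -> bool:
    # Checksum taken from the same host as the file.
    return verify(mirror[NAME], NAME, mirror[SUMS])


def check_against_origin(mirror: dict, origin: dict) -> bool:
    # File from the mirror, checksum from the trusted origin.
    return verify(mirror[NAME], NAME, origin[SUMS])


def demo():
    """Returns ((mirror_ok, origin_ok) before tampering, same after)."""
    origin, mirror = build_hosts()
    before = (check_against_mirror(mirror), check_against_origin(mirror, origin))
    tamper_with_mirror(mirror)
    after = (check_against_mirror(mirror), check_against_origin(mirror, origin))
    return before, after  # → ((True, True), (True, False))


if __name__ == "__main__":
    print(demo())
```

The mirror-hosted checksum still passes after the swap, which is exactly why it adds nothing; only the check whose reference value comes from a separately trusted host fails.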

History (1)

techstar25 (556988) | more than 9 years ago | (#11143237)

If for no other reason, we use Firefox because it is new and holds the promise of a better experience. Too many of us have lived through Windows 95, 98 and ME's constant crashes, penchant for attracting virii and ease of spyware takeovers. Microsoft has never given us a reason to trust them in any way, shape, or form. After paying my hard-earned cash to MS for buggy software, I'd trust a room full of monkeys to code a better web browser. Sorry, Microsoft, but history has doomed you and it's too late now.

are you kidding me? (1)

Vash_066 (816757) | more than 9 years ago | (#11143238)

I would trust Charles Manson to have a "surprise" waiting for me at a party he's throwing more than I would trust IE to stay safe and keep popup ads off my system. While Firefox might not be perfect, it's leaps and bounds over what IE offers.

Worrywart (2, Insightful)

Askjeffro (787652) | more than 9 years ago | (#11143242)

Of course he can't trust Firefox, it's trying to take his job away. Does a Ford engineer trust Chevy trucks? Well maybe, but you sure as hell won't see a Ford engineer driving one...

He doesn't care. (4, Interesting)

standards (461431) | more than 9 years ago | (#11143244)

I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all

He sure has a lot to say about something he doesn't care about.

He does suggest that Microsoft code signing technology somehow controls adware and spyware. Sadly, it doesn't seem to work yet, given that my brother-in-law's rather new XP laptop was loaded with the crap.

"Numeric IP address" ? (4, Funny)

theefer (467185) | more than 9 years ago | (#11143245)

I download the software again (this time coming from -- I kid you not! -- a numeric IP address [...]

As opposed to what? A graphical IP address? A string IP address? A musical IP address?

I hope this kind of remark does not reflect the technical skills (or lack thereof) of the author, although the content of the lame flamish post seems to lead us to the same conclusion.

And the obvious answer is: (0)

Anonymous Coward | more than 9 years ago | (#11143247)

No.

what's wrong with this picture? (1)

spir0 (319821) | more than 9 years ago | (#11143248)

shouldn't people at Microsoft be more concerned with securing their own product and making it a better program rather than just spreading the usual FUD?

Surely by now even the common-folk are tiring of this rhetoric.

The Answer (1)

kjots (64798) | more than 9 years ago | (#11143250)

Yes.

Any more questions? No? Good.

--
Make way Evil! I'm armed to the teeth and packing a hamster!

Er.. (0)

Anonymous Coward | more than 9 years ago | (#11143253)

Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."

I suppose the fact that the link is a mirror posted on getfirefox.com would make most people trusting of it. Then again, I guess we should never trust downloading anything from any organizations that can't afford the massive webspace and bandwidth to allow millions of downloads of a browser.

Only huge conglomerates like Microsoft which can afford to do that have trustworthy software. I mean, the download is coming from Microsoft.com! And that's who wrote it! How much more secure can you get?!

Microsoft inspires Stockholm Syndrome (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11143254)

I don't run their software period and I suggest you all just Zero your M$ infected drives and walk away.

Come fishing, hiking, swimming and all the really good things in life.

Heck, become a bartender in some tropical oasis, anything, just get away from your tormenter.

Let M$ flush itself down the toilet. The sooner the better.

Trust is earned.... (4, Insightful)

King_TJ (85913) | more than 9 years ago | (#11143256)

Paying for a commercial entity to "code sign" your software seems much to me like trying to buy someone's trust. IMHO, trust can't really ever be bought. It's something earned.

How can I trust FireFox? Basically, I only trust it because other people who came before me reported back on their success with it, and in my own trials, it has done well for me. (The fact that the source code is available for open examination is a comforting factor too, of course.)

Ultimately, I think almost all of us choose the software applications we run based on how satisfied we are with the results they give us. The fact that a package is "signed" or "unsigned" has very little bearing on my confidence in using a particular program.

I guess... (1)

camooT (820852) | more than 9 years ago | (#11143260)

I should just put off using the internet until microsoft decides to distribute some of their dough that goes into purchasing 1600 dollar Verisign certificates.

Because, hell, did you think Firefox was a non-profit organization or something? Sheesh, naive slashdotters!

Valid Points (2, Insightful)

ehack (115197) | more than 9 years ago | (#11143263)

Open Source was designed, like the internet protocols, for people who trust each other - the developers of shrink-wrap executables need to learn to think paranoid when they deal in user binaries.

Don't make the same errors again - if the designers of SMTP had thought about the users rather than the implementers, they would have built signature/encryption/sender authentication straight into the protocol and prevented the spam issue from ever arising.

Logical Error (3, Insightful)

nwbvt (768631) | more than 9 years ago | (#11143275)

"In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software)."

That would mean that every piece of software not signed would be bad. The logical definition of necessary is not "provides some evidence", but is a strict conditional. In other words software can be trusted only if it is signed. This is obviously false, there are clearly ways one can trust a piece of software without requiring a digital signature.

Emulation errors? or Windows SP2 issues? (1)

Blamemyparents (730461) | more than 9 years ago | (#11143278)

He says himself he's running it in Virtual PC. An emulator. Emulators can cause strange bugs. And only a small number of people actually run XP SP2. Half of the computers in the US are still 98 or below, and only a small portion of the other half have been upgraded to/came with SP2. So the vast majority of users won't see the signature message. Should Firefox get a signature? I don't see how it could hurt, and it would help for situations like this.

Downloading Firefox w/ IE? (3, Funny)

fbg111 (529550) | more than 9 years ago | (#11143279)

Mr. Torr uses IE to download Firefox in his blog article. Why am I not surprised that IE has difficulties downloading Firefox? Next thing we know, an internal Microsoft memo will surface recommending that MS "cut off Firefox's air supply."

Ranting (1)

ZSpade (812879) | more than 9 years ago | (#11143290)

"Do I really trust a bunch of kids at some random university I've never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!"

So we're supposed to stop downloading programs like this because they didn't pay $400 to release a FREE alternative.

False security? (4, Interesting)

zlel (736107) | more than 9 years ago | (#11143292)

Personally I trust MD5 hashes more than certificates... certificates give me an impression of false security... afterall, anybody can buy a certificate - or did i miss something?
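The MD5-versus-certificate question above, and the mirror worry raised earlier in the thread, come down to where the hash you compare against came from. The following is an added example (not code from any poster or from the Mozilla project); it simulates a mirror that serves a file together with its own hash, using constructed sample bytes in place of a real installer.

```python
import hashlib
import hmac

# Constructed sample payloads standing in for the real and a tampered installer.
GENUINE = b"firefox-installer: genuine build (constructed sample)"
TAMPERED = b"firefox-installer: trojaned build (constructed sample)"


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the download; the algorithm is a parameter so the same
    check can be run with the thread's MD5 (collision-prone) or SHA-256."""
    return hashlib.new(algo, data).hexdigest()


def verify(downloaded: bytes, published_hex: str, algo: str = "sha256") -> bool:
    """Compare the download's digest with a published one in constant time."""
    return hmac.compare_digest(digest(downloaded, algo), published_hex)


# Out-of-band channel: the hash the publisher lists on its own (canonical) site.
CANONICAL_HASH = digest(GENUINE)


def mirror_serves(compromised: bool) -> tuple[bytes, str]:
    """Simulated mirror. A compromised mirror replaces the file AND rewrites the
    hash file it hosts next to it, so the two stay consistent with each other."""
    data = TAMPERED if compromised else GENUINE
    return data, digest(data)


def check_via_mirror_hash(compromised: bool) -> bool:
    """Hash fetched from the same mirror as the file: proves only that the
    download was not corrupted in transit, not that it is the publisher's build."""
    data, mirror_hash = mirror_serves(compromised)
    return verify(data, mirror_hash)


def check_via_canonical_hash(compromised: bool) -> bool:
    """Hash fetched from the publisher's own site: detects a swapped file because
    the mirror operator cannot rewrite what the canonical site publishes."""
    data, _ = mirror_serves(compromised)
    return verify(data, CANONICAL_HASH)


if __name__ == "__main__":
    # A trojaned file sails through the mirror-only check but fails the other.
    print("mirror hash, compromised mirror:   ", check_via_mirror_hash(True))
    print("canonical hash, compromised mirror:", check_via_canonical_hash(True))
    print("canonical hash, honest mirror:     ", check_via_canonical_hash(False))
```

The same split applies to a signature: a certificate only moves the out-of-band trust from "the site that published the hash" to "the CA that vouched for the signer", and says nothing about whether the signed code is benign.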

That is like saying (2, Funny)

cspring007 (705809) | more than 9 years ago | (#11143293)

"Yeah sure, our boat is on fire, sinking and leaking radioactive waste
But look at their boat...
it's got a dent in its hull
also, why spend time trying to break into one car that has its windows rolled up..
when it's sitting in a parking lot full of cars with their windows down and keys in the ignition

Certificates can be misgiven or expired. (1)

CygnusXII (324675) | more than 9 years ago | (#11143300)

"If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate."
He states.
What about expired Certificates or Certificates given out in error?
It has happened before.
http://amug.org/~glguerin/opinion/revocation.html
http://news.zdnet.co.uk/internet/security/0,39020375,39118994,00.htm
This Gentleman's story starts off on a bad foot initially and just stumbles along.

Looks like the ad, sponsored by the Firefox group, stirred up the great MS Blog Machine, and MS is doing some damage control. Not to mention this is on the heels of the MSN Search tool AP story debacle where Firefox was shown being used instead of IE.

The answer is simple :P (3, Informative)

kryogen1x (838672) | more than 9 years ago | (#11143304)

Type "1" in Google [google.com] and hit I'm feeling lucky. Hint: It's not the IE page. Please don't mod me off topic.


The real reason (0)

Anonymous Coward | more than 9 years ago | (#11143317)

.. I use firefox is not because of the security aspects. Quite honestly the security provided by both browsers are quite adequate for normal users. No-one is secure from their own stupidity.

The real reason is the features. Take tabbed browsing for instance. Just that One feature is good enough for me to keep using firefox.

The real security issue is not so much the browser as it is the thing it runs on... Windoze!!

Code signing bla bla bla... (0)

Anonymous Coward | more than 9 years ago | (#11143325)

A couple of years ago there was a security advisory from Microsoft regarding some vulnerability related to their certificates. Can't remember the details, but the solution presented in their bulletin was to remove Microsoft as a trusted signer.

Redirection is the newest flaw in browsers (3, Insightful)

killerface (573659) | more than 9 years ago | (#11143326)

(from the article) First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/. Funny when I went to http://windows.com I got redirected to the real page at http://www.microsoft.com/windows/default.mspx