How can I trust Firefox?

[MonsterTruck]

Hehe, that article was such a laugh... but anyways, the dude wants security, ON A M$ PLATFORM!!! If he's that paranoid, he should be using a Linux distro in the first place! So much for digitally signed, my ass.

[xexagon]

http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

"...But the thing that makes me really not trust the browser (Firefox) is that it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions."

This guy continues to making more bullshxt here:
http://weblogs.asp.net/ptorr/archive/20 ... 28377.aspx

"Q: Mozilla can't afford bandwidth, so it needs the mirrors

A: But they can afford two-page ads in the New York Times? "


"Q: Mozilla can't afford code signing certificates

A: But they can afford two-page ads in the New York Times?

Oh and they can apparently afford an SSL certificate. "

"Q: Why don't you just use Firefox?

A: Because my blog doesn't display properly... "

I am very angry about his attitude of judging a software that he doesn't even use.

Well, at least he's responding, and he's taken the time to look through this thread. I still dont agree with his central idea (that buying various certificates would make Firefox safer), and the fact his website doesn't display properly is probably not FF's fault (although it looks fine here). Also, the dig at the documentation is wrong: I think it's quite clear how to disable plugins. Navigating to help>search>'plug' worked for me! Logical enough, I think, and try doing the same in IE6 - nada!. But he has found a valid bug (I think):

Firefox only installs extensions from white-listed sites, and only update.mozilla.org is trusted by default.

Simply not true.

I downloaded the FlashBlock extension from http://mozdev.xmundo.net/flashblock/fla ... -1.2.5.xpi and "Install Now" was the default button (hint: try typing that URL into the address bar of Firefox and see what happens).

When I click on the link, I get a message telling me that Firefox has stopped the website (weblogs.asp.net) from installing software on your computer. Ditto when I try to install it from the Flashblock website. However, when I copy and paste the .xpi address into the address bar and press Enter, Firefox offers to install the extension.

The only valid reason for this occurrence is that mozdev.xmundo.net is part of one of the 3 domains I allow to install software (www.mozilla.org, www.extensionsmirror.nl and update.mozilla.org). Of course, it's unlikely anyone would copy and paste the link rather than simply click on it, and Firefox still warns about installing it, but still . . .

[Fender178]

You cant trust on what microsoft says about Fire fox.

[PJohansson]

This is only indirectly related to the thread topic, "How can I trust Firefox", but WHY is Firefox listening on port 1456?

[DuncanL]

This is only indirectly related to the thread topic, "How can I trust Firefox", but WHY is Firefox listening on port 1456?

It's completely unrelated....
Firefox uses a local port to communicate between different components. See this for a bit more info.

[chapas]

Some of us should start wearing tin-foil hats, yes?

[adam_ady]

I think like many others that Mozilla.org should use a mozilla subdomain for mirrors. I personally think that Mozilla could quite easily set a system up like SourceForge, at SourceForge the download link is whatever.dl.sourceforge.net, whatever being the mirror name. Mozilla could use something similar like whatever.mirrors.mozilla.org. That would be better than being presented with some random website address or ip address.

Adam

[VirtualLarry]

I never claim that Firefox is 100% secure; what browser is? Although he does make some valid points, he obviously didn't spend too much time using Firefox. His complaints about flash didn't seem reasonable:

get taken to the Macromedia page, where I can download Flash. Firefox prevents me from running the executable straight away, and forces me to save it to disk. That's probably a good move for most users, although personally I tend to click Run inside IE because I know it will warn me about unsigned programs. Nevertheless, it is but a minor speed bump on the way to malware infection, as we shall see in the next step.

He feels inconvenienced by this security measure.

This is a "Security Manager" at MS, and he clicks "run" inside of IE? What, is this guy nuts!?!
And the part about "warn me about unsigned programs" - does it do that for *any* executables now, in XP SP2? Most prior versions of IE that I've used, would dutifully run the executable directly, no warning or prompting. In fact, IE used to have a problem with a buffer-overflow, in the certificate dialog itself! Your box could get "0wned" simply by having that dialog pop up. Gives you a nice warm feeling about IE, doesn't it?

Once the file is saved, I can open it from the little downloads dialog that pops up. The problem is, there is no indication as to whether or not the file is digitally signed; I just get the usual "This could be a virus; do you want to run it anyway?" dialog. But without any evidence to base my trust decision on (where it came from, who the publisher was, etc.), what should I do? Of course, the right thing to do would be to delete the file and never install Flash, but I really want to install it so I guess I have to go ahead and run the thing.

That has nothing to do with Firefox. Send a complaint to Macromedia.

At least FF prompts; most older versions of IE would not. As far as "trust" - well, plenty of malware publishers seem to easily be able to get a code-signing certificate from Verisign. Implying that, because something is signed, or that the credentials attached to that signature somehow make something "secure", is incredibly misguided.

Attempting to teach users to click "Run..." directly on downloads, and to simply look for a certificate and assume that the presence of such indicates trust which implies security, combined with the fact that any executable code that runs is native code, not run in a sandbox - those things combined are downright dangerous for security. It's not like malware providers will give the necesary details in the code-signing certificate info, "Hey Dumb User - This ActiveX Control is a Virus/Browser-Hijacker/Adware application - Do you want to install it?". To the average user, the certificate dialog is just another step to have to click "Yes" to, nothing more.

What's really frightening though is that there is a "Don't ask me again" option in this dialog... which means that if you check the box you could end up running any old garbage on your system without so much as a single warning. Doesn't sound so secure to me...

Firefox won't actually run every executable that it downloads automatically, will it?

And how is that "don't ask me again" option, any different at all, between the checkbox in the certificate dialog in IE, "Always trust content from such-and-such". Especially considering how low the bar is to actually obtaining a cert. Kind of ironic, too, considering that Firefox has many internally-blocked executable filename extensions that it will not run directly, period, vs. IE, which for years and years would run nearly anything, with minimal prompting.

So anyway, Flash installs and I can view the Ocean's 12 website OK. But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog

So where is the "Tools - Manage - Add-Ons" dialog for all non XP SP2 IE users? Oh, that's right, MS left them high and dry with regards to the security features available in their browser, because they want to pad their profits more than secure their users. Whereas, Firefox's security features are cross-platform, and not hindered intentionally in search of greater corporate profits.

Wholistically speaking, it seems pretty bizarre and ironic, that MS has embarked on their "trusted computing" initiative, which also implies that you would have to trust the vendor of your "trusted" computer software too, wouldn't it? And yet, we have MS security people spouting mis-truths and half-truths about their competitors and security in general, and at the same time, at the corporate level, actually hiding "Critical" security patches that have left their customers (of their "trusted computing" OS - in fact the "most secure OS that MS has ever produced") and their personal shared data, completely exposed to the internet, for nearly four months. It is utterly incomprehensible, and reprehensible, that this information especially after the patch was developed, was swept under the rug like it was, and left out of the usual "MS patch day" patches.

When are people going to "wake up" and learn to deal with the lies, and learn to accept that they have been "suckered" into believing the lies for so long. It's very hard for someone to do, which is why so many still choose to stick with those that lie to them. It's truely sad.

[VirtualLarry]

Point: Binary is unsigned, triggering WinXP SP2s warning.

And? MS has been well-known to cause their OSes to generate "spurious" warnings when attempting to run competitor's code. Look at what Win 3.1's bogus error messages did to DR-DOS's market-share.

But, for the good of the clueless end-users, I tend to agree with making a concession here, and jump through MS's hoop.

[quote="Cusser"]Point: Extension system should support signing
Note: It will before Firefox 2.0[bquote]
I definately agree with that, it will make malware-blocking (and proper extension compatibility versioning!) much easier. Instead of forcing the re-packaging of components, or even indicating what versions of the browser that they should run on, internal to the package - they should instead not bundle versions at all, and have "whitelists" of tested-compatible extensions (based on digital sigs of the packages), and "blacklists" for the known malware. That would be the proper thing to do.

Digital signatures alone, in and of themselves, do absolutely nothing for security, and training users to believe otherwise is actually a detriment to security. However, given a proper framework of additional security-related features, digital signatures can be a quite useful tool indeed. I look forward to the addition of code-signing for extensions in Firefox. (Come to think of it, aren't the "official" auto-update packages signed? So some of the infrastructure is there already?)

[BenBasson]

And? MS has been well-known to cause their OSes to generate "spurious" warnings when attempting to run competitor's code. Look at what Win 3.1's bogus error messages did to DR-DOS's market-share.

We're not talking about bogus messages or selectively disadvantaging competitiors, it's a simple case of the code being unsigned. If it's signed, the message goes away. I think it's a good convention, already adopted by hundreds of software companies.

[scratch]

but the software is no more likely to be harmful if it's unsigned than if it's signed. it gives a false sense of security, and i think that makes it bad rather than good for average users.

[Robert S.]

scratch - exactly... and similar in some ways to how people just trust an application not to harm their system... just like IE or OE. Just as it is possible to sign a harmful extension it is also possible to sign a harmful activex control.

[Lost User 36785]

I equate this to getting a cup of coffee from a pot that you didn't personally prepare. Each morning at the office, I grab a cup (unsigned, of course) and have no idea who made it or what the preparer may have put in. When I make the pot, I know what ingredients went into the making, but I don't sign off on the pot either. This is all a matter of mutual trust, with a lot more at stake than a sick computer.

[scratch]

but even if you knew who made it, you still wouldn't know if you could trust it.

[Lost User 36785]

but even if you knew who made it, you still wouldn't know if you could trust it.

The point is, I don't think about it, and I'd bet you don't either.