How can I trust Firefox?

Discussion of general topics about Mozilla Firefox
michaell522
Posts: 2417
Joined: November 4th, 2002, 4:47 pm
Location: London, UK

Post by michaell522 »

DuncanL wrote: But anything can be signed simply by paying the fee. There are no tests involved; a signature only proves that it was signed by the person it says signed it (and even that could be faked by using a stolen credit card). Plenty of spyware is signed.

But that's the point here - if people know they trust mozilla.org, then if something is signed by mozilla.org they know they can trust it, even when they're downloading from a random mirror with a name they don't know (or no name at all in some cases, as this guy pointed out).

There are no magic solutions (though Firefox's whitelist seems a sensible route to me - it places the burden of trust on the end user)

There aren't any magic solutions. Firefox's whitelist is a good thing, but again - that's not a security feature as such. It's based on the referring site, and doesn't tell you anything about the destination site, or who made the software.
shakey_snake
Posts: 1622
Joined: October 25th, 2004, 11:12 pm

Post by shakey_snake »

If he doesn't like the installer, he should just get the zip.
DuncanL
Posts: 235
Joined: August 1st, 2003, 7:41 am

Post by DuncanL »

michaell wrote: But that's the point here - if people know they trust mozilla.org, then if something is signed by mozilla.org they know they can trust it, even when they're downloading from a random mirror with a name they don't know (or no name at all in some cases, as this guy pointed out).

For the main Firefox app itself which comes from a known large entity (Mozilla) I can see that this offers a certain level of trust and so it wouldn't hurt to use it there.
However, I don't think it helps with extensions (which is the comparison he was making with XPIs versus ActiveX controls) - each extension/control is written by a different individual, who cannot be expected to afford a $400 Verisign cert; and even if they did why would that make me trust them any more? Extensions are not tested or approved by Mozilla.org and they don't have the resources to do so (which is I think why the code signing that is already in Firefox has never actually been hooked up to anything). How does a cert for "Joe Blogs Software" tell me anything about the actual (rather than the stated) intent of the extension?
Current Firefox Version: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1b99) Gecko/20090605 Firefox/3.5b99
elmorte
Posts: 1
Joined: December 21st, 2004, 9:18 am
Location: Kuala Lumpur, Malaysia

Post by elmorte »

You should note that MSDN stands for Microsoft Developers Network...so the guy is getting paid by Bill Gates. Saw someone ask this earlier so I thought I'd mention it.

Anyway, I'm a long-time user of IE and never liked other browsers, but that article by Torr made me wanna download FireFox (well, that, and the fact that when I was browsing this thread IE would give me an error when I tried to find (Ctrl+F) some text on the 2nd page of this thread). However, I couldn't find that piece of text with FireFox (using it right now to post) either, as I can't figure out how to search for substrings :(

Anyway, it seems that Torr's article was written for 10 year olds as the way he presents his bias annoyed the crap out of me (and I LOVE IE).

I'd like to mention as well that I had no problem downloading and installing FireFox, and it seems nice. If at any point I did leave mozilla.org, IE certainly never alerted me to it. Gonna look for a quick start-up guide or something to lemme get used to using this FF interface (need to find keyboard shortcuts asap, sick of clicking on tabs).

El Morte
thebigfish
Posts: 1
Joined: December 21st, 2004, 10:05 am

Post by thebigfish »

This morning I went to the bakery, but I was afraid that the baker had spit in my food. I mean, I picked up the food myself.
How many "normal" users check whether the files they download are signed?

I am an Opera user, but it is clear (to me) that he is just jealous of Firefox.

The problems he tells about are a more general problem for everybody, not just Firefox.

and

"despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk."

Isn't that a total lie? I am not much around in the Firefox community, but one thing I know is that Mozilla always publishes ALL bugs.
But maybe I am wrong?
dgrimm1
Posts: 632
Joined: December 7th, 2004, 3:55 pm
Location: Kansas USA

Post by dgrimm1 »

Just for clarification, there are a few bugs in Firefox that are not available to the general public. From what I have heard they generally involve strategic or security issues. I learned this a while back when trying to query a bug through Bugzilla that I could not access.
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan

Post by schapel »

thebigfish wrote: "despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk."

Isn't that a total lie? I am not much around in the Firefox community, but one thing I know is that Mozilla always publishes ALL bugs.
But maybe I am wrong?


No, that's not a lie. Whenever you report a bug, you can classify it as a security problem. Once that's done, only a few people on the security team can see the bug until they declassify it. They make security bugs public after a patch is available, but until then it's kept secret.

Like he said, this is not a bad thing. Making all unpatched security bugs public would be irresponsible.
adam_ady
Posts: 4
Joined: December 21st, 2004, 8:29 am

Post by adam_ady »

I think that extensions should be signed by someone, and using certs from people like VeriSign does not verify that the extension is safe and secure. I think the best people to do it would be Mozilla; they could check the code and then verify it when they feel it is safe. This could improve users' confidence and security in extensions and FireFox in general.

----------------------------------
Adam
Firefox 1.0 / Thunderbird 1.0
BillyG
Posts: 262
Joined: October 29th, 2004, 2:24 pm

Post by BillyG »

All I'm gonna add to this thread, before I "stop watching it" due to petty bickering, is the fact that there were some valid points brought up, I'm pretty sure they will be addressed ASAP, and that the author of that "journalism", "article", etc. was a Microsoft employee, writing in his blog. Believe me, I doubt it is being closed anytime soon and I think that that is a good thing!

Know what you are reading and treat it as such, or don't read it at all.
“Beware of spyware. If you can, use Firefox.” - USA Today ... “Better than IE by leaps and bounds.” - FORBES ... funny thing is, I already knew that!

><((((º>`·.¸¸.·´¯`·.¸.·´¯><((((º>
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

I thought you were in Reading (about 120 miles from me). It's certainly not just past midnight here in Colchester!

*Rolls eyes*...
Posted: Tue 21st Dec 2004 1:20am


However, assuming Mozilla signs certificates relating to Mozilla products, then that's great. I mean, why should Mozilla get Microsoft to sign its products?

Presumably the process is done via Verisign's Code Signing Digital ID system, or something similar.
shakey_snake
Posts: 1622
Joined: October 25th, 2004, 11:12 pm

Post by shakey_snake »

schapel wrote:
thebigfish wrote: "despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk."

Isn't that a total lie? I am not much around in the Firefox community, but one thing I know is that Mozilla always publishes ALL bugs.
But maybe I am wrong?


No, that's not a lie. Whenever you report a bug, you can classify it as a security problem. Once that's done, only a few people on the security team can see the bug until they declassify it. They make security bugs public after a patch is available, but until then it's kept secret.

Like he said, this is not a bad thing. Making all unpatched security bugs public would be irresponsible.


For clarity's sake:
Yes, where it is and the fact that it is a bug are hidden until a security update is issued,
but the source with the bug in it is still available.
You just have to find it first, to exploit it.
David H
Posts: 2254
Joined: June 13th, 2003, 5:17 am
Location: Japan

Post by David H »

All I really see from this article is an attempt to gloss over the very real major security flaws of Internet Explorer by vastly overstressing the very minor possible security weaknesses of Firefox. And even then, he mostly focuses on weak points in distribution, rather than the software itself.

The only question I have is whether this guy was actually told to write an anti-Firefox diatribe, or whether he really believes the BS he's spouting.
DuncanL
Posts: 235
Joined: August 1st, 2003, 7:41 am

Post by DuncanL »

adam_ady wrote: I think that extensions should be signed by someone and using certs from people like VeriSign does not verify that the extension is safe and secure. I think the best people to do it would be Mozilla, they could check the code and then verify it when they feel it is safe.

The problem is (as I said) they simply do not have the time, money or manpower to run such a scheme. There are hundreds of extensions (admittedly many are not updated any more but that's beside the point) and examining every line of code in every extension before approving it is not going to happen. Code signing simply provides an audit trail; it does not (and isn't supposed to) verify the quality or purpose of the code.
Current Firefox Version: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1b99) Gecko/20090605 Firefox/3.5b99
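The trust model being argued over in this thread (michaell522's point that a mozilla.org signature lets you use any mirror, and DuncanL's point that a signature is only an audit trail), sketched as an added Go example that is not code from Mozilla or from anyone in this thread: the publisher's key is pinned in advance, the installer bytes may come from any mirror, and a passing check proves only who released those bytes. The key pairs, file name and file contents are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is what the publisher signs: the release's file name and SHA-256
// digest. The installer bytes themselves may come from any mirror; only the
// manifest's signature has to trace back to the publisher's pinned key.
type Manifest struct {
	Name   string
	Digest [32]byte
}

func (m Manifest) encode() []byte { return append([]byte(m.Name+"\n"), m.Digest[:]...) }

// SignRelease is the publisher's side: hash the release and sign name+digest.
func SignRelease(priv ed25519.PrivateKey, name string, file []byte) (Manifest, []byte) {
	m := Manifest{Name: name, Digest: sha256.Sum256(file)}
	return m, ed25519.Sign(priv, m.encode())
}

// VerifyDownload is the user's side. pinnedPub is the publisher key trusted in
// advance (e.g. shipped with an earlier install); file is whatever the mirror
// served. A nil result means only "the key holder released exactly these bytes";
// it says nothing about whether the code is safe.
func VerifyDownload(pinnedPub ed25519.PublicKey, m Manifest, sig, file []byte) error {
	if !ed25519.Verify(pinnedPub, m.encode(), sig) {
		return errors.New("manifest not signed by the pinned publisher key")
	}
	if got := sha256.Sum256(file); !bytes.Equal(got[:], m.Digest[:]) {
		return errors.New("file from mirror does not match the signed digest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed publisher key pair
	release := []byte("constructed stand-in for firefox-setup.exe")
	m, sig := SignRelease(priv, "firefox-setup.exe", release)
	fmt.Println("honest mirror:", VerifyDownload(pub, m, sig, release))
	fmt.Println("tampered mirror:", VerifyDownload(pub, m, sig, append(release, '!')))
	_, otherPriv, _ := ed25519.GenerateKey(nil) // constructed unrelated signer
	m2, sig2 := SignRelease(otherPriv, "firefox-setup.exe", release)
	fmt.Println("signed by someone else:", VerifyDownload(pub, m2, sig2, release))
}
```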
whitebirds
Posts: 3
Joined: October 25th, 2004, 9:23 pm

Re: How can I trust Firefox?

Post by whitebirds »

TreeGo wrote: http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

"...But the thing that makes me really not trust the browser (Firefox) is that it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions."



This guy continues making more bullshxt here:
http://weblogs.asp.net/ptorr/archive/20 ... 28377.aspx

"Q: Mozilla can't afford bandwidth, so it needs the mirrors

A: But they can afford two-page ads in the New York Times? "


"Q: Mozilla can't afford code signing certificates

A: But they can afford two-page ads in the New York Times?

Oh and they can apparently afford an SSL certificate. "

"Q: Why don't you just use Firefox?

A: Because my blog doesn't display properly... "

I am very angry about his attitude of judging a software that he doesn't even use.
digger662
Posts: 8
Joined: December 19th, 2004, 2:42 pm

Personally Who Cares

Post by digger662 »

I don't care what somebody else has to say about FF or TB. They can be a little slow at first, but have a lot of features that the user can choose on their own. I am finding that if I just follow the forums and use common sense, the Mozilla products are a great alternative to Big Brother. "Have it my way." Watch out, here we come. :P :P :P