How can I trust Firefox?

Discussion of general topics about Mozilla Firefox
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

Since Firefox is open source, this is especially important. How do I know if I can trust a Firefox install from a domain? How do I know if it comes from Mozilla.org and not some wannabe hacker who's inserted some malicious code somewhere? This is where signing is important. Sure, a certificate saying "Mozilla.org" isn't a guarantee of trustworthiness, but it's better than nothing, and that's what's important.

I'm not sure whether I agree with you regarding a false sense of security... teaching users to ignore signed/unsigned application prompts is just as bad, if not worse.
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

i suppose for the actual mozilla install, if it's coming from a mirror, this may be of some value. for extensions, though, it doesn't really make a difference if it's signed by joe extensionauthor.

i really don't think it is. i think that signatures on software are of little value in the majority of cases, and giving users the idea that a signature means it's safe is misleading at best.
BenBasson
Moderator
Posts: 13671
Joined: February 13th, 2004, 5:49 am
Location: London, UK

Post by BenBasson »

It doesn't mean it's safe... it means it's definitely from where it says it is, giving you a better idea of safety. That's my take, anyway. Admittedly, there's no point in extension authors individually signing their work, but if Mozilla.org moderators (such as those for UMO) could do so, it'd most likely be beneficial. The reason it's effective is not for the initial download/install, but if the files are kept for future use.
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

but then that would require them to check each extension for malicious code before signing. in the case of some of the larger extensions, that might be a lot of work. i don't imagine mozilla.org would be up for the task without a lot more volunteers. i agree that, if it were to be implemented that way, it would help with security.
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

Signing will guarantee that the file hasn't been modified since it was signed and if you view the org for the cert you can see who signed it which has no reference to the download site except if they happen to be the ones signing it. I could take a distribution, modify it, then sign it, and redistribute it. If an extension is installed from U.M.O. then the only additional assurance that signing will provide is that someone hasn't managed to replace an extension on one of U.M.O.'s download servers with their own which of course could also be signed. If this happens - and it is a big if - the time to resolution of this security breach will most likely be short. During this time people trying to install the extension will either

see the extension isn't signed if it isn't with some subset of these people
a) installing it anyways as they do today
b) will not install it because it isn't signed

or if it is signed with a different org some subset of these people will
a) notice this and not install it
b) another subset of users will see it is signed and install it
c) will install it and not notice if it is signed or not.

As for future use are you referring to if the extension is downloaded and then installed at some time in the future by the user? In this case the lifetime between releases of extensions reduces the value of this significantly and if the user's system is compromised to the point where someone can modify an extension there are much worse things that could / would happen before this would be the route someone would take.
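An added example, not part of Robert S.'s post or of any Mozilla code, illustrating the distinction the post draws: a signature proves the file is unchanged since it was signed and identifies the signer, so a modified and re-signed copy still counts as "signed" unless the signer is compared with the one expected. It assumes toy unpadded RSA with constructed keys, and the org names, byte strings and function names are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy, unpadded, illustration only)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(data, n):
    """SHA-256 of the data, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, org, key):
    """Bundle data with the signer's org label, public key and signature."""
    sig = pow(digest(data, key["n"]), key["d"], key["n"])
    return {"data": data, "org": org, "pub": (key["n"], key["e"]), "sig": sig}

def is_validly_signed(pkg):
    """What a bare 'this file is signed' check establishes: unmodified since signing."""
    n, e = pkg["pub"]
    return pow(pkg["sig"], e, n) == digest(pkg["data"], n)

def is_from(pkg, pinned_pub):
    """Stronger check: valid signature AND the signer key is the expected one."""
    return is_validly_signed(pkg) and pkg["pub"] == pinned_pub

# Constructed keys built from Mersenne primes; far too weak for real use.
PUBLISHER = make_key(2**61 - 1, 2**89 - 1)
REPACKAGER = make_key(2**107 - 1, 2**127 - 1)
PINNED = (PUBLISHER["n"], PUBLISHER["e"])

def scenarios():
    """Return (validly signed, signed by expected key) for three constructed packages."""
    original = sign(b"extension v1.0", "Example Publisher", PUBLISHER)
    # Modified after signing, signature left as it was.
    tampered = dict(original, data=b"extension v1.0 + extra code")
    # Modified, then signed again under a different org's key.
    resigned = sign(tampered["data"], "Some Other Org", REPACKAGER)
    cases = [("original", original), ("tampered", tampered), ("resigned", resigned)]
    return {name: (is_validly_signed(p), is_from(p, PINNED)) for name, p in cases}

if __name__ == "__main__":
    for name, (signed, expected_signer) in scenarios().items():
        print(f"{name:9} signed={signed} expected_signer={expected_signer}")
```

Only the comparison against the pinned key separates the re-signed copy from the original; in a real deployment that comparison is against the certificate's verified subject or a pinned key fingerprint.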
JoJo Gunn
Posts: 265
Joined: May 9th, 2004, 11:34 am
Location: Tennessee

Post by JoJo Gunn »

I'm just an average Joe, and here's my take - certs don't mean anything to me. They can be faked, so I just trust my instincts. As others have noted, considering how MS uses dead people to write letters to editors of newspapers and Congressmen, etc, why should I trust them? And didn't Verisign themselves have a fiasco about routing people to a search site around the first of the year?

Speaking of redirects, how about all those redirects in IE bookmarks, such as the Media folder, like when you upgrade to IE6? :)
xexagon
Posts: 407
Joined: March 24th, 2004, 2:52 pm
Location: Eastern flatlands, UK

Post by xexagon »

JoJo Gunn wrote: I'm just an average Joe, and here's my take - certs don't mean anything to me. They can be faked, so I just trust my instincts. As others have noted, considering how MS uses dead people to write letters to editors of newspapers and Congressmen, etc, why should I trust them? And didn't Verisign themselves have a fiasco about routing people to a search site around the first of the year?

Speaking of redirects, how about all those redirects in IE bookmarks, such as the Media folder, like when you upgrade to IE6? :)


Quite. I'd rather trust my (conservative) instincts than Microsoft. The way I see it, Microsoft is either trying to control my computer/internet usage (plus ça change), or it's trying to jump on some security bandwagon.

As for the idea of certificates in general, I only see it having any real value if Mozilla checks the code of extensions available on UMO.
adfergie
Posts: 27
Joined: August 17th, 2004, 8:30 am

Post by adfergie »

And you trust Internet Explorer?