Discussion of general topics about Mozilla Firefox
http://blogs.msdn.com/ptorr/archive/200 ... 27511.aspx
"...But the thing that makes me really not trust the browser (Firefox) is that it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions."
Well, where to start with someone who doesn't care about the security of the original code?
Presumably the curious user will trust the product that has been advertised in the NYT and has been downloaded 10 million times, rather than the one that's simply purchased a certificate for a few hundred dollars.
The writer had problems with his/her installer, I haven't had one problem since version 0.4 (including the in-between version numbers). The writer shifts from the particular to the general, and throws in a bit of scary stuff too.
As for the extensions: the writer is obviously unaware of the white list policy. A site has to be OK'd before FF will install the XPI. If you don't trust the site, don't download the extension. So this:
Is simply untrue, unless s/he means signed by VeriSign, and that depends on how valuable you feel the VeriSign system is. Incidentally:
I agree that Getfirefox's unannounced use of a mirror is a bad thing, but the writer seems to distrust mirrors in general, which would limit the amount of downloads one could make!
As for the (unconnected) Flash stuff: delete the plugin or install this extension (trust me, it's fine!)
Strikes me as a rather silly article.
So essentially his whole argument boils down to "Firefox is not a digitally signed application." And yet even he states "just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software".
I disagree with his logical terms ("it is a necessary but not sufficient condition for trusting software") though. Given that only a minute percentage of all software applications are digitally signed -- including Microsoft's own -- I would be more surprised seeing a digitally signed application than an unsigned one.
I don't know how to respond - I am laughing so hard I can't keep my hands on the keyboard. Written by a person who hasn't yet actually used Firefox, only tried to install it. Not only is his nose brown but in attempting to crawl further up M$s backside (or insert your own euphemism) his ears have turned brown also.
.msdn.com that's an independent of Microsoft domain - right?
Thanks for the link, I needed a good laugh.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
I guess that's why Apache is more secure than Windows server, not enough people use it
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8)
Gecko/20050511 Firefox/1.0.4 (MOOX M3)
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7)
Gecko/20050421 Firefox/1.0.3 (Debian package 1.0.3-2)
Quote from a comment posted in response.
"... FF is just as insecure as IE."
Oh my, that's a good one!!
*wipes tear streamed eyes*
There are some valid criticisms, but I'm not sure how much of an issue unsigned extensions are, considering that most people don't install extensions, and can't install them from anywhere other than update.mozilla.org by default, signed or not.
The download manager will also support digital signing before Firefox 2:
http://wiki.mozilla.org/index.php/Firef ... ad_Manager
Are any of you going to read those comments and take them on board, or are you going to sit here and make juvenile comments? I have no doubt that Firefox is more secure than Internet Explorer, but this is about trust, not security. There are valid points raised, and we would be foolish not to take them on board.
Excuse me while I go and do something constructive with my time relating to this post, like ensuring that appropriate bugs are already on file. In fact, I think I'll start a new thread in the Tech forum, since this one is going to get trashed.
I don't use (because I no longer seem to need), anti-spyware of any kind.
What valid points and bugs?
Bug: Looks like there are installer errors... I use zip builds exclusively, so I wouldn't know, but this should be investigated if it's true, and I seem to remember a problem like this before... could be a regression.
Point: Mirror URL is unrelated to getfirefox.com or mozilla.org
Point: Binary is unsigned, triggering WinXP SP2's warning.
Point: Extension system should support signing
Note: It will before Firefox 2.0
Point: If you want to make users more security aware, giving them secure tools (such as Firefox) isn't the only solution. Several steps of the processes outlined could directly lead to false trust in unsigned binaries and lead users to ignore otherwise useful warnings.
An inexperienced user following the same process would get the following facts:
1) It's ok to install from unidentified sites
2) It's ok to install unsigned binaries, despite Windows warning me that it could be anything.
3) It's ok to install extensions that are unsigned.
To an extent, yes, it's fine if you do those things with Firefox and get extensions from update.mozilla.org, but in essence it's training users to ignore security measures.
Not everyone who criticises Firefox does it in a frankly ridiculous manner with little basis to their arguments. Firefox might be more secure, and the article may not be correct in all of its assertions (installer errors?) but its basis is spot on.
I think the reaction so far to this post has been disgusting. I found the MSDN post before I saw this thread, and I sure know which community looks the more mature at this stage. Clue - it's not MozillaZine.
While there is some scaremongering in the post and the comments, there are some highly valid points raised. If the Firefox community cannot take those points on board then there is a serious problem.
http://colinramsay.ath.cx - Mozilla, CSS, .NET
keep in mind he was installing under virtual pc. this could be the cause.
so they shouldn't be allowed to use mirrors? many other sites do so, including big name download sites. i think microsoft even does.
if it wasn't for SP2, i'd say this is no problem. because of SP2 displaying a big warning, though, I think this might be nice to take care of.
it doesn't now? sure, all the extensions out there are unsigned, but just the fact that it says this seems to indicate that it isn't always the case.
none of those security measures does you much good, though. any "hacker" could get their app or extension signed.
there are a few valid points, but it seems like this guy just has way too much faith in the signing system, even though he admits it doesn't really mean anything. and remember, the vast vast majority of apps out there are unsigned.
Oh no! You mean the page redirected you?!?! Let's make a suggestively negative comment about it, since those sloppy coding bastards at Mozilla can't even write a webpage without redirecting...
Someone give me a good reason to keep reading this piece of propaganda, i mean, "Journalism".
Great point. I mean what was it Sophocles wrote?
Explain to me how we're soooooooooo immature. And even if we are, how that invalidates the argument that this article is a piece of crap.