How can I trust Firefox?

[Fixed issues with images; sorry]

[Removed the clear=all problem; thanks for pointing it out]

[Added a follow-up post here]

Recently, a lot of volunteers donated money to the Firefox project to pay for a two-page advert in the New York Times.

If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

Let me explain...

One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust. Every time you download a random piece of software from a random location, you're taking your chances with your PC and all the information stored on it. You wouldn't take candy from strangers, would you?

In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software).

So what happens when a typical user decides it's time to download Firefox and enjoy the secure browsing experience that it has to offer? Well, sit back, relax, and let me take you on a journey.

First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/.
From there I easily located the download link, and clicking on it gave me the following dialog:

Download Firefox image

Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."

Do I really trust a bunch of kids at some random university I've never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!

But being a brave soul (and not caring if my Virtual PC image dies a horrible death) I click Run. A few seconds later, I get the following dialog:

Picture of unsigned Firefox executable warning

What?

Not only does this software come from a completely random university server, but I have no way of checking if it is the authentic Firefox install or some maliciously altered copy. (I sure hope those 10 million people who have downloaded Firefox so far haven't all downloaded backdoors into their system...). Since "You should only run software from publishers you trust" and since the publisher cannot be verified, I should click Don't Run (which is, thankfully, the default).

But, again, being a brave soul I click Run.

I am then greeted with this dialog:

Picture of random setup dialog

Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?

Forging blindly ahead, I download the software again (this time coming from -- I kid you not! -- a numeric IP address, the bastion of spammers and phishers and all manner of other digital rogues) and run the installer. This time things are actually looking good:

·Installer runs fine

·I accept the defaults

·Firefox starts

·It asks if I want to make it the default browser; no thanks

·I get this dialog (seriously):

Picture of blank Message Box (not even a title bar)

Hmmm, a completely blank MessageBox. Well, OK is the default choice, so I guess I should accept that. No idea what it will do to my system though.

My confidence in this software is growing in leaps and bounds.

I decide to reboot the VPC just in case that dialog was trying to tell me something important. After rebooting, I boot up Firefox and it seems to be working fine.

I decide to install some extensions because, hey, everyone on Slashdot loves them so much. I browse to the extensions page and decide that the Amazon.com Sidebar sounds cool (I love Amazon, and Amazon loves my credit card). Clicking on the link brings up this dialog:

Picture of Firefox Extension Install dialog

It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?

(Just so I don't get inundated with comments about this, Firefox does disable the Install button for a couple of seconds when the dialog is first displayed, but by the time I had finished reading the text in the dialog it was enabled and ready to go).

Next, I want to go somewhere that uses Flash (heh, coz we all know I love Flash!). I'll try the Ocean's 12 official web site, www.oceanstwelve.net, which detects that Flash isn't installed and gives me a link to install it. Clicking on the link, I get taken to the Macromedia page, where I can download Flash. Firefox prevents me from running the executable straight away, and forces me to save it to disk. That's probably a good move for most users, although personally I tend to click Run inside IE because I know it will warn me about unsigned programs. Nevertheless, it is but a minor speed bump on the way to malware infection, as we shall see in the next step.

Once the file is saved, I can open it from the little downloads dialog that pops up. The problem is, there is no indication as to whether or not the file is digitally signed; I just get the usual "This could be a virus; do you want to run it anyway?" dialog. But without any evidence to base my trust decision on (where it came from, who the publisher was, etc.), what should I do? Of course, the right thing to do would be to delete the file and never install Flash, but I really want to install it so I guess I have to go ahead and run the thing.

What's really frightening though is that there is a "Don't ask me again" option in this dialog... which means that if you check the box you could end up running any old garbage on your system without so much as a single warning. Doesn't sound so secure to me...

So anyway, Flash installs and I can view the Ocean's 12 website OK. But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs.

According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content. Ho-hum. The first download mirror that the page sent me to gave a 403: Forbidden error; luckily the second mirror worked OK and, once again playing digital Russian Roulette, I installed the extension and rebooted Firefox twice (yes twice) as instructed to install it. To be fair, the extension is pretty cool, but that's not the point: How do I know I didn't just install some terrible malware from a compromised web server? Who owns xmundo.net anyway, and can their admins be trusted? And what if I accidentally browsed to some site hosting a malicious Flash movie whilst trying to download the extension?

(Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer any more.)

To continue my benevolent fairness, I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example).

Mozilla has had its share of security vulnerabilities in the past (just as IE has), and -- despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It's just something you should be aware of. Just because you don't see any unpatched security bugs in Bugzilla doesn't mean they don't exist, either.

But the thing that makes me really not trust the browser is that it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions.

·Installing Firefox requires downloading an unsigned binary from a random web server

·Installing unsigned extensions is the default action in the Extensions dialog

·There is no way to check the signature on downloaded program files

·There is no obvious way to turn off plug-ins once they are installed

·There is an easy way to bypass the "This might be a virus" dialog
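The mitigation the first and third points above call for, worked through as an added example (not code from the original post or from Mozilla): the installer may still come from any mirror, but the integrity reference, here a sha256sum-style manifest rather than an Authenticode signature, must come from the publisher's own origin over HTTPS, and a mismatch or an untrusted manifest source is a hard "do not run". The canonical host list, the manifest path and format, and the sample installer bytes are assumptions constructed for the example; the mirror host is the one from the post.

```python
"""Verify a mirror-served installer against a hash manifest from the canonical origin.

Added example, not code from the original post or from Mozilla. Every host name
except the post's own mirror.sg.depaul.edu and mozilla.org, the manifest path and
the sample installer bytes are constructed for the example."""
import hashlib
from urllib.parse import urlparse

# Hosts allowed to serve the manifest (the trust anchor); assumed for the example.
CANONICAL_HOSTS = {"www.mozilla.org", "ftp.mozilla.org"}


def manifest_from_trusted_origin(manifest_url: str) -> bool:
    """A hash list proves nothing if it came from the same mirror as the file."""
    u = urlparse(manifest_url)
    return u.scheme == "https" and u.hostname in CANONICAL_HOSTS


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.strip()] = digest.lower()
    return expected


def verify_download(filename: str, data: bytes, manifest_text: str,
                    manifest_url: str) -> tuple:
    """Return (ok, reason); every failure path means 'do not run this file'."""
    if not manifest_from_trusted_origin(manifest_url):
        return False, f"manifest came from untrusted host {urlparse(manifest_url).hostname}"
    expected = parse_manifest(manifest_text)
    if filename not in expected:
        return False, f"{filename} is not listed in the manifest"
    if hashlib.sha256(data).hexdigest() != expected[filename]:
        return False, "digest mismatch: mirror copy differs from the publisher's manifest"
    return True, "digest matches the publisher's manifest"


# Constructed stand-ins for what a mirror would serve; not real installers.
GENUINE_INSTALLER = b"MZ\x90\x00 constructed genuine Firefox installer bytes"
TAMPERED_INSTALLER = b"MZ\x90\x00 constructed installer with one byte changed!"
# Constructed manifest as the publisher would host it on its own origin.
PUBLISHER_MANIFEST = ("# constructed SHA256SUMS for the example\n"
                      f"{hashlib.sha256(GENUINE_INSTALLER).hexdigest()}  FirefoxSetup.exe\n")
PUBLISHER_MANIFEST_URL = "https://www.mozilla.org/SHA256SUMS"  # assumed path
MIRROR_MANIFEST_URL = "http://mirror.sg.depaul.edu/SHA256SUMS"  # the post's mirror host

if __name__ == "__main__":
    print(verify_download("FirefoxSetup.exe", GENUINE_INSTALLER, PUBLISHER_MANIFEST, PUBLISHER_MANIFEST_URL))
    print(verify_download("FirefoxSetup.exe", TAMPERED_INSTALLER, PUBLISHER_MANIFEST, PUBLISHER_MANIFEST_URL))
    print(verify_download("FirefoxSetup.exe", GENUINE_INSTALLER, PUBLISHER_MANIFEST, MIRROR_MANIFEST_URL))
```

The third call shows why the manifest's origin is checked at all: a hash list fetched from the mirror itself would happily vouch for a tampered copy.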

This is what the "Secure Deployment" part of Microsoft's SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.

I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all -- but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

So, at this point in time, installing (and using) Firefox encourages exactly the sort of behaviour we are trying to steer people away from, and to me that makes it part of the problem, not the solution.

(Thanks to Mike and Robert and the other folk who gave this a once-over before posting; any errors are still mine though ;-) ).

  • I needed a good laugh... this article shows how you can't outsmart "human stupidity". What moron goes "hmmm, this could be a nasty program that will screw my computer over" and then clicks "RUN"? If this is how a person blindly clicks away with the mouse, it won't matter what browser they use... but at least with Firefox they won't have crapware loaded up just from viewing a webpage. 1800search anyone?

    The article sounded more like you were TRYING to induce a problem yet failed to. Why not juggle bricks while standing on the hood of your car and then whine about your broken windshield?

    Let's now have an article about how AOL is so great because AOL users can get a "free virus scanner"! Remember how cool it was when AOL announced you could email "pictures"... WOW, groundbreaking!

    Pencilneck blah blah blah
    ---I don't make typos... they are "eastereggs".



  • Do you know what else comes from a "numeric IP address"?
  • "I have no issues w/ spyware and malware, I browse sites I know are not sending me stuff and I keep Spybot Search & Destroy up to date, schedule Virus Scans and Updates and don't have an issue"

    I have no issues with spyware or malware or viruses. But I don't have Search and Destroy programs, or even a virus scanner installed, and haven't for four years. I'm on 24hr broadband with a one-line firewall script.

    Sounds like you have to do a lot of work to prop up your leaky system; I just get on with doing my work under Linux. Try it, you just might like it!
  • Funny, when the Spyware installs on my machine through IE, I never even get a dialog telling me that the source isn't trusted.
  • So, I want to know why you use a virtual PC. Eases the system crashes does it? Would be great if tools for verifying binaries were distributed as core windows packages. If that were true I wouldn't need to install cygwin to verify my checksums.
  • emerge firefox

    Gets me the sources, checks the md5sum, which came from a different and trusted mirror server from the one which hosted the source. Builds those sources into the binaries which I then run.

    Do I trust the Gentoo Portage system?
    Yes I do, absolutely!
  • You say the default in IE is not to run any unsigned software, however there are many that are signed or even unsigned that instantly run WITHOUT user intervention. Unlike the common belief in Microsoft's little world, programs like MySearchBar and many more simply install by visiting a site.
    The only way in IE to prevent these from installing is to disable ActiveX altogether or to make it so it asks you before it runs. This means that if you want to have any flash pages show up in IE the only secure way is to say yes I want to run flash every time a page is loaded.

    The problem is not that people are agreeing to install spyware accidentally, the problem is that it installs without user intervention.

    The next thing you might say is install XP SP2, however did you know that several drivers simply stop working as well as the fact that it screws up several applications.
    Next you might say buy certified hardware, however did you know that many people are not made of money contrary to popular belief and other hardware does the job just as well, if not better than the hardware twice as expensive.
    Finally you might say the hardware manufacturers should put out new drivers, however did you happen to realise they also are not made of money and putting out drivers may take some time due to budget constraints.

    All in all monopolies like Microsoft should not be so anti-competitive and slander everything about smaller companies. Of course small companies don't have an unlimited budget and small things like being unsigned is an offence according to the great laws of Microsoft doesn't really matter. If you want to go slander someone fix your own stuff up first.
  • Hi. 99.99999% of content on the internet is unsigned. So, to only allow access to signed content is to limit yourself to an extremely small part of the internet. Of course, code signing can be faked, easily. You shouldn't need to pay someone to sign your code. That helps only a few people, certainly not any developers.

    If the default install of IE doesn't allow unsigned code to run, obviously the guys who make the code are getting it signed, or they are faking the signatures.

    In your clearly anti-Firefox post on your blog, you seem to not be trusting a download from depaul.edu. If you had half a brain, you would realize that this is Depaul University.

    There are no signed extensions, the reason for this is that 1.) All extensions are made by users and not all users are trustworthy. 2.) Signing is insecure because it can be faked.

    There is an easy way to turn off plug-ins... have you tried uninstalling them? IE works the same way, except that when the plug-in is malicious, it becomes extremely difficult to get rid of it.

    Next, the way to bypass the virus dialog, is for the user to set the server that the extension is coming from as "trusted."

    In short, you present a lot of misleading information by not giving people the whole story. This causes users to become misled and only helps the malware author. No doubt, you have a biased opinion due to your employment at Microshit and if anyone caught you saying something pro-Firefox, you would be out of a job. However, this is not a reason to twist information to suit goals. If you are going to attack something, find a REAL flaw and give the full and objective story.
  • How can I trust you?
  • I have already helped address part of the problem. I submitted a patch for signtool that will allow developers to sign their extensions with a digital certificate. Signtool is part of the Network Security Services project (http://www.mozilla.org/projects/security/pki/nss/). While the patch was submitted this summer, the next version of NSS (3.10, which includes the patch) has yet to be released.

    My own FireFox extension is signed by my employer's code signing certificate.
    http://www.j-maxx.net/abtrans/abextension.php
  • I find reading this quite funny, as I have spent the last 3 hours updating my father's laptop.. installing SP2, removing spyware with AdAware and rebooting 6-7 times. He's just the regular computer user but his computer got all messed up because he wasn't sure why that update thingy kept popping up.

    My finalization of this "update" is installing Mozilla Firefox, and replacing the Firefox icon with the IE icon. He will never notice, but it will save me the hell of "fixing" his computer in a couple of months.
  • Boy, after reading this I think I need to rebuild my system.. All of those unsigned driver installs are scaring me now. Who should I call to fix these?
  • obviously firefox is good because nobody uses it so there are no exploits made for it
  • I also deal with users in the 'wild'. The browsing policy at my company is basically up to the users, so we are at their mercy. The first question I have is the author's comment about a 'default' installation of IE6 denying ActiveX installations. Is this under XP SP2? What percentage of company, or even personal (which I imagine is far larger), PCs even have SP2 running yet? How many are even using XP? My company hasn't deployed SP2 yet because there are concerns about it breaking programs. In my experience, IE6's default behavior is to accept signed ActiveX controls. Even despite the denial of these controls IE6 can still be hijacked and your PC compromised. The fact is that Firefox doesn't have hooks into the OS on the level that IE6 does.

    Granted, running untrusted code on a computer is going to put a user at risk anyway. This is the case with either browser.

    What is the difference between installing an 'untrusted' browser and installing an untrusted spyware remover? How many users have tried to fix the mess left by a malware attack by installing some piece of software that just happened to show up in a Google search? It's a fairly well known fact that 75% (or more) of the spyware removers out there contain malware or yield false positives to coerce users to install and buy their software...

    Competition is a good thing. Firefox is competition to Microsoft and IE. Articles like these, finding petty problems with quality OSS software (7-zip error? That isn't firefox's error, it's another of your OSS programs causing the problem... I've seen blank confirmation dialog boxes with no text in commercial software, that also isn't a firefox problem) are just spreading the FUD. If you want to get my attention (as joe user), create two test boxes (virtual PC). PC1 is a vanilla XP SP2 install (updated, of course) with no frills, no extra software. PC2 is the same as PC1, but with Firefox installed. Now, browse around to some of the known problem/spyware websites, make sure and do this with both Virtual PCs. Then show me the results of Adaware or HijackThis after 30 minutes or so of browsing these sites. Also, reboot a couple of times just for good measure.

    Trust certainly is an issue in this case. However, I think when it comes to using a Microsoft product most people do so begrudgingly. How many times do you hear someone complain or rant about a Microsoft product? Finally there is a product out there worth using, and it's making Microsoft take notice.

    Sorry I don't have a blog of my own set up. Feel free to contact me at cmdrtallon@gmail.com
  • Hmmm...my comments have not been put up yet....i have posted after that too.....very interesting....

    my test message to see if my posts were going through
    "LET THE SLASHDOTTING BEGIN!!!"