How can I trust Firefox?

How can I trust Firefox?

Rate This

[Fixed issues with images; sorry]

[Removed the clear=all problem; thanks for pointing it out]

[Added a follow-up post here]

Recently, a lot of volunteers donated money to the Firefox project to pay for a two-page advert in the New York Times.

If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

Let me explain...

One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust. Every time you download a random piece of software from a random location, you're taking your chances with your PC and all the information stored on it. You wouldn't take candy from strangers, would you?

In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software).

So what happens when a typical user decides it's time to download Firefox and enjoy the secure browsing experience that it has to offer? Well, sit back, relax, and let me take you on a journey.

First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/.
From there I easily located the download link, and clicking on the it gave me the following dialog:

Download Firefox image

Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."

Do I really trust a bunch of kids at some random university I've never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!

But being a brave soul (and not caring if my Virtual PC image dies a horrible death) I click Run. A few seconds later, I get the following dialog:

Picture of unsigned Firefox executable warning

What?

Not only does this software come from a completely random university server, but I have no way of checking if it is the authentic Firefox install or some maliciously altered copy. (I sure hope those 10 million people who have downloaded Firefox so far haven't all download backdoors into their system...). Since "You should only run software from publishers you trust" and since the publisher cannot be verified, I should click Don't Run (which is, thankfully, the default).

But, again, being a brave soul I click Run.

I am then greeted with this dialog:

'Picture of random setup dialog --

Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?

Forging blindly ahead, I download the software again (this time coming from -- I kid you not! -- a numeric IP address, the bastion of spammers and phishers and all manner of other digital rogues) and run the installer. This time things are actually looking good:

·Installer runs fine

·I accept the defaults

·Firefox starts

·It asks if I want to make it the default browser; no thanks

·I get this dialog (seriously):

Picture of blank Message Box (not even a title bar)

Hmmm, a completely blank MessageBox. Well, OK is the default choice, so I guess I should accept that. No idea what it will do to my system though.

My confidence in this software is growing in leaps and bounds.

I decide to reboot the VPC just in case that dialog was trying to tell me something important. After rebooting, I boot up Firefox and it seems to be working fine.

I decide to install some extensions because, hey, everyone on Slashdot loves them so much. I browse to the extensions page and decide that the Amazon.com Sidebar sounds cool (I love Amazon, and Amazon loves my credit card). Clicking on the link brings up this dialog:

Picture of Firefox Extension Install dialog

It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?

(Just so I don't get inundated with comments about this, Firefox does disable the Install button for a couple of seconds when the dialog is first displayed, but by the time I had finished reading the text in the dialog it was enabled and ready to go).

Next, I want to go somewhere that uses Flash (heh, coz we all know I love Flash!). I'll try the Ocean's 12 official web site, www.oceanstwelve.net, which detects that Flash isn't installed and gives me a link to install it. Clicking on the link, I get taken to the Macromedia page, where I can download Flash. Firefox prevents me from running the executable straight away, and forces me to save it to disk. That's probably a good move for most users, although personally I tend to click Run inside IE because I know it will warn me about unsigned programs. Nevertheless, it is but a minor speed bump on the way to malware infection, as we shall see in the next step.

Once the file is saved, I can open it from the little downloads dialog that pops up. The problem is, there is no indication as to whether or not the file is digitally signed; I just get the usual "This could be a virus; do you want to run it anyway?" dialog. But without any evidence to base my trust decision on (where it came from, who the publisher was, etc.), what should I do? Of course, the right thing to do would be to delete the file and never install Flash, but I really want to install it so I guess I have to go ahead and run the thing.

What's really frightening though is that there is a "Don't ask me again" option in this dialog... which means that if you check the box you could end up running any old garbage on your system without so much as a single warning. Doesn't sound so secure to me...

So anyway, Flash installs and I can view the Ocean's 12 website OK. But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs.

According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content. Ho-hum. The first download mirror that the page sent me to gave a 403: Forbidden error; luckily the second mirror worked OK and, once again playing digital Russian Roulette, I installed the extension and rebooted Firefox twice (yes twice) as instructed to install it. To be fair, the extension is pretty cool, but that's not the point: How do I know I didn't just install some terrible malware from a compromised web server? Who owns xmundo.net anyway, and can their admins be trusted? And what if I accidentally browsed to some site hosting a malicious Flash movie whilst trying to download the extension?

(Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer any more.)

To continue my benevolent fairness, I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example).

Mozilla has had its share of security vulnerabilities in the past (just as IE has), and -- despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It's just something you should be aware of. Just because you don't see any unpatched security bugs in Bugzilla doesn't mean they don't exist, either.

But the thing that makes me really not trust the browser is that it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions.

·Installing Firefox requires downloading an unsigned binary from a random web server

·Installing unsigned extensions is the default action in the Extensions dialog

·There is no way to check the signature on downloaded program files

·There is no obvious way to turn off plug-ins once they are installed

·There is an easy way to bypass the "This might be a virus" dialog

This is what the "Secure Deployment" part of Microsoft's SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.

I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all -- but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

So, at this point in time, installing (and using) Firefox encourages exactly the sort of behaviour we are trying to steer people away from, and to me that makes it part of the problem, not the solution.

(Thanks to Mike and Robert and the other folk who gave this a once-over before posting; any errors are still mine though ;-) ).

  • unbelievable. unbelievable to see a post that has deconstructive criticism that shouts for "i'm so cool to post this".

    the arguments laid are flawed and prejudistic of what's not been said.

    it's pointless to start a flame war with you, simply 'cuz you've set your heart and mind to counter and turn around. even if i have perfectly flamed your @$$ you would still turn around and deny/ignore it honorably. so what's the point? ;)

    next time if ya have some meat to flame, please make it worthwhile for my read. i don't have time to look at your flawed useless ineffective petty flames. :)

    either you should keep your mouth shut 'bout your incompetent general understanding of the product, or keep at it to amuse yourself, those whom you follow, and those who follow you.

    have a nice life. ;)
  • Well, this has been interesting reading that leads me to reiterate my long standing recommendation on PC usage.

    Get a MAC.
  • Whoever wrote this article ...( I didn't even finish reading it because it began to make me sick so I don't know who you are or care) is CLEARLY a fuckin fool. <br>BECAUSE:: ANYONE will tell you of the benefits of having a browser other than internet explorer. You can patch and fix internet explorer all fucking day and it will still ruin your life. I haven't even tried firefox im still so happy with its predecessor Mozilla. No hassle, WAY fucking faster and I now don't spend 3 days of every week trying to remove shit off my pc. Internet Explorer will be dead soon... how do I know... coz even clueless people nowadays are putting mozilla/firefox on their pc. Its no big secret... <br> <br>&quot;How can you trust firefox?&quot; You'd probably trust them if you had to pay for it ya gimp, with your lame versign arguement and ridiculous claims about site mirror and such. Anyone that believes this fool deserves to be stuck with that stupid fuckin IExplorer. <br> <br>Its extremely annoying to find this so high in google, Firefox deserves to be praised not badly publicised by some 'ohhh i'm not sure if i can trust it bullshit'. Its people like you that keep huge monopolys in business so they can abuse the life out of us then with lame high priced products that everyone thinks theres no alternative to. Alternative media players, alternative browsers, alternative operating systems.....bring them all on yeee hawwww and death to these money grabbing pricks like microsoft and friends. <br> <br>Anyone any problems with what im saying??. just try firefox and see... go on just try it.... <br> <br>Don't bother adding comments to this...let this shitty arse thread die
  • Let's wait for a few years until FireFox becomes as common thing as IE, and then will count its security flaws in comparison with IE... :-)
    For ex., I won't try to hack program that nobody uses
  • Your post about Firefox makes me cringe. You are obviously deluded into thinking that using IE is a safe and secure experience. Just running IE makes me scared. All the things that it randomly collects and then leaves them on your computer is just fascinating if they were not MalWare. Running AdAware after browsing the Net with IE should make you scared if you are not.

    Strangely enough the link you specified for Firefox download is not the default.

    The site specified is a mirror that is endorsed by the original site. If you do not want to download it you do not have to.

    Your link Microsoft's SD3+C campaign - why would I want more random programs running on my computer- from a company that releases software with security holes the size of Mars?

    As for your extensions comments - why are installing them if you think they are bad? You can turn them off uninstall them with the Extension manager. IE automatically installs ActiveX controls without asking. This is te default. UNLESS you have "upgraded" to SP2 for XP which requires IE to do so.

    Peter da Silva's comment is brilliant. It makes a mockety of your statement.

    Lastly I am intrigued as to why you advocate IE as a browser worthy of the name browser? IE fails to follow W3C standards properly. It has security flaws in it that are only patched and this signed nonsense is just a knee jerk reaction to the symptoms and is not treating the cause. Oh and why on earth do you want to use a browser that how no Tabbed Browsing?

    Adam Kimber

    ***Use Mozilla if you don't like Firefox***
  • As a developer, nothing compares to firefox!!

    The security "concerns" you cited pale in comparison to the countless spyware that will infect your computer using IE, even if you do have spyware detection software running.

    If you want your homepage to keep changing then keep using IE!!

  • The real answer to this IE/Firefox issue couldn't have been more eloquently put...GET A MAC! Now you have no excuses with the Mac Mini.
  • Firefox may have some issues, but those compared to IE is EXTREMELY minor. Any fool using IE still recognising the flaws of it should check the facts first. And let's face it, If we were as picky as this guy when using the internet, the only place we'd consider safe is the HTML files on the hard disk.

    P.S. I use Firefox, and I have no problems using it so far. The ease of use on Firefox is fabulous and I wish IE was like this. The guy who posted the blog needs to look clearer...
  • Tudo bem... concordo com pontos em que diz que o navegador não é seguro, mas qual realmente é!? Com todos estes anos em que o IE está no mercado, ainda assim temos gamas e gamas de atualizações de segurança. A Internet é um meio vulnerável, por mais louco e paranóico em segurança que você seja. O grande problema nisso tudo é que o nosso autor apenas "bombardeou" o navegador do Firefox. Agora eu faço apenas uma pergunta crucial: O Firefox é um programa gratuito e de código aberto... muito contrário do IE que, não é código aberto e não temos como verificar se realmente existem backdoors e não podemos fazer melhorias por si só!!! Deixo bem claro que não estou dizendo que o IE tem backdoor (por que, como disse antes, não tenho como ver seu código fonte), ou spam ou Malícias dentro dele. Mas saibam todos que poderia muito bem ter tudo isso e muito mais. Pensem um pouco... Vocês sabiam que existe uma versão de Excel que existe um programinha (jogo) dentro dele. É só você digitar algo certo em uma célula certa.... não vou falar mais que isso... Me compromete! Mas se quiserem saber mais, busquem na Internet! Não senhores, não fui eu que fiz isso, pode ver na sua mídia ORIGINAL do OFFICE que você vai ter a prova. E então pergunto, porque não o IE? Pode ter sim, algo muito parecido. Não precisamos ir muito longe... Querem uma prova!? Se vocês usam uma versão mais "nova" do Windows, algum dia vai ser surpreendido com uma mensagem dizendo que o Windows ja fez o download das atualizações necessárias de segurança e mais alguma coisa. Não sei exatamente a mensagem, mas na pergunta seguinte é que é interessante. Quer atualizar o Windows agora?. PERAI, MEU!!! Cadê os arquivos que foram feitos download? Quais arquivos são esses? Quais são os ítens de seguranca que ele atualiza? Qual é o seu conteúdo? Depois de descompactados o que ele registra nos registros do Windows? E a principal... COM A ORDEM DE QUEM ESSA P... DE WINDOWS USOU MEU ACESSO A INTERNET PARA FAZER DOWNLOAD DE UM ARQUIVO QUE EU NÃO PEDI!??? Essas e muitas outras perguntas que surgem com uma simples atualização que eu não pedi e nem sequer sei do que se trata. Emfim, vai do usuários "ter a sorte" de escolher os botões sim ou não. Pois é, como posso confiar na MS? Independente da pessoa ser leiga ou não em "informática", ela tem o direito de ver, e ter estas informações (e muitas outras mais), porque um bom entendedor de "informática" vai saber analisar estes ítens e sabe se lhe convém ou não a atualização. E, pasme ainda mais... Quando você clica no botão SIM da questão acima, ele vai fazer a atualização. O Windows mostra uma janela com uma barra de status... MAS AINDA ASSIM NAO MOSTRA O CAMINHO DOS ARQUIVOS NEM O NOME DELES. A grande maioria dos programas, abaixo da barra de status mostra a raiz, o caminho e o nome do aruivo a ser copiado e configurado. Pois a MS se nega até isso... Como confiar então! :( Estou atualizando algo que eu nem sei para onde vai. hahaha, e de se dar risada mesmo!! A minha impressão é que a MS quer que coloquemos uma venda nos olhos e siga confiante no seu caminho... Mas ela pode me levar tanto para um campo florido (estilo Teletubbies) como me deixar cair em um Abismo sem fim... O nosso autor não comenta destes casos porque não convém a ele. Suponho eu, que este caso é muito antigo para ser comentado (do joguinho do Excel), mas depois que eu realmente comprovei e (desculpe pela redundancia) vi com meus próprios olhos, não mais confiei em nenhum produto MS como nenhum outro. Não vou "bombardear" o navegador nem mesmo a empresa, só quero lhes deixar uma opinião pessoal. O MAIS POPULAR É MUITO MAIS CONHECIDO E VULNERÁVEL. Por isso, senhores, escolham um navegador e programas que lhe satisfaça, que seja código aberto onde você possa mexer e fazer alterações a seu gosto, que você possa implementar sua segurança e que não seja BEM "popular". Por este motivo que eu acho que o FIREFOX, apesar de ter seus erros, é muito mais seguro e confiável do que programas provenientes de uma empresa tão popular como a que criou o IE.
  • A Microsoft está é com medo..do firefox..o programa teve grande aceitação no mercado... 90 milhoes de downloads em poucos menos de 30 dias...
  • How can you not trust Firefox? Well, I suppose one could have their reasons but these ones are just meant to start a flamewar.
  • Ping Back来自:www.donews.net
  • How can I trust Firefox? This is the summary of an in depth look at configuring Firefox to block spyware, etc. It also compares Firefox and Internet Explorer approaches to the problem. To continue my benevolent fairness, I actually think...
Page 91 of 94 (1,408 items) «8990919293»