How can I trust Firefox?

How can I trust Firefox?

Rate This

[Fixed issues with images; sorry]

[Removed the clear=all problem; thanks for pointing it out]

[Added a follow-up post here]

Recently, a lot of volunteers donated money to the Firefox project to pay for a two-page advert in the New York Times.

If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

Let me explain...

One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust. Every time you download a random piece of software from a random location, you're taking your chances with your PC and all the information stored on it. You wouldn't take candy from strangers, would you?

In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software).

So what happens when a typical user decides it's time to download Firefox and enjoy the secure browsing experience that it has to offer? Well, sit back, relax, and let me take you on a journey.

First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/.
From there I easily located the download link, and clicking on the it gave me the following dialog:

Download Firefox image

Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."

Do I really trust a bunch of kids at some random university I've never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!

But being a brave soul (and not caring if my Virtual PC image dies a horrible death) I click Run. A few seconds later, I get the following dialog:

Picture of unsigned Firefox executable warning

What?

Not only does this software come from a completely random university server, but I have no way of checking if it is the authentic Firefox install or some maliciously altered copy. (I sure hope those 10 million people who have downloaded Firefox so far haven't all download backdoors into their system...). Since "You should only run software from publishers you trust" and since the publisher cannot be verified, I should click Don't Run (which is, thankfully, the default).

But, again, being a brave soul I click Run.

I am then greeted with this dialog:

'Picture of random setup dialog --

Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?

Forging blindly ahead, I download the software again (this time coming from -- I kid you not! -- a numeric IP address, the bastion of spammers and phishers and all manner of other digital rogues) and run the installer. This time things are actually looking good:

·Installer runs fine

·I accept the defaults

·Firefox starts

·It asks if I want to make it the default browser; no thanks

·I get this dialog (seriously):

Picture of blank Message Box (not even a title bar)

Hmmm, a completely blank MessageBox. Well, OK is the default choice, so I guess I should accept that. No idea what it will do to my system though.

My confidence in this software is growing in leaps and bounds.

I decide to reboot the VPC just in case that dialog was trying to tell me something important. After rebooting, I boot up Firefox and it seems to be working fine.

I decide to install some extensions because, hey, everyone on Slashdot loves them so much. I browse to the extensions page and decide that the Amazon.com Sidebar sounds cool (I love Amazon, and Amazon loves my credit card). Clicking on the link brings up this dialog:

Picture of Firefox Extension Install dialog

It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?

(Just so I don't get inundated with comments about this, Firefox does disable the Install button for a couple of seconds when the dialog is first displayed, but by the time I had finished reading the text in the dialog it was enabled and ready to go).

Next, I want to go somewhere that uses Flash (heh, coz we all know I love Flash!). I'll try the Ocean's 12 official web site, www.oceanstwelve.net, which detects that Flash isn't installed and gives me a link to install it. Clicking on the link, I get taken to the Macromedia page, where I can download Flash. Firefox prevents me from running the executable straight away, and forces me to save it to disk. That's probably a good move for most users, although personally I tend to click Run inside IE because I know it will warn me about unsigned programs. Nevertheless, it is but a minor speed bump on the way to malware infection, as we shall see in the next step.

Once the file is saved, I can open it from the little downloads dialog that pops up. The problem is, there is no indication as to whether or not the file is digitally signed; I just get the usual "This could be a virus; do you want to run it anyway?" dialog. But without any evidence to base my trust decision on (where it came from, who the publisher was, etc.), what should I do? Of course, the right thing to do would be to delete the file and never install Flash, but I really want to install it so I guess I have to go ahead and run the thing.

What's really frightening though is that there is a "Don't ask me again" option in this dialog... which means that if you check the box you could end up running any old garbage on your system without so much as a single warning. Doesn't sound so secure to me...

So anyway, Flash installs and I can view the Ocean's 12 website OK. But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs.

According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content. Ho-hum. The first download mirror that the page sent me to gave a 403: Forbidden error; luckily the second mirror worked OK and, once again playing digital Russian Roulette, I installed the extension and rebooted Firefox twice (yes twice) as instructed to install it. To be fair, the extension is pretty cool, but that's not the point: How do I know I didn't just install some terrible malware from a compromised web server? Who owns xmundo.net anyway, and can their admins be trusted? And what if I accidentally browsed to some site hosting a malicious Flash movie whilst trying to download the extension?

(Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer any more.)

To continue my benevolent fairness, I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example).

Mozilla has had its share of security vulnerabilities in the past (just as IE has), and -- despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It's just something you should be aware of. Just because you don't see any unpatched security bugs in Bugzilla doesn't mean they don't exist, either.

But the thing that makes me really not trust the browser is that it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions.

·Installing Firefox requires downloading an unsigned binary from a random web server

·Installing unsigned extensions is the default action in the Extensions dialog

·There is no way to check the signature on downloaded program files

·There is no obvious way to turn off plug-ins once they are installed

·There is an easy way to bypass the "This might be a virus" dialog

This is what the "Secure Deployment" part of Microsoft's SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.

I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all -- but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

So, at this point in time, installing (and using) Firefox encourages exactly the sort of behaviour we are trying to steer people away from, and to me that makes it part of the problem, not the solution.

(Thanks to Mike and Robert and the other folk who gave this a once-over before posting; any errors are still mine though ;-) ).

  • You may recall last November, when former Encyclopaedia Britannica editor-in-chief Robert McHenry heavily criticized Wikipedia in an article entitled "The Faith-Based Encyclopedia." The article caused a good deal of controversy. Wikipedia represents the new free, open source mentality of information...
  • Debating this is completely pointless. There is no debate. This is a blatant attempt to undermine the credibility of firefox. It's already been discussed elsewhere. This is NOT a good article is it pure FUD. Anyone reading this know that this guy is a *** and deserves all the flames he can get. Please don't listen to him, this article is complete bullshit. Firefox conforms with internet standards, IE does not for reasons that people who know anything about microsoft already know. It's their attempt to hijack the internet. Firefox has more features. What can you say to that? No it doesn't? Any idiot can see that it does. There's no arguement which browser is better. The arguement is how long will it take pig fuckers like this guy to stop spreading FUD for microsoft? Actually, the simple answer is, when they stop paying him. It's all about money for these pigs. This is the exact reason why software in general today is trash.
  • That last re was done by a moron who is kissing Mozillas ass. He is obviously closed minded when it comes to any issue. We can all see your fat ass!
  • So, you enjoy using shitty software that is hardly ever patched?
    Come on, it's people like you who are poster boys for capital punishment.
  • wow, i couldnt even get to a fraction of the logic errors you have in this blog buddy!

    "It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?"

    the extension comes from the mozilla.org ftp site, it wouldnt install like that if the packet were invalid, fake, f*cked up, filled with malicious code and it sure as hell wouldnt come from a mozilla dev site if it wasnt CHECKED...extentions and themes are the only things that install that way and they should only install that way if they come from a trusted site...thats why it says..."you should only install software from sources that you trust" becuase if you are dumb enough to download open-source software from pirate/warez sites and some little kids angelfire page, then you deserve all the malicious code they can throw at you.

    2"(Just so I don't get inundated with comments about this, Firefox does disable the Install button for a couple of seconds when the dialog is first displayed, but by the time I had finished reading the text in the dialog it was enabled and ready to go)."

    there is your safety blanket right there, it wont let you do sh*t until you look at it, or at least stare blankly at it like you've been huffing thinner now that its "ready to go" and youve studied it... do the smart thing and CLICK YOUR OPTION LIKE EVERYONE ELSE INSTEAD OF PRESSING ENTER, its not a paragraph for christ's sake

    "Firefox prevents me from running the executable straight away, and forces me to save it to disk." dude...do you have a problem with paying attention, the extention is .exe the prompt says what?....OPEN WITH! open with what? again...use your brain, its not rocket science!


    and this one is a dooozie!

    "According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content."

    unsigned (open-source, free to use, made at home, blood sweat and tears for your smiles and nothing more so quit your bitching) software!



    "Ho-hum. The first download mirror that the page sent me to gave a 403: Forbidden error;"

    because it has been updated and they havent fixed the directory yet...what do you think open-source guys get paid in dude...give them a break!

    "luckily the second mirror worked OK and, once again playing digital Russian Roulette, I installed the extension and rebooted Firefox twice (yes twice) as instructed to install it."

    most likely you needed to reSTART firefox twice because you are impatient and didnt give it time to exit your systems memory....good old windows!

    "To be fair, the extension is pretty cool,"
    uh-huh

    "but that's not the point: How do I know I didn't just install some terrible malware from a compromised web server? Who owns xmundo.net anyway, and can their admins be trusted?"

    wow...you are paranoid!

    "And what if I accidentally browsed to some site hosting a malicious Flash movie whilst trying to download the extension?"

    WTF....you were downloading a flash blocker to protect your system from...what? your irresponsible browsing? come on dude!
    you were surfing while you were downloading a peice of software to protect you from your surfing!,
    thats like shooting up in rehab!

    "But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example)."

    again, you are missing the whole point of your own blog! its SAFER THAN IE.
    you are right just because they arent known about doesnt mean they dont exist. but the ones we DO know about are minimal, and corrected regularly!
    the ones in ie; people who arent informed will not know about those ones until it is too late, while firefox has allready corrected those issues!

    "Mozilla has had its share of security vulnerabilities in the past (just as IE has), and -- despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users."

    no, buddy! first its not called a customer, we arent buying anything

    and for the truckload of ie users you need to think, how many people can exploit those via word of mouth and the abillity to study it in the years it was out, and firefox hasnt gotten the attention in that department yet, but the biggest securrity issues on ie ARE NEEDED FOR IT TO WORK...active x controls, etc

    "Just because you don't see any unpatched security bugs in Bugzilla doesn't mean they don't exist, either."
    and bugzilla isnt for end users anyway...its for people who know what they are doing
  • I see the dialogs fine, in firefox.

    Valid points, but I suppose no matter what tools you give the user, how much you inform them, they are still going to make stupid choices. I have one client that I finally got to buy DeepFreeze because he kept infecting his computer with random spyware despite my best efforts to prevent him from doing so. I had him on IE, Netscape, Firefox, Opera, etc.. I had spyware removers/detectors.. everything I could think of. Though the 150$ DeepFreeze does the trick now, it was a little drastic. Overall, stupid pepople are going to continue to install these things weather we give them a blinking red sign or not. As for the rest of us, a little common sence will keep us in the green.
  • I see the dialogs fine, in firefox.

    Valid points, but I suppose no matter what tools you give the user, how much you inform them, they are still going to make stupid choices. I have one client that I finally got to buy DeepFreeze because he kept infecting his computer with random spyware despite my best efforts to prevent him from doing so. I had him on IE, Netscape, Firefox, Opera, etc.. I had spyware removers/detectors.. everything I could think of. Though the 150$ DeepFreeze does the trick now, it was a little drastic. Overall, stupid pepople are going to continue to install these things weather we give them a blinking red sign or not. As for the rest of us, a little common sence will keep us in the green.
  • You want to be sure of your copy version of Firefox? Then just download and analyse the code !
  • Have you thought that because Firefox has the following popular features and more - attractive modern interfaces, stability, high speed browsing, Internet standards compliance - it is subject to fewer attacks because these features are so nice that everybody who knows about Firefox loves it. In summary: Firefox doesn't need IE's security features because everyone who finds out about it loves it (think: OSS is software that is designed by a community of various people, to be popular to everyone).
  • My question, is what are you doing trying to open an .exe file with 7-ZIP, or any unzip program.
    I was under the impression that .exe meant it was EXECUTABLE, thus rendering unessecary to use an unzip program, and when opening the EXACT SAME version, Firefox 1.0 with 7-zip, it opened perfectly.
    And you later go on to say that you ran the INSTALLER, not opened it with 7-ZIP, but the INSTALLER. You are contradicting yourself.
    You can also install a malicious file in IE by clicking run, the same way you can in Firefox.
    And, only extensions from Mozilla.org are defaulted to Install Now.

    Do some reasearch you idiot. Microsoft has enormous security holes that have remained unpatched for months before work on patching them even began. I have literally updated one computer in the morning, only to go on 2 hours later and find that there are like 5 more IE updates to download, not counting the over 35 updates need per computer at my place of work, a computer repair business, where we routinely reformat systems and reinstall and update them, using the same version of windows as the previous secratary accidentally ordered 1000 instead of 100 units of XP profesional service pack one from the supplier.
  • ptorr wtf is 7-Zip? I think you ahve so much spyware already on your system, which is why you are getting pointless error messages that no one but you has ever seen before. In any case, the FireFox install is an EXE file, and you are clearly an idiot.



  • Sorry no comments have been getting through lately. They are all moderated by default,...
Page 92 of 94 (1,408 items) «9091929394