How can I trust Firefox?


[Fixed issues with images; sorry]

[Removed the clear=all problem; thanks for pointing it out]

[Added a follow-up post here]

Recently, a lot of volunteers donated money to the Firefox project to pay for a two-page advert in the New York Times.

If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

Let me explain...

One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust. Every time you download a random piece of software from a random location, you're taking your chances with your PC and all the information stored on it. You wouldn't take candy from strangers, would you?

In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software).
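The evidence this paragraph describes (a valid signature, the publisher's identity, and optionally a digest) can be gathered from the command line before a download is run. The PowerShell function below is an added example, not part of the original post; the name `Test-DownloadTrust`, its parameters and the sample values are hypothetical, and it relies only on the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets.

```powershell
# Added example: collect the evidence for a trust decision on a downloaded file.
# Test-DownloadTrust and its parameter names are hypothetical, chosen for illustration.
function Test-DownloadTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Exact common name (CN) expected on the signer certificate.
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        # Optional SHA-256 digest obtained from the vendor over a channel you
        # already trust, not from the mirror that served the file.
        [string] $ExpectedSha256
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Status is Valid only when the file is signed, has not been modified since
    # signing, and the certificate chains to a root this machine trusts.
    $signatureValid = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    # Unsigned files have no SignerCertificate, so guard before reading the name.
    $publisher = $null
    if ($sig.SignerCertificate) {
        $publisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }
    $publisherMatch = $signatureValid -and ($publisher -eq $ExpectedPublisher)

    # $null means "no digest supplied"; $false means "supplied and did not match".
    $hashMatch = $null
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $hashMatch = $actual -eq $ExpectedSha256.Trim()   # -eq ignores hex case
    }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Publisher       = $publisher
        PublisherMatch  = $publisherMatch
        HashMatch       = $hashMatch
        # Necessary, not sufficient: this says who published the file and that it
        # was not altered, not that the software is benign.
        Proceed         = $publisherMatch -and ($hashMatch -ne $false)
    }
}

# Usage (constructed values; substitute the real file and the vendor's certificate name):
# Test-DownloadTrust -Path "$env:USERPROFILE\Downloads\setup.exe" `
#     -ExpectedPublisher 'Example Vendor, Inc.'
```

An unsigned file reports `SignatureStatus` as `NotSigned` and `Proceed` as `False`, whichever server it came from.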

So what happens when a typical user decides it's time to download Firefox and enjoy the secure browsing experience that it has to offer? Well, sit back, relax, and let me take you on a journey.

First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/.
From there I easily located the download link, and clicking on it gave me the following dialog:

Download Firefox image

Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."

Do I really trust a bunch of kids at some random university I've never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!

But being a brave soul (and not caring if my Virtual PC image dies a horrible death) I click Run. A few seconds later, I get the following dialog:

Picture of unsigned Firefox executable warning

What?

Not only does this software come from a completely random university server, but I have no way of checking if it is the authentic Firefox install or some maliciously altered copy. (I sure hope those 10 million people who have downloaded Firefox so far haven't all downloaded backdoors into their system...). Since "You should only run software from publishers you trust" and since the publisher cannot be verified, I should click Don't Run (which is, thankfully, the default).

But, again, being a brave soul I click Run.

I am then greeted with this dialog:

Picture of random setup dialog

Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?

Forging blindly ahead, I download the software again (this time coming from -- I kid you not! -- a numeric IP address, the bastion of spammers and phishers and all manner of other digital rogues) and run the installer. This time things are actually looking good:

· Installer runs fine

· I accept the defaults

· Firefox starts

· It asks if I want to make it the default browser; no thanks

· I get this dialog (seriously):

Picture of blank Message Box (not even a title bar)

Hmmm, a completely blank MessageBox. Well, OK is the default choice, so I guess I should accept that. No idea what it will do to my system though.

My confidence in this software is growing in leaps and bounds.

I decide to reboot the VPC just in case that dialog was trying to tell me something important. After rebooting, I boot up Firefox and it seems to be working fine.

I decide to install some extensions because, hey, everyone on Slashdot loves them so much. I browse to the extensions page and decide that the Amazon.com Sidebar sounds cool (I love Amazon, and Amazon loves my credit card). Clicking on the link brings up this dialog:

Picture of Firefox Extension Install dialog

It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?

(Just so I don't get inundated with comments about this, Firefox does disable the Install button for a couple of seconds when the dialog is first displayed, but by the time I had finished reading the text in the dialog it was enabled and ready to go).

Next, I want to go somewhere that uses Flash (heh, coz we all know I love Flash!). I'll try the Ocean's 12 official web site, www.oceanstwelve.net, which detects that Flash isn't installed and gives me a link to install it. Clicking on the link, I get taken to the Macromedia page, where I can download Flash. Firefox prevents me from running the executable straight away, and forces me to save it to disk. That's probably a good move for most users, although personally I tend to click Run inside IE because I know it will warn me about unsigned programs. Nevertheless, it is but a minor speed bump on the way to malware infection, as we shall see in the next step.

Once the file is saved, I can open it from the little downloads dialog that pops up. The problem is, there is no indication as to whether or not the file is digitally signed; I just get the usual "This could be a virus; do you want to run it anyway?" dialog. But without any evidence to base my trust decision on (where it came from, who the publisher was, etc.), what should I do? Of course, the right thing to do would be to delete the file and never install Flash, but I really want to install it so I guess I have to go ahead and run the thing.

What's really frightening though is that there is a "Don't ask me again" option in this dialog... which means that if you check the box you could end up running any old garbage on your system without so much as a single warning. Doesn't sound so secure to me...

So anyway, Flash installs and I can view the Ocean's 12 website OK. But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs.

According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content. Ho-hum. The first download mirror that the page sent me to gave a 403: Forbidden error; luckily the second mirror worked OK and, once again playing digital Russian Roulette, I installed the extension and rebooted Firefox twice (yes twice) as instructed to install it. To be fair, the extension is pretty cool, but that's not the point: How do I know I didn't just install some terrible malware from a compromised web server? Who owns xmundo.net anyway, and can their admins be trusted? And what if I accidentally browsed to some site hosting a malicious Flash movie whilst trying to download the extension?

(Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer any more.)

To continue my benevolent fairness, I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example).

Mozilla has had its share of security vulnerabilities in the past (just as IE has), and -- despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It's just something you should be aware of. Just because you don't see any unpatched security bugs in Bugzilla doesn't mean they don't exist, either.

But the thing that makes me really not trust the browser is that it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions.

· Installing Firefox requires downloading an unsigned binary from a random web server

· Installing unsigned extensions is the default action in the Extensions dialog

· There is no way to check the signature on downloaded program files

· There is no obvious way to turn off plug-ins once they are installed

· There is an easy way to bypass the "This might be a virus" dialog

This is what the "Secure Deployment" part of Microsoft's SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.

I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all -- but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

So, at this point in time, installing (and using) Firefox encourages exactly the sort of behaviour we are trying to steer people away from, and to me that makes it part of the problem, not the solution.

(Thanks to Mike and Robert and the other folk who gave this a once-over before posting; any errors are still mine though ;-) ).

  • Bottom Line:

    Microsoft has had almost a decade and millions of dollars to make IE work perfectly. They haven't touched it for years. Oh, they have? That's right -- they have to keep creating security updates, and even with that, IE is still unsafe, and it is possible for malicious code to easily do something as nasty as taking over a user's computer and erasing all the drives. I have had to fix Windows systems that were literally slowed to a halt because of spyware -- all installed by malicious code, without the user's permission. You can use any terms you want, you can say anything about Firefox you want to.


    The bottom line is that for years IE has been proven insecure, and MS has not EVER effectively made it safe. Firefox, by simple design, includes a sandbox that keeps your computer safe -- something MS, with billions of dollars and years of time to code, has NEVER been WILLING to do.

    Oh, and the latest MS solution to security, if you're not running XP SP2? Buy a new computer. Who, besides a MS employee, or someone trained by them, would consider that safe?


  • You sir, Peter Torr, are a tool! You REALLY need to take the time you spent analyzing Firefox, and do the EXACT same thing with ALL MS software prior to XP SP2. IE only gained its current level of security as a result of SP2 which has taken HOW many years to reach this level? Think about it.
  • Take a look: http://it.slashdot.org/article.pl?sid=04/12/21/0038235&tid=172&tid=154&tid=109&tid=113&tid=1
    Your very own Slashdot thread...
    On a side note, I wouldn't trust Verisign with a plastic spoon.
  • To run Internet Explorer, I must trust that Microsoft won't do something bad to me via their software.

    To run Firefox, I must trust that the Mozilla Foundation won't do something bad to me via their software.

    So far, the Mozilla Foundation has had a much better track record for bug fixes and holes than Microsoft has.
  • The solution is perfectly obvious. Entice an acquaintance to download and install everything before you; then get the binaries from him or her once you have determined everything to be safe and sound.

    Everyone needs a guinea pig. A naive co-worker, gullible little brother, perhaps one of your elderly parents if you're the ungrateful type. But regardless, the result is the same: Better them than you!

    In fact, I don't trust this webpage.. it's running asp.net. I'm outta here.
  • I never heard of Firefox until this blog.

    I installed it and like it better than Internet Explorer now.

    Thanks for the tip guys. I'll make sure to tell everyone about Firefox now.
  • 4 Words - Lesser Of Two Evils

    At least you have to actively choose to install things with Firefox, instead of bugs in IE allowing anyone to install things
  • When it's filled with ridiculous bugs that MS admits that it will not fix? When simply opening up the home page of some Internet sites automatically installs spyware? When you can download, install, and RUN a virus, merely by sliding a scrollbar?
    I'm sorry, I'm not drinking your Koolaid, and less and less people are these days, thank $DEITY.
  • How can I trust Firefox? Because it came with SUSE 9.2.
  • Face it..all your arguments against FireFox have been bashed by evidence shown by the people who have posted above.

    IE has not been secure for a long time, and the security threats keep on piling up. When FireFox came out, Microsoft came out with the huge SP2, which made IE a little better with its pop up blocker, but still it is the worst browser you can have period.

    The Mozilla team has worked hard to correct any of the small number of bugs that exist on FireFox. It is updated periodically (Heck, you can get nightly snapshots!) and is very secure. It is also secure, because it is open source (download the source, read it - if you feel it is secure, compile and run it!!).

    Besides the security issue, FireFox is the Best browser that I have seen (features, ability to customize, etc.).

    Microsoft is a company that loves to make something and then charge everyone a lot of money for it and then not update it in the least and then flame another product for being better instead of actually doing something to fix the problem (Please - don't tell me about the new pop up blocker - so lame, it could have been coded years ago..Oh wait..there already have been pop up blockers made by people years ago because it was a problem..)

    FireFox is a much better product in every way than Internet Explorer.

    BTW, I am writing this from inside Firefox. ;)
  • I don't think this article is going to fool anyone into believing Firefox is somehow less secure or less prone to spyware than IE. The simple fact remains, *despite these cosmetic shortcomings, terrible design decisions in IE are the reason it has so many security woes* and most people savvy enough to read this article will know that.

    Several of your points amount to the same thing. So, you download Firefox from university servers? You don't know whether you can trust the executable? This can all be solved by verifying that the executable matches a secure hash. This would be a sufficient condition to determine the executable you downloaded is kosher.

    You talk about how IE only allows signed ActiveX apps to be installed. Well, let's hope no bad guys can get signed ActiveX controls. Let's hope no bad guys get signed ActiveX controls, because there would be no reason not to trust them, right? Firefox doesn't install ActiveX controls at all, so I guess that point, which you brought up, would be a score for everyone's favorite browser.

    You also mentioned that you don't like how Firefox will not allow you to execute files right from within the browser. This is what they call a 'good design decision'. You know, the kind of things Microsoft learned a little bit about before they released XP's service pack 2. The idea behind this is that even if Firefox is tricked into downloading spyware, as IE often is, it *cannot* execute that software from within the browser, like IE commonly does, but at best the automated process allows you to download it.

    Then, the user, who was unaware that their browser downloaded software and attempted to install it (IE would've succeeded, FF would've failed) would have to track down that file and decide to run it themselves.

    Now before you talk about how unlikely drive-by spyware installations are, know that they happen in IE more than you want to believe. The program Cool Web Search, for instance, has been known to have drive-by installations from some sites (taking advantage of IE security holes). This program is particularly malicious and particularly hard to get rid of as Cool Web Shredder, the piece of anti-spyware specifically written to get rid of Cool Web Search, often fails.

    You have to remember: you cannot trust bad guys not to do anything. If there exist known exploits in IE, as there do, then they'll try to take advantage of them. If the only layer of security IE sports is, "Hey, look, we only trust signed software by default" then I'm a little afraid you're in for a world of hurt. Haven't you learned anything?

    I don't do my work in the Windows world myself, and all of my downloads come from a trusted server (I emerge my software from a public mirror that I maintain), but as far as my family is concerned: they all run Firefox. And why? Because I hate working with Windows and I hate 'fixing' Windows installations.
  • This is some of the best FUD that I've read... Kudos!!!
  • I've used Firefox since .7 and haven't touched IE since. I've never had my computer run so smoothly since I got rid of Microsoft's web browser. You knew you could get your copy of Firefox from the source but you already knew where you could get an illegitimate copy from somewhere else. Which you knew you wouldn't install correctly. You are not dumb, so don't act like we are. People would have more respect for Microsoft if your company would stop spreading half-truths and misconceptions.
  • It is for this very same reason that Microsoft suffers from improper security implementations - Their employees do not understand that simply signing code with a "Verisign" certificate does not mean you should trust it. What the heck? If I had money I could simply buy a Verisign certificate and sign some piece of code which erases the end user's hard drive. Even Microsoft signs its own code - which has flaws which are exploited time and again to screw end users. Why should I trust the Microsoft signed code then?
    Thank you - we do not need your flawed certificates and signed code - We trust Mozilla.org more than Microsoft - for they aren't after my money.
  • Simple. To borrow a phrase from the X-Files, "Trust no one".

    That being said, I have no reason *not* to trust Firefox at the moment. It's been good to me, hasn't misbehaved, and "appears" to be relatively secure.

    On the other hand, Internet Explorer and Microsoft in general have abused my trust on numerous occasions - viruses, security flaw after security flaw, odd behavior / instability, etc. So despite all the Verisign certificates in the world that Microsoft might own, I will never trust IE again.
