The comments from my last post are still coming in thick and fast. Thanks to everyone who didn't just swear at me (and if I didn't approve your comment, it was because it had too much profanity in it).
First things first: I was wrong about uninstalling plug-ins.
Thanks to several helpful posters, you can actually do this via Tools -> Options -> Downloads -> Plugins and clicking on the little blue arrows. Perhaps someone should tell the documentation writers because searching for "Disable" in the Firefox help (or looking for it in the index) found no hits. And I swear I thought I had poked every last option on that dialog in an attempt to find the plugin. Oh well.
Google didn't help much either, but maybe this post will get a good Page Rank and help the next poor guy (or girl).
·How to disable Flash in Firefox. Tools -> Options -> Downloads -> Plugins
·How to disable plugins in Firefox. Tools -> Options -> Downloads -> Plugins
·How to disable plug-ins in Firefox. Tools -> Options -> Downloads -> Plugins
Second thing: Complaining about the installation errors was probably a cheap shot.
Still, if the same errors had appeared during the installation of a Microsoft program, users would have picked them out and laughed at them. Someone mentioned that the blank dialog may have been caused by McAfee (except it's not installed) or by Virtual PC itself (could be, although I've never seen it before). Anyway, that was my installation experience; yours may have been better (just as everyone likes to give their "I browsed one web site and had 28 bajillion pieces of spyware silently installed on my machine!" when I've never seen anything like it. YMMV).
Third thing: I did actually say that Firefox was "a nice browser."
I was merely pointing out that the average user has no way of trusting that the thing they installed on their computer really is Firefox, or that the extensions / plug-ins they load into Firefox really are the genuine articles.
Fourth thing: Jeff Klawiter apparently has a plugin to let you sign Firefox extensions
Thanks for being part of the solution! :-)
Fifth thing: Yes my post was biased against Firefox.
Because every article written about IE or Windows or Linux is completely balanced, no?
OK, let's look at the most common replies:
I am an idiot
There were a lot of these kinds of replies, citing various reasons. But only my friend Pat got it right -- he can call me an idiot, but only due to personal experience.
I am an idiot because I don't know what depaul.edu is
I guess if failing to have an encyclopaedic knowledge of all the universities in a country you didn't grow up in makes you an idiot, then I am guilty as charged. Seriously -- have you heard of Swinburne?
Anyway, the point is that the average internet user might not know what ".edu" means, or who controls the server. The New York Times told them to download Firefox from a ".com" address, and now they're downloading it from somewhere completely unrelated.
I am an idiot because I used the term "numeric IP address"
Yes, that was a tautology; call me an idiot if you want. The intent was to point out that it wasn't a typical domain name like www.mozilla.org, and some people may equate "domain name" with "IP address" (yes, the same kinds of "idiots" that read the New York Times :-) )
I am an idiot because I think domain names are more secure than IP addresses
The point of that comment was that using an IP address (as opposed to a domain name) is one of the tell-tale signs of a phishing / scamming site. We tell customers to be wary of such sites, because (by and large) any legitimate business will have registered a domain name.
But now they are being asked to download Firefox from a nameless IP; does that make it OK?
I am an idiot because I don't understand MD5
Not true; I know exactly what MD5 is. Nevertheless, manual verification of hashes (generated via any algorithm) is a non-starter with a large majority of the user population, especially when there is no obvious indication on the web site that that is what one should be doing.
Digital signatures don't prove software is good -- even spyware vendors can get certificates
Note the dialog doesn't say "only install signed software" -- it says "only install software from publishers you trust," and the digital certificate is used as proof of who the publisher is. If you don't trust the publisher, don't install the software.
The problem with unsigned code is that you have no idea who the publisher is! Is it really that hard to grasp? Signing isn't a panacea, but it's better than nothing!
But Firefox is more secure!
Hypothetically, let's say that that is the case. Let's assume that the source code for Firefox is perfect and there are no security problems whatsoever with it. (Of course, we all know this isn't the case... but bear with me for a second).
The whole point of the blog was that it doesn't matter how good the Firefox source code is!
Doing what the typical end user would do (download, click, click, click) you have zero proof that what you downloaded is, in fact, the true Firefox web browser. It could be a compromised version of Firefox, or even some completely unrelated root kit.
I could have checked the MD5 "signatures"
Repeat after me: MD5 sums are not signatures. They are hashes.
Anyone who compromises the server hosting the binaries can simply replace the MD5s as well. Compromising a server hosting a digitally signed binary won't help without access to the private key (which would typically be stored on a smart card that is kept physically separate from the hosting web server).
Having said that... this fails the "normal user" test. No normal user would manually verify hashes or signatures (nor are they encouraged to), which is why I didn't. IE makes it obvious to the user who the publisher of a piece of code is (or that no publisher can be verified), although prior to SP 2 I completely agree that the UI was sucky.
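The server-compromise point above, as an added example (not code from the original post or from Mozilla): a hash stored next to the file can be regenerated by whoever controls the server, while a signature only verifies against a public key the client already holds. The file contents, function names and the choice of Ed25519 are assumptions made for illustration.

```javascript
// Added example: constructed data, hypothetical names throughout.
const crypto = require("node:crypto");

// Publisher side: the private key stays off the download server.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");

const md5 = (buf) => crypto.createHash("md5").update(buf).digest("hex");
const sign = (buf, key) => crypto.sign(null, buf, key);

// What a download server hosts: the file plus its published checks.
function publish(installer) {
  return { installer, md5: md5(installer), signature: sign(installer, privateKey) };
}

// Someone with write access to the server swaps the file and regenerates
// everything that can be computed without the publisher's private key.
function compromise(payload) {
  const otherKey = crypto.generateKeyPairSync("ed25519").privateKey;
  return { installer: payload, md5: md5(payload), signature: sign(payload, otherKey) };
}

// Client check 1: compare the file against the hash served alongside it.
function hashCheck(hosted) {
  return md5(hosted.installer) === hosted.md5;
}

// Client check 2: verify against the publisher's public key, which the
// client obtained separately and which did not come from the server.
function signatureCheck(hosted, trustedPublicKey) {
  return crypto.verify(null, hosted.installer, trustedPublicKey, hosted.signature);
}

const genuine = publish(Buffer.from("constructed installer bytes"));
const tampered = compromise(Buffer.from("constructed replacement bytes"));

console.log("hash check, genuine:      ", hashCheck(genuine));
console.log("hash check, tampered:     ", hashCheck(tampered));
console.log("signature check, genuine: ", signatureCheck(genuine, publicKey));
console.log("signature check, tampered:", signatureCheck(tampered, publicKey));
```

The hash check passes for both files because it only proves the file matches whatever the server says it should be; the signature check fails for the replaced file whether the old signature is kept or a new one is made with a different key.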
I could have downloaded the source, read it line-by-line, then compiled it
And when will I see a two-page New York Times ad telling me how to do that?
Code signing is a solution to a Windows / IE problem; Linux / Firefox doesn't need it
Do Linux or Firefox somehow make it impossible to install bad software? I thought not.
Code signing is a way of providing evidence to help users make trust decisions for the software they are going to install, independent of the platform. Check your Linux package installer of choice -- I bet it checks for digital signatures (albeit ones generated by PGP keys rather than VeriSign certificates).
Those weren't random web sites -- they were official mirrors! You should trust them if you trust mozilla.org
Trust is not transitive. If I trust you and you trust Bob, that doesn't mean that I trust Bob.
Let's say I trust the Mozilla developers to write 100% secure code. Let's also say I trust the mozilla.org administrators to run a secure web site. Let's even further suppose that I trust the mozilla.org administrators to only allow "good" mirrors (i.e., they won't use www.hackers-r-us.com as an official mirror for Firefox).
Does that mean I should trust the administrators / users of each of those mirrors to keep their systems secure? No.
Hackers now have several websites they can try to hack in order to compromise the Firefox install.
Mozilla can't afford bandwidth, so it needs the mirrors
But they can afford two-page ads in the New York Times? <g>
Mozilla can't afford code signing certificates
Oh and they can apparently afford an SSL certificate.
Mozilla shouldn't buy a code-signing certificate because that supports the nasty closed-source for-profit world
See above; they were happy to get an SSL certificate from Thawte to protect their bug web site.
Firefox only installs extensions from white-listed sites, and only update.mozilla.org is trusted by default.
Simply not true.
I downloaded the FlashBlock extension from http://mozdev.xmundo.net/flashblock/flashblock-1.2.5.xpi and "Install Now" was the default button (hint: try typing that URL into the address bar of Firefox and see what happens).
I must be running on a Mac
What, you've never heard of Virtual PC for Windows?
Why am I running under Virtual PC?
Because I wanted to be able to blow it all away. Plus it was a way to get a relatively "clean" machine.
How much are they paying me for this?
Nothing; it's all on my own time.
My boss is on vacation, and I've never met Bill Gates (nor am I likely to... he's a busy guy).
Users are dumb and don't read dialogs anyway, so this whole code signing thing is a waste of time
Great attitude -- let's keep the population uneducated and encourage them to install random code; they probably won't get tricked into installing malware if they're smart enough to run Firefox!
Any arguments to the effect that "users will just click OK anyway" actually work against Firefox; see below (it has less secure defaults for saving and executing files than does IE).
The fact that you can't check the signature on Flash is not Firefox's fault; it's Macromedia's fault
The download from Macromedia is digitally signed. Firefox just doesn't choose to convey that information to the user.
OMG IE is insecure coz it is part of teh kernel!!111!
Oh, that gem. Yes, and Paintbrush runs as LocalSystem!
For crying out loud...
IE has lots of bugs, so I don't trust it
Fine, you don't trust IE.
IE has lots of bugs (I never denied that).
But again this misses the point of the article -- I don't care if the "true" Firefox has no bugs whatsoever. How do I (as a normal user, not a computer geek) know that I am really running Firefox?
Not fair; you're comparing IE 6 SP 2 with Firefox 1.0
Yes, it's taken Microsoft a while to get IE into good shape. Even so, you didn't have to wait until XP SP 2 to block unsigned ActiveX controls (or to even prompt for signed ActiveX controls). I don't have an old copy of IE or Windows lying around to test on, but I'm pretty darn sure it still prompted you for installs of controls in the past (and check, for example, this newsgroup post from 1998 which seems to confirm my memory).
Having said that, Firefox is still several months newer than SP 2, it has had years to learn from IE's mistakes, and it still managed to "borrow" the Gold Bar from IE. So you can't really claim it is disadvantaged in that sense.
Who cares if getfirefox.com redirects to mozilla.org? microsoft.com redirects a lot, too
Good point; the reason for spelling that out was not very clear. Basically I wanted to show that the download was coming from somewhere completely unrelated to the Mozilla web site (including the redirect).
And it's true -- Microsoft has used bandwidth aggregators like Akamai in the past, which might present an unexpected URL to the user. But at least they can be sure the files haven't been tampered with due to the digital signature which IE dutifully checks for them (i.e., not relying on them to get MD5s from some secondary source, manually check them, etc).
ActiveX controls suck
Maybe, but how is the download experience for the Flash plug-in better? At what point during the install was I informed that the thing I had downloaded really was from Macromedia, and not from Hackers-R-Us (or some un-named entity)?
Firefox's downloads are more secure because they don't auto-execute
Neither do IE's.
First you get the "Open, Save, Cancel" dialog, then (assuming you clicked "Open") you get the "Run or Don't Run" dialog. That's two dialogs, each with helpful information in them, and reasonable default actions if you just hit <Enter> (Cancel and Don't Run). With SP 2, even if you choose to save the file to disk, you will still be given the second warning if you later try to execute the file through the shell (with the default, again, being Cancel).
With Firefox, you get the "Save to disk" dialog and then the "Open" dialog; still two dialogs, except the default is "OK" (not Cancel) and there's no protection if you save to disk and then open from there -- i.e., only one dialog, the default action of which is to save the EXE to your desktop where you might (accidentally?) click on it later.
Your HTML sucks
Sorry; that's just the way it is. I don't control http://weblogs.asp.net
It's still viewable in Firefox; there's just a bit of a gap after one of the images.
You're spreading FUD
Well, yes, I suppose I am.
·People should fear code they cannot easily verify
·People should feel uncertainty about downloading and executing code that they cannot easily verify
·People should doubt the integrity of code they cannot easily verify
And, to re-iterate what I said earlier, manually checking MD5s or compiling the source does not qualify for 99% of users.
You must be a crappy developer / You should fix your own code
I am not a developer. I am a Program Manager.
My job is not to write code directly; I leave that to the experts.
Why don't you just use Firefox?
Because my blog doesn't display properly...