I love Slashdot

The comments from my last post are still coming in thick and fast. Thanks to everyone who didn't just swear at me (and if I didn't approve your comment, it was because it had too much profanity in it).

First things first: I was wrong about uninstalling plug-ins.

Thanks to several helpful posters, you can actually do this via Tools -> Options -> Downloads -> Plugins and clicking on the little blue arrows. Perhaps someone should tell the documentation writers because searching for "Disable" in the Firefox help (or looking for it in the index) found no hits. And I swear I thought I had poked every last option on that dialog in an attempt to find the plugin. Oh well.

Google didn't help much either, but maybe this post will get a good Page Rank and help the next poor guy (or girl).

· How to disable Flash in Firefox. Tools -> Options -> Downloads -> Plugins

· How to disable plugins in Firefox. Tools -> Options -> Downloads -> Plugins

· How to disable plug-ins in Firefox. Tools -> Options -> Downloads -> Plugins

Second thing: Complaining about the installation errors was probably a cheap shot.

Still, if the same errors had appeared during the installation of a Microsoft program, users would have picked them out and laughed at them. Someone mentioned that the blank dialog may have been caused by McAfee (except it's not installed) or by Virtual PC itself (could be, although I've never seen it before). Anyway, that was my installation experience; yours may have been better (just as everyone likes to give their "I browsed one web site and had 28 bajillion pieces of spyware silently installed on my machine!" when I've never seen anything like it. YMMV).

Third thing: I did actually say that Firefox was "a nice browser."

I was merely pointing out that the average user has no way of trusting that the thing they installed on their computer really is Firefox, or that the extensions / plug-ins they load into Firefox really are the genuine articles.

Fourth thing: Jeff Klawiter apparently has a plugin to let you sign Firefox extensions

Thanks for being part of the solution! :-)

Fifth thing: Yes my post was biased against Firefox.

Because every article written about IE or Windows or Linux is completely balanced, no?

OK, let's look at the most common replies:

I am an idiot

There were a lot of these kinds of replies, citing various reasons. But only my friend Pat got it right -- he can call me an idiot, but only due to personal experience.

I am an idiot because I don't know what depaul.edu is

I guess if failing to have an encyclopaedic knowledge of all the universities in a country you didn't grow up in makes you an idiot, then I am guilty as charged. Seriously -- have you heard of Swinburne?

Anyway, the point is that the average internet user might not know what ".edu" means, or who controls the server. The New York Times told them to download Firefox from a ".com" address, and now they're downloading it from somewhere completely unrelated.

I am an idiot because I used the term "numeric IP address"

Yes, that was a tautology; call me an idiot if you want. The intent was to point out that it wasn't a typical domain name like www.mozilla.org, and some people may equate "domain name" with "IP address" (yes, the same kinds of "idiots" that read the New York Times :-) )

I am an idiot because I think domain names are more secure than IP addresses

The point of that comment was that using an IP address (as opposed to a domain name) is one of the tell-tale signs of a phishing / scamming site. We tell customers to be wary of such sites, because (by and large) any legitimate business will have registered a domain name.

But now they are being asked to download Firefox from a nameless IP; does that make it OK?

I am an idiot because I don't understand MD5

Not true; I know exactly what MD5 is. Nevertheless, manual verification of hashes (generated via any algorithm) is a non-starter with a large majority of the user population, especially when there is no obvious indication on the web site that that is what one should be doing.

Digital signatures don't prove software is good -- even spyware vendors can get certificates

Indeed.

Note the dialog doesn't say "only install signed software" -- it says "only install software from publishers you trust," and the digital certificate is used as proof of who the publisher is. If you don't trust the publisher, don't install the software.

The problem with unsigned code is that you have no idea who the publisher is! Is it really that hard to grasp? Signing isn't a panacea, but it's better than nothing!

But Firefox is more secure!

Hypothetically, let's say that that is the case. Let's assume that the source code for Firefox is perfect and there are no security problems whatsoever with it. (Of course, we all know this isn't the case... but bear with me for a second).

The whole point of the blog was that it doesn't matter how good the Firefox source code is!

Doing what the typical end user would do (download, click, click, click) you have zero proof that what you downloaded is, in fact, the true Firefox web browser. It could be a compromised version of Firefox, or even some completely unrelated root kit.

I could have checked the MD5 "signatures"

Repeat after me: MD5 sums are not signatures. They are hashes.

Anyone who compromises the server hosting the binaries can simply replace the MD5s as well. Compromising a server hosting a digitally signed binary won't help without access to the private key (which would typically be stored on a smart card that is kept physically separate from the hosting web server).

Having said that... this fails the "normal user" test. No normal user would manually verify hashes or signatures (nor are they encouraged to), which is why I didn't. IE makes it obvious to the user who the publisher of a piece of code is (or that no publisher can be verified), although prior to SP 2 I completely agree that the UI was sucky.
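The difference between a replaceable hash and a signature, as an added Python sketch that is not part of the original post. A Lamport one-time signature built from SHA-256 stands in for the Authenticode or PGP signature so that it runs on the standard library alone; the mirror dictionary, the function names and the installer bytes are all constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair. sk stays offline with the publisher;
    pk is what the user's machine already trusts."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(data: bytes):
    # The 256 bits of SHA-256(data), most significant bit first.
    digest = H(data)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data: bytes):
    """Reveal one secret per digest bit. A Lamport key must sign only once."""
    return [sk[i][b] for i, b in enumerate(_bits(data))]

def verify(pk, data: bytes, sig) -> bool:
    bits = _bits(data)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(bits))

def publish(installer: bytes, sk):
    """What the publisher uploads to a mirror."""
    return {"file": installer,
            "md5": hashlib.md5(installer).hexdigest(),
            "sig": sign(sk, installer)}

def tampered_copy(mirror, replacement: bytes):
    """State of the mirror after someone with write access swaps the file.
    The MD5 can be recomputed by anyone; a new signature cannot be made
    without sk, so the old one is all that can be served."""
    return {"file": replacement,
            "md5": hashlib.md5(replacement).hexdigest(),
            "sig": mirror["sig"]}

def user_checks(mirror, pk):
    """Return (md5_matches, signature_valid) for what the mirror serves."""
    md5_ok = hashlib.md5(mirror["file"]).hexdigest() == mirror["md5"]
    return md5_ok, verify(pk, mirror["file"], mirror["sig"])

def demo():
    sk, pk = keygen()
    genuine = b"constructed bytes standing in for the genuine installer"
    replaced = b"constructed bytes standing in for a swapped installer"
    clean = publish(genuine, sk)
    bad = tampered_copy(clean, replaced)
    return user_checks(clean, pk), user_checks(bad, pk)

if __name__ == "__main__":
    print(demo())
```

On the tampered mirror the MD5 comparison still succeeds because the sum sits next to the file it describes, while the signature check fails because it depends on a key the mirror never held.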

I could have downloaded the source, read it line-by-line, then compiled it

And when will I see a two-page New York Times ad telling me how to do that?

Next please...

Code signing is a solution to a Windows / IE problem; Linux / Firefox doesn't need it

Do Linux or Firefox somehow make it impossible to install bad software? I thought not.

Code signing is a way of providing evidence to help users make trust decisions for the software they are going to install, independent of the platform. Check your Linux package installer of choice -- I bet it checks for digital signatures (albeit ones generated by PGP keys rather than VeriSign certificates).

Those weren't random web sites -- they were official mirrors! You should trust them if you trust mozilla.org

Trust is not transitive. If I trust you and you trust Bob, that doesn't mean that I trust Bob.

Let's say I trust the Mozilla developers to write 100% secure code. Let's also say I trust the mozilla.org administrators to run a secure web site. Let's even further suppose that I trust the mozilla.org administrators to only allow "good" mirrors (ie, they won't use www.hackers-r-us.com as an official mirror for Firefox).

Does that mean I should trust the administrators / users of each of those mirrors to keep their systems secure? No.

Hackers now have several websites they can try to hack in order to compromise the Firefox install.

Mozilla can't afford bandwidth, so it needs the mirrors

But they can afford two-page ads in the New York Times? <g>

Mozilla can't afford code signing certificates

But they can afford two-page ads in the New York Times? <g>

Oh and they can apparently afford an SSL certificate.

Mozilla shouldn't buy a code-signing certificate because that supports the nasty closed-source for-profit world

See above; they were happy to get an SSL certificate from Thawte to protect their bug web site.

Next please...

Firefox only installs extensions from white-listed sites, and only update.mozilla.org is trusted by default.

Simply not true.

I downloaded the FlashBlock extension from http://mozdev.xmundo.net/flashblock/flashblock-1.2.5.xpi and "Install Now" was the default button (hint: try typing that URL into the address bar of Firefox and see what happens).

I must be running on a Mac

What, you've never heard of Virtual PC for Windows?

Why am I running under Virtual PC?

Because I wanted to be able to blow it all away. Plus it was a way to get a relatively "clean" machine.

How much are they paying me for this?

Nothing; it's all on my own time.

My boss is on vacation, and I've never met Bill Gates (nor am I likely to... he's a busy guy).

Users are dumb and don't read dialogs anyway, so this whole code signing thing is a waste of time

Great attitude -- let's keep the population uneducated and encourage them to install random code; they probably won't get tricked into installing malware if they're smart enough to run Firefox!

Any arguments to the effect that "users will just click OK anyway" actually work against Firefox; see below (it has less secure defaults for saving and executing files than does IE).

The fact that you can't check the signature on Flash is not Firefox's fault; it's Macromedia's fault

Not true.

The download from Macromedia is digitally signed. Firefox just doesn't choose to convey that information to the user.

OMG IE is insecure coz it is part of teh kernel!!111!

Oh, that gem. Yes, and Paintbrush runs as LocalSystem!

For crying out loud...

IE has lots of bugs, so I don't trust it

Fine, you don't trust IE.

IE has lots of bugs (I never denied that).

But again this misses the point of the article -- I don't care if the "true" Firefox has no bugs whatsoever. How do I (as a normal user, not a computer geek) know that I am really running Firefox?

Not fair; you're comparing IE 6 SP 2 with Firefox 1.0

Yes, it's taken Microsoft a while to get IE into good shape. Even so, you didn't have to wait until XP SP 2 to block unsigned ActiveX controls (or to even prompt for signed ActiveX controls). I don't have an old copy of IE or Windows lying around to test on, but I'm pretty darn sure it still prompted you for installs of controls in the past (and check, for example, this newsgroup post from 1998 which seems to confirm my memory).

Having said that, Firefox is still several months newer than SP 2, it has had years to learn from IE's mistakes, and it still managed to "borrow" the Gold Bar from IE. So you can't really claim it is disadvantaged in that sense.

Who cares if getfirefox.com redirects to mozilla.org? microsoft.com redirects a lot, too

Good point; the reason for spelling that out was not very clear. Basically I wanted to show that the download was coming from somewhere completely unrelated to the Mozilla web site (including the redirect).

And it's true -- Microsoft has used bandwidth aggregators like Akamai in the past, which might present an unexpected URL to the user. But at least they can be sure the files haven't been tampered with due to the digital signature which IE dutifully checks for them (ie, not relying on them to get MD5s from some secondary source, manually check them, etc).

ActiveX controls suck

Maybe, but how is the download experience for the Flash plug-in better? At what point during the install was I informed that the thing I had downloaded really was from Macromedia, and not from Hackers-R-Us (or some un-named entity)?

Firefox's downloads are more secure because they don't auto-execute

Neither do IE's.

First you get the "Open, Save, Cancel" dialog, then (assuming you clicked "Open") you get the "Run or Don't Run" dialog. That's two dialogs, each with helpful information in them, and reasonable default actions if you just hit <Enter> (Cancel and Don't Run). With SP 2, even if you choose to save the file to disk, you will still be given the second warning if you later try to execute the file through the shell (with the default, again, being Cancel).

With Firefox, you get the "Save to disk" dialog and then the "Open" dialog; still two dialogs, except the default is "OK" (not Cancel) and there's no protection if you save to disk and then open from there -- ie, only one dialog, the default action of which is to save the EXE to your desktop where you might (accidentally?) click on it later.

Your HTML sucks

Sorry; that's just the way it is. I don't control http://weblogs.asp.net

It's still viewable in Firefox; there's just a bit of a gap after one of the images.

You're spreading FUD

Well, yes, I suppose I am.

· People should fear code they cannot easily verify

· People should feel uncertainty about downloading and executing code that they cannot easily verify

· People should doubt the integrity of code they cannot easily verify

And, to re-iterate what I said earlier, manually checking MD5s or compiling the source does not qualify for 99% of users.

You must be a crappy developer / You should fix your own code

I am not a developer. I am a Program Manager.

My job is not to write code directly; I leave that to the experts.

Why don't you just use Firefox?

Because my blog doesn't display properly...

  • <quote>
    People should fear code they cannot easily verify
    People should feel uncertainty about downloading and executing code that they cannot easily verify
    People should doubt the integrity of code they cannot easily verify
    </quote>

    What does "verifying code" mean?

    PS: good luck with the zealots!
  • If your blog doesn't display properly in Firefox, I think you should take it up with the admin. I and many with me won't touch IE.

    Signing software does not solve the security problem with software. I have been using MS software since 1988 and Linux since 1995 and, signed or not, I do not have any confidence in Microsoft or Microsoft Software. I'd rather get Linux from ftp.university.edu than buy software from Microsoft. MS history is full of security mistakes and monopolist behaviour, which makes me avoid MS as much as I can.

    And guess what? It works very well;)
  • It is interesting you point out this FUD about Firefox. Yet the same happens for IExplorer and basically everything a user runs nowadays. Digital signatures and automatic checks don't really mean anything, do they? When you say "People should fear code they cannot easily verify", it means if you cannot look at the code and compile it yourself, live in fear. Well, how does IExplorer help that? How does Firefox help for the matter you may ask? It doesn't either, I don't think users will read the code before running a program.

    Most of the points you make seem valid, but then you could replace FireFox with IExplorer, and their value wouldn't change. I guess that's why people are accusing you of spreading FUD, because you shoot at things nobody is capable of solving anyway, yet direct those arguments against a specific product, which of course is not made by your company.
  • Run with Firefox for a month. Play with it for a bit. I'm sure you'll learn to love it. Many of the offices I admin are stuck on win xp for desktop so I use Firefox and Thunderbird with openoffice.org to lower the chances of infections. Eight months later and I'm virus free and no trojans. There is a little bit of learning to do when switching from one product to another so give Firefox the time like you did IE. BTW it *is* a better browser ;)
  • I too will not use IE. I gave it up years ago and switched to Firefox.
    I don't care if it isn't perfect. I will keep updating it. I am careful and do configure my software for security.
  • Mozilla doesn't have enough bandwidth to support all the downloaders? The solution is not to use mirrors. As you say, who knows if they are compromised or not?

    The solution is to use BitTorrent. Bandwidth scales with the number of users downloading it, and you can fix the amount of upstream you want going at any one time as the seed. Whatever they set it to, it'll be much less than having normal downloads, and much higher than they'll need to saturate the swarms downloading from it.

    Of course, BitTorrent is something of a dirty word these days, since the MPAA and RIAA are going after a lot of BitTorrent sites, but that's just pirates exploiting a good tool. It's a great tool for certain uses, and solving the problem Mozilla is currently having is one of the things it's best at.

    One of my friends works for Microsoft (he's a Unix programmer, oddly enough), so I don't dislike Microsoft employees, by any stretch of the imagination, but it's hard to argue the merits of Internet Explorer when its technology has been basically stalled for the last 4 years.

    SP2 introduced popup blocking (finally), but implemented it with one of the most hated features of all time, the information bar, which, for the average user, is impossible to disable. There's no "right click to disable" option on it.

    Having a nearly-invisible warning come up every time you download a file, too? Now that's just cruel.

    Mozilla implemented popup blocking years earlier and twice as well.

    -Bill Kerney
  • I guess this is stage 2. Now that he's got himself to admit things we made him to, now this page is something like a politician's son screaming "Yea, my pop was killed while doin' campainin' for his party. Now since he's no more, gimme all your votes." It's probably sympathy vote/ soft-cornering for Microsoft. Still he does have a few things to get straight, as seen here:

    "Yes, it's taken Microsoft a while to get IE into good shape."

    Good shape. Jesus. We can see what 'shape' it's in.

    "Third thing: I did actually say that Firefox was "a nice browser." "

    Then why has all this spewed forth?

    "only install software from publishers you trust,"

    Do we? Can we? Should we? Can't we just use Firefox and shut up about it? Let him live with IE, guys. Just let him live with it.

    On a second note: Can we "trust" Microsoft and all that comes out of Redmond?

    "
    Your HTML sucks.

    Sorry; that's just the way it is. I don't control http://weblogs.asp.net
    "
    Typical, generic, Microsoftie's default pass-the-buck in action. Hell, Why should I even care to blame you? It's what each one of you there at Redmond do your whole life. Things will never, NEVER change if this is the default at Microsoft. This is JUST the attitude that Windows has towards its users. Nothing to see here.

    "My job is not to write code directly; I leave that to the experts."

    Yeah. That we can see. <smirk>

    "
    Why don't you just use Firefox?

    Because my blog doesn't display properly..
    "

    Run your blog through the validator at w3c, it speaks volumes for itself. And was that a Microsoft logo I saw in the Platinum Sponsors section? Dude, give it up already.

    I don't intend to spew venom; I wish to show you the truth. It's hard to believe that someone has to SHOW it to you.
  • I don't care whether you MODerate or FUDerate these posts, but the truth is out there. People know it; it will prevail. I almost forgot that this blog is run by Microsoft.
    --thanks for reading
  • "Trust is not transitive. If I trust you and you trust Bob, that doesn't mean that I trust Bob. "

    It can do though. People that use PGP rely on that sort of system. If you trust mozilla.com, it seems reasonable to trust a mirror listed on that site, even if it is to a slightly lesser extent.

    As Federico states above many of the problems are more based upon manipulation of the user and that will still be present whatever the options are set to.
  • I think most people missed the point in their comments...
    Here in short:

    If FireFox is not (trusted) signed, then it might contain a backdoor.
  • Looking at the Netcraft page for depaul.edu you can see that many of their servers are running old unpatched/unupdated editions of Apache, PHP, mod_ssl and OpenSSL. This would seem to reinforce the point about not knowing whether the site you are downloading executables from has been compromised, and whether the unsigned files are genuine.

    http://uptime.netcraft.com/up/hosted?netname=DEPAUL,140.192.0.0,140.192.255.255

    http://www.kb.cert.org/vuls/id/303448

    http://www.k-otik.com/exploits/20041127.phpnolimit.c.php

    http://www.apacheweek.com/features/security-13

    http://secunia.com/product/253/?period=2004#advisories

  • The problem with viewing blogs here on weblogs.asp.net in firefox is a problem about the crappy css stylesheets coming with the crappy old version of .Text we're using here.

    My blog here with a custom css works fine in firefox for example.
  • One thing you didn't mention was that IE6 SP2 is Windows XP only.
    Firefox is much more secure than an older version of IE on, say, a Windows 98 machine.
  • Peter, you say "People should fear code they cannot easily verify".

    In my opinion it's a lot harder to verify IE's code, mainly due to the fact that I cannot possibly ever look at the code.
  • Excellent :-)

    The whole post is about code signing (or better said, an automated and secure integrity check from trusted sources). But they make it a "Firefox is more secure than IE" battle from it.

    As I just read the reaction from Debian-lover about how he'd rather download something from an education institution than from M$. Well.. that just about hits the spot! How does he know for sure that the download is not tampered with by using a secure way of an integrity check.

    It really doesn't matter if you are downloading an executable. The whole thing also applies to archives. The weird thing is that none of the mainstream compressors like bzip, rar, 7zip, ace have such a built-in certificate signing solution.

    Ok.. the Linux world has been using md5 hashes for integrity checks for years. But what if I am installing from a cd and have no internet connection available? Certificates just rule!