Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!
"How can I Trust Firefox" blog by Torr

Peter Torr has joined our group, working with development teams to help them through the Security Development Lifecycle and Final Security Review processes. He just posted an interesting comment about downloading and running Firefox.

http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

Posted: Monday, December 20, 2004 1:40 PM by michael_HOWARD

Comments

FireFoxUser said:

I can trust FF
# December 20, 2004 11:01 PM

Susan said:

I think you are missing the point. Installing it is not where the issue lies [even though this is an exercise in downloading, do I, does anyone check the md5 checksums for those security patches that Shavlik sucks down? Do I check a security bulletin's pgp key?

The real "trust" is running any browser. By definition they do "active content". As per my understanding, JavaScript, Java, ActiveX by definition to "unload" the overhead on servers, runs code on "my" machine.

Do I really need to have Javascript running to get a printer driver from hp.com?

In reading the goals of the w3c project... we've run head first towards the use of the web as the platform of choice but the very design foundations sound more like a Woodstock convention [love, peace, embrace all platforms] than something that we're running financial transactions across.

The question is..."how can I trust Firefox?"... the real question I'm asking myself on behalf of my firm... is there ANY browser I trust?

The answer right now as I see the Secunia vulnerability notices pile up in my inbox for Opera, Mozilla, Netscape, Firefox and Internet Explorer is a resounding heck NO.
# December 20, 2004 11:24 PM

ME said:

The funny thing is that only the guys from M$, or who work for it, approve of and like that comment.
# December 22, 2004 9:28 AM

Thomas Elias Weatherly said:

I don't trust the Mozilla folk and I don't trust the Microsoft folk. My friends and I check the MD5 hash and the SHA-1 hash of all code that we download; we try to download from different sources and compare with each other's results. Trust no one and verify is our motto.
# December 24, 2004 11:16 PM

Ghent said:

Make a better browser or we will fire you!
# December 27, 2004 10:54 PM