How can I trust Firefox?


[Fixed issues with images; sorry]

[Removed the clear=all problem; thanks for pointing it out]

[Added a follow-up post here]

Recently, a lot of volunteers donated money to the Firefox project to pay for a two-page advert in the New York Times.

If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

Let me explain...

One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware onto their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust. Every time you download a random piece of software from a random location, you're taking your chances with your PC and all the information stored on it. You wouldn't take candy from strangers, would you?

In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software). Note the difference between the two: a valid signature tells you who published the file and that it has not been altered since they signed it, whereas a hash only tells you the file is the one somebody published, and only if the hash itself came from somewhere other than the server that handed you the file.
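The check that IE's "publisher cannot be verified" dialog performs can also be made outside the browser, which is the practical answer to the complaint later in this post that a saved download gives you no indication of whether it is signed. The following is an added example, not code from the original post or from Mozilla or Microsoft; it uses the standard Get-AuthenticodeSignature and Get-FileHash cmdlets and encodes the "necessary but not sufficient" rule from the paragraph above: a valid signature only earns a Run decision when the signer is a publisher you chose beforehand, and an optional hash obtained out of band (not from the download mirror) must also match. The file path and the publisher string in the usage line are assumptions for illustration.

```powershell
# Added example (not from the original post). Decide Run / Don't Run for a
# downloaded installer from its Authenticode signature plus an optional
# out-of-band SHA-256, instead of from whichever mirror served the file.

function Test-DownloadTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,

        # Substring expected in the signer certificate's Subject. Choose it from
        # a copy of the publisher's certificate you already trust, never from
        # the download page itself (assumed value supplied by the caller).
        [Parameter(Mandatory)] [string] $ExpectedPublisher,

        # Optional SHA-256 hex digest obtained over a channel separate from the
        # mirror that served the file (e.g. the vendor's own site over HTTPS).
        [string] $ExpectedSha256
    )

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    # $sig.Status is a System.Management.Automation.SignatureStatus value:
    # Valid, NotSigned, HashMismatch (file altered after signing), NotTrusted
    # (chain does not end at a trusted root), UnknownError, ...
    # Only 'Valid' AND the expected publisher together count as evidence.
    $signedByExpected = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedPublisher*")

    # $null when no out-of-band hash was supplied; $true/$false otherwise.
    $hashMatches = if ($ExpectedSha256) {
        $hash -eq $ExpectedSha256.ToUpperInvariant()
    } else { $null }

    # An unsigned or tampered file lands on "Don't Run", matching IE's default.
    $decision = if ($signedByExpected -and ($hashMatches -ne $false)) { 'Run' } else { "Don't Run" }

    [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        Signer          = $subject
        Sha256          = $hash
        HashMatches     = $hashMatches
        Decision        = $decision
    }
}

# Usage (hypothetical path and publisher name; substitute your own):
Test-DownloadTrust -Path "$env:USERPROFILE\Downloads\Firefox Setup.exe" `
                   -ExpectedPublisher 'Example Publisher Inc' |
    Format-List
```

A NotSigned result is exactly the situation described in this post; a HashMismatch result means the file was changed after the publisher signed it, which is the "maliciously altered copy" case. Neither result says anything about bugs in genuinely published code, which is the "not sufficient" half of the rule.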

So what happens when a typical user decides it's time to download Firefox and enjoy the secure browsing experience that it has to offer? Well, sit back, relax, and let me take you on a journey.

First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/.
From there I easily located the download link, and clicking on it gave me the following dialog:

Download Firefox image

Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don't have any idea where that place is, and it sure makes me nervous. IE has informed me that "If you do not trust the source, do not run or save this software."

Do I really trust a bunch of kids at some random university I've never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!

But being a brave soul (and not caring if my Virtual PC image dies a horrible death) I click Run. A few seconds later, I get the following dialog:

Picture of unsigned Firefox executable warning

What?

Not only does this software come from a completely random university server, but I have no way of checking if it is the authentic Firefox install or some maliciously altered copy. (I sure hope those 10 million people who have downloaded Firefox so far haven't all downloaded backdoors into their system...). Since "You should only run software from publishers you trust" and since the publisher cannot be verified, I should click Don't Run (which is, thankfully, the default).

But, again, being a brave soul I click Run.

I am then greeted with this dialog:

Picture of random setup dialog

Oops, my network connection died. But still... that kind of unintelligible dialog doesn't do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?

Forging blindly ahead, I download the software again (this time coming from -- I kid you not! -- a numeric IP address, the bastion of spammers and phishers and all manner of other digital rogues) and run the installer. This time things are actually looking good:

·Installer runs fine

·I accept the defaults

·Firefox starts

·It asks if I want to make it the default browser; no thanks

·I get this dialog (seriously):

Picture of blank Message Box (not even a title bar)

Hmmm, a completely blank MessageBox. Well, OK is the default choice, so I guess I should accept that. No idea what it will do to my system though.

My confidence in this software is growing in leaps and bounds.

I decide to reboot the VPC just in case that dialog was trying to tell me something important. After rebooting, I boot up Firefox and it seems to be working fine.

I decide to install some extensions because, hey, everyone on Slashdot loves them so much. I browse to the extensions page and decide that the Amazon.com Sidebar sounds cool (I love Amazon, and Amazon loves my credit card). Clicking on the link brings up this dialog:

Picture of Firefox Extension Install dialog

It dutifully tells me the extension isn't signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?

(Just so I don't get inundated with comments about this, Firefox does disable the Install button for a couple of seconds when the dialog is first displayed, but by the time I had finished reading the text in the dialog it was enabled and ready to go).

Next, I want to go somewhere that uses Flash (heh, coz we all know I love Flash!). I'll try the Ocean's 12 official web site, www.oceanstwelve.net, which detects that Flash isn't installed and gives me a link to install it. Clicking on the link, I get taken to the Macromedia page, where I can download Flash. Firefox prevents me from running the executable straight away, and forces me to save it to disk. That's probably a good move for most users, although personally I tend to click Run inside IE because I know it will warn me about unsigned programs. Nevertheless, it is but a minor speed bump on the way to malware infection, as we shall see in the next step.

Once the file is saved, I can open it from the little downloads dialog that pops up. The problem is, there is no indication as to whether or not the file is digitally signed; I just get the usual "This could be a virus; do you want to run it anyway?" dialog. But without any evidence to base my trust decision on (where it came from, who the publisher was, etc.), what should I do? Of course, the right thing to do would be to delete the file and never install Flash, but I really want to install it so I guess I have to go ahead and run the thing.

What's really frightening though is that there is a "Don't ask me again" option in this dialog... which means that if you check the box you could end up running any old garbage on your system without so much as a single warning. Doesn't sound so secure to me...

So anyway, Flash installs and I can view the Ocean's 12 website OK. But now what if there's a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to "High" security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don't see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn't help, and Flash isn't even listed in Add / Remove Programs.

According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content. Ho-hum. The first download mirror that the page sent me to gave a 403: Forbidden error; luckily the second mirror worked OK and, once again playing digital Russian Roulette, I installed the extension and rebooted Firefox twice (yes twice) as instructed to install it. To be fair, the extension is pretty cool, but that's not the point: How do I know I didn't just install some terrible malware from a compromised web server? Who owns xmundo.net anyway, and can their admins be trusted? And what if I accidentally browsed to some site hosting a malicious Flash movie whilst trying to download the extension?

(Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer any more.)

To continue my benevolent fairness, I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example).

Mozilla has had its share of security vulnerabilities in the past (just as IE has), and -- despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It's just something you should be aware of. Just because you don't see any unpatched security bugs in Bugzilla doesn't mean they don't exist, either.

But the thing that makes me really not trust the browser is that it doesn't matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions.

·Installing Firefox requires downloading an unsigned binary from a random web server

·Installing unsigned extensions is the default action in the Extensions dialog

·There is no way to check the signature on downloaded program files

·There is no obvious way to turn off plug-ins once they are installed

·There is an easy way to bypass the "This might be a virus" dialog

This is what the "Secure Deployment" part of Microsoft's SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.

I personally don't care if people choose to run Firefox or Linux or any other software on their computers -- it's their computer, after all -- but we'll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

So, at this point in time, installing (and using) Firefox encourages exactly the sort of behaviour we are trying to steer people away from, and to me that makes it part of the problem, not the solution.

(Thanks to Mike and Robert and the other folk who gave this a once-over before posting; any errors are still mine though ;-) ).

  • I download software from websites I trust. Having a box telling me that the software is signed doesn't mean jack to me.

    The reason I stopped using IE was because Firefox gives me simplicity and control. I no longer have to worry about security zones, popups, irritating animated banners and flash controls. I don't have to worry about spyware activex controls and BSO's taking over my computer. I don't have to worry about deleting my browsing history and finding out that it wasn't actually deleted. I feel more at ease working with software that follows and supports public standards.

    But most importantly, I like the underdog. ;-)

  • http://forums.mozillazine.org/viewtopic.php?t=187607
  • First, nobody except big companies that can afford it gets a Verisign security certificate, and thus users already ignore the "Are you sure? This isn't signed." dialog boxes.

    Second, Just because Verisign trusts the certificate, I never said I trusted it nor did I ever say I trust Verisign to make these decisions for me.

    The 7-zip: Unspecified Error issue has been reported to both Mozilla and 7-zip. It is caused by a corrupt download.

    The download location is not random. It is limited to those in the DNS roundrobin of mirrors.

    Mozilla extensions can be signed and people have done so in the past.

    As for the issues you bring up, they are valid in general. If you come up with a solution, nothing prevents you from filing a bug and patch on the issue.

    Don't complain about problems, solve them.
  • Great post Peter,

    I agree completely with your assessment. The web would be a much better (and trusted) place if people learned the basic security precautions that you outline about basic application installation.

    Working in information security for many years now, I personally don't install any unsigned plug-ins, etc. I closely review any application that isn't code signed, even those that come on CD. If the publisher can't be bothered with simple code signing, then where else did they take shortcuts that will compromise the application? I haven't looked at FireFox yet, but if the install is as insecure as your description, I would never install it!

    I think the use of the term "security" is many times over generalized, as to be almost meaningless in some cases. If FireFox is stating they are "more secure", just what exactly does that mean, or is it just hollow marketing speak? With FireFox promoting this unsecure application installation from the get-go, you have to seriously question how well they did on the rest of the security in the application.

    Based on the feedback here, and what I have read about FireFox in other places, it seems to be more a browser for "geeks" and not really for consumers. What average user needs a DOM explorer or a Javascript console? This looks like just another application built by software developers for software developers.

    I agree with the comment that most people that read that advert in NYT aren't going to have a clue about verifying a digest value or even using PGP. Even among the security professionals I know, PGP is still more a novelty, as opposed to an everyday trust verification tool. At least with Code Signing, there are easily accessible tools built in to verify signatures so that one can have a level of trust in the computer. However, in the end, until the OS flat-out refuses to install any application, plug-in, etc. that is not code signed (with no ability to override), we will continue to have trust problems.

    -- rcme
  • ·Installing Firefox requires downloading an unsigned binary from a random web server

    It's not a "random web server", it's a mirror selected by the Firefox web site. If you can't trust this mirror, then you shouldn't trust the original site: the chain of references is direct and explicit, the only way this could be a dangerous action is if the Firefox site itself is compromised, and if that happens all bets are off.

    The whole "signed binary" mechanism is a Windows-specific response to a fundamental design flaw in the way Internet Explorer and Windows Explorer are built over the same HTML control with rights assigned based on the "security zone" of the object rather than based on the path and origin of the object. No other browser provides a mechanism to trust files from "random web servers" without an explicit user action, and thus doesn't need to depend on certificates the way IE does.

    ·Installing unsigned extensions is the default action in the Extensions dialog

    Only if they're downloaded directly from the Mozilla website. Anywhere else (including a mirror), and it pops up a bar that informs you you're installing an extension from an unknown site.

    ·There is no way to check the signature on downloaded program files

    See above.

    ·There is no obvious way to turn off plug-ins once they are installed

    Tools -> Extensions.

    ·There is an easy way to bypass the "This might be a virus" dialog

    The only reason this kind of dialog is important for IE is that it's the only human confirmation between the browser and launching a program. Firefox doesn't launch installers automatically, you have to explicitly select and open them.

    This is no different from saving to your desktop and then double-clicking on the icon there.

    "According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content."

    The Flashblock extension doesn't just "block flash content", it allows you to interactively enable flash applets on a case-by-case basis. It's unrelated to deleting the plugin.

    "How do I know I didn't just install some terrible malware from a compromised web server?"

    Same way you know you didn't download some terrible *signed* malware that you might get from some external website. You follow a chain of delegation from a site you trust.

    Just because a component is signed doesn't mean it's secure. All it means is that there's a good chance that, if it does turn out to be a trojan horse, you have a better chance of tracing it back to someone who bought a certificate.

    Secondarily, a signed plugin or applet (say, Macromedia Flash itself) may have security flaws. Being able to track down the source of the program doesn't help if the exposure was inadvertent.

    Basically, the way Microsoft uses signatures is not good security practice, it's part of a long-running contest between Microsoft and Microsoft's original flawed design for desktop-browser integration. Switching from a browser that requires signatures to one that doesn't need to trust content from untrusted sources to do its job, well, that wins you so much more.

    And, of course, Firefox can easily add requirements for signatures if it becomes necessary. Microsoft can only fix IE by redesigning dozens of their own applications (Outlook, Windows Explorer, Windows Update, ...) and breaking compatibility for a huge percentage of the applications out there.

    "Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users."

    Most don't stay hidden very long. I've submitted a security bug, and shortly afterwards it was "unhidden" because it wasn't considered something that could lead to untrusted code execution. Similar bugs reported to Microsoft vanish into the ether.

    "But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist"

    The difference between Firefox and IE is that Firefox doesn't have a deep design flaw that has remained unfixed for seven years because it can't be fixed without changing the API and causing the publisher loss of face.

    I may seem excessively harsh on Microsoft here, but back before the flood of exploits and viruses I was responsible for the conversion of our users from X-terminals (thin clients) to Windows desktops. In the process of this I evaluated Outlook and IE for our division, and I rejected them. It was obvious to me, even back then, that there were huge security issues inherent in using the same component for the desktop and the browser, and while it could have been done safely (say, by having the HTML component contain no internet access, plugin, or application launch mechanism... having it call back to the parent applications exclusively for content) Microsoft's design was inherently almost impossible to implement safely.

    I didn't know what the failure mode would be... this was back before Melissa... but I knew it would be spectacular. And, of course, it was.

    What really bothers me is that Microsoft, rather than backing away and launching a reliable design, has spent the past seven years trying to shore up 'security zones' to limit the damage... and failing. I see no prospect that they will ever find a solution to the general problem, OR back out of the flawed design.

    And *that*, in the end, is why you're better off trusting almost any browser that doesn't use the Microsoft HTML control. Its own problems are unlikely to be as long-lasting and hard to resolve.
  • I posted about this back in July. That post was based on v0.9, IIRC, but a lot of it's still relevant.

    http://mikedimmick.blogspot.com/2004/07/techworldcom-browser-rival-to-activex.html

    As I recall, v1.0 now has an information bar clone which pops up when you click an XPInstall link. This allows you to select which sites you want to be able to start plug-in downloads. Unfortunately it's not single-shot like IE's.

    I'm sticking with IE too. It's a known quantity. Firefox is an unknown quantity and without any form of formal prerelease testing, I don't trust it (same for any other non-trivial OSS without formal testing, like Linux).
  • If you want tabbed browsing, but don't like FireFox, try AvantBrowser (www.avantbrowser.com)

    suits me just fine
  • This page doesn't even render correctly in Firefox. Half the article is scrolled way down - you wouldn't even know it is there!! what the.....
  • firefox is teh rox! sux0r


    -AC
  • Heh, nice comments about security certs there, considering there was for quite some time (still is?) a security vulnerability in IE where a malicious website owner could spoof Microsoft's certificate. The advisory stated the workaround was to not permanently trust Microsoft's certificate and try to judge installs on a case by case basis. Making them... pretty much useless. I also like the way you try to blame an unintelligible dialogue in 7-zip on Firefox as well! Don't get me wrong, 7-zip is a great though often terse program, but it has NOTHING to do with Firefox.
  • Microsoft's Peter Torr invites a flame war with his essay, How can I trust Firefox? He walks through the installation and configuration process with Firefox and determines that it reinforces some particularly bad habits for users. He concludes: I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn't currently have any unpatched security vulnerabilities talked about in the press doesn't mean they don't exist (Secunia currently lists three unpatched vulnerabilities, for example). Mozilla has had its share of security vulnerabilities in the past (just as IE has), and -- despite what the open source folk might say -- Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It's just something you should be aware of. Just because you don't see any unpatched security bugs in Bugzilla doesn't mean they don't exist, either. But the thing that makes me really not...
  • Great post.

    http://www.msfn.org/comments.php?shownews=11134