How can I trust Firefox?

Dom

"Recently, a lot of volunteers donated money to the Firefox project to pay for a two-page advert in the New York Times.

If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

Let me explain...

One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust. Every time you download a random piece of software from a random location, you're taking your chances with your PC and all the information stored on it. You wouldn't take candy from strangers, would you?

In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn't mean it isn't nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software)."

[Read More]

_____________________
Source: WinBeta

Xii

How can I trust a Microsoft employee? Think he might be biased?

Dom

He's got a point with the file mirrors, though that's probably because Mozilla doesn't have millions of dollars to spend on file servers. Firefox is open source; part of The Mozilla Organization, not part of a multi-trillion dollar corporation that produces more over-priced, under-developed software than it does software that can't be beat by open source programs. The mere fact that Microsoft and its employees even give Firefox any regard shows their true concern. Not concern for your PC's safety, but for your money not going to them.

I have purposely accessed a Web-site that I knew contained spyware, adware and malware with both IE 6 SP2 (with security levels at their default levels) and with Firefox (also default security settings). When I used IE my computer instantly became infected with all of the above mention malicious software. After cleaning up the mess of over 100 entires with Ad-Aware and restarting, I then tried the same site with Firefox and was infected by fewer than 12 entires. Amazing.

kelston

That's interesting. I'm on IE SP2 at default settings, except I turned off the IE Bar that blocks more stuff, and the only thing I've gotten infected by between SP2's release and this second is WildTangent, which I chose to install.

Not even a tracker cookie shows up as being present. How's that work?

After all, i'm a college student and porn is good.

kalx

Excelent article , though biased at least someone else has somit to say apart from a bunch of loosers who before now had prodly never even heard of open source.

__________________
--------------------------------------------------->
AMD FX51 / 2x OCZ 400 mhz 512MB DDR /ATi Radeon X800pro /19 inch DVI
-
-
-
-
-
-
---------------------------------------------------->

Xii

There's a discussion with over 1400 +3 mod comments on slashdot : http://slashdot.org/article.pl?sid=0...&tid=113&tid=1

Spyro124

Buy a G5 Mac with a double button mouse and you'll be safe for a while

__________________
My Computer stats:

AMD64 3200+
Asus A8V Deluxe
PNY 6800 GT
2x 512MB Kingston Value Ram pc3200
1x 60GB WD and 1x 74 Gig WD Raptor
Dell 1704FP TFT

PoopyTheJ

Signed ActiveX? Mozilla doesn't download signed or unsigned activeX, it's just not used at all, thats like arguing the merits of Leaving your door unlocked but leaving a note asking everyone that comes in to leave ID, or just locking the door... idiotic comparison....

__________________

Dom

kelston

I'll just quote one of the Slashdot replies for your apparent FireFox bandwagon post.

"Did you even read the freaking article? The author didn't say "Don't use firefox, they encourage bad behavior." He had legitimate points. If firefox wants to sell security, they need to appear secure. Not having the installed signed isn't a good marketing tactic." - Enrico Pulatzo

The point of the article is, how the heck do you know the FireFox you installed - like lemmings walk off cliffs - isn't malware in and of itself?

It's open source, it's unsigned, it's from some random website. It's just called FireFox and you trust it. Why? Because it's "cool" to run anything that isn't Microsoft just because it isn't Microsoft. That's dumb.

That's sort of like looking at three doors, one marked shotgun trap by Microsoft, one marked not a trap by Microsoft, and one marked Not Microsoft, and choosing Not Microsoft for no legitimate reason. Maybe it's a butcher knife trap surrounded by pretty butterflies and fluffy bunnies by psycho butcher. Hey and guess what? You're screwed because you have a butcher knife in the face.

PoopyTheJ

__________________

PoopyTheJ

It's fairly easy to make sure you've got what you wanted using firefox or ie, just because Firefox and the GNU community in general are not hopping on the DRM train doesn't mean there's a problem with the download. A Verisign certificate is worth as much as the paper it's printed on, oh wait you say it's not printed, well that's how much it's worth, if you really want to make sure something is what you want you're gonna have to compare md5 hashes or go look it up same as always. Is any browser "secure" not particularly if the person on the other end really wants to get it, is it more secure just by the exclusion of ActiveX controls? Leaps and bounds my friend leaps and bounds, it is too bad the firefox community doesn't have their own host to host the 12th million download of their software I agree, however I guess we'll just keep using mirrors like the drivers/applications of the rest of the smaller development community....

__________________

kelston

I'm still with Zardon on the whole, FireFox is bs theory.

If you hate ActiveX, turn it off, it's there as an option anyway. If your problem was with ActiveX, turning it off achieves the same thing as getting an alternative and you don't have to give up proprietary Microsoft filters like drop shadows.

Open source/GNU is good on paper. The problem with it is that anyone can do anything they want with it and sell it as the original. Maybe Verisign means nothing, but Verisign + MD5 means more than MD5 hashes alone since an attacker could simply replace the file with his own file's MD5 sum.

Some GNU/Open Source projects give you some semblance of security in downloading the files. Sourceforge has a list of mirrors so you could at least trust it more than seeing some random Bumpkinville University hosting the file.

There aren't 10 million, 12 million, 500 billion FireFox downloads because FireFox is safer. There's however many there are because it's "Not Microsoft". After all, i'd wager more than half of these dudes didn't know squat about open source before the whole FireFox scene became popular. Computer scenesters.

PoopyTheJ

I'll agree with you that open source doesn't = more secure just by the fact of it being open. However, I'd say open source makes you more aware of security issues, you've got to think more about what you are doing because it can give you more control, sometimes at the expense of ease of use..... Linux for example is like using a hole hawg drill, really powerful and dangerous unless you know what you're doing....IE made some nice strides with sp2, however it's still using code from 5 yrs ago and patching holes opened by previous patches, there's no innovation in ie nor are we likely to see any in the near future and unless you're using XP the benefits of SP2 are not there for you and you're stuck with VERY insecure browsing if you stick with MS. Firefox and Opera are awesome, I definitely prefer them over IE, and have been using one or the other for probably 3 yrs now, and can't use IE except when I'm forced to... and disabling activex works so long as the site isn't trying something sneaky like getting into administrator priveliges on your box, which is way easier with IE than an alternative, hell MS still hasn't fixed the damn DSO exploit for however long it's been going on...

__________________

zerodamage

Interesting. This proves to me that MS actually see's Firefox as a threat. The problem isn't only ActiveX. It is the entire IE browser and how it handles BHO's. 98% of my customer's are infected with spyware. Much of it is people voluntarily installing these search bars and junk. You get one and then you get more and more. It doesn't help that AOL advertises their anti-spyware crap that does absolutely NOTHING. I cleaned up a computer 2 days ago with over 1500 spyware detections and that AOL POS was on there doing nothing. AIM installs Viewpoint and other spyware now. Yahoo's spyware "detecting" toolbar does nothing.

The biggest problem is education or that lack there of, that and law enforcement. The law is doing nothing about these companies. These states keep making laws, and all the while this is costing customers millions if not billions each year.

The average user doesn't know how to turn off ActiveX in IE.

Nuke209

I think people should just be more smarter nowadays...
Being an average joe and using a computer isn't gonna cut it anymore
You gotta read things thoroughly and know how to use it
I mean, not everyone knows how but they should start learning more and more
I remember working at bestbuy and almost every customer would complain on how their computer is slow and they need a new one or need it fixed
the ones that needed a new one had money, comp isn't that old, and full of spywares and stuff
same with those who needed it repaired
People click yes on this and that, and don't know what's going on.

I dislike firefox, lol, but dont mind using it, but still, I dont get spyware on my comp, I check it every now and then and becareful on what i click and do read what's going on
If i dont know what's going on, I google it, lol, and usually see if it's safe or not.

__________________
2006 Subaru Impreza WRX

Sargentwhitey

Meh... all I say is people can use what they wish.. they're just missing out/leaving themself more open to such malware using other such browsers.

__________________

Mobile:Intel Celeron M 1.5GHz, 40GB WD, 1GB PC24000, Intel Mediocre Graphics 2, SB Audigy 2 Notebook

PangingJr

it seems that every blogs in the world are linking to this article and there are a lot of very good comments, suggestions, viewpoints and thoughts all over.
everybody believes in something and i guess, this depends upon what's your or are thay evidence about this.

--

"In God we trust, all others we virus scan." ~Author Unknown

kalx

Lets face it firefox may win this round but ms will destroy it like they have done to every other bit of competition with in the last 5 years.

Prepare to be asimilated

__________________
--------------------------------------------------->
AMD FX51 / 2x OCZ 400 mhz 512MB DDR /ATi Radeon X800pro /19 inch DVI
-
-
-
-
-
-
---------------------------------------------------->