How can I trust Firefox?


[Fixed issues with images; sorry]

[Removed the clear=all problem; thanks for pointing it out]

[Added a follow-up post here]

Recently, a lot of volunteers donated money to the Firefox project to pay for a two-page advert in the New York Times.

If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

Let me explain…

One of the many criticisms of Internet Explorer is that customers are fooled into downloading spyware or adware on to their computers. This is indeed a legitimate problem, and one of the ways you can reduce the risks of getting unwanted software on your machine is to only accept digitally signed software from vendors that you trust. Every time you download a random piece of software from a random location, you’re taking your chances with your PC and all the information stored on it. You wouldn’t take candy from strangers, would you?

In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed, and it will suggest that you do not install any unsigned programs that you might try to download. Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn’t mean it isn’t nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software).

So what happens when a typical user decides it’s time to download Firefox and enjoy the secure browsing experience that it has to offer? Well, sit back, relax, and let me take you on a journey.

First of all, I went to the advertised www.getfirefox.com, and was redirected to the real page at www.mozilla.org/products/firefox/.
From there I easily located the download link, and clicking on it gave me the following dialog:

Download Firefox image

Hmmmm, wait a minute. I went to www.getfirefox.com, not mirror.sg.depaul.edu. I don’t have any idea where that place is, and it sure makes me nervous. IE has informed me that “If you do not trust the source, do not run or save this software.”

Do I really trust a bunch of kids at some random university I’ve never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!

But being a brave soul (and not caring if my Virtual PC image dies a horrible death) I click Run. A few seconds later, I get the following dialog:

Picture of unsigned Firefox executable warning

What?

Not only does this software come from a completely random university server, but I have no way of checking if it is the authentic Firefox install or some maliciously altered copy. (I sure hope those 10 million people who have downloaded Firefox so far haven’t all downloaded backdoors into their system…). Since “You should only run software from publishers you trust” and since the publisher cannot be verified, I should click Don’t Run (which is, thankfully, the default).

But, again, being a brave soul I click Run.

I am then greeted with this dialog:

Picture of random setup dialog

Oops, my network connection died. But still… that kind of unintelligible dialog doesn’t do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?

Forging blindly ahead, I download the software again (this time coming from — I kid you not! — a numeric IP address, the bastion of spammers and phishers and all manner of other digital rogues) and run the installer. This time things are actually looking good:

·Installer runs fine

·I accept the defaults

·Firefox starts

·It asks if I want to make it the default browser; no thanks

·I get this dialog (seriously):

Picture of blank Message Box (not even a title bar)

Hmmm, a completely blank MessageBox. Well, OK is the default choice, so I guess I should accept that. No idea what it will do to my system though.

My confidence in this software is growing in leaps and bounds.

I decide to reboot the VPC just in case that dialog was trying to tell me something important. After rebooting, I boot up Firefox and it seems to be working fine.

I decide to install some extensions because, hey, everyone on Slashdot loves them so much. I browse to the extensions page and decide that the Amazon.com Sidebar sounds cool (I love Amazon, and Amazon loves my credit card). Clicking on the link brings up this dialog:

Picture of Firefox Extension Install dialog

It dutifully tells me the extension isn’t signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?

(Just so I don’t get inundated with comments about this, Firefox does disable the Install button for a couple of seconds when the dialog is first displayed, but by the time I had finished reading the text in the dialog it was enabled and ready to go).

Next, I want to go somewhere that uses Flash (heh, coz we all know I love Flash!). I’ll try the Ocean’s 12 official web site, www.oceanstwelve.net, which detects that Flash isn’t installed and gives me a link to install it. Clicking on the link, I get taken to the Macromedia page, where I can download Flash. Firefox prevents me from running the executable straight away, and forces me to save it to disk. That’s probably a good move for most users, although personally I tend to click Run inside IE because I know it will warn me about unsigned programs. Nevertheless, it is but a minor speed bump on the way to malware infection, as we shall see in the next step.

Once the file is saved, I can open it from the little downloads dialog that pops up. The problem is, there is no indication as to whether or not the file is digitally signed; I just get the usual “This could be a virus; do you want to run it anyway?” dialog. But without any evidence to base my trust decision on (where it came from, who the publisher was, etc.), what should I do? Of course, the right thing to do would be to delete the file and never install Flash, but I really want to install it so I guess I have to go ahead and run the thing.

What’s really frightening though is that there is a “Don’t ask me again” option in this dialog… which means that if you check the box you could end up running any old garbage on your system without so much as a single warning. Doesn’t sound so secure to me…

So anyway, Flash installs and I can view the Ocean’s 12 website OK. But now what if there’s a security bug found in Flash and I want to disable it? With Internet Explorer, I can simply set the Internet Zone to “High” security mode (to block all ActiveX controls), or I could go to the Tools -> Manage Add-Ons dialog if I just wanted to disable Flash until an update was available. How do I disable Flash inside Firefox? Good question. I don’t see any menu items or Tools -> Options settings, the Tools -> Extensions dialog doesn’t help, and Flash isn’t even listed in Add / Remove Programs.

According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content. Ho-hum. The first download mirror that the page sent me to gave a 403: Forbidden error; luckily the second mirror worked OK and, once again playing digital Russian Roulette, I installed the extension and rebooted Firefox twice (yes twice) as instructed to install it. To be fair, the extension is pretty cool, but that’s not the point: How do I know I didn’t just install some terrible malware from a compromised web server? Who owns xmundo.net anyway, and can their admins be trusted? And what if I accidentally browsed to some site hosting a malicious Flash movie whilst trying to download the extension?

(Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer any more.)

To continue my benevolent fairness, I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn’t currently have any unpatched security vulnerabilities talked about in the press doesn’t mean they don’t exist (Secunia currently lists three unpatched vulnerabilities, for example).

Mozilla has had its share of security vulnerabilities in the past (just as IE has), and — despite what the open source folk might say — Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It’s just something you should be aware of. Just because you don’t see any unpatched security bugs in Bugzilla doesn’t mean they don’t exist, either.

But the thing that makes me really not trust the browser is that it doesn’t matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions.

·Installing Firefox requires downloading an unsigned binary from a random web server

·Installing unsigned extensions is the default action in the Extensions dialog

·There is no way to check the signature on downloaded program files

·There is no obvious way to turn off plug-ins once they are installed

·There is an easy way to bypass the “This might be a virus” dialog

This is what the “Secure Deployment” part of Microsoft’s SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.

I personally don’t care if people choose to run Firefox or Linux or any other software on their computers — it’s their computer, after all — but we’ll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.

So, at this point in time, installing (and using) Firefox encourages exactly the sort of behaviour we are trying to steer people away from, and to me that makes it part of the problem, not the solution.

(Thanks to Mike and Robert and the other folk who gave this a once-over before posting; any errors are still mine though ;-) ).

Comments (1,408)

  1. some guy says:

    well, reading this blog post in IE isn’t much better – I can’t see any of the images you’re supposedly referencing. Maybe it’s a problem with your blogging tool?

  2. vj says:

    Can’t see dialog pics.

  3. G. Man says:

    I love the smell of a flame war in the morning.

  4. "Note that this is not a bad thing;"

    When did security by obscurity become a good thing? Someone will always find security holes and exploit them. I believe in full disclosure and informing the users about the flaws in the software they are using.

    I prefer vendors telling me about their security holes and giving me patches, rather than trying to cover things up behaving as if nothing were the matter…

  5. Charles Chen says:

    As with all software, you’re only safe until someone decides they want to use it as a backdoor entry point. It’s only a matter of time before people realize that FF is just as insecure as IE. This will occur naturally as the number of users switch to FF, ironically, to avoid the security flaws on IE.

    I remember a discussion I had in my software engineering class senior year regarding OSS. My argument basically amounted to using the analogy that OSS represents a big security hole since it’s essentially a blueprint to your vault (unless you have modified the original source and made it more secure). The counter argument was that since it was OSS, the bugs would be caught faster by "enthusiasts" and user groups and thus fixed faster. Well, that’s dependent on three factors:

    1. Do you trust these "enthusiasts"? I know that a lot of them are well educated, PhD-wielding, CS gurus. But I also know that there are a bunch of incompetent/untrustworthy individuals as well.

    2. Do you trust that all bugs will be reported by the people that find them instead of being exploited?

    3. Do you trust all users to immediately get the new, patched source/binaries?

  6. Charles Chen says:

    With my previous comment out of the way (sorry, thought of this later), I do like FF for two reasons:

    1. DOM explorer

    2. Javascript Console

    3. Better standards compliance

    These three, combined, make it a DHTML/Web UI developers *dream* to work with.

  7. Nic Wise says:

    Excellent article. I never thought about it when installing FF, tho I DO think about those kind of things when using IE. Go figure.

    (that said, I use both for very different, specific reasons. Add tabs, opening a list of bookmarks in tabs, and put popup blocking in the IE6 on Win2K3, and I’m set)

    :)

    Cheers

  8. murphee says:

    If you want to make sure that you get a clean, Mozilla approved Firefox, you *can* do that: go to

    http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0/

    (reachable via the download section on the Firefox and Mozilla websites). This allows you to download the Firefox versions for your locale and OS.

    And: it offers 3 ways of ensuring that the binary you get is the one published by mozilla

    – MD5 Sums of all binaries

    – SHA1 Sums (if you don’t trust MD5)

    – GnuPG/PGP signatures for each binary;

    So: you *can* check the validity of your Firefox binary.

    BTW: "getting a VeriSign Code Signing cert" is just as safe as these solutions (It’s not like a malicious attacker can’t obtain a Verisign cert. It’s not like any end user even knows what a cert is… so they surely can’t decide whether it’s right or not).
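    The check murphee describes, verifying a downloaded installer against the published MD5 or SHA1 sums, is shown below as an added example; it is not code from the post, from murphee, or from the Mozilla project. It assumes the sums listing uses the `<hex digest>  <filename>` layout that `md5sum`/`sha1sum` write (two spaces in text mode, space plus `*` in binary mode); the exact file names and path prefixes in Mozilla’s real listings are not reproduced, and the installer bytes and sums listing in `demo()` are constructed sample data. The digest algorithm is picked from the hex length, so one parser handles MD5, SHA1 and SHA-256 listings, which goes beyond the two algorithms murphee names.

```python
import hashlib
import hmac
import os
import tempfile

# md5sum, sha1sum and sha256sum all emit "<hex>  <filename>" lines, so the
# digest length alone tells us which algorithm produced the listing.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_CHARS = set("0123456789abcdefABCDEF")


def parse_sums(text):
    """Parse a md5sum/sha1sum-style listing into {filename: (algo, hexdigest)}.

    Accepts text-mode ("<hex>  name") and binary-mode ("<hex> *name") lines;
    blank lines and '#' comments are skipped. Malformed digests raise ValueError
    rather than being silently ignored, so a corrupted listing cannot pass.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the second separator character
        algo = DIGEST_ALGOS.get(len(digest))
        if algo is None or not set(digest) <= HEX_CHARS:
            raise ValueError(f"unrecognised digest on line: {raw!r}")
        entries[name] = (algo, digest.lower())
    return entries


def file_digest(path, algo, chunk=1 << 16):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, sums_text, listed_name=None):
    """Return (ok, reason).

    ok is True only when the file's digest equals the listing entry for
    listed_name (default: the file's basename). A file that is not listed
    is reported as unverifiable, not as verified.
    """
    entries = parse_sums(sums_text)
    name = listed_name or os.path.basename(path)
    if name not in entries:
        return False, f"{name} is not listed in the sums file"
    algo, expected = entries[name]
    actual = file_digest(path, algo)
    # constant-time comparison; cheap insurance against timing side channels
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: expected {expected}, got {actual}"
    return True, f"{algo} matches for {name}"


def demo():
    """Run the verifier over constructed sample files (not real Firefox bits)."""
    payload = b"constructed sample bytes standing in for an installer\n"
    sums = (
        f"{hashlib.sha1(payload).hexdigest()}  Firefox Setup 1.0.exe\n"
        f"{hashlib.md5(payload).hexdigest()} *firefox-1.0.tar.gz\n"
    )
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "Firefox Setup 1.0.exe")
        tgz = os.path.join(d, "firefox-1.0.tar.gz")
        bad = os.path.join(d, "tampered.exe")
        for p in (exe, tgz):
            with open(p, "wb") as f:
                f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload.replace(b"sample", b"SAMPLE"))  # altered copy
        results["sha1_good"] = verify_download(exe, sums)
        results["md5_good"] = verify_download(tgz, sums)
        # an altered copy offered under the listed name must fail
        results["tampered"] = verify_download(bad, sums, listed_name="Firefox Setup 1.0.exe")
        # a file absent from the listing cannot be verified at all
        results["unlisted"] = verify_download(bad, sums)
    return results


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:10} {'OK ' if ok else 'BAD'} {why}")
```

    The sums file only helps if it was fetched from a source you already trust (the SSL-protected project site, or a listing whose GnuPG signature you have checked); a digest copied from the same mirror as the binary proves nothing, since whoever altered the binary could alter the listing too.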

  9. Peter Torr says:

    Charles — you have a buffer overflow there! You only allocated enough space for two reasons, but tried to stuff three into it ;-)

  10. Peter Torr says:

    murphee — thanks for the link; did the NYT ad tell people what SHA1 sums were and how to use them to verify the correctness of their download? (And if it did… did anyone understand?)

  11. About that unsigned amazon toolbar pkg, I had nothing but trouble getting firefox to recognize my signed xpi’s. I’ve got latest tools and everything (proof, it detects the signature and works in Netscape 7), but something’s amiss in FireFox-land. That’s why our website will detect firefox and offer the unsigned version when we roll out…

    Help or follow-up to my e-mail…

    -Michael Scholz

  12. Peter Torr says:

    Marcus — to each his own. There are strong arguments both for and against Full Disclosure, but I think I’ll stick to one controversial blog a day, thankyou very much ;-)

  13. You made some good points…

    However. One of the dialogs that popped up indicates a problem with 7-zip, not with Firefox. Perhaps the problem is that the entire download did not complete… which isn’t really a problem with Firefox.

    Another point is the dialog box with the empty message. I have seen this problem before and it had to do with bugs in McAfee’s overflow detection. This bug should be fixed in an updated version of VirusScan.

    There are ways to verify the authenticity of a downloaded executable besides buying a trusted certificate from Verisign. They could post the hash information on a website (with an SSL certificate) which you could verify against. (This is admittedly less convenient).

    Many Linux package deployment programs verify against trusted hashes, etc.

    It is important to point out that extremely respected security analysts such as Bruce Schneier recommend against using Internet Explorer, Period.

    Firefox is often cited as a good alternative.

    So if I combine your advice with Bruce Schneier’s, it boils down to:

    1. Be diligent when downloading Firefox to ensure you are getting it from the right source.

    2. Do not use any untrusted plugins.

    3. Do not use IE except when absolutely necessary to download your initial copy of Firefox.

  14. Colin Ramsay says:

    Charles Chen says:

    "1. Do you trust these "enthusiasts"? I know that a lot of them are well educated, Phd wielding, CS gurus. But I also know that there are a bunch of incompetent/untrustworthy individuals as well.

    2. Do you trust that all bugs will be reported by the people that find them instead of being exploited?

    3. Do you trust all users to immediately get the new, patched source/binaries? "

    —–

    1. Peer review is an important process within Open Source. In Mozilla projects, nothing gets checked in without a review and superreview from project leaders.

    2. The source is fully open and the program is used by millions. The chances that a bug will be found by a single person are minute.

    3. Firefox includes an auto-update mechanism to ensure users are patched at all times.

    Really, if you are going to criticise, please do some research first.

  15. Gabe A. says:

    I download software from websites I trust. Having a box telling me that the software is signed doesn’t mean jack to me.

    The reason I stopped using IE was because Firefox gives me simplicity and control. I no longer have to worry about security zones, popups, irritating animated banners and flash controls. I don’t have to worry about spyware activex controls and BSO’s taking over my computer. I don’t have to worry about deleting my browsing history and finding out that it wasn’t actually deleted. I feel more at ease working with software that follows and supports public standards.

    But most importantly, I like the underdog. ;-)

    First, nobody except big companies that can afford it get a Verisign security certificate and thus users already ignore the “Are you sure? This isn’t signed.” dialog boxes.

    Second, Just because Verisign trusts the certificate, I never said I trusted it nor did I ever say I trust Verisign to make these decisions for me.

    The 7-zip: Unspecified Error issue has been reported to both Mozilla and 7-zip. It is caused by a corrupt download.

    The download location is not random. It is limited to those in the DNS roundrobin of mirrors.

    Mozilla extensions can be signed and people have done so in the past.

    As for the issues you bring up, they are valid in general. If you come up with a solution, nothing prevents you from filing a bug and patch on the issue.

    Don’t complain about problems, solve them.

  17. rcme says:

    Great post Peter,

    I agree completely with your assessment. The web would be a much better (and trusted) place if people learned the basic security precautions that you outline about basic application installation.

    Working in information security for many years now, I personally don’t install any unsigned plug-ins, etc. I closely review any application that isn’t code signed, even those that come on CD. If the publisher can’t be bothered with simple code signing, then where else did they take shortcuts that will compromise the application. I haven’t looked at FireFox yet, but if the install is as insecure as your description, I would never install it!

    I think the use of the term "security" is many times over generalized, as to be almost meaningless in some cases. If FireFox is stating they are "more secure", just what exactly does that mean, or is it just hollow marketing speak? With FireFox promoting this insecure application installation from the get-go, you have to seriously question how well they did on the rest of the security in the application.

    Based on the feedback here, and what I have read about FireFox in other places, it seems to be more a browser for "geeks" and not really for consumers. What average user needs a DOM explorer or a Javascript console? This looks like just another application built by software developers for software developers.

    I agree with the comment that most people that read that advert in NYT aren’t going to have a clue about verifying a digest value or even using PGP. Even among the security professionals I know, PGP is still more a novelty, opposed to an everyday trust verification tool. At least with Code Signing, there are easily accessible tools built-in to verify signatures so that one can have a level of trust in the computer. However, in the end, until the OS flat-out refuses to install any application, plug-in, etc. that is not code signed (with no ability to override), we will continue to have trust problems.

    – rcme

  18. ·Installing Firefox requires downloading an unsigned binary from a random web server

    It’s not a "random web server", it’s a mirror selected by the Firefox web site. If you can’t trust this mirror, then you shouldn’t trust the original site: the chain of references is direct and explicit, the only way this could be a dangerous action is if the Firefox site itself is compromised, and if that happens all bets are off.

    The whole "signed binary" mechanism is a Windows-specific response to a fundamental design flaw in the way Internet Explorer and Windows Explorer are built over the same HTML control with rights assigned based on the "security zone" of the object rather than based on the path and origin of the object. No other browser provides a mechanism to trust files from "random web servers" without an explicit user action, and thus doesn’t need to depend on certificates the way IE does.

    ·Installing unsigned extensions is the default action in the Extensions dialog

    Only if they’re downloaded directly from the Mozilla website. Anywhere else (including a mirror), and it pops up a bar that informs you you’re installing an extension from an unknown site.

    ·There is no way to check the signature on downloaded program files

    See above.

    ·There is no obvious way to turn off plug-ins once they are installed

    Tools -> Extensions.

    ·There is an easy way to bypass the "This might be a virus" dialog

    The only reason this kind of dialog is important for IE is that it’s the only human confirmation between the browser and launching a program. Firefox doesn’t launch installers automatically, you have to explicitly select and open them.

    This is no different from saving to your desktop and then double-clicking on the icon there.

    "According to Google, I have to download yet another unsigned extension to enable the blocking of Flash content."

    The Flashblock extension doesn’t just "block flash content", it allows you to interactively enable flash applets on a case-by-case basis. It’s unrelated to deleting the plugin.

    "How do I know I didn’t just install some terrible malware from a compromised web server?"

    Same way you know you didn’t download some terrible *signed* malware that you might get from some external website. You follow a chain of delegation from a site you trust.

    Just because a component is signed doesn’t mean it’s secure. All it means is that there’s a good chance that, if it does turn out to be a trojan horse, you have a better chance of tracing it back to someone who bought a certificate.

    Secondarily, a signed plugin or applet (say, Macromedia Flash itself) may have security flaws. Being able to track down the source of the program doesn’t help if the exposure was inadvertent.

    Basically, the way Microsoft uses signatures is not good security practice, it’s part of a long-running contest between Microsoft and Microsoft’s original flawed design for desktop-browser integration. Switching from a browser that requires signatures to one that doesn’t need to trust content from untrusted sources to do its job, well, that wins you so much more.

    And, of course, Firefox can easily add requirements for signatures if it becomes necessary. Microsoft can only fix IE by redesigning dozens of their own applications (Outlook, Windows Explorer, Windows Update, …) and breaking compatibility for a huge percentage of the applications out there.

    "Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users."

    Most don’t stay hidden very long. I’ve submitted a security bug, and shortly afterwards it was "unhidden" because it wasn’t considered something that could lead to untrusted code execution. Similar bugs reported to Microsoft vanish into the ether.

    "But just because it doesn’t currently have any unpatched security vulnerabilities talked about in the press doesn’t mean they don’t exist"

    The difference between Firefox and IE is that Firefox doesn’t have a deep design flaw that has remained unfixed for seven years because it can’t be fixed without changing the API and causing the publisher loss of face.

    I may seem excessively harsh on Microsoft here, but back before the flood of exploits and viruses I was responsible for the conversion of our users from X-terminals (thin clients) to Windows desktops. In the process of this I evaluated Outlook and IE for our division, and I rejected them. It was obvious to me, even back then, that there were huge security issues inherent in using the same component for the desktop and the browser, and while it could have been done safely (say, by having the HTML component contain no internet access, plugin, or application launch mechanism… having it call back to the parent applications exclusively for content) Microsoft’s design was inherently almost impossible to implement safely.

    I didn’t know what the failure mode would be… this was back before Melissa… but I knew it would be spectacular. And, of course, it was.

    What really bothers me is that Microsoft, rather than backing away and launching a reliable design, has spent the past seven years trying to shore up ‘security zones’ to limit the damage… and failing. I see no prospect that they will ever find a solution to the general problem, OR back out of the flawed design.

    And *that*, in the end, is why you’re better off trusting almost any browser that doesn’t use the Microsoft HTML control. Its own problems are unlikely to be as long-lasting and hard to resolve.

  19. Mike Dimmick says:

    I posted about this back in July. That post was based on v0.9, IIRC, but a lot of it’s still relevant.

    http://mikedimmick.blogspot.com/2004/07/techworldcom-browser-rival-to-activex.html

    As I recall, v1.0 now has an information bar clone which pops up when you click an XPInstall link. This allows you to select which sites you want to be able to start plug-in downloads. Unfortunately it’s not single-shot like IE’s.

    I’m sticking with IE too. It’s a known quantity. Firefox is an unknown quantity and without any form of formal prerelease testing, I don’t trust it (same for any other non-trivial OSS without formal testing, like Linux).

  20. Anon says:

    If you want tabbed browsing, but don’t like FireFox, try AvantBrowser (www.avantbrowser.com)

    suits me just fine

  21. G DAWG says:

    This page doesn’t even render correctly in Firefox. Half the article is scrolled way down – you wouldn’t even know it is there!! what the…..

  22. AC says:

    firefox is teh rox! sux0r

    -AC

  23. Nathan Lanyon says:

    Heh, nice comments about security certs there, considering there was for quite some time (Still is?) a security vulnerability in IE where a malicious website owner could spoof Microsoft’s certificate. The Advisory stated the workaround was to not permanently trust Microsoft’s certificate and try to judge installs on a case by case basis. Making them… pretty much useless. I also like the way you try to blame an unintelligible dialogue in 7-zip on firefox as well! Don’t get me wrong, 7-zip is a great though often terse program, but it has NOTHING to do with firefox.

  24. Microsoft’s Peter Torr invites a flame war with his essay, How can I trust Firefox? He walks through the installation and configuration process with Firefox and determines that it reinforces some particularly bad habits for users. He concludes: I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn’t currently have any unpatched security vulnerabilities talked about in the press doesn’t mean they don’t exist (Secunia currently lists three unpatched vulnerabilities, for example). Mozilla has had its share of security vulnerabilities in the past (just as IE has), and — despite what the open source folk might say — Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It’s just something you should be aware of. Just because you don’t see any unpatched security bugs in Bugzilla doesn’t mean they don’t exist, either. But the thing that makes me really not…

  25. ClickStart says:

    I spend most of my time in the Computer Industry removing spyware/adware from home users and business users who don’t understand anything about security. That is the way the industry is. THE ABSOLUTE most effective solution I have found to date, is to disable internet explorer, install Firefox, install Spyware Blaster, install Spybot Search and Destroy (tea timer).

    Since performing these actions on hundreds of clients’ computers I have not had ONE (Not even a little one) of those clients ever have a problem with spyware/adware.

    Btw, didn’t your mother teach you to always save to disk instead of running files from the online location! tut tut!

  26. Jim says:

    GDawg: This page doesn’t even render correctly in Firefox. Half the article is scrolled way down – you wouldn’t even know it is there!! what the…..

    http://validator.w3.org/check?verbose=1&uri=http%3A//blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

  27. Fred says:

    The war of operating systems’ security is restarted; the war of browsers’ security is restarted; the war of security seen as lines of codes is also restarted; There is the situation in the last days; there are some of my thoughts on the subject; take this post as a trackback:

    http://radio.weblogs.com/0140770/2004/12/20.html

  28. Steve Jezek says:

    Well I certainly don’t miss the automagically changed home page, unrequested added toolbars, flurry of popups, and self installed spyware that I was plagued with when I used IE. Microsoft has had 9 years to prove whether they know how to handle network security correctly (I figure MS didn’t really have a networked machine until August 1995) and have thus far failed. I’m quite willing to give Mozilla the next 9 years to prove themselves one way or another.

    Yeah – I know – "Wait until the next version. It’ll be awesome. Honest." (c) 1972-2005 Microsoft, Inc.

  29. How do I trust Verisign? I mean I seem to recall quite a few stolen keys being released in the past. You want security. Use a VM like you did. Don’t allow the user to install anything. Without doing a su or RunAs. Oh wait I forgot…..Windows XP wants you to be Administrator by default.

  30. HydraPheetz says:

    Congratulations, you just started a flamewar. >:(

  31. abhi says:

    this guy obviously does not understand that if one approaches something from a very narrow convoluted worldview people are instantly going to recognize that he’s unsuitable to take advice from.

    let’s get this straight – he doesn’t trust a bunch of kids at a school putting out software.

    However he’ll trust a bunch of execs at a major corporation.

    hahahaha

    your narrowmindedness is exceeded only by your narrowmindedness

  32. unfunk says:

    "Firefox is an unknown quantity and without any form of formal prerelease testing, I don’t trust it"

    no prerelease testing? How long was it available in beta form? at least two years.

    At least I know that if Firefox crashes, it won’t take Windows with it.

  33. Will Smith says:

    As a lover of open source and a lover of Firefox, I’d like to say thanks for your helpful suggestions. I hope Firefox will take them on board.

    I apologize for all the reactionaries who may mistakenly flame you.

    Will Smith

  34. Jason says:

    Bias anyone? Sorry, but Firefox is not meant for complete idiots. IE has had this great security policy for how long? About a month? Only after years of screwing people and their computers over and strong-arming its way into the marketplace.

  35. pete says:

    if it’s a choice between possibly downloading a copy of FireFox one time which may be trojaned, which i can check by comparing MD5sums after i download, or using IE and being infected with a new piece of spyware every 5 days, i choose to take the 1-time risk of Firefox.

    and by the way, on the whole, mirrors have a very good security track record. only very few times has an application been found to be trojaned on a mirror, and checking the MD5 or PGP signature usually prevents the trojaned software from even getting installed.

  36. Nick says:

    "Of course, just because a piece of software is signed (or you have the MD5 hashes for it) doesn’t mean it isn’t nasty; it just provides some evidence you can use to make a trust decision about the software (in logical terms, it is a necessary but not sufficient condition for trusting software)."

    You failed logic class, didn’t you? No, that is not a translation in logical terms, unless you honestly believe every piece of software without a signature will do bad things to your computer, or at the very least you honestly believe that there is no way one can trust a piece of software without a signature. Necessary does not "provides some evidence" about something, in logical terms it is a conditional.

  37. blog.msdn? says:

    How do I trust Verisign?

  38. anonymous says:

    Do you realise that ALL ur errors did come from all the third-party software u have installed? Next time, to be real, try on a blank install, with no buggy AV or other thing interacting.

    On code signing, the Mozilla project is open source and committed in its politics too, and the last thing the project will do is to invest into stupid code signing whereas the good old unix md5, sha-1 and gpg signing are as reliable if not more (you have 3 unique ways to check your binary).

    Take it or leave it.

  39. Hal Vaughan says:

    Bottom Line:

    Microsoft has had almost a decade and millions of dollars to make IE work perfectly. They haven’t touched it for years. Oh, they have? That’s right — they have to keep creating security updates, and even with that, IE is still unsafe, and it is possible for malicious code to easily do something as nasty as taking over a user’s computer and erasing all the drives. I have had to fix Windows systems that were literally slowed to a halt because of spyware — all installed by malicious code, without the user’s permission. You can use any terms you want, you can say any thing about Firefox you want to.

    The bottom line is that for years IE has been proven insecure, and MS has not EVER effectively made it safe. Firefox, by simple design, includes a sandbox that keeps your computer safe — something MS, with billions of dollars and years of time to code, has NEVER been WILLING to do.

    Oh, and the latest MS solution to security, if you’re not running XP SP2? Buy a new computer. Who, besides a MS employee, or someone trained by them, would consider that safe?

  40. You sir, Peter Torr, are a tool! You REALLY need to take the time you spent analyzing Firefox, and do the EXACT same thing with ALL MS software prior to XP SP2. IE only gained its current level of security as a result of SP2 which has taken HOW many years to reach this level? Think about it.

  41. rel4x says:

    Take a look: http://it.slashdot.org/article.pl?sid=04/12/21/0038235&tid=172&tid=154&tid=109&tid=113&tid=1

    Your very own Slashdot thread…

    on a side note, I wouldn’t trust Verisign with a plastic spoon.

  42. Demiurge says:

    To run Internet Explorer, I must trust that Microsoft won’t do something bad to me via their software.

    To run Firefox, I must trust that the Mozilla Foundation won’t do something bad to me via their software.

    So far, the Mozilla Foundation has had a much better track record for bug fixes and holes than Microsoft has.

  43. Brian Downey says:

    The solution is perfectly obvious. Entice an acquaintance to download and install everything before you; then get the binaries from him or her once you have determined everything to be safe and sound.

    Everyone needs a guinea pig. A naive co-worker, gullible little brother, perhaps one of your elderly parents if you’re the ungrateful type. But regardless, the result is the same: Better them than you!

    In fact, I don’t trust this webpage.. it’s running asp.net. I’m outta here.

  44. Keith says:

    I never heard of Firefox until this blog.

    I installed it and like it better than Internet Explorer now.

    Thanks for the tip guys. I’ll make sure to tell everyone about Firefox now.

  45. Rob Davy says:

    4 Words – Lesser Of Two Evils

    At least you have to actively choose to install things with Firefox, instead of bugs in IE allowing anyone to install things

  46. Gothmolly says:

    When it’s filled with ridiculous bugs that MS admits that it will not fix? When simply opening up the home page of some Internet sites automatically installs spyware? When you can download, install, and RUN a virus, merely by sliding a scrollbar?

    I’m sorry, I’m not drinking your Koolaid, and less and less people are these days, thank $DEITY.

  47. Colin Day says:

    How can I trust Firefox? Because it came with SUSE 9.2.

  48. AJ says:

    Face it..all your arguments against FireFox have been bashed by evidence shown by the people who have posted above.

    IE has not been secure for a long time, and the security threats keep on piling up. When FireFox came out, Microsoft came out with the huge SP2, which made IE a little better with its pop up blocker, but still it is the worst browser you can have period.

    The Mozilla team has worked hard to correct any of the small number of bugs that exist on FireFox. It is updated periodically (Heck, you can get nightly snapshots!) and is very secure. It is also secure, because it is open source (download the source, read it- if you feel it is secure, compile and run it!!).

    Besides the security issue, FireFox is the Best browser that i have seen (features, ability to customize, etc..).

    Microsoft is a company that loves to make something and then charge everyone a lot of money for it and then not update it in the least and then flame another product for being better instead of actually doing something to fix the problem (Please-dont tell me about the new pop up blocker- so lame, it could have been coded years ago..Oh wait..there already have been pop up blockers made by people years ago because it was a problem..)

    FireFox is a much better product in every way than Internet Explorer.

    BTW, I am writing this from inside Firefox. ;)

  49. Jay says:

    I don’t think this article is going to fool anyone into believing Firefox is somehow less secure or less prone to spyware than IE. The simple fact remains, **despite these cosmetic shortcomings, terrible design decisions in IE are the reason it has so many security woes** and most people savvy enough to read this article will know that.

    Several of your points amount to the same thing. So, you download firefox from university servers? You don’t know whether you can trust the executable? This can all be solved by verifying that the executable matches a secure hash. This would be a sufficient condition to determine the executable you downloaded is kosher.

    You talk about how IE only allows signed ActiveX apps to be installed. Well, let’s hope no bad guys can get signed ActiveX controls. Let’s hope no bad guys get signed ActiveX controls, because there would be no reason not to trust them, right? Firefox doesn’t install activeX controls at all, so I guess that point, which you brought up, would be a score for everyone’s favorite browser.

    You also mentioned that you don’t like how firefox will not allow you to execute files right from within the browser. This is what they call a ‘good design decision’. You know, the kind of things Microsoft learned a little bit about before they released XP’s service pack 2. The idea behind this is that even if Firefox is tricked into downloading spyware, as IE often is, it **cannot** execute that software from within the browser, like IE commonly does, but at best the automated process allows you to download it.

    Then, the user, who was unaware that their browser downloaded software and attempted to install it (IE would’ve succeeded, FF would’ve failed) would have to track down that file and decide to run it themselves.

    Now before you talk about how unlikely drive-by spyware installations are, know that they happen in IE more than you want to believe. The program Cool Web Search, for instance, has been known to have drive-by installations from some sites (taking advantage of IE security holes). This program is particularly malicious and particularly hard to get rid of as Cool Web Shredder, the piece of anti-spyware specifically written to get rid of Cool Web Search, often fails.

    You have to remember: you cannot trust bad guys not to do anything. If there exist known exploits in IE, as there do, then they’ll try to take advantage of them. If the only layer of security IE sports is, "Hey, look, we only trust signed software by default" then I’m a little afraid you’re in for a world of hurt. Haven’t you learned anything?

    I don’t do my work in the Windows world myself, and all of my downloads come from a trusted server (I emerge my software from a public mirror that I maintain), but as far as my family is concerned: they all run Firefox. And why? Because I hate working with Windows and I hate ‘fixing’ Windows installations.

  50. Alex Birch says:

    This is some of the best FUD that I’ve read… Kudos!!!

  51. Jerry says:

    I’ve used Firefox since .7 and haven’t touched IE since. I’ve never had my computer run so smoothly since I got rid of Microsoft’s web browser. You knew you could get your copy of Firefox from the source but you already knew where you could get an illegitimate copy from somewhere else. Which you knew you wouldn’t install correctly. You are not dumb, so don’t act like we are. People would have more respect for Microsoft if your company would stop spreading half-truths and misconceptions.

  52. DoesnMatter says:

    It is for this very same reason that Microsoft suffers from improper security implementations – Their employees do not understand that simply signing code with a "Verisign" certificate does not mean you should trust it. What the heck? If I had money I could simply buy a Verisign certificate and sign some piece of code which erases the end user’s hard drive. Even Microsoft signs its own code – which has flaws which are exploited time and again to screw end users. Why should I trust the Microsoft signed code then?

    Thank you – we do not need your flawed certificates and signed code – We trust Mozilla.org more than Microsoft – for they aren’t after my money.

  53. Mike K. says:

    Simple. To borrow a phrase from the X-Files, "Trust no one".

    That being said, I have no reason *not* to trust Firefox at the moment. It’s been good to me, hasn’t misbehaved, and "appears" to be relatively secure.

    On the other hand, Internet Explorer and Microsoft in general have abused my trust on numerous occasions – viruses, security flaw after security flaw, odd behavior / instability, etc. So despite all the Verisign certificates in the world that Microsoft might own, I will never trust IE again.

  54. Greg says:

    There’s only one reason I don’t use IE anymore at home. SPYWARE. Take your fully patched IE and browse over to Newgrounds.com (where the best flash is). If you’re using IE, your computer just got owned.

    Microsoft can come up with security policies that keep me from being a stupid user. Their security policies don’t mean jack when a banner ad can hijack my machine.

  55. The simple answer to the question is: by being careful. Download from a trusted server.

    The problem of course is that you have no such option with IE. All IE distribution, signed or not, is insecure because I have no way of checking the code, nor can I take it to anyone who can. I have to trust Microsoft, one of the worst programming companies in the world with a two decade record of sloppy workmanship, dishonesty and apathy towards its users.

    The writer says that Mozilla has had "its share of security problem (as has IE)" but quickly skips on hoping that, as is MS policy, the reader will treat all insecurities as equal. Of course, the truth is that IE flaws regularly allow total and easy compromise of the user’s machine, while Moz has only had a handful of such massive breaches. The combination of IE and Outlook has brought many an IT, indeed many an entire company, to its knees for days on end. The one time I was in British Telecom Headquarters there were notices up everywhere telling the staff not to even open their email as an IE/Outlook virus was in the system, and had been for two days at that point. BT have huge resources and are not in the habit of downloading their IE updates from Warez sites! Did that help them? No. Did it recover any of the hundreds of thousands of pounds in lost productivity? No. They trusted Microsoft and they got burned.

    Who cares if that sort of work is signed or not? Signatures are not a panacea. IE is and always will be a third-rate backdoor to your hard drive because it is badly designed and badly programmed (just how hard is it to implement PNG anyway? 8 Years hard?!) and no one is doing anything about it.

    By the way, I use Opera – it’s faster than Firefox. I download it from the company site. The point is not so much the server, it’s that I trust the company behind it, just as I trust the programmers behind Firefox.

  56. siroxo says:

    Verisign can also sign for spyware (excuse me, adware) programs, such as Gator and BonziBuddy. There is no reason to trust a program with a verisign certificate more than one without one.

  57. Sabu says:

    It looks as if Microsoft put one of their cronies to start a flame war — poor guy. How much are they paying you to take a hit for the team?

    gimp.

  58. Lucas says:

    Seriously, the authenticode system and signing is waste of time.

    The vast majority of users don’t actually care whether the thing they are downloading is signed – they are easily confused by just another technical nicety. You wouldn’t believe how frequently I have to clean users machines from malicious software even when the user has a choice.

    I’m sure a malicious person could put a web link which would say "click on the button to have your credit card stolen" and people would still click on it, just because they can.

    Note this does not make FireFox better than IE, it just makes the whole argument spurious. The real issue is the lack of choice in any browser when things happen without user knowledge, either by bad design, or bad coding leading to exploits.

  59. Jonathan says:

    I have used Firefox and IE, in fact on my main computer I use IE all the time. I have no issues w/ spyware and malware, I browse sites I know are not sending me stuff and I keep Spybot Search & Destroy up to date, schedule Virus Scans and Updates and don’t have an issue.

    I hate having to install things like flash or some other extension to get what I want when I want it. Sometimes I just want to browse one site and not have to worry I have everything configured correctly.

    What makes Firefox the best browser? From everything I read, its just because it’s popular w/ people on Slashdot

  60. Alex says:

    That was surprisingly long for derived bullshit.

  61. rolf says:

    I think a better question is how can I trust Microsoft. Just because a company pays for "signed certificates" doesn’t imply they are "trustworthy" or that the products can be trusted. MS has demonstrated that very clearly.

  62. dev null says:

    sycophants, pull your heads out of Bill Gates’ ass and get some fresh air then maybe you will think clearly again…

    http://www.winternet.com/~mikelr/flame38.html

  63. P00r says:

    Hehe funny, I must have installed Firefox twenty times and I never saw a 7zip or an empty dialog box, anyway keep your IE and I will keep using Firefox….

    Funny to see MS scared like this, beware the Google Sand man gonna get ya!

  64. vanberge says:

    firefox uses mirrors because they aren’t microsoft. They haven’t been overcharging customers for 20 years to be able to have bottomless bank accounts… since they have had 11 million downloads, they need some means of bandwidth and infrastructure to support that.

    Obviously their lack of "overcharging end users" renders them less likely to "be able to spend millions" on the "systems" required to facilitate 11 million downloads.

    Also, firefox is forced to integrate with microsoft’s "awesome" operating system…. clearly, that wouldn’t have anything to do with any errors.. It doesn’t run flawlessly on linux distributions or anything.

    sarcasm intended

  65. /. guest says:

    First of all, I went to the advertised http://www.getfirefox.com, and was redirected to the real page at http://www.mozilla.org/products/firefox/.

    Funny thing when i went to http://windows.com i got redirected to

    http://www.microsoft.com/windows/default.mspx

    Should Microsoft also not be trusted?

  66. Kevin says:

    I’ve installed Firefox at least 20 times on friends pcs – usually after I’ve had to cleanup the mess from Windows XP SP1 and IE. Never once have I encountered any of the problems you describe.

  67. gees says:

    You don’t trust "ip addresses", but you trust "domain names"? Do you know that one is just a symbolic name for the other?

    Do you realize that trust has very many levels, and that Microsoft’s problems are at the most fundamental – that the developers and management at Microsoft are completely untrusted? Their skills at making secure software are completely untrusted and unbelieved. No matter how many times Microsoft code is signed, the signature just tells us that we can be sure that the software is insecure.

  68. Is it only me, or is this a lame excuse about "digital certificates"…

    Hey!! not everything is digital certificates, 999.99% is also the DESIGN OF THE PROGRAM.. IE is INSECURE BY DESIGN..

    So don’t try to cover these holes with a bunch of crap about I DON’T TRUST FIREFOX..

    Why don’t you and the zillions of programmers @ microsoft try to do something good and redesign IE from scratch?

    That will break like 10000000 things right ?

    So let’s keep insecure and continue selling Office, the real cash cow.

    Microsoft don’t care about IE or security or stuff, they care about PROFIT!

  69. Math says:

    "This page doesn’t even render correctly in Firefox. Half the article is scrolled way down – you wouldn’t even know it is there!! what the….. "

    Are you really surprised? This is a Microsoft page. Those pages are designed exclusively for IE. Remember the MSN home page debacle with Opera a few years ago?

  70. Ryan Sommers says:

    To each his own. I think you pose a lot of good arguments. However, when I originally switched to FireFox I did so because of 2 features. Tabbed browsing and Pop-up blocking.

    Tabbed browsing is simply amazing, the first time I saw it I was shocked neither myself nor anyone else had thought of this sooner. It made (makes) so much sense. Right now, as I sit here, I have 4 tabs open in FireFox. To accomplish the same thing I would need 4 separate windows with IE. Being an IT person, I already have about 6 separate windows running, why do I need 4 more added to the already cluttered taskbar?

    I’m not going to touch the pop-up issue, I think we all know and agree on that. Thankfully, IE6 has this (I think, haven’t used IE6 much since I went to FF).

    Another thing that I haven’t seen mentioned. FireFox is available on a variety of platforms AND works on all of them with relatively little difference. My place of work (print shop) has quite a few Macs, as well as a few UNIX boxes that I use (2 FreeBSD boxes, one live, one development, and a laptop, also FreeBSD, sitting here right now) and no matter where I go: Windows, OSX, UNIX, Linux, FireFox looks the same everywhere. I can even share my bookmarks easily! Out of all of those, IE only works on Windows and OSX. I’ve tried using it on OSX and frankly there are a lot of instances where it just doesn’t display things correctly. Let alone the fact it displays things DIFFERENTLY from the Windows version. What’s that about?

    I’m not trying to convince you of anything. You seem intelligent enough to make your own decisions; you even took the time to try FireFox. However, what I will say is that your entry, in my opinion is nothing more than obnoxious slander, and quite honestly, hypocrisy. If you were expecting FireFox to be without fault, you were one naive developer. Every program has had its faults. The big question is how long will it take the Mozilla team to rectify those mistakes? Then let’s compare to how long it will take Internet Explorer to become "safe." As I see it, IE has had 6 major versions, countless minor versions, and we’re still seeing bug after bug. FireFox had its first major release, and you’ve already condemned it.

    If you want something that hits a little closer to home, let’s face the fact that after one major release FireFox has already seized up a sizable chunk of the browser market. Even if it doesn’t work right, crashes five times a day and has to have 2 service packs, you know what, it will still be ahead of Windows 98, or Windows 2000. Has 2003 had a service pack yet? It’s been out a year, I imagine it’d about due for one.

  71. CheapAlert says:

    Hehe, this blog is M$ BS all over, i have never had trouble or suspicion obtaining and getting firefox, and i DO know better :P

  72. I see, and agree, with most of what you have said about the process with Firefox, but I have a big issue with the "many criticisms of Internet Explorer".

    The big criticism isn’t that people are fooled into fooled into downloading spyware or adware – it’s that some site have the ad/spyware install without users even knowing. There is no prompt, there is no cert auth, an ActiveX control does it for them.

    Granted IE bocks these by default, but many people change their settings (not knowing what they are doing) and open themselves up for the problem(s).

    There is no "fooling" going on, it’s a combo of uninformed users and usability issues in the software.

  73. slashdotter says:

    LET THE SLASHDOTTING BEGIN !!!!!

  74. abhishek says:

    there is a link on firefox website that lets you download firefox right from their servers… maybe you chose a mirror. IE has got tons of problems with phishing and opening backdoors, ff doesn’t. ff is better standard compliance, ie isn’t. of course it has many other cool features that ie doesn’t. and guess what when i tried to install the software of my new HP laser printer, it said that the driver is not digitally signed which i assume is paying M$ money…

  75. greg says:

    How can I trust Firefox. I can if it is not run on windows. The question is how can we trust windows? The code is hidden, and the only people that get to see it are those who are paid to. Now how does that inspire confidence. For all we know it is not Firefox or IE that is insecure. How come I do not get viruses on my Mac? How come I don’t have to reboot every time I make a change on my Mac? How come the Blackjack port is open by default under windows and there is traffic going back and forth. How come companies such as Lexmark can install spyware on your computer and get away with it. It is not the university kids that you have to worry about folks. They are by far not your worst enemies. The only person you should fear is the big good wolf that cries every time he is cheated. The powers to be are changing and finally the deception is being exposed. Do not follow the deception of the magician, look straight into the looking glass. Then, and only then, will you see the real problem, the real disease. Can it be cured? I don’t know, the choice is for you to make.

  76. JSmooth says:

    Peter,

    Scary world eh? When untrusted, open source, trojan horsed software is STILL better than IE.

    You would think M$ would be light years ahead of a free, donation based, browser in terms of reliability, performance, features… Oh wait, IE is how OLD??

    Guess I’ll just keep downloading those "Windows Security Updates" while I have NO idea what is actually going on. Blind trust in M$ is ok. Blind trust in FF is bad.

    Thanks for the heads up!

  77. Unlike IE it is possible to build Firefox from source.

    If you are really paranoid, you can download the source, look at it, and build it yourself.

  78. Matt says:

    I know when I tell anyone to install anything I simply say "Click Next and Agree to everything." This is because even beginning to explain the significance of certificates and how to verify them as being true, valid, and factual.

    For that matter, I don’t think even I understand what is "Verified to be ‘Right’". I didn’t know Verisign made certificates for downloads. How do I know you’re not making this up?

  79. Alex Birch says:

    I’m confused Peter… I always thought that security was best accomplished by security. E.g., you would have your operating system and then applications on top of those. That way if the application is compromised, the system isn’t.

    How does that work while browsing with part of the Kernel? It seems that if IE is compromised, then your Operating System is compromised. But if Windows was worth anything, then it would only allow the application to be compromised and no super user exploit would be possible.

    Alex

  80. Alex says:

    "This page doesn’t even render correctly in Firefox. Half the article is scrolled way down – you wouldn’t even know it is there!! what the….."

    Is it Firefox’s fault it doesn’t render a site that was designed specifically for a standards bashing browser?

  81. Graxx says:

    Let’s compare versions.. IE has had 6(?) versions to get this web doohickey right and it’s still chock full of holes.

    FF has JUST NOW come out of beta and you’re *struggling* to find reasons why I shouldn’t trust it!

    What happens when FF matures and spits out version 2 or 3? You gonna admit defeat or code something worthy for a change?

  82. Torel says:

    "we’ll never get past the spyware / adware problem"

    well I can’t speak for the rest of you, but my spyware/adware problems ended when I installed firefox.

  83. sam says:

    There seems to be a funny bug in IE; I hit <ctrl>-tab to open up a new tab, and nothing happens. That’s the only come back I can think of.

  84. I needed a good laugh… this article shows how you can’t outsmart "human stupidity". What moron goes "hmmm, this could be a nasty program that will screw my computer over" and then clicks "RUN"? If this is how a person blindly clicks away with the mouse, it won’t matter what browser they use… but at least with Firefox they won’t have crapware loaded up just from viewing a webpage. 1800search anyone?

    The article sounded more like you were TRYING to induce a problem yet failed to. Why not juggle bricks while standing on the hood of your car and then whine about your broken windshield?

    Let’s now have an article about how AOL is so great because AOL users can get a "free virus scanner"! Remember how cool it was when AOL announced you could email "pictures"… WOW, groundbreaking!

    Pencilneck blah blah blah

    —I don’t make typos… they are "eastereggs".

  85. Do you know what else comes from a "numeric IP address"?

  86. "I have no issues w/ spyware and malware, I browse sites I know are not sending me stuff and I keep Spybot Search & Destroy up to date, schedule Virus Scans and Updates and don’t have an issue"

    I have no issues with spyware or malware or viruses. But I don’t have Search and Destroy programs, or even a virus scanner installed, and haven’t for four years. I’m on 24hr broadband with a one-line firewall script.

    Sounds like you have to do a lot of work to prop up your leaky system; I just get on with doing my work under Linux. Try it, you just might like it!

  87. John Blanco says:

    Funny, when the Spyware installs on my machine through IE, I never even get a dialog telling me that the source isn’t trusted.

  88. zarecor says:

    So, I want to know why you use a virtual PC. Eases the system crashes does it? Would be great if tools for verifying binaries were distributed as core windows packages. If that were true I wouldn’t need to install cygwin to verify my checksums.

  89. bloggsie says:

    emerge firefox

    Gets me the sources, checks the md5sum,

    which came from a different and trusted mirror server from the one which hosted the source. Builds those sources into the binaries which I then run.

    Do I trust the Gentoo Portage system?

    Yes I do, absolutely!
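
Several commenters above (pete, anonymous, Jay and bloggsie) point to the same check: compare the downloaded bytes against a published MD5SUMS/SHA1SUMS list obtained from a source other than the mirror that served the binary. The following is an added example, not code from this blog or from Mozilla; the file name, file bytes and checksum lists are constructed sample data, and the digests are the standard test-vector values for that sample text.

```python
"""Verify a download against an MD5SUMS / SHA1SUMS-style checksum list.

Added example (not from the original post or from Mozilla). The list format
is the two-column `<hexdigest>  <filename>` output of md5sum / sha1sum,
which is what projects publish next to their binaries.
"""
import hashlib
import hmac

# Constructed sample input: a pretend installer and two checksum lists. The
# digests are the well-known test-vector values for this sentence, plus the
# MD5 of the empty string for a second listed file.
SAMPLE_NAME = "firefox-installer.exe"
SAMPLE_BYTES = b"The quick brown fox jumps over the lazy dog"

MD5SUMS = """\
# MD5SUMS (constructed sample; in practice fetched from a source other
# than the download mirror, so one compromised host cannot forge both)
9e107d9d372bb6826bd81d3542a419d6  firefox-installer.exe
d41d8cd98f00b204e9800998ecf8427e  firefox-source.tar.gz
"""

SHA1SUMS = """\
2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 *firefox-installer.exe
"""


def parse_sums(text):
    """Map filename -> lower-case hex digest.

    Accepts the GNU coreutils format: digest, one or two spaces, then the
    name; a leading '*' on the name means binary mode and is dropped.
    Blank lines, '#' comments and malformed lines are ignored.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):
            name = name[1:]
        if not name or not all(c in "0123456789abcdefABCDEF" for c in digest):
            continue  # malformed line: skip rather than trust it
        sums[name] = digest.lower()
    return sums


def verify(name, data, sums_text, algo):
    """Return 'ok', 'mismatch' or 'unlisted' for one file against one list."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return "unlisted"
    actual = hashlib.new(algo, data).hexdigest()
    # compare_digest is constant-time; not needed for a local file check,
    # but it is the right primitive for comparing digests.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def verify_both(name, data, md5_text=MD5SUMS, sha1_text=SHA1SUMS):
    """Check one file against both lists, as the commenters suggest.

    The file is accepted only if at least one list names it and every list
    that names it agrees with the bytes on disk.
    """
    results = {
        "md5": verify(name, data, md5_text, "md5"),
        "sha1": verify(name, data, sha1_text, "sha1"),
    }
    listed = [r for r in results.values() if r != "unlisted"]
    results["accept"] = bool(listed) and all(r == "ok" for r in listed)
    return results


if __name__ == "__main__":
    print(verify_both(SAMPLE_NAME, SAMPLE_BYTES))
    # One changed byte in the payload (dog -> cog) must be rejected.
    print(verify_both(SAMPLE_NAME, SAMPLE_BYTES.replace(b"dog", b"cog")))
```
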

  90. Elisha Gould says:

    You say the default in IE is not to run any unsigned software, however there are many that are signed or even unsigned that instantly run WITHOUT user intervention. Unlike the common belief in Microsoft’s little world, programs like MySearchBar and many more simply install by visiting a site.

    The only way in IE to prevent these from installing is to disable activex altogether or to make it so it asks you before it runs. This means that if you want to have any flash pages show up in IE the only secure way is to say yes I want to run flash every time a page is loaded.

    The problem is not that people are agreeing to install spyware accidentally, the problem is that it installs without user intervention.

    The next thing you might say is install XP SP2, however did you know that several drivers simply stop working as well as the fact that it screws up several applications.

    Next you might say buy certified hardware, however did you know that many people are not made of money contrary to popular belief and other hardware does the job just as well, if not better than the hardware twice as expensive.

    Finally you might say the hardware manufacturers should put out new drivers, however did you happen to realise they also are not made of money and putting out drivers may take some time due to budget constraints.

    All in all monopolies like Microsoft should not be so anti-competitive and slander everything about smaller companies. Of course small companies don’t have an unlimited budget and small things like being unsigned is an offence according to the great laws of Microsoft doesn’t really matter. If you want to go slander someone fix your own stuff up first.

  91. Hi. 99.99999% of content on the internet is unsigned. So, to only allow access to signed content is to limit yourself to an extremely small part of the internet. Of course, code signing can be faked, easily. You shouldn’t need to pay someone to sign your code. That helps only a few people, certainly not any developers.

    If the default install of IE doesn’t allow unsigned code to run, obviously the guys who make the code are getting it signed, or they are faking the signatures.

    In your clearly anti-Firefox post on your blog, you seem to not be trusting a download from depaul.edu. If you had half a brain, you would realize that this is DePaul University.

    There are no signed extensions; the reason for this is that 1) all extensions are made by users, and not all users are trustworthy, and 2) signing is insecure because it can be faked.

    There is an easy way to turn off plug-ins… have you tried uninstalling them? IE works the same way, except that when the plug-in is malicious, it becomes extremely difficult to get rid of it.

    Next, the way to bypass the virus dialog is for the user to set the server that the extension is coming from as "trusted."

    In short, you present a lot of misleading information by not giving people the whole story. This causes users to become misled and only helps the malware author. No doubt, you have a biased opinion due to your employment at Microshit, and if anyone caught you saying something pro-Firefox, you would be out of a job. However, this is not a reason to twist information to suit goals. If you are going to attack something, find a REAL flaw and give the full and objective story.

  92. Jeff Wilson says:

    How can I trust you?

  93. I have already helped address part of the problem. I submitted a patch for signtool that will allow developers to sign their extensions with a digital certificate. Signtool is part of the Network Security Services project (http://www.mozilla.org/projects/security/pki/nss/). While the patch was submitted this summer, the next version of NSS (3.10, which includes the patch) has yet to be released.

    My own FireFox extension is signed by my employer’s code signing certificate.

    http://www.j-maxx.net/abtrans/abextension.php

  94. I find reading this quite funny, as I have spent the last 3 hours updating my father’s laptop: installing SP2, removing spyware with AdAware and rebooting 6-7 times. He’s just a regular computer user, but his computer got all messed up because he wasn’t sure why that update thingy kept popping up.

    My finalization of this "update" is installing Mozilla Firefox and replacing the Firefox icon with the IE icon. He will never notice, but it will save me the hell of "fixing" his computer in a couple of months.

  95. d-mal says:

    Boy, after reading this I think I need to rebuild my system. All of those unsigned driver installs are scaring me now. Who should I call to fix these?

  96. ALok says:

    Obviously Firefox is good because nobody uses it, so there are no exploits made for it.

  97. Brock says:

    I also deal with users in the ‘wild’. The browsing policy at my company is basically up to the users, so we are at their mercy. The first question I have concerns the author’s comment about a ‘default’ installation of IE6 denying ActiveX installations. Is this under XP SP2? What percentage of company, or even personal (which I imagine is far larger), PCs even have SP2 running yet? How many are even using XP? My company hasn’t deployed SP2 yet because there are concerns about it breaking programs. In my experience, IE6’s default behavior is to accept signed ActiveX controls. Even despite the denial of these controls, IE6 can still be hijacked and your PC compromised. The fact is that Firefox doesn’t have hooks into the OS on the level that IE6 does.

    Granted, running untrusted code on a computer is going to put a user at risk anyway. This is the case with either browser.

    What is the difference between installing an ‘untrusted’ browser and installing an untrusted spyware remover? How many users have tried to fix the mess left by a malware attack by installing some piece of software that just happened to show up in a Google search? It’s a fairly well known fact that 75% (or more) of the spyware removers out there contain malware or yield false positives to coerce users to install and buy their software…

    Competition is a good thing. Firefox is competition to Microsoft and IE. Articles like these, finding petty problems with quality OSS software (7-zip error? That isn’t Firefox’s error, it’s another of your OSS programs causing the problem… I’ve seen blank confirmation dialog boxes with no text in commercial software; that also isn’t a Firefox problem), are just spreading the FUD. If you want to get my attention (as joe user), create two test boxes (Virtual PC). PC1 is a vanilla XP SP2 install (updated, of course) with no frills, no extra software. PC2 is the same as PC1, but with Firefox installed. Now, browse around to some of the known problem/spyware websites, and make sure to do this with both Virtual PCs. Then show me the results of Adaware or HijackThis after 30 minutes or so of browsing these sites. Also, reboot a couple of times just for good measure.

    Trust certainly is an issue in this case. However, I think when it comes to using a Microsoft product most people do so begrudgingly. How many times do you hear someone complain or rant about a Microsoft product? Finally there is a product out there worth using, and it’s making Microsoft take notice.

    Sorry I don’t have a blog of my own set up. Feel free to contact me at cmdrtallon@gmail.com

  98. /.'er says:

    Hmmm… my comments have not been put up yet… I have posted after that too… very interesting…

    My test message to see if my posts were going through:

    "LET THE SLASHDOTTING BEGIN!!!"

  99. Matt says:

    First of all, you can download from http://ftp.mozilla.org if you’re so insecure about where you get your software from.

    Secondly, if I go to http://www.microsoft.com/ie, I get redirected to http://www.microsoft.com/windows/ie/default.mspx, and with the lovely new IE flaw (http://www.eweek.com/article2/0,1759,1743407,00.asp) the entire address bar can be spoofed, so I can’t trust that anymore. (Please note this vulnerability exists on a fully patched XP SP2 box, one of many SP2 vulnerabilities that come out weekly.)

    Third of all, I don’t give a rat’s ass about what’s signed and what’s not. There’s all sorts of garbage spyware out there that’s proudly signed by the company that’s desperately trying to install it on your machine and at least had the courtesy to ask…

    And with Firefox, I can surf the web and (right now) feel secure knowing that I won’t have mountains of garbage malware silently installed without my knowing until my next BHODemon/Bazooka/AdAware sweep (something that is much rarer on my computer now that I have Firefox as the default).

    The bottom line is that Firefox ASKS me if I want to install software. IE kindly allows any jackass with shell scripting knowledge to plant stacks of unwanted software on my machine without my ever knowing. Until that’s fixed, you’re just blowing smoke up everyone’s asses.

  100. Godzaic says:

    Mozilla is better than FireFox anyway. And you can download it directly from http://ftp.mozilla.org. Problem solved.

  101. Dave Wilson says:

    "I’m sticking with IE too. It’s a known quantity. Firefox is an unknown quantity and without any form of formal prerelease testing, I don’t trust it."

    yup, IE is a known quantity. specifically, known to be one of the two biggest vectors (along with Outlook Express) of virii and other malware out there. funny how you didn’t mention CERT’s recommendation to use anything other than IE.

    as for your comment on "formal" testing: yes, there is some merit to applying formalized software testing methodology to products, but it’s not a panacea. i’m assuming that Microsoft has been conducting such "formal" testing with IE over the years, and yet, strangely, the security holes still exist. as far as i’m concerned, the admittedly ad-hoc public beta testing model used by Mozilla and Firefox generates demonstrably better results.

    -Dave

  102. Jacqal says:

    The question should be, how can I trust Windows XP when it can get rooted within 4 minutes of getting connected to the Internet?

  103. How can I trust a company that mirrors its own software via Windows Update, via IE download, from other sites that DO NOT EVEN show that it is NOT coming from their site?

    How can I trust a company that will NOT fix errors in their software? IE is still broken in Win 95, 98, ME, … many things are still broken and Microsoft the Monopoly refuses to actually repair it. But you can buy the next release that does NOT work with your hardware.

    How can I trust a company that releases a service pack that breaks or destroys the OS it is upgrading, to the point of completely reloading?

    How can I trust a company that answers that complaint with "Buy new hardware"?

    In the end…

    How can I trust a company that will even say to users of its software: "You are NOT our customers, DELL and HP are." But in a backhanded way they do… buy new hardware.

  104. Thoralf says:

    # re: How can I trust Firefox?

    Peter Torr

    murphee — thanks for the link; did the NYT ad tell people what SHA1 sums were and how to use them to verify the correctness of their download? (And if it did… did anyone understand?)

    Posted @ 12/20/2004 1:13 PM

    and how do ppl know how certificates work? how can they know if the certificate is ok and not a faked one?

    your argumentation has many flaws, and of course you can find as many problems as you like. i didn’t have any obscure dialogs with empty content, so i assume that you either "tuned" the install somewhat, faked it completely or simply screwed your operating system.

    digitally signed software might be the solution for you. for me it’s completely intransparent. i cannot see what happens, i cannot check the source code … that’s what i call insecure.

    if you want to know what you are installing you can easily get to know. but if you do not want to – stick to your internet explorer and be happy! you got the choice.

  105. Die Microsoft! Die a horrible and painful death by a thousand throw-ups and homosapien bacteria that digests you from the inside out! Mwahahaha!

  106. You mean you can’t trust Firefox because it downloads from some "random" university server? Then what do you say to The Fedora Project, Open Office, or any other open source program that uses university servers? The reason a university server is used is because the project is not funded through a major corporation like Internet Explorer is. The servers are generously donated to the project and are all approved by the leader of the Firefox project. I’m sorry if they don’t have billions of dollars like Microsoft does to run servers for a program being downloaded 500,000 times a day. But hey, if you don’t like Firefox then uninstall it and don’t use it. Believe me, I would do that with Internet Explorer if I could.

  107. Mike B. says:

    You must be out of your gourd. I was a die hard MS user until just a few short years ago. I have designed and implemented 3000 seat Windows XP deployments across an enterprise. I have been MCSE certified since early in the NT 4.0 days. I have to tell you that ever since I switched my parents to Firefox, I have NOT HAD A SINGLE PHONECALL from them saying they get these annoying popups. This was well over a year ago. MS has no clue, and whichever boss of yours put you up to writing this "scare" article should be shipped to Fallujah and forced to shout I am an American. Repeatedly.

    Some of your points are BARELY valid, but the chances of Firefox being compromised are about as remote as IE not having another 5 security patches in the next few months.

    In other words, it ain’t gonna happen.

    Mike

  108. Tester says:

    Flashblock allows you to selectively block Flash from different sites (to, let’s say, block ads).

    You can do it in the Preferences: in the Downloads section, there is a "Plug-ins" button that allows you to disable different plug-ins. Or you could just delete the Flash plug-in file. Unlike the complicated ActiveX stuff.

    That said, if you installed it on Linux, it would probably come in a signed package (I think all Linux distributions sign their packages one way or another).

  109. Enune says:

    The solution to this is obvious:

    IE is for idiots who need a browser that works, yet is left unpatched for weeks at a time.

    Firefox is for people who know how to use a computer, and a few braincells.

    You are obviously in the former category, so before you cast negativity all over probably the most _secure_ browser available, read about it. If you don’t like it, don’t bloody use it.

  110. C says:

    I prefer to take the risk than to have Microsoft involved, everything that MS touches becomes shit, thus the success of Firefox. But FF has achieved what $50Billion have not.

  111. Anthony says:

    There is no IE for Linux (yet). Maybe if they ported IE to Linux we’d have a browser war on a different front.

    Wait – no we won’t.

    Of course, that’s assuming MS would even be able to port code that they seem to have no control over.

  112. freeform says:

    Let’s see. Firefox version 1.0, IE version 6.01 (or some such). And five ‘features’ missing. Not bad.

  113. You’re scared of downloading software from DePaul University’s FireFox mirror but you trust IE?

    WOW, we know who feeds you!

  114. blackwaffle says:

    IE sucks, okay. Viruses, popups, M$ spying on you, cookies, it’s a piece of shit bloatware. Firefox is fast, simple and free. (Well, IE is sort of free, but not really, hence the $ replacing the "s" in MS.) I have been using Firefox for some time and have never gotten an unwanted popup ad. Also, the fact you are using a blogging tool like this instead of building a real website doesn’t exactly inspire my confidence in your opinion.

    "Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer any more."

    that bad guy is bill gates. His program is IE.

  115. Tyler says:

    While there is no reason to flame, Firefox is hands-down better than IE. I didn’t have any of the problems you described. I have never suffered spyware/malware since installing. VeriSign costs money, but OSS devs donate their time; why would I make them pay for something to validate something they are giving away already? That would be a slap in the face.

  116. Master Bates says:

    In case you haven’t noticed, spyware companies like Gator digitally sign their products too. Thus, going by your logic IE would happily allow you to install all manner of malware over your Windows machine just because it was signed?

    It’s pretty obvious this whole article is a put-up job from a Microsoft shill trying to spread the usual FUD on a superior competitive product.

    As with Linux:

    First they ignore you

    Then they laugh at you

    Then they fight you

    Then you win.

    I guess this just shows how panicky Microsoft is becoming lately as more and more excellent competitive Open Source products are released that they can’t either buy up and sit on or sue out of existence.

    Go the Penguin and go the ‘Fox !

  117. Newton Costa says:

    Some spywares are also signed with Verisign… Gator, Bonzibuddy, etc.

    What’s the point?

    Lame article. Lame.

    So your conclusion is that IE is a better browser because it treats the user as a dummy??? People should learn how to browse.

    After all, with firefox spyware isn’t going to be automatically installed (like with IE)…

  118. Elisha Gould says:

    <Quote>

    Alex

    "This page doesnt even render correctly in Firefox. Half the article is scrolled way down – you wouldnt even know it is there!! what the….."

    Is it Firefox’s fault it doesn’t render a site that was designed specifically for a standards bashing browser.

    </Quote>

    In reply to this: the problem was put in on purpose. If you scroll in the HTML you will find <br clear="all">, which will cause the text beneath it to go below the end of the side menu. If you change this to simply <br>, the page will display without the gap. You might want to notice that the site is also not designed for anything other than IE.

  119. Blah2005 says:

    Bill Gates: Peter, what sort of sycophant are you !!

    Peter: What sort of sycophant would you like me to be ?

  120. sgk284 says:

    Way to distort the facts as Microsoft always does.

    1) Firefox by default only lets you install extensions from one site that it controls, any other site you must individually okay. If an extension is unsigned, it is only checked to install by default because the site is a trusted site.

    2) Firefox is not integrated with the operating system. Therefore a whole ton of problems that are possible in Internet Explorer are not possible in Firefox.

    3) Firefox does offer means of verification using free tools. Why does Microsoft think everything has to involve money? All that verification nonsense can be done for free, but see point 4.

    4) Signed code means nothing. If anything, it leads the user into a false sense of security. What happens when Bonzi Buddy starts signing its code and users all of a sudden see the little dialog saying that this executable is okay to run? Malicious code can’t be stopped through verification like you speak of; it’s a false sense of security. I could go buy a cert and send everyone a virus. All of a sudden it’s legit because it’s signed?

    5) There is much more software out there that is not signed than is signed. Most freeware and indie developers don’t have the resources to sign their code etc… Only in the big corporate world can such practices be done consistently and effectively. This achieves two things… it forces people into only trusting big monopolies and it forces indie developers to starve to death. See point 4 again, as this supposed verification means nothing.

    6) You could stop this nonsense if you chose what applications should be run and which shouldn’t, but who are you to decide what I run?

    7) You made that install process seem as negative as possible; in the real world it’s usually as easy as download, click, install, browse safely.

    8) Your whole argument is based around code signing, that is nonsense. Why would you even recommend that an OSS project give some of its money to some big company for a cert that means nothing more than could be achieved freely? Even CACert.org would have been a better recommendation, not everything involves money.

    9) You are apparently an intelligent fellow who acted like a complete idiot when installing this just to make it seem a million times worse than it is. The fact that you did that makes the foundation for your whole essay uncertain.

    10) Microsoft has to stop whining. Someone made a better browser, boo hoo you lost. (not by numbers, but by quality). Get over it.

    -Steve

  121. monkeyboy says:

    I’ve started going to people’s houses to fix their Windows boxes. First step: install Firefox. Remove IE icon from desktop. Use it to download spyware removal software. Remove spyware. Install Windows updates.

    Here’s the problem with the article: the author is way too savvy. I drill the point home that the people with the compromised PCs should never download untrusted software, but at that point their computer is already a quivering pile of goo that needs at least an hour or two of work to get operational.

    Also, the author doesn’t like the fact that the mirror hostname is different. When I run Windows Update, it doesn’t tell me what hostname the software is connected to. What if a trojan Windows Update is installed on my computer? It could be injecting all kinds of evilness into my system and I would never know.

    The bottom line: the issue is trust. I think students at a university are at least as trustworthy as a company who has sold an operating system that is completely insecure with the default configuration.

    MSFT is scared, and they should be.

  122. Face it, all your arguments against FireFox have been bashed by evidence shown by the people who have posted above.

    IE has not been secure for a long time, and the security threats keep on piling up. When FireFox came out, Microsoft came out with the huge SP2, which made IE a little better with its pop up blocker, but still it is the worst browser you can have period.

    The Mozilla team has worked hard to correct any of the small number of bugs that exist on FireFox. It is updated periodically (Heck, you can get nightly snapshots!) and is very secure. It is also secure, because it is open source (download the source, read it- if you feel it is secure, compile and run it!!).

    Besides the security issue, FireFox is the Best browser that i have seen (features, ability to customize,etc..).

    Microsoft is a company that loves to make something and then charge everyone a lot of money for it and then not update it in the least and then flame another product for being better instead of actually doing something to fix the problem (Please-dont tell me about the new pop up blocker- so lame, it could have been coded years ago..Oh wait..there already have been pop up blockers made by people years ago because it was a problem..)

    FireFox is a much better product in every way than Internet Explorer.

    BTW, I am writing this from inside Firefox. ;)

  123. Dave says:

    "But just because it doesn’t currently have any unpatched security vulnerabilities talked about in the press doesn’t mean they don’t exist (Secunia currently lists three unpatched vulnerabilities, for example)."

    Have you checked out IE lately?

    http://secunia.com/product/11/

    Compare IE and FF which would you rather use?

  124. Grey says:

    Simple reason why

    2 computers, both with the latest version of IE and Firefox; use one browser on each on the same sites with default setup. Same sites, everything. Was using SP1. SP2 seems a little better, but that’s after I gave up on IE.

    The computer on which IE was used had loads of spyware. (Fixed now; just had to mess with the security settings and add a pop up blocker etc etc… basically making it a wee bit of a bitch to use.)

    The Firefox computer was clean (improved with Adblock, FireFTP etc., more for extra features).

    Nearly all sites I generally go to, apart from some sites at my university (which check the version number only and think 1.0 is worse than 6.0 *cough cough*), render well, and should unless they didn’t meet the W3C guidelines. You know, how websites are SUPPOSED to be designed and all?

    If you’re really paranoid (to sound like a broken tape recorder):

    1) run everything in a VM :) no worries about anything

    2) compile from source after reading the whole damn thing

    3) check MD5 hashes; most open source software seems to allow for it
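    Grey’s third point, and the SHA1 sums mentioned earlier in the thread, worked through as an added example (not code from the post, the blog, or Mozilla): the checksum list is taken from the project’s own site, the installer from the mirror, and the two are compared. File names, file contents and the SHA1SUMS text are constructed.

```python
"""Verify a download from an untrusted mirror against checksums published
by the project itself.  Added example; not code from the post, the blog, or
Mozilla.  File names, file contents and the SHA1SUMS text are constructed."""
import hashlib
import hmac
from typing import Dict


def publish_sums(files: Dict[str, bytes], algo: str = "sha1") -> str:
    """Publisher side: build a SHA1SUMS/MD5SUMS-style text, one
    '<hexdigest>  <filename>' line per file (the format sha1sum -c reads).
    This text must be served by the project's own site, not by the mirror;
    otherwise a tampered mirror can simply ship matching sums."""
    lines = []
    for name, data in sorted(files.items()):
        lines.append(f"{hashlib.new(algo, data).hexdigest()}  {name}")
    return "\n".join(lines) + "\n"


def parse_sums(text: str) -> Dict[str, str]:
    """Downloader side: map file name -> expected hex digest.
    Accepts the '*name' binary-mode marker that sha1sum/md5sum emit and
    skips blank and '#' comment lines; any other malformed line is rejected."""
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_download(name: str, data: bytes, sums_text: str,
                    algo: str = "sha1") -> bool:
    """True only if the bytes fetched from the mirror hash to the digest the
    project published for that file name.  A file the sums list does not
    mention is treated as unverified, not as 'nothing to check'."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    # compare_digest does not short-circuit on the first differing character
    return hmac.compare_digest(actual, expected)


# Constructed sample data: the installer the project published, the copy a
# good mirror serves unchanged, and a copy a bad mirror might have altered.
INSTALLER_NAME = "firefox-installer.exe"  # constructed name, not a real release file
PUBLISHED_BYTES = b"MZ\x90\x00 constructed installer body, not a real binary"
MIRROR_GOOD_COPY = bytes(PUBLISHED_BYTES)
MIRROR_BAD_COPY = PUBLISHED_BYTES + b"<<extra bytes added by a tampering mirror>>"
# The sums text is what the project's own site would publish for its files.
SUMS_TEXT = publish_sums({INSTALLER_NAME: PUBLISHED_BYTES,
                          "README.txt": b"constructed release notes"})


if __name__ == "__main__":
    print(SUMS_TEXT)
    print("good copy:", verify_download(INSTALLER_NAME, MIRROR_GOOD_COPY, SUMS_TEXT))  # True
    print("bad copy: ", verify_download(INSTALLER_NAME, MIRROR_BAD_COPY, SUMS_TEXT))   # False
    print("unlisted: ", verify_download("setup.exe", MIRROR_GOOD_COPY, SUMS_TEXT))     # False
```

    The check only means something when the sums come from somewhere other than the mirror that served the file, which is exactly the question the thread keeps circling.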

  125. Khosrof says:

    My experience with FF… I think FireFox rocks! Working in the IT field… and also being the IT Tech to a multitude of family, relatives, friends, etc… I think FF is the way to go! I have a laptop set up with FF and have not had a single instance of spyware/popup/virus on the machine in over 1 year (obviously I started using FF way before version 1.0). I don’t even have any protection (anti-virus, spyware scanner, etc). It just works… and I like it. I have grown to appreciate some of the great applications available through GPL in the past few years. Don’t let big companies push you around and scare you over GPL software.

  126. way to flame a good product. nothing like the ms pr wagon at work.

    fortunately, we preinstall firefox/thunderbird for our users at work, so they are not presented with such issues. :)

  127. Scott says:

    As a former rhetoric major, I must confess that this invective made for a most entertaining, though utterly unconvincing, read.

  128. AnalogDog says:

    Dude, get a life. Actually get a real OS. The reason you can’t trust Firefox is that you are running the wrong OS.

    Firefox roxs on Linux. Oh, and by the way, no worms, trojans, or spyware here.

    Come over to the Light Side, Microsith Lord. Shining a little light on you, might change your closed source mind!

    Tee Hee Hee.

    Go ahead, use IE 6, but don’t bug me about my excellent choice. Firefox is for those that know.

  129. Dean says:

    You can disable plugins by going to Tools->Options->Downloads->Plugins and clicking on the little check mark under the "Enabled" column for the relevant file type.

    Also, when I needed flash, Firefox gave me the option to automatically install it and that process was signed.

    Good point about the extensions, as most are not signed.

  130. Alademuerte says:

    Alright, just because your computer doesn’t display a dialog box doesn’t mean you need to bash it. There’s a lot of computers that don’t display things in IE (ooh, scary).

    Second of all, just because IE says it’s an un-verified source for downloading doesn’t mean it’s bad. Like 1 out of every 500 programs I find are approved by IE.

    The Amazon extension? It’s unsigned, oh well… A lot of things are unsigned; wait for another one to be signed, or if you want it bad enough, make your own.

    And the fact that it’s default for Install? Who cares, don’t just keep on pressing Enter, read your choices.

    You can’t deny that FireFox is taking a large market share and is really taking away a lot of IE’s glory. Maybe IE should look into fixing a lot of their vulnerabilities….

  131. Roy says:

    The problem isn’t Firefox or Internet Explorer, it’s Windows itself. The security model is flawed from its very foundation. None of the problems noted above exist in the Linux version of the browser. Linux is gaining ground on the desktop every day. It’s only a matter of time before it makes M$ obsolete.

  132. MJTG says:

    A few points.

    Firstly, as pointed out by lots of people, your blog doesn’t render well in Firefox. And no wonder: I ran the page through the W3C HTML validator (http://validator.w3.org), and it’s full of errors; specifically, you’ve got closing DIV and SPAN tags that don’t match opening ones. No wonder it doesn’t render well. Did you specifically design the page to render properly in IE and not Firefox? I’m sure I could write a page that does the opposite. I don’t; I try to stick to web standards as much as possible (i.e. standards published by W3C, not by MS).

    Re. downloading Firefox from "some random university" – hey, I’ve browsed through the Microsoft website in the past to download software, and have been referred to weird-looking places where the software resides (places that, at first sight, bear no relationship to Microsoft).

    As for the problems you experienced while installing Firefox (dialog boxes with no text, etc.), all I can say is that I’ve installed the program at least a dozen times in the past, and the install hasn’t missed a beat. Maybe your problems were caused by spyware that got installed on your PC while you were using IE? :-)

    As for the advantages of only installing digitally-signed software, that’s been attacked by others on this blog, so I won’t even bother.

    I can’t believe that people actually *USE* IE to surf the web. I’ve seen so many PCs chock full of spyware and stuff as a result. I’ll re-iterate a point made by other posters: install Firefox, and your chances of getting hit by spyware go from highly likely to virtually nil.

    I take your point that the way Firefox works tends to make non-technical users do things that are not best security practice. Firefox has just reached version 1.0, and is therefore still a relatively new piece of software. But, finally here, let me make the following two predictions:

    1) six months from now, the usability issues you raise will have been addressed by the Firefox developers (thanks to articles written by good people like yourself), and Firefox will be a secure product, in both technical and usability terms

    2) six months from now, surfing the Internet using IE will still be as dangerous as walking into a minefield wearing a blindfold.

  133. So yea, the reason why people get loaded with spyware… they let their kids play with their computer, they allow pop ups to deceive themselves. I think we should all go back to Lynx and screw pictures! I do prefer FF and Opera over IE. The only reason why I have IE is to download MS’ security patches! ’Cause they can’t trust any other web browser to install SP2 correctly, install it, and then reboot the machine, only to find that you have to reformat because SP2 did not install correctly and you can not get into safe mode to uninstall SP2. And we must love those new pop ups that come on the screen but do not have the typical close box, only a close ‘X’ that shows up after however long the animation goes on for. Anyways, one thing that MS can learn from FF and Opera… get Tabbed Browsing! It’s the next best thing since… well, FF and Opera!

  134. d says:

    erm, the problem with IE is not the shit you click on, it’s the shit that is fed to your browser by malicious web sites.

    Stop spreading such FUD.

  135. Cian says:

    "Normal disclaimers apply. I am not responsible for anything, and neither is Microsoft."

    US antitrust lawsuits say differently…

  136. Code signing seems like a good idea on the surface, but there are a number of issues with it:

    It uses a central authority to sign all the keys. Of course, if this authority were compromised, the damage would be higher than if there were no code signing; at least then people would understand that they should be careful! Further, central authorities seem to make technical and security decisions on the basis of popularity, leading to using known insecure solutions like MS Windows and IIS. This raises the likelihood of a compromise.

    Secondly, code signing is mostly useful in situations where the end user is prevented from being able to check what they are running directly. If you don’t have (and can’t get) the source code, there is no reason to think you’re safe. Widely available source code is the best defense against compromise; code signing is a second-rate attempt to patch this real problem with a centralized, marketing-centric pseudo-solution.

    Finally, no matter what software an end user installs, it should not be able to trash his computer or other software. Only an administrator (perhaps the same user, after jumping through the authentication hoops) should be able to make changes that could break the system, eat up all the resources, or cause many of the problems that malicious software is supposed to cause. Instead of asking people over and over whether they "trust" the host they’re downloading from (and who can say? Do you know the admin of every webserver you visit?), the system should simply ask them for an administrative password if the action to be taken by the software could be detrimental to the system. Then, instead of warning people not to accept software from "sources" they don’t trust, which only causes paranoia, responsible OS vendors could say, "Never type in your administrative password unless *you* decided to do something that would require it; software that you are installing should almost never need it."

  137. Thudman says:

    Verisign Code Signing Cert = $400

    Not a lot of cash, if you ask me

  138. This is obscene, really.

    You are writing this article and counting on the credulity of the readers to make them believe the problems you saw are important.

    Con I.E. (and its integration in Windows):

    Okay, you WORK for Microsoft!! Come on, digital signing is prohibitively expensive (and you know it).

    Good hash codes (SHA1) are inherently as good, if not better, and are available to the masses money-wise.

    _Internet explorer is closely integrated in the system and any exploits can go easilly very far. Actually M$ systems have a very poor security model. It doesn’t respect the idea of clustering users to limited rights (well it has been patched to make you beileive it does… we (software programmers) all know it would take some serious work to implement cleanly a system with fine granularity for user rights). For those not aware of this: The scripting engine for the JScript in I.E. is the same (as in the same dll,instances in the memory..) than a one used to script the system (WSH).

    _Microsoft has a very bad track record regarding stability and securities of the products. NT has been better than 9x (thanks to os2) and XP has also raised the bar a notch (thanks to BSD…). However without any external software (firewalls,antiviries…) an XP doesn’t even survive to virus attack on the internet the time to get all the required patches (personnal experience).

    _The "trusted site" from M$ doesn’t allow the user to choose who he trusts (who knows after all some of your partners could be planning on planting spywares and/or backdoors on our systems). Rumours are that tere are many backdoors in M$ products so that the CIA/FBI and Microsoft can expect your computer. At any rate the system is NOT WORKING correctly. Let’s give it a test: use a standard computer (no antivirus firewalls… running),go browse in sex and/or warez site (those attack browsers quite a lot). Don’t download anything. YOU WILL HAVE AN INFECTED COMPUTER.

    Pro Firefox:

    As said before this is very obscene:

    _Firefox is on different mirrors (some of those even don’t have DNS…).

    And so what? As long as they are trusted by firefox devellopers I don’t see what’s wrong they or firefox.com would have to be hacked for peoples to put there own virus loaded version there. Microsoft’s products ARE ALSO STORED ON A WHOLE BUNCH OF COMPUTERS ALL OVER THE WEB. Those computer are just referred by the same dns (well not exactly:msdn.com,microsoft.com formerly windowsupdate.com)… So what’s the difference?????

    And also these servers also quite often run under OS’s that are more secure and therefore have less chances of hosting hacked code. Well as a M$ you will say this arguable (the Departement of Defense thinks they (AIX,SuSe…) are secure for critical operations and windows isn’t, no talk about digitall signature).

    _I don’t know how on earth you managed to mess up so much the installation. I have installed firefox on a lot of machines and some of those where running under windows. Never had a problem.

    _This looks a lot like the "get the facts" disinformation campagn from Microsoft. Fact is: M$ is affraid peoples will adopt more and more open products making easier for them to leave windows for another os (or at least this is my point of view).

    Regards,

    Till

    Ps:

    Since I’m opened to answers you can e-mail me at:4jzt73y74vld5it@jetable.net

    P.P.S: The adress up there is a disposable adress since I don’t want to leave any valuable information on a microsoft owned site. My mail is spam free and I intend to keep ip that way. This address will cease functionning in 8 days

  139. Taudiophile says:

    i switched to FF and haven’t looked back since. it is infinitely better. wonder why this guy so passionately argues against FF?

    HES A MICROSOFT EMPLOYEE, RETARDS.

  140. openaff says:

    The reason it doesn’t render correctly in FireFox is because on line 194 column 3411 is a <br clear="all" /> element. Note clear="all" means the browser *should* put it in a block of space all its own regardless of floating divs. Notice how IE does NOT render it correctly since it ignores this; FireFox does. It is either the Author’s error, or the system in which he wrote the article on, and IE’s ;)

    According to the W3c, there are two definitions in proof it is IE’s error:

    1. "This property indicates which sides of an element’s box(es) may not be adjacent to an earlier floating box. (It may be that the element itself has floating descendants; the ‘clear’ property has no effect on those.)"

    Descend is to move downward, so as the cleared element is parsed, any floating boxes after it are not affected. The Menu to the left in the source of this article’s document is NOT a descendent as it precedes the cleared element.

    2. A value of "all" ("both" in css) has this effect: "The generated box is moved below all floating boxes of earlier elements in the source document.." That includes elements outside of the cleared element’s parent container (a div in this instance) since "all floating boxes or earlier elements in the source document" unequivocally means all elements preceding it.

    FireFox++

  141. Scott says:

    Microsoft bashing firefox? You don’t say!

    You haven’t even made a good case. I’ve never seen your "errors" so you obviously have some issues with your VM that you need to sort out (which I’m guessing is Microsoft?), and you can check the authenticity of a release by getting it from the horse’s mouth if you want. There’s absolutely no need to buy a VeriSign certificate, what a waste of money.

    A bunch of kids at a university? Wake up would you, it’s just a mirror.

    This article is a joke.

  142. Peter says:

    I work in IT. People bring their computers to me all the time, infected with all kinds of spyware. Many of them have teenaged kids who will download anything they can get their hands on. Get rid of spyware, install Firefox, remove all IE icons; they don’t know the difference. The internet is the internet. No more spyware, no more complaints. If Firefox can defend itself against the dozens of teenagers I have pitted it against, I see nothing wrong with that.

  143. Quila says:

    "This page doesnt even render correctly in Firefox."

    Maybe because it has 92 W3C HTML validation warnings. IE does handle poorly-written web pages better than Firefox.

  144. Weldon says:

    PGP

    MD5

    SHA1

    You could have used any of those, or even all three. You work for one of the top software companies in the world and you don’t know how to get a checksum or check a PGP signature?

    Geez… standards in Redmond must be slipping…

  145. RaV says:

    GRC to MS: "warning, your code is highly insecure"

    Secunia to MS: "warning, your code is highly insecure"

    Eeye to MS: "warning, your code is highly insecure"

    etc.

    Consumer: "help! I’m infested with spyware and 5 viruses are currently deleting all my data!"

    Microsoft: "Gee wiz, indeed. And seems like those guys working on MacOS/Linux/FreeBSD/etc. are outcoding us on every side! Better do something…"

    Microsoft after SP2: "Wow! For the first time in our company’s history our programmers seem to have actually written decent code! We must be an AUTHORITY on security now! Let’s go criticise other people’s stuff!" :)

  146. Baris Cicek says:

    If you run an unknown executable from an unknown source even uber-secure operating systems can’t protect you from spyware/viruses and trojans, leave . Firefox itself can’t put a brain into any of its users. But what people have problems in understanding is IE is insecure not because it lets unsigned files run; it’s insecure because it’s embedded in the OS itself, which is irrelevant. Moreover it’s coded as badly as newcomers to CS classes. Has stupid bugs which are unexpected from such a mainstream and highly used app. Adding those up, using IE is the worst thing to do to your internet security.

    I mean come on, this article stinks, obviously biased and spreading misinformation. You forgot that it’s OSS and if you’re that paranoid, you can download the sources, check them and compile it yourself. But considering there are md5 checksums on the sites you don’t even need that.

  147. Dan says:

    Peter

    I’m sure your boss is very impressed with your defense of IE. Your promotion and bonus check are on the way… er… yeah.

  148. Brennan says:

    Never write a critique of bugs in a piece of software’s installation process when you are running the software under Virtual PC.

    That’s all I have to say.

  149. Peter H. says:

    I love how you touch on all of the additional security features and reassigned default settings for IE that were added with XP SP2 but are lacking from every OS MS released up to XP. XP surprisingly holds 60+% of the Windows market but that remaining 40% has been left high and dry. FireFox is a safe haven for that 40% and is one of the many superior options for those who chose not to use Windows at all. If I were one of the poor souls who was cursed with ME or an earlier OS, I would definitely consider FireFox before shelling out $100+ dollars for XP. But let’s face it, if I were on Windows ME, I’d have poked my eyes out with a spork a long time ago anyway, so perhaps this isn’t a valid argument.

    It is indeed an impressive sight to see how you skillfully demonstrate your mastery of IE’s cryptic and overly complex security model to disable certain features that pose security threats, yet stumble through FireFox’s like you don’t know your @$$ from a hole in the wall. It doesn’t help matters that with every release of IE the myriad of options are shuffled around confusingly just when you felt confident that you could find them in under 5 minutes. FireFox’s configs change slightly with releases as well but never drastically, and considering there are about 1/100th the number of radio buttons and check boxes to twiddle, it only takes a minute to read through all of them. Never mind the fact that about 99% of the population wouldn’t even know what ActiveX is, let alone have any inkling as to why they might want to disable it.

    I think the one overarching argument that I can make for FireFox against IE is that I have never once had anything installed via FireFox inadvertently, accidentally, through deception or without my knowing. Yet every time I run IE, set up with ActiveX disabled and cookies set to only last for the current session, my spyware scanners find at least 2 items they’d like to remove.

    FireFox may be made by a bunch of punk kids who don’t have money to throw around like it’s going out of style, but they’ve never once let me down, and the fact that they not only give their product away but also stand by it instills more confidence in me than Microsoft ever will.

  150. Internet Explorer is a browser that is riddled with many inherent flaws and problems which microsoft WILL NOT FIX, because they want to make money instead of actually making a quality product…

    Firefox is much, much better at security and has awesome features such as tabbed browsing and a little-talked-about feature: when you select a phrase or word and right click, there is an option to search the internet for it. This is the kind of features and innovative ideas the Mozilla team thinks of. And not to mention, they fix the bugs found, unlike Microsoft.

    I like firefox and use it all the time, even now ;)

    /.

  151. What a pathetic shot in the dark. If this is the best argument you’ve got against Firefox then M$ might as well pack up shop and close its doors. You’ve all sat on your laurels long enough to allow an open source solution to get its foot in the door (5% browser market share) and pretty soon your other over-priced products (Office specifically and later on Windows) will go the same way (due to OpenOffice and Linux, etc.).

  152. Joe Sheehan says:

    Peter,

    Great article. I’m an avid Firefox user b/c it’s so convenient and I trust the underlying code base more, but this article does an excellent job of pointing out ALL of the security aspects I take for granted b/c I’m a knowledgeable user.

    It’s disappointing that the previous commenters missed your point completely: that a "typical" user must make a lot of insecure actions. Knowledgeable users like us have exponentially better instinct as to what is trusted and what isn’t.

    In order to help make things more secure, we need to change people’s behaviors, not just tell them to use another browser.

    <rant>

    It’s VERY disappointing that my fellow Slashdotters don’t seem to get any of that.

    </rant>

  153. iive says:

    There is only one way YOU can trust FireFox: download the source, inspect it, compile it, and then use it.

    Everything else is just a matter whom do you trust more.

    About the question of security…

    It is not just a matter of having bugs, it is matter of how they are exploited. And exploiting IE holes have created a whole new food-chain.

    I don’t trust IE. Do you?

  154. So here’s my question. Why shouldn’t I trust FireFox? The fact is that FireFox has yet to give me a reason not to trust it. The fact is that there is fairly little that most end users do to figure out if their programs are safe. While the crowd that does use Firefox tends to be a little more careful, FireFox signing and mirrors don’t mean anything to most people. As several people have said, you had better trust the Firefox website if you’re installing it, and any other website if you install things from them.

    Even more importantly, Firefox has proven to be effective for enough users to generate a following. While that may be partially because a swirly fox going around the world is much better than a blue "e", it’s mostly because Firefox has done a good job.

    If Firefox does turn out to have more security flaws than I currently believe it does, then people will notice. If that happens, I’ll try opera, or AvantBrowser, or anything else I can find. I will not, however, be going back to Internet Explorer any time soon.

    I have a new question. How can I trust msdn to give me unbiased advice about Internet Explorer?

  155. Netaku says:

    What I don’t like about this article is that all of these "problems" were around long before IE added its security measures in SP2, and it attempts to make it seem like Firefox is unsafe because it does not include the safety features MS integrated only a few months ago. These aren’t vital security measures we’re talking about. I don’t need my web browser to tell me if something I’m downloading is safe or not; I have the common sense necessary to figure this out myself. I understand that some people may lack that, but wouldn’t it be better for those people to learn how to distinguish this sort of thing for themselves than it would be to hold their hand and let them remain ignorant?

  156. Dan says:

    Boo! What’s this censorship bullpoop! Tell me what a police state looks like, this is what a police state looks like! I’m burning my copy of XP in effigy right now! Die!!!

  157. m3ta says:

    The big difference is, Mozilla will never eat anti-spyware companies and charge users for the fixes they should do themselves – yeah i know this was not even sarcastic, it’s really a joke on Ms, but hey, Ms has always been obvious. (obviously bad)

  158. shahriyar says:

    of such is the kingdom of Micro… i mean heaven.

  159. "It dutifully tells me the extension isn’t signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?"

    In fact, like many others before me already said: Firefox requires the user to explicitly state that he/she wants to even start the install procedure of a plugin. If the very same person then does not even read what’s displayed and act accordingly, it’s his/her own fault. I have a strong feeling most people, running IE and related products, are used to clicking OK in dialog boxes without care, for there are so many, popping up in all kinds of situations, not saying anything understandable for the non-techie/MCSE.

    A default is not a security issue if it does not become effective as long as the user does not say so or is informed beforehand! (Which is not the case for IE!)

    There might as well be a box where "OK" and "Cancel" were switched by an already installed worm, right? Stupid (I know) but very possible! :-)

    And how come I am not told where my Windows Update tool gets its data from? Why do certain updates seem to not do anything for minutes while they happily download further data from servers that sometimes might not even have a registered domain? On top of that, they install additional (to me) unknown stuff, not even asking the user if he really wants to or for what reason! The worst thing about this is I will never know, even if I were up to research, as I would most certainly end up violating some licenses that I agreed on previously.

    Another problem I see is that when I tell IE only to run ActiveX controls and other kinds of programs on user input, why can I only say "Yes", I want to, or "No", I do not? Why doesn’t it tell me where that script came from at least? Or let me even browse its source without auditing previous (sometimes heavily) hirached HTML before???

    Yes, I do agree when some people say that they do not trust VeriSign either. Sincerely, I do not understand what would make the end user, not knowing what PGP or even encryption is, suddenly care for signed software products? The decision whether he trusts that package or not should always be left in his hands, as it is his/her computer he/she bought and has a right to use it, for whatever (legal or not) thing he wants to in the way he/she likes it best. Of course he/she should be aware of the responsibility that requires as well. Instead of teaching these things from the start, some products available by default seem to trick the unaware person into thinking otherwise easily.

    Best regards from a happy KDE 3.3.2 user who trusts the Archlinux package repository, knowing where the source is available from, who wrote it, where it was downloaded from, who maintains that package by name and e-mail, how it was compiled, which patches were applied, and could even easily refuse to trust those and make his own in a breeze. ;-)

  160. Will says:

    You sir, are a complete moron.

    Here is my formal rebuttal to your ridiculous arguments against Firefox.

    "First of all, I went to the advertised http://www.getfirefox.com, and was redirected to the real page at http://www.mozilla.org/products/firefox/."

    Holy crap! Websites can redirect now? You mean that if I go to http://www.windows.com it will redirect me to http://www.microsoft.com/windows/default.mspx?

    "Do I really trust a bunch of kids at some random university I’ve never heard of?"

    This is what is called a "mirror." You see, because The Mozilla Organization creates free and open source software, they are not rich bastards like Microsoft are. Therefore, it is much less expensive if they can share their bandwidth with other web sites. If you don’t trust running executables from this mirror, download it and then check the MD5 Sum from the Mozilla.org site (http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0/MD5SUMS). This will most certainly guarantee that the download was not corrupted and is not a fake, loaded with spyware, backdoors, etc…

    If you are still unconvinced, you can always download the Firefox source code, read it and compile it yourself (http://www.mozilla.org/source.html).

    I will not bother going into a huge discussion about how signed vs. unsigned makes no difference. But the point is that if credible companies and spyware companies can both have signed software (and they do), what’s the point? Signed software just means it hasn’t been hijacked by others, but what if the original creators are the ones developing it to spy on you?

    "But being a brave soul (and not caring if my Virtual PC image dies a horrible death) I click Run […] I am then greeted with this dialog:

    [Picture of 7-Zip dialog]

    Oops, my network connection died. But still… that kind of unintelligible dialog doesn’t do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?"

    No offense, but are you that stupid? Notice the window name: "7-Zip". 7-Zip is the program that is having problems, not Firefox. Stop blaming Firefox for your VIRTUAL PC’s failings. Virtual PCs are known for odd quirks and errors. The next dialog you show (the blank one) is also probably caused by your Virtual PC. Next time, try repeating these steps on a normal computer (Windows, Linux, Mac… whatever your choice is). This also brings up another point: why are you even running a Virtual PC (I thought you worked for Microsoft? Why not run Windows?) and 7-Zip (an Open Source file archiver; what’s wrong with the default one included with Windows XP?).

    "It dutifully tells me the extension isn’t signed (good), but makes the default choice Install Now (bad). This is the opposite of what Internet Explorer decided to default to when it detected unsigned code (ref: above). Now tell me again, which is the more secure browser?"

    Firefox is the more secure browser. The place you are downloading the extension from (ftp.mozilla.org) is white-listed by default because it is a trustworthy site (you know, that company that develops Firefox and all…). Therefore, it is perfectly fine to have the "Install Now" button as the default choice. Try downloading an extension from a different server and you’ll see how Firefox outstrips IE in default security by leaps and bounds.

    The rest of the article is quite honest and truthful, and I thank you for that.
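
The check this comment and comment 144 above recommend (download from whichever mirror, then compare against the checksum file hosted by Mozilla itself), as an added example that is not part of the original post and is not Mozilla's tooling. It assumes the manifest is in md5sum/sha256sum style, one hex digest and one path per line, which is the format of the MD5SUMS file linked in the comment; the installer bytes and manifest entries in the code are constructed stand-ins, not real release data. Two caveats a practitioner would add: the manifest has to come from the vendor's own host, because a mirror that can serve a trojaned binary can serve a matching checksum file just as easily, and even a vendor-hosted checksum only proves the bytes match what the vendor published, not that the vendor's site itself is intact, which is what the PGP signature the earlier comment mentions (or a code-signing certificate) is for. MD5 is no longer collision-resistant, so the hash algorithm is a parameter and a SHA-256 manifest is preferred where the vendor publishes one.

```python
"""Check a mirror download against the vendor's published checksum manifest.

Added example; not code from the post, its author or Mozilla. It assumes the
manifest is in md5sum/sha256sum style, one "<hexdigest>  <path>" entry per
line, which is the format of the MD5SUMS file linked above. The download bytes
and manifest entries below are constructed stand-ins, not real release data.
"""
from __future__ import annotations

import hashlib
import hmac
from pathlib import Path

# Constructed stand-in for the installer bytes served by the mirror.
SAMPLE_DOWNLOAD = b"abc"

# Constructed manifests. The digests are the MD5 / SHA-256 of b"abc". In a real
# check the manifest must be fetched from the vendor's own host (the
# ftp.mozilla.org URL in the comment), never from the mirror that served the
# binary: a tampered mirror can rewrite its own checksum file just as easily.
SAMPLE_MD5SUMS = """\
# constructed MD5 manifest
900150983cd24fb0d6963f7d28e17f72  ./win32/Firefox Setup 1.0.exe
d41d8cd98f00b204e9800998ecf8427e  ./source/empty.tar
"""
SAMPLE_SHA256SUMS = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *./win32/Firefox Setup 1.0.exe
"""


def parse_manifest(text: str) -> dict[str, str]:
    """Map each listed path to its lowercase hex digest.

    Blank lines, '#' comments and malformed lines are skipped. A leading '*' on
    the path (md5sum's binary-mode marker) is dropped so names match exactly.
    """
    digests: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)  # the digest never contains whitespace
        if len(parts) != 2:
            continue
        hexdigest, name = parts
        digests[name.lstrip("*")] = hexdigest.lower()
    return digests


def digest_file(path: Path, algorithm: str) -> str:
    """Stream the file through hashlib so installers of any size work."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _matches(actual: str, expected: str | None) -> bool:
    # An entry missing from the manifest is a failure, not a pass: never fall
    # back to "unlisted, probably fine".
    if expected is None:
        return False
    return hmac.compare_digest(actual.lower(), expected)


def verify_bytes(data: bytes, entry_name: str, manifest_text: str,
                 algorithm: str = "md5") -> bool:
    """True only if entry_name is in the manifest and its digest matches data."""
    expected = parse_manifest(manifest_text).get(entry_name)
    return _matches(hashlib.new(algorithm, data).hexdigest(), expected)


def verify_file(path: Path, entry_name: str, manifest_text: str,
                algorithm: str = "md5") -> bool:
    """Same check for a file on disk, e.g. the installer after 'Save' in IE."""
    expected = parse_manifest(manifest_text).get(entry_name)
    return _matches(digest_file(path, algorithm), expected)


if __name__ == "__main__":
    name = "./win32/Firefox Setup 1.0.exe"
    print("md5 matches:   ", verify_bytes(SAMPLE_DOWNLOAD, name, SAMPLE_MD5SUMS))
    print("sha256 matches:", verify_bytes(SAMPLE_DOWNLOAD, name, SAMPLE_SHA256SUMS, "sha256"))
    print("tampered copy: ", verify_bytes(SAMPLE_DOWNLOAD + b"\x00", name, SAMPLE_MD5SUMS))
    print("not listed:    ", verify_bytes(SAMPLE_DOWNLOAD, "./win32/other.exe", SAMPLE_MD5SUMS))
```

The workflow this supports is the one several commenters describe: choose Save rather than Run in the download dialog, run the check against the saved file with verify_file, and only then execute it. A name that is absent from the manifest fails closed rather than being waved through, and the comparison uses hmac.compare_digest, the usual constant-time idiom, which costs nothing here even though the digest is public.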

  161. Brad Laue says:

    Another point that hasn’t been raised yet is an issue I recently experienced on my XP Service Pack 2 equipped computer.

    That is, I visited a website (gametrailers.com at the behest of one of my co-op students, who was intent on showing me movies of the latest version of Half-Life) and was greeted with the information bar. Internet Explorer had blocked a pop-up. I welcomed this, as I hate pop-ups. But what’s this? A pop-up window appeared anyway, containing an iframe pointing to gator.com.

    I was then asked to restart my computer.

    After extensive analysis I found that indeed nothing had been installed on my computer, and nothing in the registry was changed.

    However it led me to continue using Firefox. I’ve been attempting to switch to Internet Explorer because I like the way it "feels". It has a certain flow to it when I’m using it that I just can’t reproduce with other browsers. I have all the latest patches, service pack 2, and I’m using Internet Explorer’s default security setting for the Internet zone, and I’m still subject to serious incursions.

    Yes, it’s a serious incursion even though no software was installed. The purpose of the popup blocker is to block popups. Not only did it not do this, it allowed the only popup that could do the most potential damage to my computer.

    I want to use Internet Explorer. I like it better. But I don’t want to look over my shoulder every time I do.

  162. Mike says:

    Your paranoia might have more ground if this product weren’t already successfully in use by plenty of customers, me being one of them. You also seem to be having a number of problems that the average user doesn’t experience. Security issues also aren’t the only reason people choose to use Firefox. No matter what browser you choose, common sense can protect you from most of the problems hovering around the internet. Firefox is simply a better browser all around.

  163. beachguy says:

    "Normal disclaimers apply. I am not responsible for anything, and neither is Microsoft."

    Yeah, we know.

  164. Charles Hill says:

    Code signing isn’t the end-all, be-all. You raise some valid points about there needing to be a method for ensuring the validity of the Firefox executable.

    However, the emphasis on VeriSign code signing certificates seems to forget Microsoft’s own experience with these beauties: http://news.com.com/2100-1001-254586.html?legacy=cnet

    It also neglects the fact that many people downloading Firefox have completely lost trust in IE. Right or wrong, that trust was lost due to BAD EXPERIENCES with IE. Thus, no one CARES what IE complains about because it isn’t a trusted source. Think of it like the compulsive liar you are leaving telling you "you can’t trust him! Trust me!"

    -Charles

  165. Spike says:

    How can I trust Microsoft?

  166. Cynyr says:

    Mike Dimmick,

    I was reading the comments on this web log and noticed yours in particular, basically because of the comment:

    "I’m sticking with IE too. It’s a known quantity. Firefox is an unknown quantity and without any form of formal prerelease testing, I don’t trust it (same for any other non-trivial OSS without formal testing, like Linux)."

    Firefox just went into what would be considered its first release..... version 1.0; everything before this release has been "beta". Most of that beta has been perfectly usable, but beta nonetheless. The formal testing has been done; there is a review process for the development of Firefox, as well as most OSS, including the Linux kernel. It is very hard to get a random piece of code into the Linux kernel. The thing about closed code is, how does one verify that it only does what it says it does? And yes, I realise that most people lack the knowledge to dig through all the code.. but if you wanted to you could. The argument that you will probably give me next is that the "geek" could easily just make this some "trojan" code to install a back door on your computer... blah, blah, blah. This is also wrong, mostly due to the fact that the people that write the code also use it every day; there have to be exceptions but there always are. Anyway, I would encourage you to go and look at the design processes of various OSS projects, Gaim, GIMP, the kernel, OpenOffice, and see how they meet your "requirements". I think you will be nicely surprised.

  167. Karl says:

    "Mozilla has had its share of security vulnerabilities in the past (just as IE has)"

    Ok.. Just looking at the stats, from your linked site…

    From 2003 to 2004
    -----------------
    * IE 6 has had 58 advisories
    * Mozilla 1.0 has had 18 advisories

    Of those,
    * 14% of IE 6’s are "Extremely Critical"
    * 0% of Mozilla 1.0’s are "Extremely Critical"

    * 34% of IE 6’s remain unpatched.
    * 17% of Mozilla 1.0’s remain unpatched.

    No software is perfect. Security advisories are there to improve system security. It just appears to me that Internet Explorer has had more than its fair share of high-risk advisories, and for an organisation the size of Microsoft, you really need to be doing a better job of resolving the issues.

    Firefox has only just reached version 1.0. Internet Explorer is up to version 6.0. So, Firefox isn’t perfect – what a surprise! But by version 6, I’d expect IE to be getting BETTER, not worse.

    But seriously – Microsoft’s credibility is at stake here. The world is watching how you respond to the plethora of security issues facing you. Trying to deflect the criticism to how a bunch of amateur programmers have managed to perform doesn’t really address the real issue.

    And the numbers aren’t in your favour, really.

    Karl.

  168. Jon_K says:

    How the hell can I trust IE when every other fucking day an exploit on the net comes out for it.

    I can’t completely trust Firefox, but compared to IE Firefox is the most secure product in the world.

    Why is it all my friends with IE get viruses every day, when my friends using the very first version of Firefox to ever be released haven’t gotten any yet.

    Why is it my friends with the latest service pack for XP still manage to get spyware using IE, yet my friends with unpatched versions of Firefox haven’t got any spyware yet.

    Maybe Microsoft should take another look at their ActiveX code. Back to the drawing board.

    P.S. I bet you voted for Bush too.

  169. Jon_K says:

    How the heck can I trust IE when every other freaking day an exploit on the net comes out for it.

    I can’t completely trust Firefox, but compared to IE Firefox is the most secure product in the world.

    Why is it all my friends with IE get viruses every day, when my friends using the very first version of Firefox to ever be released haven’t gotten any yet.

    Why is it my friends with the latest service pack for XP still manage to get spyware using IE, yet my friends with unpatched versions of Firefox haven’t got any spyware yet.

    Maybe Microsoft should take another look at their ActiveX code. Back to the drawing board.

    P.S. I bet you voted for Bush too.

  170. aerojad says:

    This article has to be a joke. If not, where can I snag a job for spreading such lies?

  171. XP Secure? says:

    Why did XP default to RUN and not SAVE on download?

    Is that "safe usage"?

    But then if you did save it, you could have checked the MD5sum instead of just trusting the site.

    Boy, you have BAD internet skills.

  172. Duncan says:

    It may be fair comment to say that the Mozilla Team should clean up their download security measures, but look past this and you’ll find a far superior product to IE. On 2 clean computers run IE on 1 and Firefox on the other for a week of regular use, then sweep them with a program like AdAware for spyware and see which browser’s better. IE is buggy and full of holes whilst Firefox, if not perfect, is a lot closer to perfect than IE has been or will ever be.

  173. fish says:

    Okay. You can’t trust FireFox before installing it, and you can’t trust IE after installing it. Go fig.

  174. Aaron says:

    It all comes down to computer literacy. The more people know about spyware and adware, the less they will have to worry about browsers "protecting" them. Firefox still rules.

  175. blink128 says:

    All those features you’re blahhhing about are new to SP2, so if you were looking at IE a few months ago what ground would you have to stand on?

  176. Perhaps.. says:

    Dude, was that really Will Smith?

  177. Paul says:

    Good article. I use Firefox because, well, I get less adware and spyware on Firefox than IE, the kind of adware that doesn’t give you nice dialog boxes allowing you to say, no I don’t want that…. It’s better than IE, but not flawless.. Thanks for pointing out some ways it can be made better

  178. Jaime says:

    I wrote up my response to this article on my weblog. Here is the link to it: http://jmweirick.blogspot.com/2004/12/why-i-trust-firefox.html

  179. Nicholas says:

    I trust Firefox because I trust MD5. I always check the sources I compile with the MD5 key, and – since collisions are rare – I trust it.

  180. ca_grover says:

    Most of the "issues" listed in the article are very real issues with IE as well – even if it’s not 100% the fault of the browser. I gave up on the "signed" certificates a long time ago – either I trust the link I just clicked, or I don’t. Most of the warnings that appear are noise interfering in the task I’m trying to get done (poor user interface), when all I need is a single "Are you sure" type message. Saving the file first is not a problem – my AV software gets to inspect it.. wait, I’m running Linux, I’m not as likely to receive a virus so don’t really need AV software (yet).

    So, for me it comes down to this: "Which is more stable after it’s been installed? Which does the most damage to my system by using it?" IE loses on both counts. The only time I’ll recommend IE these days is if an EXISTING application uses IE specific features (i.e. showmodaldialog() ).

  181. This is what the "Secure Deployment" part of Microsoft’s SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.

    1) Only on new hardware… So no help for Win98 Users.

    2) Only after buying a new copy of the OS, can’t transfer an OEM version.

    3) Default to RUN and not SAVE on downloads of EXE. (Shown by his own snap shots!)

  182. How can we trust IE. I never downloaded it, it was just on my computer. I’d like to see the source code of anything installed.

  183. rouble says:

    I used to use IE – and my laptop was always full of adware/spyware. This spyware was being installed without my knowledge – no dialog boxes came up to warn me that this spyware was being installed or if it is signed or unsigned. Should I trust that ?

    After reading about it on slashdot, I switched to Firefox – my computer has now been spyware free forever. I never have unexpected processes running. Life is good, again. I’ve even removed all the anti-spyware software I had.

    I can’t decide if you’re so cut off from reality in M$oft Land or if you’re just trying to impress your manager by taking a shot at FireFox. Maybe you keep installing fresh images on your development boxes, so that cleans out your spyware … the rest of us aren’t that lucky.

    Also, I do have a favor to ask, can you please remove the code that stops me from uninstalling IE ? I know numerous people who would love this "feature".

    cheers,

    rouble

  184. Darkangael says:

    Too easy, tools->options

    Go to "Downloads" section.

    Click "Plug-Ins"

    Untick the plug-in you want disabled.

    Menus are in different locations for Linux version (edit->preferences, then proceed as usual).

  185. Llama says:

    "How can I trust Firefox?" he asks.

    "How can I trust *Microsoft*?" I ask.

    Given all the screw-ups I’ve suffered through with Microsoft operating systems and software over the years, I feel I need to tell Mr. Torr that the pot he sees over there in that mirror is black.

  186. THE FACTS says:

    Metro – Firefox – 2004

    Retro – IE – 2001

  187. Well, this is just _really_ shallow. I mean you are complaining about things that are:

    a) Installation related (could be the OS’s problem)

    b) Not security related

    c) Completely irrelevant

    Default options are never good enough. Some like it this way and some prefer it that way.

    By using such hilariously ridiculous arguments, you weaken your case.

    And all this coming from a person that refuses to switch to any other browser simply because I just love the way IE does things. All things! I know how to use security zones and I have only had problems with spyware once. Once I took care of that, I haven’t had any problems.

  188. Nyx says:

    I can speak from experience that firefox is a hundred times more secure than IE. Not only is it less vulnerable to the copious buffer overflow and other attacks, it is much more intuitive than other closed source systems (not to mention that bug fixes are thousands of times faster). Also, Peter, if you can’t figure out how to disable a plug-in then you are more illiterate (sp?) than I gave you credit for. Check out http://www.getfirefox.com and http://www.hackermedia.com!

    Nyx

  189. aresident says:

    how can i trust microsoft? honestly, what makes a multinational corporation more trustworthy than a bunch of open source free-software programmers? tell me, please, i’m dying to know why making a lot of money means ‘integrity’.

  190. The reason why you most likely were downloading from an .EDU site, was the fact that bandwidth isn’t free, and the Mozilla Foundation survives off of donations… Ever heard of Mirrors? Ever heard of MD5 to verify integrity of files? Oh wait, you use Windows -ONLY-, I guess you haven’t!

    Let’s think about this for a moment too… If I install a bad ActiveX file (equivalent to a FireFox Extension as far as portability). I could have my entire Machine hi-jacked. But from what I’ve seen, if I were to install a bad FireFox Extension, it would merely hi-jack just the browser, not much else. FireFox limits its features to itself (trapped in a sandbox).

    What’s worse, losing just a ‘browser’, or losing your entire Machine, possibly saved passwords and banking information (if you use other Microsoft products)? That’s a tough one, let’s do lunch and compare notes!

  191. Chtulu says:

    If people can’t figure out who to trust, or understand the risk, then that is nobody’s fault but their own. Firefox is free, and comes with no warranty. If it did, I could understand the requirement of digital signing. It is the user’s responsibility to understand the risk and deal with it appropriately. Freedom comes with responsibility. If they want to live under the software dictatorship, then they can keep paying to do so, and remain ignorant to the technology they use.

    The security in firefox is that it is not integrated into the OS so deeply that uninstalling it is impossible. Another pro is that it doesn’t install anything without prompting. And the browser IS open source, so if someone wants to make known a bug in the code, they can. And they can patch it if they want to. Any submitted patch can be examined by ANYONE.

    You can’t argue that IE is the root of all spyware problems due to its inefficient design and integration.

  192. Keith says:

    Well, my parents and in-laws, both sets are fairly unsavvy computer users. Not geeks at all. I’ve had to remove around 70 pieces of spyware and viruses from their PCs at least twice while they were running IE. The last time, I installed FireFox. Admittedly, I wondered if they would be able to handle a browser that, yeah, might be a little less average user friendly, but I didn’t want to waste any more of my life removing viruses and spyware. Since I installed it (and Thunderbird, as well) they have had no instances of spyware or viruses. Go figure. I’d say, 70 million points for Firefox for saving me hours of fixing their PC, and Microsoft needs to go back and rethink its design practices.

  193. Tom says:

    You know, I never rely on ANY ms warning about security from Ie. If microsoft spent as much time hardening their browser as they do bloating it out with all kinds of cryptic security warnings then maybe it would be semi-trustworthy. MS hiding behind a shield of "security" is laughable. IE is the problem, and MS still has NO SOLUTION.

  194. Jon_K says:

    Ever heard of MD5?

    [The MD5 algorithm] takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

    This is how security and integrity of firefox is maintained — md5.

    To learn even more about how to use it in linux type man md5sum, wait, do they even have Unix based machines in Redmond?

  195. Andy Habel says:

    The simple fact is that I’d much rather trust an open source application where the code is public and subject to scrutiny than a closed source browser known to be riddled with many bugs and security holes, some which still aren’t patched to this day. Yes firefox asks you if you want to install software/plugins which is a minor security risk to novices. Compare this to internet explorer where you can get code run on your machine simply by visiting a malicious website.

  196. cork says:

    A few things:

    1. You don’t have to fool customers "into downloading spyware or adware on to their computers." I remember reading about a bug in IE (although I admit it may be fixed now) where HOVERING OVER THE LINK installed software. That’s a world of difference from fooling them into downloading something consciously and installing it.

    2. As you pointed out, you can verify you got the correct program by checking the MD5 hash.

    3. And as you yourself point out, just because the MD5 hash is correct, or just because it’s signed doesn’t mean that the program is not some nasty virus/adware/spyware crap. I remember getting a pretty dialog box once indicating that the software I was getting ready to download and install was certified by Gator….

  197. Superman says:

    Perhaps Microsoft should be a little less concerned over the security of Mozilla’s software and be a little more concerned about the security of their own.

  198. Peter Torr says:

    I am allowing all comments that aren’t completely full of swear-words, but I have to go home and eat something now, so there will be a delay in your comment appearing…

  199. Ben says:

    Hey bud, your code (html & css) is all messed up…

    For instance, why insert "clear="all"" in the break at the end of "page at http://www.mozilla.org/products/firefox/."

    This is what’s making the page render improperly, and I can’t see any reason to do it in the first place…

    Why not just end the paragraph, or just make a plain break?

    As for the layout, it looks like the CSS that MSDN made for you doesn’t make much sense. I’d give the left list an absolute position and width, not float it. Then you can do pretty much everything else you’re doing with no problem.

    Your site is the whole reason I want people to use Firefox. If miscoded sites like yours look like crap, perhaps you will take the time to learn how to code properly, so I don’t have to live with IE’s piss-poor UI and security just to read a web-site.

  200. u blow says:

    "Hmmmm, wait a minute. I went to http://www.getfirefox.com, not mirror.sg.depaul.edu. I don’t have any idea where that place is, and it sure makes me nervous."

    Hmmm, wait a minute. I was on this one site and it had a link to http://www.micirosoft.com so I clicked on it and showed http://www.microsoft.com in the url bar…but for some reason after I downloaded this one file I got a trojan on my computer and my security was compromised.

    Yea, I just love my built in phishing exploitable webbrowser that still isn’t patched yet!

    way to go microsoft!!!!!!

    and you whine about a mirror for file downloads hah!

  201. Me says:

    Although you do present some problems with the naming of the mirrors, and a small glitch in the installer dialog (even though i never had that problem) I still believe it does not outweigh all the security flaws found in i.e.

  202. Before I say anything else, I will mention that there are some perfectly valid points here, and I can understand both sides of the argument. However, I tend to prefer open-source for so many reasons – it just fits me better. Right now I use Slackware Linux (www.slackware.com) and think it’s the best ever created.

    Microsoft is horribly insecure, I won’t deny it. I only keep my copy of Windows installed so I can play "The Sims," and even then I’m hoping ReactOS (www.reactos.com) will eventually mature enough to support it.

    Open-source is done by the people, for the people, instead of by a company, for money. If you don’t trust open-source, I don’t think you can really trust anything.

    By the way, this page renders just fine on my laptop in Galeon (http://galeon.sf.net) which is Mozilla-based.

  203. 1. Do you trust these "enthusiasts"? I know that a lot of them are well educated, Phd wielding, CS gurus. But I also know that there are a bunch of incompetent/untrustworthy individuals as well.

    Sort of like the programming staff at Microsoft, huh?

  204. IhateM$ says:

    Asshole. You are just a parasite, and you don’t deserve an excellent software like firefox. Try your stodgy, wormlike IE and be slap-happy. Talking about paranoia, the world you live in is called M$Paranoia. Go and fcuk yourself.

  205. steve says:

    Wow, My confidence in MicroSoft Software has increased substantially.

    Can I get my IE6sp2 for my Windows 2000 customers today? No, wait, I have to purchase a Windows XP licence and install that. I’d rather take the easiest option of installing Firefox than forking more cash over to MicroSoft and then downloading 200+ megs of signed Updates. 1 unsigned update vs 200+ megs of signed updates, who do I trust?

  206. Why don’t you write about all the flaws and months it takes MS to fix them as opposed to the days it takes the mozilla team? I know, because your site could not support the bandwidth for your frivolous nitpicking.

  207. Um, so you don’t trust firefox because IE gives you warnings? Depending on your IE config, you’ll get warnings on every site. C’mon.

    Besides, don’t know what weird stuff you’ve got going on with your box, as Firefox installed beautifully on my brand new xp install…

  208. Rohit says:

    Some of the points mentioned in the post are true. I guess that these worries will be taken care of and make a better Firefox. And nah no chance of switching back to Internet Explorer.

  209. Goblin says:

    All in my opinion:

    I’m posting this from Mozilla 1.7.5 which I downloaded from Mozilla’s ftp and compiled from source. It was very simple. You see, with Linux I’m not stuck with clicking through an install, I can review the code (which is already reviewed by thousands of people) if I choose and configure options that I want, compile it myself and use it in a matter of minutes. Or, if I want, I can download the installer from Mozilla’s FTP and use that without having to compile. The same applies to Firefox. Have you tried this yourself? Hmmmm?

    I gave up using Windows a long time ago and I’m switching over as many people as I can every day to Linux. Guess what? They love it. People are opening their eyes and seeing that they can use free, open source programs for Windows. Guess what? That’s leading them to discover a free, open source Operating System: Linux. Everyone I know who uses Windows has to run several applications to keep their system free of spyware/adware/viruses/trojans/keyloggers, you name it. Everyone I know who uses Linux does not.

    "If a bad guy can persuade you to run his program on your computer, it’s not your computer any more" And that’s one of the reasons why I run Linux now and not Windows. :)

    Here’s something for you to blog about: "Unbending the Truth: Things Microsoft Hopes You Won’t Notice" http://www.novell.com/linux/truth/

    With Linux I have a choice, with Windows I found my choices were limited. MSIE? I wouldn’t use it even if I was paid millions of dollars to. MSIE is closed source, right? So how can anyone outside of Microsoft look over the source to see if there are no backdoors? Who do we trust? Trust? Trust is EARNED. The way I see it, with all the patches that are on Windows Update which mention fixing remote exploits (maybe using a different term) how many other remote exploits exist? How many years did it take before all of these issues were discovered and resolved since WinXP launched? How can I as a user feel safe using MSIE knowing that programmers like me cannot look at the source code? With Mozilla, Mozilla Firefox, Thunderbird, and thousands of open source programs like it, I and others CAN examine the source code and we do. TRUST can be built upon that. I do not blindly trust any company to provide me with a secure closed source product, just as I do not trust in an invisible god.

    Of course, I’ve been into computers well before Microsoft was around, and I explain to everyone I turn on to Firefox and/or Linux that there is a better and free choice.

  210. prasams says:

    But by using Firefox, I am downloading something and installing that in my machine. But what about firefox? But with IE without my knowledge everything happens. Everyday I am coming out with some Toolbars, some new processes running in machine.

  211. Anonymous says:

    How can I trust IE? Fuck you.

  212. rob says:

    How can I trust Internet Explorer? Internet Explorer will install signed binaries from adware companies behind my back using unfixed flaws in the browser.

  213. AFC says:

    After trying firefox for the first time, I NEVER went back to using IE. IE sucks! Why? After IE won the Netscape/IE war it virtually stayed unchanged, no new features/innovations. WTF? That tells you something about MS! Bunch of shit man

  214. Bryan says:

    Great article. It’s amazing how folks jump on the anything’s better than IE bandwagon without looking into the details. FF is good, IE is good. It’s a subjective choice, but to claim Firefox is the all together most secure browser is well …very slashdot.

  215. A real user says:

    Your comments are disingenuous. Many of the spyware installs DON’T inform you that they are installing themselves but utilize security flaws in IE and install themselves without user intervention.

    That’s the best comeback you have against firefox–code signing?

    Only a MS flunky would focus on a problem that even MS hasn’t even solved.

  216. William Door says:

    Has everyone noticed that when Microsoft can’t compete they begin blasting FUD with both barrels? This has to be the most stupid complaint that MS-FUD generators have come up with to date.

    Get a life MS – and you might want to use Firefox to do it!!

  217. /. says:

    to Jon_K check out this slashdot article : about the MD5 being ‘broken’

    http://developers.slashdot.org/article.pl?sid=04/12/07/2019244&tid=93&tid=172&tid=8

  218. anonymous says:

    Well first off, even if your Firefox was a bad binary, if it’s able to escalate its privileges and do bad things to your system… guess what, you have a bad operating system.

    And it’s your fault for downloading from a bogus mirror in the first place.

    The mirrors in the pool at mozilla.org should have packages that match the checksums posted on the site. You can verify this with a free copy of md5sum.

    And those extensions you talked about? If you were running a real operating system with real security (aka some flavor of UNIX or just anything that manages to distinguish between users and administrators and properly implements filesystem permissions) those extensions would, assuming you were sane and ran firefox as a normal user instead of the superuser, install to and execute from your profile directory inside your /home tree. They then would only be able to screw up your files, not the entire machine.

    Yes, IE pops up more warning dialogs, but they’re pointless for two reasons:

    1) Granny is much more likely to click "OK" to make the confusing dialog box to go away so she can visit whatever site she was trying to get to in the first place

    2) Those of us who take the time to read them won’t be using Internet Exploder in the first place.
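    As an added example (not code from the original post or from any commenter), here is what the checksum verification described by Jon_K (#194) and by the anonymous commenter (#218) looks like in practice, including the caveat behind the Slashdot link in #217: a matching MD5 proves the mirror served the bytes the project published, but MD5 has known collision attacks, so a SHA-256 or signed list is preferable. The checksum-list format assumed is the one GNU md5sum/sha256sum write; all file names and file contents below are constructed sample data.

```python
"""Verify a downloaded file against a published checksum list (added example,
not code from the original post or its commenters). Assumes the checksum list
is in the format GNU md5sum/sha256sum write: "<hexdigest>  <filename>" per line.
All file names and contents below are constructed sample data."""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

# Map hex digest length to the hashlib algorithm that produces it.
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}
# Algorithms with practical collision attacks: a match still shows the mirror
# served the bytes the project published, but not that those bytes could not
# have been chosen to collide with something else.
_COLLISION_PRONE = {"md5", "sha1"}


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse md5sum/sha256sum output into {filename: hexdigest}.

    Accepts text-mode ("digest  name") and binary-mode ("digest *name") lines,
    skips blank and comment lines, and rejects anything else rather than
    silently ignoring it.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed checksum line")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) not in _ALGO_BY_HEXLEN or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"line {lineno}: unrecognised digest {digest!r}")
        entries[name] = digest
    return entries


def digest_file(path: Path, algo: str) -> str:
    """Stream the file through hashlib so a large installer is not read into RAM."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, checksums: Dict[str, str]) -> dict:
    """Compare the file's digest with the published one and return a verdict."""
    expected = checksums.get(path.name)
    if expected is None:
        return {"ok": False, "algo": None, "reason": "no published checksum for this file"}
    algo = _ALGO_BY_HEXLEN[len(expected)]
    actual = digest_file(path, algo)
    ok = hmac.compare_digest(actual, expected)  # constant-time string compare
    if not ok:
        reason = "digest mismatch: not the file the project published"
    elif algo in _COLLISION_PRONE:
        reason = f"match, but {algo} has known collision attacks; prefer a SHA-256 or signed list"
    else:
        reason = "match"
    return {"ok": ok, "algo": algo, "reason": reason, "expected": expected, "actual": actual}


def demo() -> Dict[str, dict]:
    """Constructed scenario: one intact download, one altered download, one file
    covered only by a legacy MD5 line, and one file the list does not mention."""
    published = b"MZ constructed-installer-bytes, not a real executable\n"
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "good.exe").write_bytes(published)
        (d / "tampered.exe").write_bytes(published + b"\x00extra")
        (d / "legacy.exe").write_bytes(published)
        # The "published" list is built here from the intact bytes, so its
        # digests are correct by construction.
        listing = "\n".join([
            "# constructed checksum list",
            f"{hashlib.sha256(published).hexdigest()}  good.exe",
            f"{hashlib.sha256(published).hexdigest()} *tampered.exe",
            f"{hashlib.md5(published).hexdigest()}  legacy.exe",
        ])
        checksums = parse_checksum_file(listing)
        names = ("good.exe", "tampered.exe", "legacy.exe", "unknown.exe")
        return {n: verify_download(d / n, checksums) for n in names}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'OK  ' if verdict['ok'] else 'FAIL'} {verdict['reason']}")
```

    On a real download you would feed `parse_checksum_file` the list fetched from the project's own site (not from the mirror) and pass the saved installer's path to `verify_download`.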

  219. John C says:

    HAHH HAH HAH you just made a fool of yourself.

    If your title is dev, that’s a shame. A Shame because that is a false title.

    You attempted to test software inside a Virtual machine.

    Your Virtual machine doesn’t seem to handle Windows which is a shame, because it caused most of your issues, not the installer.

    But being a brave soul didn’t have anything to do with how smart you are.

    Being a brave soul made you post this knowing you would be the butt of all the jokes in the office.

    How can you trust firefox? obviously you have been misled by software you do trust, so much so that you don’t see the good within firefox and open source.

    Your trust of microsoft (I.E. and VPC) has led you to creating a seriously flawed attempt at attacking FireFox.

    Open your eyes, Firefox is better.

    Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.Firefox is better.

    Firefox is better.

  220. Nick says:

    How can you trust that your loved ones won’t kill you in your sleep…

    Baited and pure flame and like so many of these browser (or insert some fandom based software/hardware/console/car) you can bet the fan boys will google up many answers to rebut your arguments.

    But like anything worthwhile debate will only bring about harder competition, which means better browsers for all.

    Good post, but maybe a little more thought and research next time.

  221. Dada says:

    If this FUD is intended to scare people from switching to FireFox, I believe it will be counterproductive because the more the FUD is debunked and facts are openly discussed (IE scaring insecurity for example), the more people will know that FireFox exists, try it and find it superior to IE.

  222. rob says:

    your very first paragraph shows that you are an idiot:

    DePaul University? never heard of it, eh? have you ever *been* to a university? or are you just another uneducated hack?

    and a "bunch of kids" running the servers? i think not. you obviously don’t know how the Computer Science departments operate at a major university.

    your "article" is just another load of pure flamebait crap. certainly not worth the time to read

  223. How can I trust an article about security flaws in Firefox from a guy that works for the King of Security Flaws…Microsoft? Hypocrisy at its finest! Here’s some advice…spend more time writing code to fix all your company’s security flaws instead of spreading FUD about your competition. No one outside of M$ believes a word of what the Ballmer Boys are spreading around regarding network security. The bottom line is that some of us HAVE to trust Firefox, because we KNOW we can’t trust Internet Explorer. Now if only Mozilla would come up with a replacement for Outlook that works with Exchange Server!

  224. Dean says:

    It’s good to see the microsoft marketing machine adopting new ways of pushing bad software. After all, it’s not about the software most of the time, it’s about the marketing.

    Those of us that know better will ignore this kind of uninformed and divisive rubbish.

  225. WIN says:

    it is very sure firefox can be trusted more than IE… this is my point….before this with IE there was always adware although i never browse & save from unknown websites… but with firefox (3 months already)…i am running without any adware program….and just for your info i totally removed IE from my WinXP

  226. Dan L says:

    I’m a Student Ambassador to Microsoft, and promote VS.NET on campus. However, I’ve switched to Firefox and have no intentions of going back. Why?

    1) RSS feeds built into browser

    2) faster than IE in loading my favorite websites (use MOOX version)

    3) more secure – I’ve been incredibly close to installing all those wonderful browser toolbars unintentionally in IE whereas this never has happened in Firefox. I’ve seen a friend who’s never been viewing P0rn or other related sites who’s picked up these browser hijacks that take hours to fix (Adaware, etc. etc. still didn’t work to eliminate it until I went into the registry).

    4) tabbed browsing – I really love it now that I have it.

  227. R says:

    I got a good chuckle from the ominous dialogs that IE throws up to cast doubt on legitimate open source programs such as Firefox, while it does absolutely nothing to protect users from worms, trojans, adware, spyware, or any other form of electronic vermin.

    I also found it interesting that the basis of your argument seems to be that Mozilla.org can’t be trusted because it doesn’t work the way IE does. Oh, sweet irony!

    I’m writing this on Firefox under Linux (the page renders just fine, by the way), which I installed from a Debian package. Now there (Debian) are people I can trust. After a dozen years as a Microsoft user and developer, I finally came to understand that all I could trust MS to do was to always place their needs ahead of mine, and to charge me dearly for the privilege of knuckling under.

  228. Jay Loden says:

    Peter Torr:

    "murphee — thanks for the link; did the NYT ad tell people what SHA1 sums were and how to use them to verify the correctness of their download? (And if it did… did anyone understand?)"

    No offense, but the entire point murphee was making with his post, was a) it is NOT impossible to verify the firefox binary and b) users have absolutely no idea what a signed certificate from Verisign means any more than a SHA1 or MD5 hash, so your reply is rather superfluous and redundant.

    I hate to burst your bubble, but a digitally signed piece of spyware isn’t safer than an unsigned copy of Firefox. The bottom line is, until a fundamental infrastructure change on the Internet takes place, no amount of half-assed solutions like digital signatures from a monopolistic entity like VeriSign will solve anything. By the way, do a poll of some end users sometime and see how many even know what in the hell VeriSign is or what they do.

    -Jay

  229. Kukurio says:

    I wonder if a non-profit organization can sue for reasons of slander/libel in the U.S. I guess not, since there are no actual monetary damages.

  230. kourge says:

    As you can see, Mozilla.org redirects you to a trusted mirror when you click on the Download link.

    Although the UI designs of Firefox are considered unsafe, the software framework is secure.

    Unlike Internet Explorer, which has a considered safe UI, but an easy-to-exploit engine with lots of security holes discovered constantly.

    And, comparing Firefox’s installer is pointless. Internet Explorer comes bundled with Windows, so Internet Explorer doesn’t need an installer.

    To be more precise, bundling Internet Explorer with Windows is as bad as unsigned plugins without suggestions. Users have no idea that the Windows installer will also install Internet Explorer with Windows.

  231. Az says:

    When using IE I got spyware and malware galore even when I cleaned it, it just came back. The minute I cleaned my system and began to use Firefox no more problems. I will NEVER go back to IE it’s such a horrid piece of crap. I recommend Firefox to all my friends when their computers break from so much crap that gets installed from them using IE and you know what? They LOVE Firefox and their systems do too! After a good scrubbing to get the crap installed from using IE out of them and then the switch to Firefox their system stays clean! Double fist for Firefox and NO FIST for IE because it’s a weak POS!

  232. Free Frag says:

    How can i trust firefox?

    Ans A IE = SPYWARE, ADWARE, TROJAN, HIJACKS, VIRUS

    Ans B FF = NO PROBLEMS AT ALL.

    Simple as daylight people.

  233. If you’re so paranoid about it, download the source, review each line (it might take a few months…), and compile it yourself. Why? Because you can. Oh, wait, you M$ people not used to source code? You think the only thing available to the end-user is in binary? Think again.

  234. Travis S says:

    Apparently, Microsoft has their employees’ balls in a clasp if they have to suck up this much.

    That whole article is a pretty lame thing to write about (though the arguments brought up are valid). The last thing MS needs to do is start a flame war on why IE is secure and FF is not.

  235. JOe Press says:

    To Quote you:(Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer any more.)

    Isn’t that the Microsoft Business plan?

  236. perianwyr says:

    If you want to do some good in the world, get IE standards compliant posthaste. I look at the security issue as a good way to get end users to start using what ends up being a superior browser from my standpoint as a developer.

  237. Fioric says:

    People, just give up on using Firefox on Windows, ok? IT IS WAY BETTER THAN INTERNET EXPLORER (Put any version you like here). But it’s just not worth it, Windows will still suck. Instead, try getting a Linux Debian (www.debian.org) or a FreeBSD (www.freebsd.org).

    Why? Simple, because Debian and FreeBSD have a list of programs they tell you it is safe to install.

    Take a minute browsing.

    Debian package list: http://packages.debian.org/stable/

    FreeBSD package list: http://www.freebsd.org/ports/index.html

    Why should I trust them when they say it is safe?

    1 – Because they want their Operational Systems to be used.

    2 – They’ll try to make you have a good time using their OSes, so you’ll keep using them.

    3 – Since they want you to have a good time, they won’t be telling you to install trojaned software or spywares, because people tend to hate spywares and trojans.

    By the way, how to install programs in those operational systems?

    Debian:

    apt-get install firefox

    * This single line on the command prompt (terminal) downloads, uncompresses and installs firefox on your computer.

    FreeBSD

    cd /usr/ports/www/firefox

    make install

    * Those two lines download, uncompress, compile the source code for the program, and install firefox on your computer. After that, if you want to get rid of the source code (after all, it already got installed) you do

    make clean

    There, here’s how to install a program on your computer in those operational systems. Also notice that you simply won’t be installing stuff by accident on those Operational Systems.

    Just make sure you know what equipment your computer has before killing your Windows, ok? (if you have the manuals for your computer cards and peripherals, you’re all set)

  238. Jon Haddad says:

    Sorry man.. but your analysis of the situation is pretty lame. I really wouldn’t expect much else from someone on the inside of MS.

    I hate to tell you this, but just because a file is signed does not tell you anything. I would rather trust the firefox web site than the credibility of Microsoft, which I would rather switch professions than develop for.

    You are a joke, and so is your browser.

  239. Sum Juan says:

    he is running a Mac after all

  240. Fioric says:

    Oh, crap! I should have figured there was moderation on this. After all, the last thing you guys want is people dumping Windows for a real Operational System.

    Anyway, I’m off.

  241. I can’t decide if you’re so cut off from reality in M$oft Land or if you’re just trying to impress your manager by taking a shot at FireFox

    Dude, you’re not paranoid enough. His boss asks him to put up a troll, they collect the responses and bingo! They have a list of missing features and things to fix for IE 7.

    It’s dirt cheap market research.

    Repeat after me: "I love Internet Exploder just the way it is!" and hope they don’t notice that it’s Firefox you’re posting with.

  242. I am so glad you pointed out the dangerous threats of "numerical IPs". hahaha.

    Is this load of MS FUD the best you could come up with?

    This is ridiculous, and will not work on any reasoning, rational computer user.

    Gee, I wonder why MS is pushing a purchased certificate system as an attack on free OSS.

    One day, MS may try to operate with some dignity, but with blogs like this, and that dodgy TCO report, they are losing more and more respect.

    Shame on you.

  243. Mancow says:

    Having installed Mozilla hundreds of times on machines running various incarnations of the living/breathing memory-leak that is Windows, on machines of different makes, models, hardware; I stop and ponder to myself: Why have I not once seen anything like you describe? Perhaps the 5+ spyware processes and 20+ modules loaded are causing a little havoc with your setup? Perhaps you should follow warnings that have been drilled into our cerebral cortexes since first moving a mouse that anti-virus software may cause conflicts? Pay my flat fee of $200/hr and I’ll gladly find out what ails you (even if it involves a fresh install, which works wonders!)

    Just because you work for the beast itself, you must be obligated to defend the hand that feeds you — or get fired like Microsoft-employed bloggers of seemingly hallowed antiquity.

    MD5 hashes are good, but have come under fire lately for collisions and whatnot. You know your geek news sources, find the links yourself. Although sums of binary executables are a good idea nonetheless. And guess what, it’s free! Just because you don’t have to buy it like you do digital certificates, which have proven to be ineffective in the past due to various flaws (mainly in IE that allow for certificate spoofing), doesn’t make it inferior or less effective.

    You’re worried about spammers and phishers? How about a little less blogging and a little more brainstorming with your co-workers about eliminating the system-level vulnerabilities that permits 500 new worms this month from finding a home?

    Some of my clients most plagued by spyware have been 99% spyware free since I *forcefully* switched them to Mozilla and eliminated as many traces of Internet Exploder as possible. I’d be willing to bet a fair percentage of those 10+ million downloaders are as jubilant as I am that there is finally an alternative to the force-fed garbage that comes with every hour-long (hour plus, even) Windows installation.

    On a final note, digital signing and trust situations would be good if 95% or more of internet content was digitally signed. But this is the real world, and the percentage is nowhere near that. Maybe in a perfect, Windows-less world…

    I digress, since it is highly unlikely that any intelligent soul that wanders here in an attempt to shed a little truth on your misappropriations will make a dent in your brainwashed ways. God bless America, where it is as easy to get into a cushy, high-paying job for a monopoly by knowing the bare minimum and being good with smoke and mirrors, as it is to become a drug lord.

  244. WildFire says:

    Pot calling the kettle black. As long as there are uneducated end-users, nothing will be secure.

  245. Joe says:

    Someone up above asked

    What makes Firefox the best browser?

    One: Internal pop up blocking. Never see another popup again. Ever.

    Two: Tabbed browsing. Want to read detailed news articles from a group of headlines? Open every one in a tab, and avoid clicking the back button 6 times to read the news

    Three: Extensions offer ways to add functionality without the spyware. Extensions allow you to check your email, get the weather, control a media player, all without leaving the main window.

    Four: Default search is google, not MSN. That’s a matter of opinion, but i like google better.

    Five: Better icons. Again, opinion, but firefox looks classy.

    Six: Be popular with the slashdot crowd. Slashdot owns. Why do you think this flame inciting blog has more than 5 comments on a story? Hint: slashdot.

    And it’s cheating to test anything in virtual PC. Nothing works in those. Saying IE doesn’t work cause it doesn’t run on Sun boxes is no better than this, except you’re paid to agree with these statements.

    You Nazi.

  246. Me says:

    Lots of talk about ‘trust’ here…

    Personally I put no trust in this article as the author can’t even write standards compliant HTML.

  247. Oli says:

    This article is pure bullshit and its content should not be taken seriously! This is just too pitiful.

  248. user says:

    (Always remember the Ten Immutable Laws of Security, and in particular Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer any more.)

    you’re right… how did I ever let myself get "persuaded" into running anything (from) MS?

  249. Mancow says:

    NOTE: In my comments, I don’t specifically name FireFox (rather calling it Mozilla), but I think the focus is there despite my screwups.

  250. you’re really pathetic. despite whatever your disclaimer at the top states, if you live in some sort of reality where IE is the more secure alternative to firefox, and that reflects the thinking inside the sunless warren of MS, then you’re all going to circle jerk yourselves into irrelevance like a certain company that recently had to sell their PC division to kiss the ass of some rising foreign nation.

  251. Eli says:

    I think most of the people commenting here are completely missing the point behind this blog entry. And yes, it’s a blog, not a formal essay on Firefox security. Peter walks through downloading, installing, and using Firefox from the perspective of a random user referred from the New York Times advertisement, not some computer enthusiast with the time to check his downloads against MD5. Despite targeting Windows, Internet Explorer-using users with this advertisement and touting enhanced security, Firefox fails to comply with the simple security paradigm, signing executable binaries. By encouraging users to download unsigned code in its advertisement, Firefox is trying to undo what Peter likely makes his job, encouraging users to be cautious with what they download and avoid unsigned programs.

    Yes, signed code is generally a "Windows thing" and Firefox is a cross-platform browser but the vast majority of users are likely running it on a Windows platform and Firefox should at least make an attempt to follow Windows security paradigms and sign its code. The user interface choices made by Firefox fall into this same category.

    And what’s the deal with everyone commenting as if Firefox is completely free of security vulnerabilities? Weren’t there SEVERAL buffer overflows discovered in the HTML parser just over a month before 1.0 was released?

    See: http://www.securityfocus.com/archive/1/378632/2004-10-15/2004-10-21/0

    Also apparently there are 4 unfixed vulnerabilities in Firefox right now:

    http://secunia.com/product/4227

    Is Firefox better than IE because it has LESS unfixed vulnerabilities? It still has holes regardless and will have more in the future. If Firefox’s exposure were even close to matching IE these numbers would likely skyrocket and they will be more likely to be exploited as well. If I were you, I’d be trying to keep Firefox usage down; its biggest advantage is its limited use.

  252. Henk says:

    There is a known issue with Microsoft Virtual PC causing blank dialogs in specific cases. Restarting the VM solves the problem. I haven’t seen it appear in the MS Knowledgebase yet.

  253. Jack Tor S says:

    I would like to thank you for that very enlightening article. It seems that the liberal media vies to take control of the Internet by replacing corporate browsers with their "free" and "open" browsers, along with their so-called "standards", which are a mess compared to the privately-developed standards which have made (and still continue to make) Internet Explorer the dominant browser in the market. A market share over 90% isn’t a monopoly, it’s a sign of success.

    The Libertarian Party is right behind Microsoft to stop the deceit behind these government-imposed economic policies. If you would like to learn more about me, please visit my blog: http://votebadnarik.blogsite.org/

  254. -O3 says:

    Well "ptorr", you did the first step, you tryied Firefox.

    Some issues about Firefox you said can be solved using an OS you can trust. The others (if you still think they are issues) you can solve by yourself or request to firefox coders if you aren’t competent to do it by yourself.

    Well, I have a suggestion for you: start your test again and look at the good things of Firefox compared to IE, it’ll be much more productive for you. But please, use a decent OS.

    BTW, what you do at MS?

  255. Zach Jacobs says:

    I think it’s kind of funny how you neglect to highlight the browser’s features and only complain about the download not being "secure". You have had many responses to your "insecure" download, pointing out MD5 hash, etc to verify the authenticity of your download. I could care less if you say firefox is less secure. I know for a fact it keeps spyware off my computer. Who are you trying to satisfy yourself or the end user (me)??

  256. James says:

    Oh boy saying IE is more secure than Firefox? Would you like some piss to drink, along with the fresh plate of bullshit?

    For one, Firefox had a minor security hole, that was patched within 12 hours, IE still has more security holes than I can even comprehend being in something like a browser. Hell, at least you can uninstall Firefox if you don’t think it’s good enough for you.

  257. Eddy says:

    Folks… just because you use IE doesn’t mean you will get spyware on your machine. My parents for example have never had a single problem with their machine… they run as normal users (not admin), have a virus checker and sit behind a windows firewall. Problem free. There’s no need to switch to FF.

  258. tool says:

    you’re such a tool..... perfect example of why I wouldn’t trust using software from a company that has workers with your mindset and lackluster facts. You should have researched a bit more thoroughly before blogging away your ignorance.

  259. Your MOM says:

    Well at first I get the impression that you are a windows programmer and you are just trying to keep people from using another web browser. But after reading farther I have come to the conclusion that you really don’t have any clue what you are talking about. You used the web browser for a minute and say that it has all these vulnerabilities and that you MUST download all these plugins. Which is not true at all; you don’t have to do anything, you can download it and use it just fine. I don’t know why anyone would want to see all these flashing advertisements and what not. And there are ways to get back your warnings (why you would turn them off I really don’t know), but hey you always have the excuse that you are a windows programmer. As for the "Downloading back doors into your computer", there are always back doors, all you have to do is look hard enough, but if you are going to say that IE is anywhere near as safe as FireFox You Are Wrong. Using FireFox does not grant access to your ENTIRE computer (if running a windows OS) because we all know windows uses IE for EVERYTHING. Windows also gives stupid warnings for everything and "Unsigned binary" It is LINUX software made for windows and it is Open Source. OF COURSE IT IS UNSIGNED. Yes random web servers allow people to have a chance to mess with the code, but we don’t live in a perfect world. With that said I will end my comments, But please I know my form is not good and maybe I have some stupid points but it is late and I have been up for almost 24 hours so I am tired and wanted to just put some random thoughts of mine in. Oh yes and I am writing this From a SuSE9.2 Box. For those of you who don’t know it is a Linux Distro.

  260. x says:

    What a wonderful piece of comical MS propaganda. Thanks, I need the laugh.

  261. Aaron says:

    Nice blog post about Firefox. It’s obvious you put a lot of time and energy into it, and for that, I thank you.

    There are some things that I thought should be brought to your attention:

    1) When IE popped up that dialog asking if you want to run or save the exe, you probably should have clicked save. Then you could make sure your virus scanner had checked the file (BTW: from the comments, it looks like it was your virus scanner that caused the blank dialog box, not Firefox).

    2) The 7-Zip error was ugly, but was caused by 7-zip (a different program) because for some reason you ended up with an incomplete file (hey, it happens). Yes, 7-zip is packaged with the Firefox installer. It compresses the file much like MSI. I’m sure the dialog will eventually be made more informative, but really… it wasn’t a security bug, it was a user interface bug.

    3) Those aren’t random sites that you’re downloading Firefox from. They’re mirrors. If you can’t trust the mirrors, then you couldn’t have trusted the original site (mozilla.org). How do I know I can trust IE? It comes pre-installed with Windows, and it starts out full of security bugs. Millions of people have gotten adware from IE which is delivered from Microsoft. I don’t know of anyone who has gotten adware from Mozilla Products. I’m not saying that it can’t happen, but since most of the people I know use Firefox, it does seem a bit odd. Who should I trust more: mozilla.org, or microsoft.com? For now, I’ll trust Mozilla.org.

    4) I wouldn’t say that the default behavior is to install unsigned extensions. The default (and only behavior that I’ve found) is to prompt you if you want to install the extension. It even has a little timer to make sure that you’ve had enough time to read the warnings and click the right button. On top of that, it won’t install extensions unless they’re from a trusted site. The amazon extension you’re installing is very clearly coming from mozilla.org. Again, I’d trust mozilla.org over microsoft.com anyway, and yet to get my windows updates I have to allow ActiveX from microsoft.com.

    To respond to your closing points:

    ·Installing Firefox requires downloading an unsigned binary from a random web server

    Not true at all. See point 3 above (the sites aren’t random), and other comments pointing out that you can download it directly from the mozilla ftp site if you want.

    ·Installing unsigned extensions is the default action in the Extensions dialog

    Not true either. (Point 4) That’s just the default button after you’re clearly warned. If the extension automatically installed without a dialog at all, then you’d have a point. (Sort of like IE’s behavior for ActiveX once you’ve said you trust a site.) Honestly though, I think it would be nice if the Mozilla people changed the default button to Cancel, but it’s not really a security issue.

    ·There is no way to check the signature on downloaded program files

    I think other comments addressed this. You can’t trust signatures to protect you, a signature only tells you where the download came from, and you already know that because Mozilla does tell you that. If someone wants to install a certificate on their site, that’s a perfectly valid way to prove who they are.

    ·There is no obvious way to turn off plug-ins once they are installed

    Maybe it’s obvious, maybe it’s not:

    Tools->Options->Downloads->Plug-Ins

    I was able to find that in less than 1 min. I honestly spent twice as long looking in IE for a way to turn off plug-ins, and I couldn’t find one. How for example, can I disable Quicktime in IE? How many clicks does it take? Do you really think it’s more obvious than how Firefox does it?

    ·There is an easy way to bypass the "This might be a virus" dialog

    And yet, you still have to click the run button. I actually have my Firefox set to not allow me to run the program directly. In this respect, it’s way more secure than IE.

    This should address all of your security concerns, or at least demonstrate that Mozilla Firefox is at least as secure as IE if not more secure. Once you realize that, you should be able to see that Firefox has a much better feature set. I hope you’ll be honest with yourself and admit that Firefox really is a better browser.
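    The checksum-based verification that several commenters offer in place of a code-signing certificate, as an added example written for this page (it is illustrative code, not Mozilla’s tooling or the blog author’s; the installer bytes, the checksum listings and the file names are all constructed). It shows what such a check does catch, including the incomplete file from point 2 above, and what it cannot: a listing served by the same mirror as the file only proves that the two agree, which is the "a signature only tells you where the download came from" distinction in a different form.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded installer (not a real Firefox build).
SAMPLE_DOWNLOAD = b"constructed installer bytes for Firefox Setup 1.0.exe\n" * 64

# One line of an MD5SUMS / SHA256SUMS style listing: "<hex digest>  <filename>",
# with the optional "*" that marks a binary-mode entry.
SUM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*?)\s*$")


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data under the named hashlib algorithm (md5, sha256, ...)."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse a checksum listing into {filename: lowercase hex digest}."""
    table = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line)
        if m:
            table[m.group(2)] = m.group(1).lower()
    return table


def verify_download(data: bytes, filename: str, sums_text: str, algo: str = "md5") -> bool:
    """True only if data hashes to the digest listed for filename.

    A file with no entry in the listing fails closed, and the digests are
    compared with a constant-time comparison.
    """
    expected = parse_sums(sums_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(digest(data, algo), expected)


# Constructed listings, computed from the sample so the example is self-consistent.
MD5SUMS_TEXT = (
    f"{digest(SAMPLE_DOWNLOAD, 'md5')}  Firefox Setup 1.0.exe\n"
    f"{digest(b'', 'md5')}  empty-file.bin\n"
)
SHA256SUMS_TEXT = f"{digest(SAMPLE_DOWNLOAD, 'sha256')} *Firefox Setup 1.0.exe\n"


def checksum_from_same_server_is_not_provenance() -> bool:
    """Shows the limit of a checksum fetched from the same place as the file.

    A server that hands out a different installer can just as easily hand out
    a listing that matches it, so a passing check proves the file arrived
    intact, not who produced it.  Returns True because the substituted pair
    verifies cleanly.
    """
    other_file = b"constructed bytes of some other installer\n" * 64
    other_listing = f"{digest(other_file, 'md5')}  Firefox Setup 1.0.exe\n"
    return verify_download(other_file, "Firefox Setup 1.0.exe", other_listing)


if __name__ == "__main__":
    fname = "Firefox Setup 1.0.exe"
    print("intact download, MD5:   ", verify_download(SAMPLE_DOWNLOAD, fname, MD5SUMS_TEXT))
    print("intact download, SHA256:", verify_download(SAMPLE_DOWNLOAD, fname, SHA256SUMS_TEXT, "sha256"))
    print("truncated download:     ", verify_download(SAMPLE_DOWNLOAD[:-16], fname, MD5SUMS_TEXT))
    print("same-server listing:    ", checksum_from_same_server_is_not_provenance())
```

    The truncated-download case is the one a checksum is really for: it turns the 7-Zip error described in point 2 into a clear "this file is not what was published" before anything is run. Whether the published digest itself can be believed depends on where it was obtained, which is the part a checksum alone does not answer.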

  262. MAS says:

    Your points about non-signed software are valid.

    but for all its precautions about unsigned software in IE, it’s simply useless, because most of the spyware that infects IE doesn’t even ask the user if they want to install it. It has happened to me many times; most of the time the only indication that I get that something was installed is that the download progress bar goes very fast. (yes I use the latest version of IE AND put all the updates from windowsupdate AND keep the security settings at high) It’s useless; IE is so bug-riddled that it might as well not use signed code at all. So compared to IE, yes I do trust mozilla; at least with mozilla I only need common sense to not install suspicious-looking software that comes from suspicious urls. But with IE I don’t even get a choice with some spyware.

  263. Brian says:

    Interesting article, some points I agree with (unsigned plugins, insecure defaults). However, I’ve found in the worst case scenario, that you can delete your entire Firefox profile (in your Documents and Settings dir for that particular user), and remedy nearly all issues.

    As a side-note, I’m happy to see you using 7-zip (another of my favorite Open Source apps for Windows).

    Flaming aside, there are faults to FF, it’s still my preferred browser though.

  264. Adam Cox says:

    I have been using FF for some time and love it. I trust it much more than IE. But even if security and ‘features’ were perfectly on par between the two browsers I would still use FF. Why? Light years ahead on standards compliance. Why do I care about standards compliance? Because I design websites. There are tons of great things I could be doing with CSS but can’t because IE butchers them. Please fix IE and make it compliant. Having to design for IE is stifling and painful. There is so much more I could show off on the web but IE is holding me back. It’s like making a professional painter use crayons.

  265. Brian says:

    I’d like to point out that this argument against Firefox is completely null and void.

    Remember folks, Internet Explorer is the browser that Microsoft suggests you manually type URLs into the address bar to avoid URL-spoofing and a whole myriad of other exploits.

    Reference: http://support.microsoft.com/?id=833786

    Quote: "The most effective step that you can take to help protect yourself from malicious hyperlinks is not to click them. Rather, type the URL of your intended destination in the address bar yourself. By manually typing the URL in the address bar, you can verify the information that Internet Explorer uses to access the destination Web site. To do so, type the URL in the Address bar, and then press ENTER."

    Alternatively, if you’re so worried about where you get your Firefox executable from, do the following:

    1. Download anything Firefox-related ONLY from mozilla.org and other affiliated sites (such as mozdev.org)

    2. In regard to extensions, Firefox 1.0 (by default) comes with no URLs pre-added into the "trusted sites for installing extensions." My suggestion is to do a reality check on the extensions (by reading the comments) and only install extensions from sites related to mozilla.org as I stated above.

    The title of this entry should be relabeled: "How can I not trust Firefox?"

    This is just another sorry excuse by Microsoft to gain back however many users they lost as a result of Firefox. You should take anything this company says with a grain of salt.

  266. blah says:

    Verisign. The same people who brought you sitefinder(tm) when the domains didn’t exist.

  267. Tim says:

    On a side note, I hope this page/site’s design looks better when fed to MSHTML than when run through Gecko. But I guess if you’re bashing a product that’s superior in terms of security, you might as well insinuate that its interpretation of HTML is flawed as well. Great job. Really.

  268. Joe Wollard says:

    The fact that IE can allow an attacker to steal my beloved .NET passport and all of the sensitive data within by using one or two simple lines of javascript makes me feel _WAY_ safer than when Firefox ‘makes’ me download a naughty non-Verisign approved binary. (please see http://shiflett.org/articles/passport-hacking-revisited) I mean seriously, look at the potential for damage to my beloved computer if I get the wrong one! I’d much rather be the subject of a malicious credit card harvester. Thanks so much Microsoft!…….for not making my hard drive sound like a yeti!

  269. albert liu says:

    the most insecure and unstable plugin in my IE did come with a "CERTIFICATE"!!!!

  270. Mark says:

    How can I trust Microsoft, they make some of the crappiest and most buggy software in the world?!

  271. Jing says:

    I don’t think anybody does trust Firefox or Linux or any other open source apps distributed over the net. Firefox users who think they are safer would definitely understand what they are doing when they get hit with malicious software. Let them suffer and see the value behind IE. They will better understand whom to trust, after they realize that firefox folks do not care about their security in the first place.

    I use firefox btw, but I trust Microsoft and IE more than I trust mozilla, and I think IE is definitely more secure than Firefox.

  272. who is this guy???? Has he never heard of DePaul University? What an ASSHOLE HE IS!!!!! FU!

  273. Brian H says:

    Microsoft’s efforts with digital signing are very noble and they make some very valid points about Firefox here. Why does Firefox suggest having signed plug-ins when they don’t sign their own program?!

    [Being a Linux and Firefox supporter, I cannot understand that]

    But the whole concept of using digital certificates and digital signatures is way too complex for the average non-technical computer user – and the thought of understanding it well is probably too technical for many technical computer users.

    SSL has the same problems that digital signatures have on software programs.

    Microsoft goes to great lengths to educate the customer with fairly decent descriptions when things aren’t signed, or with default options. But ultimately, the uneducated masses do something because someone else "educated them".

    So if your friend told you "hey, go install Morpheus file sharing program because you can get stuff for free." You’re going to go download it and all of its spyware.

    If your friend emails you a really neat screen saver with embedded virus, then calls you and says "Check out that hot-chick screen saver", you’re going to ignore every Unsigned notice error you get to see it run.

    The goals of Microsoft are Noble – and Firefox needs to follow its own recommendations, but I don’t believe digital signatures will ever be the solution to the problem.

    Users just want their computers to work. They don’t want to have to understand the technical details about how they work. Average users running Microsoft Windows should not be required to make a decision, because no matter what – it’s russian roulette.

    So if signed programs are the only way to add security to Windows, then just make valid signatures required and go on from there.

    You’ll just end up with lots of people creating their own signed certificates and the users will have to get a pop-up saying "I don’t know the Certificate Authority that signed the signer certificate." Yea, guess what… the average user has no idea what a CA is.

    Brian

  274. bob says:

    This website doesn’t display properly in Firefox…but does in IE.

    Feel like making a standards-compliant browser? Please?

    And why in your VPC? Isn’t Windows good enough for you?

  275. AussieGuy says:

    Hahahahahahaha…

    So you’re the person they use when they want to know if it’s idiot proof…

  276. /. AC says:

    And so at last the beast fell and the unbelievers rejoiced. But all was not lost, for from the ash rose a great bird. The bird gazed down upon the unbelievers and cast fire and thunder upon them. For the beast had been reborn with its strength renewed, and the followers of Mammon cowered in horror.

  277. John says:

    I find it even more interesting that he failed to mention that you have to force-enable the XPI installer to allow sites to install anything to Firefox.

    But that’s just me.

    I tend to notice funny things like that.

  278. Dick Lik says:

    How can I trust Internet Explorer. The only problem you pointed out with firefox is flaws in obtaining it (which you probably initiated by cancelling the download early). After obtaining a good copy of firefox can you point out as many problems as with internet explorer? I think not…

  279. I tried to install Internet Explorer on Linux, but it didn’t have an MD5 sum! How am I supposed to trust that?

    duh…

    OK, switching back from obvious retard mode… Using Verisign signatures is the OS default in Windows. That’s fine and dandy, but other operating systems have free, long-standing and open methods like MD5 which are incorporated into the package management systems. How do I trust firefox? "apt-get install", naturally.

    Just because your operating system doesn’t support the numerous open systems Firefox has available for checking trusted applications doesn’t make it a flaw in Firefox.

    And as for trust, how can I trust that my OEM version of Windows XP isn’t going to lock me out and demand re-activation because my floppy drive cable came loose and needed to be plugged back in again? I can’t? But I paid NZ$300 for that retarded piece of crap! And to make it worse, it won’t re-activate because – get this – I’ve installed it too many times. Why did I have to re-install? Well, at least one of those was because I was stupid enough to trust Microsoft to have done a decent enough job that a clean install of SP1A with IE could last long enough on the internet to download Firefox. While I was waiting for it to download I got hit by eight viruses and had to reformat the whole damn machine and start again…

    Linux, on the other hand, doesn’t hassle me about such things. And it checks the MD5 sum for me. Oh yeah, and I’m not running as the administrator. And my browser isn’t an integral part of the operating system.

    So hell, I guess that I can trust Firefox. What’s the worst that can happen? It’s not like I’m betting the farm like I have to when I run IE.

    I must ask, too – what exactly does Microsoft cock taste like? You’re obviously well used to sampling it…

  280. I’m curious… If you didn’t trust the first site you went to, why didn’t you look for one that you COULD trust? With the number of people who offer the file, couldn’t you just search on it or try a site that you knew like download.com. If I recall correctly, the site gets certified, not the download.

    It’s a mistake to point out an imperfect feature and use it to demean the entire body of work. Especially if this problem is easily avoided. Pointing out some of the flaws is appreciated, but the rest of the tone sounds a lot like MS manufactured FUD.

    I’ve defended both MS and Linux against FUD from their opponents… (all you need to do is check my website for confirmation of this) This is the kind of stuff that I defend against.

    PLEASE PLEASE PLEASE remember that there are actually people out there who know what they are talking about on both sides. This kind of FUD just inflames people and distracts them from the real problem: there are script kiddies and code degenerates out there to defend against.

  281. Dick Lik says:

    "In order to help protect customers, the default install of Internet Explorer will completely block the installation of ActiveX controls that are not signed"

    it’s a good thing gator and other spyware are signed then, since they can be installed automatically for you.

  282. McD says:

    The whole idea that software signed with a Verisign certificate is somehow trustworthy is a complete crock. The spyware that pops up in internet explorer often has a perfectly valid signature. Users, having read Microsoft’s security advisories, think "OK, this is signed, so it must be good" and click on Install. How is this better?

  283. PTorr Torrp says:

    Firfox is awesome in every way.

    I hope you go bankrupt soon, you money weaseling security hole carrying camel dumper.

  284. Eddie says:

    I use FireFox and am a former user of I.E but I love it when people post something and the people who hate I.E start mindless comments they heard someone say but they themselves don’t know why they use FireFox, maybe they use it because Kevin Rose does. If it weren’t for people hacking and up to no good like spammers there wouldn’t be a concern for security holes. I will say some pages view better in FireFox but I won’t be part of the I.E bashers. I like Microsoft and so do most people but as FireFox gets more popular so will the problems. I think eventually I.E and FireFox will share the same problems because people will exploit both. People nowadays hate Microsoft because they heard someone else does and they think they’re cool for using Linux, like this article about trusting FireFox: you can’t even do an article without the "I hate Microsoft" people knocking you for it saying you’re a sellout or something. I read a post from a Linux user one day who said Linux will be compromised just like Windows once it’s popular enough and people start exploiting it. One thing also that makes me laugh is a friend who puts down Microsoft and says he’s a Linux man but when you ask why he doesn’t like Microsoft it’s the usual brainless answer "ah man they’re full of holes" but can’t tell you what holes or even if the holes are fixed. Windows is 90+% of the users, of course there will be flaws found. I use WinXP and Mandrake 10 and on an extra box I have Fedora 3 but not changing and your article is just fine. We need people who aren’t afraid to say something the people might not like as long as it’s true.

  285. Active X:

    Well sure you can disable Active X per your postings. Now guess what? You cannot use IE to update your system. O’Wait, now you can set up your zones to restrict access to certain key areas. With the average computer, guess what, this isn’t going to happen.

    MS was founded in what? 1976 and now you’re jumping on the security bandwagon. I have been using your junk since the early 80s and have seen promises come and go.

    Hey, concerned about security? How about the fact no XP SP 2 install will happen on w2k? You’re so concerned about the user. What is that I hear? No SP5 for w2k, well that doesn’t make corp america happy.

    What, no new browsers for anything below XP? O’Come on, the w2k users bought all their copies retail. Now ya just have to hose them.

    What, MS created an industry known as spyware due to their lax model on security?

    What, MS created an industry known as Anti-virus because of inferior design?

    What, MS created the habit of having users run in Admin mode and encouraging bad practices, like config’ng a user account in admin mode. How about having software install in Admin mode and config’d in user mode. Now try undoing 30 years of bad habits.

    I could go on but your points are actually pointless.

    Now I have a link for you and bill gates:

    http://www.eyejabber.com/modules/coppermine/albums/funny/normal_cupof.jpg

  286. How can i trust microsoft?

    I take just a quick look into the past of the Microsoft monopoly and I ask myself.. why do I trust this company…..

    Oh wait.. I don’t..

    I never will..

  287. Alec Leamas says:

    You are a moron. windowsupdate.com has been backdoored forever. Copies of Microsoft Windows being exported from the United States gets backdoored by *********** working for *****, yeah like the versions being sent to *****.

  288. AI says:

    Optimism :

    I think the author of this article wrote the article with a definite objective. I think he thought, this way he would get better feedback about IE and then MS will improve upon it and make it better.

    ……………<pause>

    ……………<pause>

    ……………<pause>

    ……………<pause>

    ROFL :))

    Man i cracked myself up :p

  289. Torr: Hmmmm, wait a minute. I went to http://www.getfirefox.com, not mirror.sg.depaul.edu. I don’t have any idea where that place is, and it sure makes me nervous….

    Torr: Do I really trust a bunch of kids at some random university I’ve never heard of? Hopefully, the average person will decide that they do not trust this web site, and they will click Cancel. No Firefox for you!

    Well, get this: blogs.msdn.com (66.129.67.14) doesn’t even have any reverse domain lookup at all! Why the hell should I trust anything I see or get there? That doesn’t seem any more trustable than my dynamic DNS setup, where at least you’ll get a reverse lookup, just not one that matches my subdomain.

  290. wanker says:

    this dude is a loser. He is just mad that LINUX is the future. He and M$ are just scared and this is a simple little tactic to get stupid people to listen

  291. Ocoth says:

    Firefox is a better browser than Internet Explorer. There is no competition. Wake up and see the light. Get over Internet Explorer. And I’m not a Linux lover. I just know what is better for me. And that is Firefox.

  292. FireFoxy says:

    I don’t understand certificates in IE. 99% of your users don’t understand certificates in IE. YOU don’t understand certificates in IE.

    That’s the only reason that I can imagine why I always get dialog after dialog warning me about installing YOUR updates, whenever I run Windows Update.

    Disabling Flash, or any other plug-in in Firefox is easy: Tools->Options->Downloads. Click the Plug-Ins… button, uncheck the two Shockwave Flash Object types.

    *Much* easier to understand than IE and all its sliders and zones.

  293. Mikey says:

    Guys, the default on the download dialog in IE is "Cancel". The highlighting you see in the screenshot is when you hover your mouse over a button. The screenshot must have been taken when the mouse was hovering over the "Run" button.

    And, I don’t know why you clueless guys get spyware so easily. I have never had spyware on my computer which runs nothing but IE. Every so often I fall for all the slashdot shills insisting that my computer *must* be riddled with spyware if I run IE, but Adaware keeps telling me I’m clean.

    Finally, how come Firefox loads so slowly? I installed it just to check it out. The other day I clicked on the IE and FF icons in quick succession after a reboot, and IE was loaded and ready to go in a flash. FF was still loading. So I closed IE, and re-opened it again. I was able to do that 5 times before FF finally loaded.

    I’m yet to be convinced.

  294. Signed software is not a panacea. Relying upon expensive certificates and credentials is an option only to few businesses. Mozilla/Firefox now has an opportunity to do something about it, and they should. I am disappointed in the lack of checksums on their "Get Started Now" type pages. These are normally found easily on other OSS project pages, and that is a more devastating blow than Verisign is.

    Do not take it personally, but this article smacks of sabre-rattling and fear mongering. I will keep my other opinions to myself, for this is merely a blog. However, I don’t buy a loaf of bread while having the baker shove health inspection approvals in my face. I feel that users require a system to offload the effort from them to content providers, because few of them want to be even annoyed into clicking an extra button.

    Many of us are responsible surfers, but we are not the problem. The problem is the vast number of people who know nothing of this and care nothing about it. Please consider keeping your good points concise and perhaps inviting open-letters and forums to the source: Mozilla or your next "battle du jour". Your fundamental message is splendid, especially considering that no checksums are readily visible on the "Get Firefox Now" pages without digging quite deep. But do not pigeonhole the problem, nor attempt to offload it from Internet Explorer to Firefox. That type of favoritism on a Microsoft site does not reflect well on you, even if this is your own opinion page, and will only serve to leave your good opinions and ideas ignored.

  295. Nice article. I’m glad they let you out of the padded room for long enough to blog… the mentally defunct do need to get out and about…

    As was stated before: Don’t complain, fix.

    As for stuff like "what if a single person found an exploit and didn’t report it"… you don’t develop code do you? Architecture is hard to grok. If you wanted to find an exploit, you would have to trawl line after line of code. If you are a malicious sort, are you going to waste that much time looking for one exploit without learning to appreciate the browser you are trying to exploit? One thinks not.

    You’d be most likely to be close to the project to be able to find and recognise a bug staring you in the face… typically not the kind of person to exploit it.

  296. Jeremy says:

    Here’s how I see things point-by-point:

    ·Installing Firefox requires downloading an unsigned binary from a random web server

    It’s not unsigned; MD5 signatures are available from the Mozilla server. It’s not signed by a Microsoft supported certificate vendor. Maybe a fair call…

    BUT there is little to no reason a malware vendor can’t sign their software; in fact I have SEEN it! What real protection does it offer?

    I suspect the licencing might be a tad costly considering the release schedule and distribution network that firefox has.

    Also paying Microsoft to distribute Firefox is somewhat counter to Firefox’s / the OSS community’s goals. Yes, I said paying Microsoft … it’s no secret that verisign etc. pay microsoft to support their certificates.

    This is a much much wider issue than the Firefox project!

    ·Installing unsigned extensions is the default action in the Extensions dialog

    I point to the quote "… by the time I had finished reading the text in the dialog it was enabled …"

    You read the dialog … now you are making an informed decision; if you had chosen to not read it and immediately clicked "ok" like a lot of IE users do, you wouldn’t be able to…

    I call that Good "usability"

    ·There is no way to check the signature on downloaded program files

    A valid and fair point. Again this is a wider issue.

    ·There is no obvious way to turn off plug-ins once they are installed

    Tools > Extensions … Uninstall!

    Since most plugins are small (in the 100kb range) just uninstall them.

    Flash is currently "overly complex" to install, something that I believe is being addressed. And there are still some issues with FF extensions, But the progress in resolving them from 0.9 to 1.0 has been dramatic! IE still has a munge of dialog check boxes to achieve the same.

    ·There is an easy way to bypass the "This might be a virus" dialog

    Yep sure is. But you STILL have to set it. How dumb are users ?? really ?

    As for the reported security issue with Tabbed browsing, the same issue exists in IE when using multiple windows… It’s more a usability issue than a "bad code" issue.

    Understand it before you use it as ammo!

    There is enough bad code in IE to sink a ship, I know, I’m plugging holes in a super tanker! Not saying FF is bug free … but it’s a damn sight better at the web developers’ end of the scale.

  297. Anonymous says:

    Techindepth.com | The Latest In Technology

  298. wanchai says:

    "How can I trust Firefox?"

    Simple, quit your job and be honest.

  299. Mike says:

    This is the typical chum that MS likes to throw out to confuse the issue of IE insecurity. Typical.

  300. Gord says:

    The sheer ignorance of most of the posts here astounds me. People claiming everything from "going to a website using IE will install things without you knowing", to "Microsoft refuses to patch holes in IE"…

    Well first off, if you have all the available security updates (including service pack 2 for XP) the only time you will get spyware installed on your computer is if you do something STUPID… (as in install toolbars of ANY kind)

    I make a living off removing spyware and viruses from computer systems. And the majority (if not all) problems I have seen, are caused by people ignorantly clicking on links like "you have spyware on your computer, click here to remove it" and then running the program that downloads… Or by installing search toolbars. In fact the ONLY toolbar I would ever advise someone to install (assuming they’re not using service pack 2 for whatever reason) would be Google’s for its popup blocker.

    As for the moron who claimed MS was NOT patching IE, check the windows update lately? Also, they put out a report saying that they would not be doing the fixes _immediately_ because they still had to trace back where they were caused, or that the updates were going to be part of a package of updates.

    I will concede that Firefox is definitely the better choice for computer users who don’t know dick about safely surfing the net… because there is less chance of getting spyware… but give it a month or so, and you’ll be getting toolbars in firefox just like IE…

    To address the comment about trusting university students vs a corporation. I’ll put my trust in the corp, simply because it’s static. You know where to go if you have complaints, or take legal action… an open sourced project… anyone could dump in a snippet of code to create a backdoor, and as much as you’d like to flaunt that the code is "checked and rechecked" by project leaders, what person in their right mind is going to sift through 100,000 lines of code to make sure there’s nothing malicious in there to begin with… if that were being done there wouldn’t be ANY bugs in firefox at all to begin with…

    While on the topic of bugs, and bug reporting more specifically, not releasing information about flaws in the program (if they are discovered by the designers after a release) is a SMART thing to do. "Full disclosure" when it comes to security flaws is the stupidest thing anyone could do. It just BEGS hackers and crackers to come up with new and innovative ways to destroy your system. Even if the way of exploiting the flaw is not explained, often the description of WHAT the flaw is, is enough to lead people to look where they wouldn’t have before.

    One final note. I do sense a bit of bias within the original blog, towards having "digital signing" being the "best" way to prevent having malicious things installed on your system. Unfortunately that is NOT the case. Most companies who make legitimate programs, especially small companies, cannot afford to get a digital signing. Nor does it mean that the signing will prove the program to be legitimate or not malicious.

    I can remember several instances of web browsing where I’ve had "this activeX component is signed by <name>" with a website and all. And everything looks legit, until you install it and find out that it was something like VX2, or trojan.adware.downloader.

    Essentially this all comes down to one thing. It’s not a question of quality, or stability, or even security… since both browsers are essentially the same in all categories. It comes down to one simple thing. The public perception of large corporations. In general, people don’t like to trust large companies because they feel those companies have lost touch with the people they are designing their products for… so they turn to the smaller producers in order to get a more ‘human’ feel in their interactions. Or maybe in this case, it just comes down to too many people having a bias against Microsoft, and feeling that ANYTHING is better than using something they produce. Well if that’s the case, why stop at browsers? Switch over to Linux or Mac…

  301. Angel says:

    Hey,….

    How much money did you receive from Gates?? yes.. bill gates, to publish this shit??

  302. Selkie says:

    Hahahahahahahahaha

    Don’t tell me you actually believe your own question !

    What did they do ? Pay you to post this ?

    What sort of a moron are you Torr…..

    Live with IE. You deserve it :)

  303. You really need to reinstall your Virtual PC’s OS. You have far more problems, probably caused by internet explorer than can be solved by firefox.

    It’s a classic case of removing the board from your eye before you point out the splinter in another’s.

  304. me@here says:

    IE over FF?

    Marketscore spyware doesn’t work on FF, that’s good enough for me.

    Are there trojans in FF?

    1) Prior to doing the install issue a netstat -an

    2) Install the software

    3) Do step one and check for differences….

    Or on a REAL OS..

    use the lsof command.

  305. IE User says:

    Recently we started using EPM in our office (top-level decision – no comments!). Naturally, it won’t support any browser other than IE.

    Reason???

    I started IE, typed in the server URL and… within a few minutes the server logged me in without asking me anything!

    No questions, no comments, and it got my domain login information without me knowing it???

    Which other browser in the world will let MS server app do that?

    Pretty secure isn’t it?

  306. doogle says:

    Who to trust indeed?

    I trust nothing, but must use something.

    IE. For sites that require a non-standards-compliant browser.

    FF. Everything else.

    When I must use windows I choose to use W2K. M$ tells me that because I’m a tightwad and won’t fork out for ex-pee I must have a 3 year old browser.

    I don’t think so.

    BTW, W2K3 isn’t scheduled for release for another 296 years. Can we get it right? It’s W2.003E+3 people

  307. IE User says:

    Comments are moderated… I wish you did it for the software that you release too!

  308. John Edwards says:

    "What’s really frightening though is that there is a "Don’t ask me again" option in this dialog… which means that if you check the box you could end up running any old garbage on your system without so much as a single warning. Doesn’t sound so secure to me…"

    Now that is just funny, considering that this has been a standard in IE for as long as I can remember.

    If a site tries to install something, you get the pop-up, there is also the option (not including XP, SP2, since I’m not at home to check there) to "Always trust content from XXX"

    What needs to be added to BOTH browsers is an option to NEVER trust content from XXX, then we can button things down as they come up, and will cease to see this bullshit all the time. Let the browsers simply tell the offending site to fuck off.

    John

  309. The very fact that some nobody from m$ wants to invite trust into a discussion is laughable. That’s all that needs to be said.

  310. Tronster says:

    I can trust Firefox [more than IE] because:

    1. I can download any of the code.

    2. I can (and have) submitted bug reports which I can track the status of, as well as update.

    3. the agendas of a community of white-hat hackers, programmers, and geeks are driven more by "making it work to the standard" than making it work well enough and leaving it as-is for years (i.e., PNG support, etc…)

    4. A blog on MSDN creates an article that doesn’t attempt to empathize with the thousands who downloaded Firefox. (e.g., If you walked in my shoes and were able to understand why I switched to a Mozilla based product for a primary browser over a year ago…you would be more effective in attempts to win me back to IE with your points.)

    End Of Line.

  311. As the author claims, IE will inform you about each and every small thing and then ask you what you want to do. IE generally swamps the user with so many messages and questions that the user stops reading all the warnings and starts clicking ‘OK’ or ‘Install now’.

  312. Andrew says:

    Lack of signing from an altruistic organisation vs. malicious and incompetent business practices of a monopolistic company who, even with security as a focus and billions of dollars cash, can’t secure their software.

    I think I’ll stick with the unsigned installer thanks; it’s a small risk compared to running IE in the wilds of the internet.

  313. Interesting post. Some good criticism.

    It would have been nice if you considered yourself able to make your argument without resorting to asshat logic.

    Observe:

    "I went to http://www.getfirefox.com, not…"

    See here is useful commentary. The site gets redirected somewhere that isn’t obviously related to firefox. However…

    "Do I really trust a bunch of kids at some random university…."

    Is a) An argument from ignorance since you have assumed that if something is from a university it is therefore the product of ‘kids’ and b) implicitly ad hominem as you have implied that there is some problem with trusting ‘kids’ (BTW today we call them ‘students’ rather than the distinctly ageist term you used!)

    To continue:

    "but I have no way of checking"

    See the useful criticism would be "there is no interface to check built into the download process"

    Making this another argument from ignorance ( you assume that just because you didn’t know how to use an MD5 hash that no such check existed ).

    Moving on:

    "that kind of unintelligible dialog doesn’t do anything to make me trust the installer. Maybe this is a trojaned copy of Firefox after all?"

    So the logic here is "strange error message -> trojan". Surely you’ve got a strange error message from some other piece of software. Fallacy of non-support there ( you didn’t demonstrate the correlation implied ).

    Oh, the good criticism would have been talking about better error messages…attempting to relate them to security without proper support is bogus.

    Next paragraph or so….

    "It dutifully tells me the extension isn’t signed (good)…Now tell me again, which is the more secure browser?"

    Good advice…make the other the default.

    Stupid logic…implication that security is dependent on a single facet of browser functionality (that’s a ‘prejudicial language’ fallacy for you).

    Continuing along this road we find:

    "the right thing to do would be to delete the file and never install Flash"

    Argument by special definition here. You’ve manufactured a rather impractical and narrow definition of ‘right’. Seemingly implying that it is highly risky to download any piece of code that is unsigned.

    Good advice would have been "add this feature"…

    Anyway I could go on but the point being that you took a series of facts that could have been a useful article on features to add to Moz…and instead, by being more than a little dishonest about their relevance wrote an unconvincing article about the security of the browser.

  314. Ajay says:

    A totally biased way of viewing things. Hey "Dodo", remove your MSN(TM) glasses and live again.

  315. ztirffritz says:

    I think that you’ve raised some valid points. Having said that…I still think that just about anything else is better than internet explorer. It’s not that IE couldn’t be saved, but MS hasn’t so much as lifted a finger to try to update it in what 3 years? Not until SP2 did they make any noticeable changes.

  316. me says:

    This little bit of text at the top explains it all!!!! "Normal disclaimers apply. I am not responsible for anything, and neither is Micro$oft." With that in mind I’ll take FF, ty.

  317. rwwmatt says:

    Impressive! I finally realized something! Microsoft’s security problem is that they are too busy finding problems with the competition, and not focusing on their own products! Somehow I have the feeling you will be the first of many MS supporters fighting as they are backed into a corner by superior, open source products.

  318. I like my Firefox. I doubt anyone could proudly say they like IE with much fervor.

  319. Well, let’s see here. Let’s compare the amount of time for Mozilla to fix a bug in Firefox compared to Microsoft fixing a bug in IE.

    Bugs are always existent. It doesn’t matter how well you code, because maintenance is the most important phase, not to mention the longest one, in software engineering.

    With Firefox, let’s use some examples like the shell exploit from a while ago: http://www.mozilla.org/security/shell.html

    This was fixed in a day.

    With IE, let’s see here.. there’s a bug that compromises your system almost daily, which is ridiculous!

    And if you think that Firefox is insecure, just go look at what Mozilla is doing to make it even more secure than what it already is.

    They have a "Security Bug Bounty Program" (announcement at http://www.mozilla.org/press/mozilla-2004-08-02.html) which allows the open source community to find bugs and eliminate them, paying the contributors in the process.

    Maybe you should learn from Mozilla and start paying people who know what they’re doing (the hackers who exploit these bugs) to fix the bugs in your ridiculous piece of software instead of sitting on your ass and expecting your crappy programmers to fix it.

  320. The Doctor says:

    Oh man, this is fantastic, a total backfire !!!!

    What was supposed to be a thinly-disguised FUD attack on Firefox has now turned into a drubbing and the sort of free publicity Peter’s MS bosses must be furious about !

    I note that the vast majority of replies here are along the lines of "You’re talking c**p Peter, get a clue" and praising the competition !

    I wonder how long it’ll be before this thread is "unavailable for technical reasons"?

    I briefly looked at Firefox when it was about 0.7 I think? After all this hoopla I have now downloaded and installed Firefox 1.0 (with no problems at all thank you very much Peter!) and I’m loving it.

    Here’s another user converted.

    Keep up the good work FireFox !

  321. Blue Demon says:

    Apparantly, someone here doesn’t know what a university is. Apparantly, someone here can’t tell the difference between a student’s personal page and the university’s site sponsored page. Apparantly, someone here is totally ignorant.

    Depaul 4 Life!

  322. eric g says:

    I agree with peter h. well said.

  323. mrp says:

    Why are Windows’ limitations Firefox’s fault? As it has been mentioned before, many ways are presented by mozilla.org (md5, sha-1 etc.) to verify the integrity of Firefox. I don’t give a damn if Windows doesn’t know how to use these mechanisms and provide eye candy (read: userfriendly bloat) that informs the user. If you don’t trust mozilla.org, on the other hand, go ahead and download the firefox source, inspect it as much as you wish, compile it yourself and use it. I don’t see any way Microsoft can offer better security; there is certainly no way short of releasing the entire code and build toolkit that you can convince me it is backdoor free.

  324. Dingletec says:

    There is no other alternative… What’s this about certificates? Windows comes from Microsoft, and you can’t trust it. You can’t trust IE not to install things without a user’s permission… Mozilla/Firefox has a history of security and reliability. IE gives countless viruses and spyware/adware complete control over systems. When I have a problem with Mozilla/Firefox, or actually meet someone whose system has been compromised because of it, then I will start to be cautious about it. On the other hand, it’s very difficult to find someone whose system hasn’t been compromised by IE or some gaping Windows hole.

  325. Martin says:

    It seems to me that the biggest argument you have is the lack of a digital signature. But you go off and say this:

    “just because a piece of software is signed (or you have the MD5 hashes for it) doesn’t mean it isn’t nasty;”

    There has to be some level of trust that you put in Firefox homepage.

    For being so paranoid about installing it you spent no time at the Firefox home page learning about the product.

    The extension was a problem for you also but you get your extensions from firefox. You can read where the plugins come from in the big FAQ link at the extension page titled “How do I get my extension or theme listed?” refer to step 5. RTFM

    As far as the advertisement in the New York Times. The only people that should be mad about this is Microsoft and Microsoft ** employees.

    The 7-Zip error is rather amusing because the error is not related to firefox. Yet you make it seem that it was Firefox to blame. And the icing on the cake is that 7-Zip is licensed under GNU LGPL.

    When you downloaded that, were you this certain that you were getting an original file?

    http://www.7-zip.org/

    This quote was priceless – Now we know the truth from your msdn.com url:

    This is what the "Secure Deployment" part of Microsoft’s SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well.

    What I hear :

    We know we screwed up in the past but we’re trying to fix it now.

    Another useless sentence:

    So, at this point in time, installing (and using) Firefox encourages exactly the sort of behaviour we are trying to steer people away from,

    What are WE trying to steer clear from:

    Open source software solutions that are free.

    Open source code that anyone can modify and fix to suit their needs.

    Don’t go there – I know what you’re thinking. Try to get a trojaned version of Firefox to link from the Firefox site.

    This article should have been titled.

    Can Mike and Robert be trusted to do follow up work.

    Remember this tasty nugget of joy:

    Just because you don’t see any unpatched security bugs in Bugzilla doesn’t mean they don’t exist, either.

    –Really

    Disable “Flash” plugin has to be an option for the next firefox version. Because you can disable most of the plugins from “Tools” – “Options” – “Downloads” – ‘Plug ins”

    Thanks for the feedback – See this is how Open software works.

  326. Great article mate.

    I thought about all these things too when I fired up the firefox.

    I am now using it mainly because of tabbed browsing and some other small features which IE could really benefit from.

  327. Hobbes says:

    Best FUD ever. Can’t claim that IE is better than Firefox, so let’s attack installing it instead.

    Btw, in Firefox 1.0 you can’t install extensions without manually whitelisting the install site beforehand. Seemed to miss that in the description. My guess is you’re trying to download a beta or developer’s copy.

    Also if Firefox is so insecure, why did microsoft just recently give screenshots to a press company showing them using it?

  328. Dan says:

    First, if you haven’t got anything useful to say (or if you find that more than, say, 20% of your comment is "ROFL", "LOL" or "OMG"), don’t say anything at all.

    Anyway, Peter, interesting discussion, although the same standards could be applied equally well to many other free- or pay-ware applications. If I purchase and download Macromedia Flash from macromedia.com, it does not arrive over HTTPS. Granted, it doesn’t arrive from a numeric IP, but relying on my DNS server for security isn’t a great idea (especially what with those IE address-bar-spoofing issues that were so widely publicised not so long ago).

    An interesting feature added by a number of Linux distributions–as well as other free OSes, notably the BSD’s–is integrated package management, which frequently allows some form of (sometimes minimally-valuable) integrity checking. Rather than visit some random mirror and download what may or may not be Firefox, I can tell my package management software to do so for me, with the bonus that it will then compare a hash of the Firefox package against a (hopefully digitally signed) hash provided by my vendor.

    As I said, the value here could be minimal; an attacker could conceivably have distributed a trojaned version to my vendor, as well. But at least I have verified that *my* version is the same as the one my vendor tried, which helps combat this risk you are discussing (specifically, it makes it unlikely that an attacker could corrupt only a subset of all the downloads, and if he managed to corrupt the download at the source, an SSL cert wouldn’t help anyway).

    Anyway, bit of a tangent, but nonetheless an interesting thing to consider, if you ask me; the lack of verifiable security by the Firefox team can be minimized by the OS vendor; it’s a shame that MS hasn’t the resources–or perhaps the inclination?–to provide such functionality.

    You also make a number of interesting comments about secure functionality, and you are quite correct on most of those. But yet, from what I’ve heard, the IE code is quite funky, and secure defaults on the alert boxes hardly circumvent an insecure code base. And this is tacitly acknowledged by your employer, in the reworking IE is getting in time for Longhorn.

    Oh, one more note for some of the critics: I don’t believe Peter ever said that vendors should not publish patches and workarounds. He said that vendors should not publish otherwise non-public bugs that do not yet have fixes available, a policy commonly held to even in the open source community, and embraced by all but the most rabid (read, DJB).
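    Dan's post above, and mrp's earlier note that mozilla.org publishes MD5 and SHA-1 sums, both come down to the same check: hash the file you actually received and compare it with the digest the vendor published. The script below is an added example of that check (it is not code from the blog post, from Mozilla or from any package manager); it assumes a checksum list in the "<hexdigest>  <filename>" layout that md5sum/sha1sum emit, and the file name, contents and digests it uses are constructed.

```python
"""Verify a downloaded installer against a vendor-published checksum list.

Added example, not code from the blog post, from Mozilla or from any package
manager.  Assumes the checksum list uses the '<hexdigest>  <filename>' layout
that md5sum/sha1sum emit (the layout of MD5SUMS/SHA1SUMS files published
beside downloads).  File names, contents and digests below are constructed.
"""
import hashlib
import hmac
import os
import tempfile

# Digest algorithms the verifier accepts.  MD5 is kept only because older
# checksum lists are MD5-only; it no longer resists deliberate collisions,
# so prefer the strongest list the vendor publishes.
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def parse_checksum_list(text):
    """Map each listed file name to its lowercase hex digest.

    Blank lines and '#' comments are skipped; a leading '*' (md5sum's binary
    mode marker) is dropped; directory components are ignored so a mirror's
    path layout does not matter.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % raw)
        digest, name = parts
        entries[os.path.basename(name.lstrip("*"))] = digest.lower()
    return entries


def file_digest(path, algo):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = ALGORITHMS[algo]()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text, algo="sha1"):
    """Return (ok, reason) for a downloaded file against a checksum list.

    A match only shows the local copy equals what the list's publisher hashed.
    If the list came from the same mirror as the file, or the origin itself was
    compromised, a matching digest proves nothing: fetch the list from the
    project's own site (over HTTPS or with a signature), not from the mirror
    that served the binary.
    """
    if algo not in ALGORITHMS:
        return False, "unsupported algorithm: %s" % algo
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return False, "file not listed in checksum file"
    actual = file_digest(path, algo)
    if len(expected) != len(actual):
        return False, "listed digest is not a %s digest" % algo
    # compare_digest does not leak how many leading characters matched.
    if not hmac.compare_digest(expected, actual):
        return False, "digest mismatch: file corrupted or tampered with"
    return True, "digest matches"


def demo():
    """Write a constructed installer to two 'mirrors', one pristine and one
    with a single byte altered, and verify both against the vendor's list.
    Returns (pristine_ok, tampered_ok)."""
    payload = b"MZ" + bytes(range(256)) * 40  # constructed, not a real binary
    name = "Firefox Setup 1.0.exe"            # constructed file name
    root = tempfile.mkdtemp()
    pristine = os.path.join(root, "mirror-a", name)
    tampered = os.path.join(root, "mirror-b", name)
    for target, data in ((pristine, payload), (tampered, payload[:-1] + b"\x00")):
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as fh:
            fh.write(data)
    # The "vendor's" SHA1SUMS file, computed over the pristine payload.
    sums = "# constructed SHA1SUMS\n%s  ./%s\n" % (
        hashlib.sha1(payload).hexdigest(), name)
    return verify_download(pristine, sums)[0], verify_download(tampered, sums)[0]


if __name__ == "__main__":
    print("pristine ok, tampered ok:", demo())
```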

  329. Peter Torr of Microsoft attacks Firefox (http://www.mozilla.org/products/firefox/) over, would you believe, security issues…
    In Peter’s blog post linked above he talks mainly from a poin

  330. Tenshi says:

    You know that the windows platform you are using has coding from open source mostly Unix variants…

    Microsoft programs on an open source OS…

    So if they use open source to program then it is clear that THEY TRUST open source, and if THEY TRUST open source to make programs you use then why should you not trust open source? Surely every program has flaws and surely everything is secure to a certain point… However it ends up to how much YOU are willing to trust which company… Are you ready to sacrifice some time to learn more about something to use it properly and to make it more secure for yourself and others, or are you just going to sit here and criticise other programs because you are prejudiced/stereotypical? In the end it ends up being the consumer making a final choice as to what s/he would install off the net, and so it should be them who should be vigilant. It should not be companies that tell you what to trust; it should be your own decisions… After all… in this world how do you know who to trust? or what is the right thing to do? It’s guts and experience… They say you should try everything three times, once to get over the fear of doing it, a second time to learn how to do it and a third to see if you like it or not… That’s My 2 cents

  331. kittu says:

    /*******************/
    #define MicroSoft_Rocks 0
    #define Firefox_Rocks 0
    #define Opera_Rocks 1

    if (MicroSoft_Rocks){
        printf("Microsoft Rocks. Use Internet Explorer !!");
    }
    else if (Firefox_Rocks){
        printf("Firefox Rocks. Quit using IE !!");
    }
    else if (Opera_Rocks){
        printf("Opera is the king of all browsers");
    }
    /*******************/

    $ gcc browser.c
    Line 1: Syntax Error @#$%^^$ at keyword ‘MicroSoft_Rocks’

    :))

  332. eismeer says:

    I think your observations are superficial and of academic nature. Your main point is that Firefox isn’t signed using your favourite signing technology. If you’re that paranoid, relying on signatures alone isn’t sufficient anyway. You have to know where the source came from, who wrote it, who reviewed it, who compiled it, who signed it.

    Which do you trust more? A binary which you compiled yourself from sources you checked yourself using an open hashing algorithm? Or a binary you received from a multinational company signed by another multinational company using a proprietary hashing algorithm?

  333. Matt says:

    And apparently (note the spelling carefully) someone is making my alma mater look ridiculous (you didn’t misspell that word, but it’s a tricky one, remember it for later) by being cocky about said university when he/she can’t spell apparently correctly.

  334. HAHAHAHA!! This is really funny. I’m happy that I don’t ever have to use IE again.

  335. Anonymous says:

    Hahahaha… have you _ever_ heard of _any_ university?

  336. QuasInfinity says:

    While installing all these extensions from "anywhere on the web," you failed to mention that you have to have the option in web preferences "Allow websites to install software" enabled (which it is by default), AND the server you are downloading from has to be in this list as well. This means that extensions from anywhere on the web CANNOT be installed by default, contrary to your report. This means you lied, and seriously buddy, lying just harms your credibility. Not that you cared about it in the first place. </me points to the obvious bias> Truly a shame, you otherwise would have made a very important valid point.

  337. Refrozen says:

    Well, you sir, are really dumb.

    Feel free to see my opinion here:

    http://www.refrozen.com/new/newer/content.php?a=wsn&i=9

  338. I just loved this.

    Really.

    I feel that this blog has been written to provide fodder for a FUD campaign.

    So basically Firefox has a certificates issue while installing it and plug-ins. OK. This corresponds to 0% of the security problems that I personally had or heard of. I go to the mozilla web site and I trust them to check on their handful of mirrors.

    My issue is not with installation being unsafe, but with USE being unsafe.

    My issues have been with invisible redirects, endless popup loops, Outlook Express viruses. Firefox + Thunderbird solve all those problems for me (though Opera remains my browser of choice as it does all of the above + mouse gestures).

    Anyway, I also install my friends’ machines. They’ll never have to worry about installs… but WILL go to every ungodly site on the web… so my choice is obvious.

    I hope you’re paid well… they’re getting your mind and soul for it, apparently.

  339. Zarathustra says:

    Wow! You’ve touched a raw nerve! Not that there are any non-raw nerves left when it comes to MS vs the Open Source Community. It used to be the Mac vs MS in the good old days.

    Your article correctly points out some of the bugs and inconsistencies with FireFox. However, the focus on application signing is misplaced. Most people don’t know or care what that means.

    FireFox 1.0 is buggy as hell. It eats up a ton of memory. It stops opening new windows after a while. It crashes, etc. But I still can’t stop using it. It just has too many damn good features, especially for developers as mentioned in a post above.

    Microsoft is finally waking up and realizing that they can’t sit on IE for 5 years and hope for the best. But, instead of getting defensive and bashing FireFox, how about improving your own product?

    As far as the open source geeks who are frothing at the mouth are concerned. Chill out. Use FireFox. Improve FireFox. Make Love!

  340. thx for this great article. now i’m gonna bdl firefox.

  341. Keith says:

    This article is complete garbage……….

    I don’t think the security of a browser is in any way affected by the installation process. The security flaw of IE means its ability to run mal/spy-ware without any of my consent.

    Maybe this ‘default’ button stuff is correct, but the design problem of IE is that: whenever IE fails something, it implies the failure of the OS. IE’s close coupling with the OS makes Microsoft fail.

    Agree?

  342. Running IE is like driving a car with the hood welded shut; you don’t really know what’s going on inside. While running Firefox on Linux, I know exactly what processes are running and what network connections are being made. Don’t trust Firefox? Then try Konqueror, Opera, Mozilla, Dillo, Lynx, BrowseX or Safari. The only one I’m afraid to use for online transactions is IE.

  343. whocares? says:

    Oh my god, microsoft has a verisign. That sure makes the difference. Let’s all run around buy verisign and feel secure!

    Why don’t you just keep on having fun with IE surf-safe wannabe; those of us that actually visit pages outside of the intranet need more protection.

    I was having fun surfing various serial sites with both IE and firefox, interesting results, with firefox i had 8 adware items found after 1 hour surfing, and with the same time with IE i had as much as 348 items!

    Another issue, microsoft should be able to get some tabs into IE, everyone hates all those different windows. I read an article not too long ago where they claimed tabs were not supported because the users never said they wanted it. ain’t it kinda strange then that all the other popular browsers like konqueror in linux, opera, and mozilla have tabs?

    You said you don’t trust a university, do you EVER trust anyone other than yourself?

    The time has come for open source to take over and let the users themselves choose what to include or not, a load of programmers thinking with their asses and writing bogus code that can’t be fixed before the next version is crap!

  344. What the hell is wrong with your computer? Why does it spit out random dialog boxes? Dude, I think you have spyware. You might want to check out Mozilla Firefox for secure internet browsing.

  345. Randy Smith says:

    It would be nice if every company used certificates… many don’t. Of course that does not stop windows from happily downloading and installing programs if someone clicks on a link in a web page or email.

    Microsoft is trying to over-engineer their security and is failing at it so very badly.

    One of the simplest things MS could do to help prevent the spread of viruses is simply having the OS require the user’s password for ALL installs. Be it programs, browser plug-ins, drivers or whatever. This would put a stop to programs that get installed without the user’s knowledge.

  346. 1. Digital signatures cannot be used to prove that code is trustworthy, they can only be used to verify the source of code.

    2. The average Windows user will execute any programme they want to because your company doesn’t educate people about computer security, and more seriously, your company doesn’t care about computer security. (I’m aware of the many security "initiatives" you have apparently started recently. However, before you boast, perhaps you should take your head out of the bucket of sugar and look around at everyone laughing at your progress.)

    3. Most users will refuse prompts to install things they didn’t ask for. Internet Explorer always becomes riddled with spyware and adware for two main reasons:

    Firstly, such malicious software can be automatically installed through any of Internet Explorer’s many security flaws.

    Secondly, due to your company’s decision to disregard using your operating system’s multiple user system, and to give every new account administrative privileges by default, any application can meddle with Internet Explorer.

    4. If you don’t like blank message boxes, maybe you shouldn’t use Windows. I think your programmers confuse constant identifiers with rand(…) calls.

    I recently migrated to Linux after using Windows for years, and found it amusing that retrying the same action when something fails rarely produces a different result, unlike with Windows.

    5. Open source software is about freedom. If Mozilla Firefox only allowed signed code to be installed, it would limit the potential authors of such software to only those who could afford to buy a digital signature. Even if Firefox did employ such a restriction — again — digital signatures don’t prove that code isn’t malicious.

    6. The "Don’t ask me again" option is to preserve the sanity of users who have a good understanding of computer security. Yes — there’s nothing to stop someone who is clueless about computer security from enabling this option. There’s also nothing to stop someone who is clueless about road safety from crossing a busy road.

    I think the most important thing you need to understand is that trust cannot be digitised; it can only be earned. Digital signatures can only assist users to verify the source of data.

    Frankly, I think the fact that eleven million people have switched to Mozilla Firefox, most likely from Internet Explorer, shows how little they trust your company’s competence.

  347. Instead of spending an exorbitant amount of money on a Verisign certificate, Mozilla Corporation rewards people with money for finding critical security problems in their products. If you ask me, that’s a much better use of money.

    If Microsoft gave out a few hundred dollars every time someone found a critical security problem, they would be broke, which is more than they deserve.

  348. ace says:

    my only comment is that, while MS might be discouraging those behaviors, typically firefox has been used by computer geeks, the VERY computer literate, so ‘bad behaviors’ are fully understood and not so bad at all [sounds like sex ed ;) ]

  349. Hey Pete, after reading the comments I just thought I’d add:

    YOU GOT SERVED!!!!!!!!!!

  350. Pete says:

    >> Firefox does disable the Install button for a couple of seconds when the dialog is first displayed, but by the time I had finished reading the text in the dialog it was enabled and ready to go. <<

    *That’s the whole point.* Users are conditioned (largely by MS products) to just click Ok to whatever dialog pops up so they can get on with whatever they wanted to do. The pause prevents this, meaning most people will read the text. Worked great in your case.

  351. I don’t think the main problem with security lies in whether some code is signed by Verisign. This is a lot of FUD spread by Microsoft to scare users into believing other products are somehow less legitimate.

    Here’s my counter question:

    Why should I trust a large corporation that has a poor track record on security, and a self-serving product line?

    The worst security flaws in IE, such as scripting, BHOs, and ActiveX attacks, are all Microsoft-specific, non-standards-conforming technologies that were engineered specifically to drive a wedge in the browser market. The flipside of this corner on the browser market is that Microsoft alone assumes full responsibility for web browsing, and to hack IE is to hack 95% (thankfully, now dropping) of the Internet.

    Yes, I realize XPSP2 disables ActiveX by default. Thank you. But that is a minor detail. Proprietary technology is almost always going to be less mature. Why? Because a corporation can only devote so many resources to testing and QA. An open standard, and open software, OTOH, is subject to constant review.

    Mozilla could become a target for attacks in the future, but I’m willing to bet my security on those college kids. I already know what to expect from Microsoft.

    I gotta eat, and dog food always beats bullshit :)

  352. Zandar says:

    One question comes to mind after reading this… how much extra does Microsoft pay you?

  353. C. Rebert says:

    Yeah, i’m supposed to trust a webpage running on a technology that, according to its own homepage, has a major security vulnerability? RIGHT….

    Luzer!

  354. Ryan says:

    In case you haven’t figured it out yet, the blank dialog is caused by Mcafee’s buffer overflow protection. It is a known bug. Call them up and they’ll send you the patch. It’s what we had to do because it was messing with our VB.NET programs at work. You might want to try placing your blame in the right spot next time.

  355. Uninmportant says:

    I like the disclaimer:

    "Normal disclaimers apply. I am not responsible for anything, and neither is Microsoft."

    Or in other words: "Please don’t sue me. Whatever I write here is of no importance". This blog is without essence, Microsoft is not responsible for this guy (I hope), what was written here is pure fiction right? Well, I sure hope Microsoft has smarter and less shallow employees in their ranks.

    I can understand teenagers writing "flame posts" like this one against the all-bad M$, but an adult Microsoft employee?

    If I was your boss at Microsoft, I would fire you, and I wouldn’t be responsible for you losing your job – you would. Let me try and clue you in just a little bit on the real issue: FireFox v1.0 is free open source software that is dangerously close to IE v6.0 in quality, and on top of that it’s multiplatform.

  356. I think spyware and adware killed your parents. You are paranoid, man! I never, ever, get any unwanted spyware or adware using firefox. Never ever get any compromising software. When i was using IE, my computer was full of shit by only entering a website. Hey guys, why not make IE more secure, i give you an idea: rip off the address bar and hardlink updates.windows.com into it! :)

  357. Ted says:

    I find it somewhat ridiculous that it takes an employee of a competing company running Virtual PC to point out these flaws. If it hasn’t been mentioned before, I don’t believe I or anyone I know have had any errors other than the ones specified by Internet Explorer (which can be easily explained because why would Microsoft want you downloading a competing Internet Browser?). The flaw then is probably in the software known as Virtual PC that if I am not wrong is owned by Microsoft, showing two flaws already on their part not FireFox’s. Next we have to look at the fact that anyone who has rated the browser finds it superior in several aspects due largely to the fact that it deals with what consumers want. Don’t get me wrong IE does that too… 3 months after FireFox does. Also, the whole bit concerning the "untrusted download mirrors"… Well the problem here lies in the fact that unlike Microsoft, Firefox is not owned by a multibillion dollar corporation and has to rely on other trusted sites to release its software to the masses (Also, if you were linked from a trusted site why can’t you trust where you are linked to). Basically, this is another attempt to try and push the unimportant issues of the Firefox browser because of the fear of its superiority. And I am pretty sure this blog entry was probably done in firefox due to the fact that IE probably crashed a few times while our friend here was trying to post it :)

  358. Dan says:

    Hi. My name is Dan. I live under a rock. What is this depaul university? And what is ‘firefox’?

    Will you please tell me.

    Oh and you might be able to tell me why my computer is all slow and pop up ads keep coming up.

  359. john M says:

    I trust FireFox because thus far the organization that provides it has proven itself to have a very credible track record in providing me more secure and better functioning software than its competitors.

    It’s been decades since I kept up with the technology enough to know if Microsoft’s pretty shield icon or FireFox’s obscure SHA-whatever are better technical solutions.

    But Microsoft’s pretty shield icon, as warm and fuzzy as a shield feels, is tainted by the decades of reckless disregard for my computer’s security shown by its organization – while Firefox’s is backed by a responsiveness nearly unmatched in responding to problems as soon as they’re reported and solutions known.

  360. Fred Monroe says:

    Well, it seems to me that Gator, Bonzi Buddy and all sorts of other spyware is signed software. I guess that I should just trust you and download this spyware to my computer since it is spyware. I sure am glad that this is all straight now.

    Hey buddy, make sure that what you are saying makes sense before posting in a section that is associated with your company. It reflects poorly on them and just makes me think lesser of them (not that it is possible).

    Oh, another thing, if you are going to claim to know so much about web browsers and things of that nature, try to keep the number of errors in your code to under 71.

    http://validator.w3.org/check?verbose=1&uri=http%3A//blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

  361. Hans Ridder says:

    Let’s see… Trust Firefox or trust a browser from a perjuring, convicted monopolist that has proven to be insecure. Tough choice.

  362. This article only goes to show that M$ is definitely worried.

    The King is dead, long live the King.

  363. Dave says:

    I’m sure that you don’t need to be told again — but there are hashes to check the validity of the Firefox binaries. Just like most people are simply confused by the M$ certification warning, and click straight through it, most people will ignore the hash sums, and will never bother to check if the md5s (or whatever hash flavour you prefer) match up.

    Stupid users are the biggest vulnerability on their machines.

    I’m also sure that you already feel sheepish enough about the fact that over half of the issues you have experienced had nothing to do with Firefox — in fact, the idea of running a binary instead of just downloading it and then running it simply points out exactly how short-sighted you are. I don’t think you have a concept of a world without extreme broadband — a person with a little grey matter easily sees that it is better to complete the download of an installer before running it. If for no other reason than that it will more than likely run correctly. But also because, if it’s a Good Thing ™ that you downloaded, you can share it with someone else. But I guess the concept of sharing is something foreign to a Microsoft junkie.

    For your information, the blank warning message is not from Firefox. I think it’s your antivirus or something. Because I’ve installed about 16 machines here with iterations of Firefox from 0.9.something to 1.0. And never hit that problem. And the 7-Zip error is actually in *your* favour — because the 7-Zip installer verifies the integrity of the contained files, and will moan if there’s something wrong — which there was.

    And, for your information, the 3 vulnerabilities listed at Secunia are hardly worth mentioning. I think if you (or any of the readers of this post) had bothered to check on them, you would have found:

    1) a javascript bug that is in *every* browser — but it’s worse in browsers that don’t block pop-ups (like IE), because it has to do with the hijacking of a pop-up.

    2) an error in Netscape 7 on MacOS (what has that got to do with anything here?) — guess the Secunia guys are a little lazy with checking cross-references

    3) Some other arbitrary bug that is peculiar to MacOS only. And since you (and millions of other users) are all on the Microsoft platform, this should hardly concern you.

    But, when you’re trying to create FUD, any ammo will do, hey?

  364. Thomas Meyer says:

    sorry Peter, but you’ve really written a bunch of crap here

    So I went to download.microsoft.com and I ended up at download.microsoft.com.c.footprint.net. I don’t have any idea where that place is, and it sure makes me nervous.

    download.microsoft.com.                  3600 IN CNAME download.microsoft.com.nsatc.net.
    download.microsoft.com.nsatc.net.         300 IN CNAME download.microsoft.com.c.footprint.net.
    download.microsoft.com.c.footprint.net.   230 IN A     63.210.62.190
    download.microsoft.com.c.footprint.net.   230 IN A     166.90.248.221
    download.microsoft.com.c.footprint.net.   230 IN A     206.24.190.30
    download.microsoft.com.c.footprint.net.   230 IN A     206.24.190.187
    download.microsoft.com.c.footprint.net.   230 IN A     206.24.192.252
    download.microsoft.com.c.footprint.net.   230 IN A     208.172.48.221
    download.microsoft.com.c.footprint.net.   230 IN A     208.172.48.222
    download.microsoft.com.c.footprint.net.   230 IN A     208.172.128.251
    download.microsoft.com.c.footprint.net.   230 IN A     4.78.214.61
    download.microsoft.com.c.footprint.net.   230 IN A     4.79.74.61

  365. codepunk says:

    If the department of homeland security cannot trust IE now how can I?

    Of course most of the problems are foundation related. If you build a house on a poor foundation the house will be compromised. Get a great foundation for your house, give Red Hat a call they can help you.

  366. Patrick says:

    I work in a computer repair/system builder store. Most problems that people bring in machines for are spyware/adware and/or pop-ups, and most of it comes from Internet Explorer. They get anywhere from 300 to 1800 Ad-Aware hits on patched SP2 machines with only one user, and my machine at home with SP1 and several users (none using IE) got 9 tracking cookies on the last scan. Firefox consistently proves itself more able to guard against malicious software and websites, while IE breaks our customers’ computers.

  367. Indeed, don’t trust Firefox in combination with Windows.

    Used in combination with Linux is more secure anyway.

  368. Anon says:

    From reading your points, I guess Firefox is the lesser of two evils. :P Look, as long as you’re shopping online, paying bills online, doing online banking, hell… surf porn, per se… Regardless of whatever browser you’re using, you’re just bending over for malicious people to screw you over.

    So why is I.E. so unsafe? It’s because it used to hold 99% of the market. That’s 99% of web browsers surfing with I.E. Now, you as an attacker… Would you take your chances at harvesting credit card numbers from one dumb-looking guy, or would you rather distribute your malware to 99 dumb-looking guys? Think about it.

  369. Setting up any new Windows computer I eventually get to that loathsome, frustrating, and downright scary step: opening IE. I have to do it. I have no Firefox CD with me.

    As I open IE I get the Fear in the pit of my stomach. The moment it is up I start hitting the Stop button early and often, but my efforts are in vain. I see MSN displayed on the screen, and I know that means I have a few fresh pieces of Malware. That would be the absolute low point of the experience.

    From there I simply type in mozilla.org and grab Firefox.

    But it isn’t quite over yet, you see as it downloads I sit and I ponder what IE could be doing to it. IE could modify it, and Windows could fake the MD5, and no one would ever be the wiser. I worry all the way through the download, and when I finally run it I feel somewhat unfulfilled–my shiny new copy of Firefox has been tainted by the touch of an untrusted program.

    Signing a binary is a poor replacement for public source.

  370. Simon says:

    The only people that care about those security dialogs are the ones that understand why they are there, and they are all capable of using the published GPG/PGP certificate for the file. It may not be inline, but come on – you just download and double click it after the EXE.

    The other option is that you can download the source, review every single line, then compile it.

    Personally I think the GPG certificate is an excellent solution, since it avoids the inherent security flaw of using Verisign, who happily issue certificates called "Just click run!" or "Microsoft Corporation" or "Clicking yes agrees to our EULA, click here to visit our eula blah blah" to ANYONE.

  371. pjsnyc says:

    id like to point out that seeing how internet explorer still has a huuuuuge portion of the browser market, it is more susceptible to security vulnerabilities because most virus-writers want to reach/infect the masses…and to reach/infect the masses, those viruses and security exploits must be targeted for IE…honestly, i hope IE retains its market share, so that the rest of the "smart" internet world can benefit from IE users’ ignorance.

  372. Alex Fung says:

    Someone says this page isn’t rendered correctly with Firefox. This is true. And what I know is the W3C website isn’t correctly rendered with IE. How can I trust this site more than the W3C site? See here:

    http://www.w3.org/Style/CSS/

    I just wonder when IE will have CSS position:fixed implemented (not to mention a lot of other properties)

  373. Trevor says:

    I typed http://207.46.144.222 in my browser and it loaded up a microsoft page ?!??!!??!?!

    WHATS GOING ON !!!!!!?

    Have I been hacked ?

  374. Mike says:

    About six months ago, I switched from IE6 to Firefox. When I installed FF’s software and during subsequent upgrades, I didn’t run into the problems you experienced here. Your article though does bring up some valid points regarding download security for core software and plugins. I hope the developers review those and improve in this area as well as educate users about md5/sha1 checksums or digital signatures (should they decide to implement that). Frankly, the average PC user is totally clueless on their purpose and meaning.

    I’ve used IE as my primary browser for years. The reason I switched over to FF was because of IE’s/Windows’ constant security holes and Microsoft’s incredibly slow response in releasing fixes for them. After overtaking and crushing browser competitors, your company abandoned IE development (except for bug fixes) and thus your customers.

    Sure FF’s browser is not perfect, and there are areas which can be improved. At least, they deliver in a reasonable time while your multi-billion dollar company moves at the speed of a drunken snail. Their version 1.0 leaves IE v6+ in the dust and puts all your high-priced programmers to shame.

    Rather than picking on a small development project, your time would be much better spent reviewing and fixing your own damn code. One could write volumes on why IE6 and other Microsoft products should not be trusted.

  375. JeanMi says:

    Maybe with MS04-038 ? MS04-40 ?….

    Maybe because it’s unable to support standards ?

    Maybe because it’s made by a company that has known the meaning of security for… 2 years?

    No, I can’t and I will not trust it.

  376. dw says:

    Do I really trust a bunch of kids at some random university I’ve never heard of?

    Are these mirrors any less trustable than the Akamai mirrors Microsoft (Apple, and others) occasionally use for content? That quote is nonsensical. Would I trust a random Akamai server, or some random university server? (And, in this case, DePaul is a fairly well-known university.)

    That quote is nonsensical, but the general point is valid: who do you trust, how do you show what the source of the data is, and how do you prevent spoofing source identifiers (such as signatures and DNS resolutions)? How do you prove microsoft.com isn’t spoofed, that, when Akamai servers are transparently used, Akamai servers aren’t compromised, or that mozilla.com isn’t spoofed? You can use digital certificates, but, then, the certificates may be forged (cryptographically, or through exploits in client verification codes or routines). Do you trust Microsoft, Apple, Macromedia, or the Mozilla Project?

    It is a good idea to have multiple ways to verify the source of data because each verification method (e.g., DNS name, cryptographic hash, or digital signatures) has a potential to fail. Mozilla could help verify downloads by visibly telling the user, through the mozilla.org domain, the mirror that will be used (i.e., grant trust to the mirror). Microsoft could do the same when it needs the help of external transparent mirroring services. How effective is Microsoft’s digital signature verification for an end user? How effective is Mozilla’s? (One could argue that Mozilla’s verification is more effective because users that know how the verification process works–including its flaws such as ultimately having to trust the provider of the signature, and potential flaws in software and policy implementation–will be most likely to use the provided digital signatures; users of Microsoft’s automatic signature verification process would be less likely to know the flaws and advantages of the verification process–and less likely to understand the consequences of using data that fails verification.)
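Several comments above (Dave in 363 and dw in 376 among them) turn on checking the file you got from a mirror against the hashes the project itself publishes, and on the point that a hash adds nothing if it came from the same mirror as the file. The script below is an added example, not code from the post or from Mozilla: it parses a constructed md5sum/sha256sum-style list, verifies a constructed installer against it (intact copy, altered copy, file with no entry), and flags a checksum fetched from the download host; every file name, byte string and host name is made up for the example.

```python
"""Verify a downloaded file against a published checksum list.

Added example (not code from the post or from Mozilla). Models the thread's
situation: the binary arrives from one of many mirrors, while the checksum
list is published on the project's own site. All sample data is constructed.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Digest length in hex characters -> hashlib algorithm name.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def parse_checksum_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse `<hexdigest>  <filename>` lines (md5sum / sha*sum output format).

    Returns {filename: (algorithm, hexdigest)}. Blank lines and '#' comments
    are skipped; anything else that is not a well-formed entry is an error,
    so a corrupted or truncated list cannot quietly verify nothing.
    """
    sums: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: not a checksum entry: {line!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        algo = _ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not set(digest) <= _HEX:
            raise ValueError(f"line {lineno}: unrecognised digest: {digest!r}")
        sums[name] = (algo, digest)
    return sums


def verify_download(data: bytes, filename: str,
                    sums: Dict[str, Tuple[str, str]]) -> Optional[bool]:
    """True if data matches the published digest, False if it does not.

    Returns None when the list has no entry for this filename: that is
    "no evidence", which the caller must not treat as a pass.
    """
    entry = sums.get(filename)
    if entry is None:
        return None
    algo, expected = entry
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; a cheap habit even where timing is irrelevant.
    return hmac.compare_digest(actual, expected)


def checksum_is_independent(download_host: str, checksum_host: str) -> bool:
    """A checksum only adds evidence if it came from somewhere other than the
    mirror that served the file: whoever can alter the binary on that mirror
    can alter a checksum hosted alongside it just as easily."""
    return download_host.strip().lower() != checksum_host.strip().lower()


# --- constructed sample data (not real release artifacts) -------------------
INSTALLER_NAME = "Firefox Setup 1.0.exe"          # sample name, spaces included
TARBALL_NAME = "firefox-1.0-source.tar.bz2"       # sample name
ORIGINAL = b"MZ\x90\x00 constructed installer bytes, release 1.0\n"
TAMPERED = ORIGINAL + b"constructed extra bytes added on an untrusted mirror\n"
SOURCE_TARBALL = b"constructed source tarball bytes\n"

# In practice this text is fetched from the project's own site; it is built
# from the constructed bytes here so the example runs offline.
PUBLISHED_LIST = (
    "# constructed checksum list: MD5 for the installer, SHA-256 for the tarball\n"
    f"{hashlib.md5(ORIGINAL).hexdigest()}  {INSTALLER_NAME}\n"
    f"{hashlib.sha256(SOURCE_TARBALL).hexdigest()} *{TARBALL_NAME}\n"
)


def demo() -> Dict[str, Optional[bool]]:
    """Run the checks on the constructed data and return the outcomes."""
    sums = parse_checksum_list(PUBLISHED_LIST)
    return {
        "installer from mirror, intact": verify_download(ORIGINAL, INSTALLER_NAME, sums),
        "installer from mirror, altered": verify_download(TAMPERED, INSTALLER_NAME, sums),
        "tarball, intact": verify_download(SOURCE_TARBALL, TARBALL_NAME, sums),
        "file not in list": verify_download(ORIGINAL, "unlisted.exe", sums),
        "checksum from origin, file from mirror":
            checksum_is_independent("mirror.example.edu", "www.example.org"),
        "checksum and file from same mirror":
            checksum_is_independent("mirror.example.edu", "mirror.example.edu"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:40s} -> {outcome}")
```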

  377. The talk about the commentary about Firefox called How Can I Trust Firefox? is raising an interesting question about security. The idea about SSL certificates signed by Verisign protecting people from malicious software is a piece to the puzzle but…

  378. Internet Expirer is closely integrated into the core of the Microscoff end-user’s operating system – its bugs would seem an order of magnitude more difficult to fix as a result of this integration. That, and given the opacity of the source … ahhh, damn it, I can’t even be bothered to go on. At least when *I* get code I can audit it, and that includes the kernel for the Free Software of my choice and all of the libraries for any software I regularly use. Maybe I miss something. Maybe I don’t. That is life, and I’d much rather trust some code written by non-ms outfits/individuals … ahhhh, damn, windows application code is just damn ugly, it feels convoluted and counter-intuitive to write and I’d really rather not have to pay money for broken dodgy tools when I could be using a superior compiler like gcc – and once you start living with microsoft products they invade your worldview and suddenly all of these stupid people start bothering you for support and given your natural humanity and niceness as a human being, you want to help people for free because it’s the Right Thing to Do and it makes you feel good and then they come and beat on your doors because their spaghetti-code os and app has just died and they’re wondering if it were them or the computer and then you start to get frustrated and angry because you don’t know why you’ve just seen a fatal exception for no apparent reason and then you start telling ‘em about cosmic rays and memory … just as I don’t buy physical items made in a sweatshop or gulag, I will not use software which is non-Free … am I a bigot? Is a proprietary software enthusiast (do they exist or are they bought and sold?) a bigot for having the opposing view?

    Proprietary software – cost limitation

    Free software – technical limitation

    You’re either limited by money or technological innovation, and given the problem domain you can’t automatically buy your way out of a technological problem due to the process of writing software – hardcore enthusiasts who are writing things for their own purposes want to get things correct! they are perfectionists! Having seen the drivel produced by five classes of software engineering students (I’m a lecturer) I wouldn’t trust their code anywhere near as much as I would Free-software …

  379. Brian Zaugg says:

    Interesting article. Anything that draws attention to the Internet’s desperate need for better application security and user education is good in my book.

    I’m skeptical that an IT professional really had so much trouble with the FF install process. The tone and presentation of the article make it seem like you are trying to find the path of greatest resistance. A more honest appraisal and comparison between IE and FF would be better.

    What I’d really like to see from you is an apples to apples comparison. Let’s say you start with a vanilla XP box with no IE and no plugins and run through the same process. But, I guess that’s not really possible given MS’s bundling practices.

    Me, for the record, I’m using Firefox. IE has a long history of nasty vulnerabilities and I can read Firefox’s source if I’m really concerned. With IE, I have to trust the same developers that have failed release after release. I’ll give the new guys a chance.

  380. Oi fudu…!!!

    This is a free piece of software that whoops IE.

    IE needs a new version now, not in a year or two, or they will find good old word of mouth will prevail!!

    Google have their own version coming, I wonder if that is going to be signed!!

  381. choco says:

    It all depends on the user. If the user is ignorant, he’ll do stupid things no matter which browser he uses. On the other hand, if the user knows to make educated decisions, it doesn’t matter which browser he uses.

  382. Dave says:

    Perhaps you don’t need to trust Firefox.

    I don’t care if you do or don’t, if you don’t want to be a part of it then don’t.

    As for the ad in the paper, it wasn’t intended for you ok!

    So please just turn around and crawl back into your cubicle and go play with some lego or with some visual studio.

    There is nothing to see here.

  383. noydb says:

    10. If a large corporation can fuck you out of a penny, they will.

    9. Corporations will break anti-trust laws if they can make more money than adhering to their letter and spirit.

    8. Corporations are prone to the blind following of rantings and ravings of men with very small dicks who have an immature need to feel important.

    7. #8 is only true because a) real people with real-sized egos have to feed their wives and children OR b) the employee is also an asshole with an insecure need to feel important. (This law applies to you, Pete. I’m guessing it’s option A for you.)

    6. Corporations just don’t give a fuck about anything but making money.

    5. Corporations will shift the blame onto consumers they create if they think they can get away with it. See http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

    4. In the corporate world, there is no truth, just good PR and bad PR. If good PR and the truth coincide, it’s by coincidence only.

    3. The people who rise to the top in corporations are those who are best at and enjoy playing mind fuck games with those they perceive as mentally inferior. This includes making people feel appreciated when the reality is they are actually kind of despised for being so dumb as to actually feel appreciated.

    2. Corporations (and the men with small penises that run them) have created the cynical environment that causes people to despise them so much.

    1. Corporations are not a panacea. By themselves, they cannot change the world and can quite literally destroy it if there is no oversight of these powerful entities.

  384. BonziBuddy says:

    Bonzibuddy uses IE, so you should too.

    Bonzibuddy says "Don’t do drugs."

  385. The real question isn’t "how can I trust Firefox"; the real question is who do I trust more, Firefox or IE, and I can with a completely clear conscience say IE sucks when it comes to trust. It seems IE trusts everybody and invites infection.

    All the naysayers can complain about open source, but independent studies have shown that open source products are by far less buggy, especially the larger projects, Linux, Mozilla, MySQL, PHP, etc … etc … etc … etc … and why is that? Because corporations by default are concerned with one thing, and one thing only: profit and increasing the wealth of their shareholders. Nowhere does that require actually having a good product. Whereas the open source products arise out of an individual’s need to create a better product, and actually having an interest in the project for the project’s sake and not the dollar’s sake. Now this is not to say there aren’t bad open source products; however, in the open source world if the product is bad, people don’t use it – that simple. There is not a marketing machine behind the product pushing sales of an unworthy product because research costs must be recouped, product development costs must be recouped, or profits must be made and deadlines must be met, etc …

    And there you have it. IE, the number 1 browser, hasn’t been updated in nearly 2 years. Why? Because the company that developed it felt that it was not profitable to continue down that path at the time. So, patches were slowly released, exploits were discovered consistently, features weren’t added.

    Being as there are limited options in the browser world, and Firefox is the most trustworthy of the products, by default I will choose them. Now, if someone else comes along and builds a better mousetrap, let me know, so I can jump on board.

  386. …except that they appear to have, as usual, completely failed to step outside themselves when analysing something.

    So in lieu of being able to welcome them as overlords, I’d like to thank Peter for providing a focus around which to collect such a handy and complete compendium of responses to IE-based FUD.

    "Thank you, Peter!" (-:

  387. Super says:

    I think Microsoft should use this blog as customer feedback and go back and fix IE.

  388. maciarc says:

    It’s real simple. I had 113 spyware programs installed in a week using IE. I had 1 installed after switching to Firefox for a week. Since I uninstalled IE 3 weeks ago, that number has been 0.

  389. rephlex says:

    How to trust Firef0x!?

    by running it 0n yo0r Mandrake b0x, sux0r!

  390. Uncle says:

    well, you use windows and care about "bunch of kids at some random university I’ve never heard of?" ;-P

  391. Kevin Taylor says:

    I think you raise some excellent points. Security is a hot topic these days and the shortcomings demonstrated in obtaining Firefox should be corrected. I think the one point that needs to be made is: I can’t trust IE, so I will have to look elsewhere – even without the digital signature. I’ll go through the trouble of comparing the SHA1 sums. To paraphrase the "Law #1" cited: If you run IE, it’s probably not your computer anymore.
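Comparing a download against its published SHA1 sum, as the comment above says it does: this is an added example, not code from the original post or any commenter. It assumes a checksum list in the sha1sum/md5sum layout ("<hex digest>  <filename>", one entry per line) fetched from a page you trust rather than from the mirror; the file name, contents and digests in the demo are constructed.

```python
"""Verify a downloaded file against a published checksum list.

Added example, not from the original post or its comments. It assumes the
list uses the "<hex digest>  <filename>" layout that sha1sum/md5sum emit
and that the list was fetched from a page you trust, not from the mirror
that served the file.
"""
import hashlib
import hmac
import os
import tempfile

# Digest algorithms accepted, keyed by the digest's length in hex chars.
_DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def parse_checksum_list(text):
    """Return {filename: hexdigest} from sha1sum-style text.

    Blank lines and '#' comments are skipped. A malformed line raises
    ValueError instead of being ignored, so a truncated or mangled list
    cannot quietly pass as "no entry for this file".
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest>  <file>'")
        # GNU tools prefix binary-mode entries with '*'; drop it.
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) not in _DIGEST_ALGOS or not set(digest) <= _HEX:
            raise ValueError(f"line {lineno}: unrecognised digest {parts[0]!r}")
        entries[name] = digest
    return entries


def file_digest(path, algo):
    """Hash the file in chunks so a large installer need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text):
    """Return (ok, reason). ok is True only when the file's digest equals the
    published entry for its basename; a missing entry is a failure, not a pass."""
    entries = parse_checksum_list(checksum_text)
    name = os.path.basename(path)
    if name not in entries:
        return False, f"no entry for {name!r} in the checksum list"
    expected = entries[name]
    algo = _DIGEST_ALGOS[len(expected)]
    actual = file_digest(path, algo)
    # Constant-time comparison; not strictly needed here, but the right habit.
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} mismatch: got {actual}, expected {expected}"
    return True, f"{algo} matches the published value"


def demo_verification():
    """Constructed walk-through: a 3-byte 'installer' checked against a
    matching list, a tampered list, and a list that omits the file."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "browser-setup.exe")  # constructed name
    with open(path, "wb") as f:
        f.write(b"abc")  # constructed payload; SHA1("abc") is well known
    good_list = (
        "# constructed SHA1SUMS, as published by the vendor\n"
        "a9993e364706816aba3e25717850c26c9cd0d89d  browser-setup.exe\n"
    )
    # Simulates a file whose digest does not match the published value.
    tampered_list = good_list.replace("a9993e36", "deadbeef")
    missing_list = "da39a3ee5e6b4b0d3255bfef95601890afd80709  other.exe\n"
    return {
        "good": verify_download(path, good_list),
        "tampered": verify_download(path, tampered_list),
        "missing": verify_download(path, missing_list),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo_verification().items():
        print(f"{case:9s} {'OK  ' if ok else 'FAIL'} {reason}")
```

A matching digest only shows that the mirror delivered the same bytes the vendor published; as the original post notes about MD5 hashes, it says nothing about whether those bytes are benign.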

  392. But wait a minute?! I thought that Firefox/ Mozilla wasn’t a threat in the first place? I mean… you *do* have over 95% of the browser market share, right?

  393. rogue says:

    Anyway I trust it more than any M$ program. At least I can remove Firefox from my system if I don’t like it, ever tried that with IE??

  394. lothar says:

    I’d rather trust a university that I don’t know than a large corporation.

    I’d rather trust an open source project where I can read the source than I trust an obscure object file.

    I’d rather trust a program which has fewer critical bugs than a program that is known for its security flaws.

    I’d rather trust a group which spends money on advertising than a group which spends money on buying a certificate. (Why doesn’t Firefox get it for free in the first place?)

    I’d rather trust an operating system that comes with a compiler and tools than an operating system which lets me (initially) only run binaries.

    I’d rather trust a program I compiled from source than any binary, regardless of certificates or md5 sums.

    There’s still something money can’t buy: freedom.

    If you live in a country where you have the freedom of choice, make your choice wisely, select what fits best, trust who seems trustworthy to you.

    best regards,

    lothar

  395. Richard says:

    You can always tell a good product by the users… Intelligent people use Firefox, lazy people who know nothing about computers use IE… hope I haven’t been infected with spyware for writing this… I have to run Microsoft at work.

  396. F.U.D.

    This article illustrates Microsoft’s tactics of spreading fear, uncertainty and doubt rather than competing on technical and social merit.

    As he mentions Slashdot, here is the link to the discussion of this article on that site which comprehensively debunks his FUD.

    http://it.slashdot.org/article.pl?sid=04/12/21/0038235&tid=172&tid=154&tid=109&tid=113&tid=1

  397. Bill says:

    It works just fine for me under Linux, Sun, HPUX and my windows 2000 server doesn’t bother me with signing stuff.. my antivirus and spyware removal save me from installing most malware.

  398. Dug says:

    Wow, almost 1000 comments in less than 6 hours! Many eyes offer lessons in everything from html error detection to English grammar. Fascinating, but I have to go to bed.

  399. surprised. says:

    I must say I am honestly surprised; I, for one, never thought I’d live to see the day when a site appeared supporting IE OVER FIREFOX. Then again, human stupidity is infinite.

  400. Rob says:

    If there is something about FireFox you don’t like, go into the source code and change it.

    -Rob

    PS don’t forget to submit your changes, so we all can take advantage of a more secure FireFox

  401. JK says:

    Is this guy really serious? Just come to check my PC what IE did for it? Go check my Mom’s PC or my sisters. After "removing" (=hiding) IE from them there has not been a single time I’ve seen them that they didn’t thank me for making their computer so much better (and for them that’s also security).

    Btw, there’s some problem with the HTML on this web page.

  402. Another Man says:

    I have never had any security related problems with mozilla/firefox, but plenty with IE.

  403. Come on guys! Are you serious? There is nothing else you can attack, so you have to come up with these poor arguments?

    I could answer: instead of wasting your time writing articles against Firefox, why don’t you work to make your browser work, or at least work reasonably well?

    Why don’t you tell us why, just browsing the web with IE, even with antivirus and firewall, we still have malicious software installed that forces us to reinstall the OS every two months? Can you please give an answer to this? Why should we accept all this crap, if we pay you a lot of money?

  404. Citrix Geek says:

    FUD FUD FUD

    Those that know are running from IE in droves. With IE I would hear weekly from my parents and siblings about the computer being messed up and slow. Over Thanksgiving I cleaned out the spyware/adware, locked down IE so the only site it could visit was WindowsUpdate, then put Firefox, Thunderbird, & AVG on the computer, and now my family only calls to say hello and chat.

    Viva la Open Source ! ! ! !

  405. AHAHAHAAAHAHAHAHHAHA HAHA HAAHAHAAHAAA HOOHOOO AHAHA AH AHA AHAHAHAAAHHHAAAAAAA!! HOHOHO HAAAHHAHHAAH HEHE HEE HEE AHAHAHA AHAHAHAAAHAHAHAHHAHA HAHA HAAHAHAAHAAA HOOHOOO AHAHA AH AHA AHAHAHAAAHHHAAAAAAA!! HAAHAHAAHAAA HOOHOOO AHAHA AH AHA AHAHAHAAAHHHAAAAAAA HOHOHO HAAAHHAHHAAH HEHE HEE HEE AHAHAHA AHAHAHAAAHAHAHAHHAH!! A AHA AAAAA!!

    I disagree.

  406. Matt Jordan says:

    If anyone is wondering why this article has received so much more attention than its poor content deserves – it’s because of Slashdot http://it.slashdot.org/article.pl?sid=04/12/21/0038235&tid=172&tid=154&tid=109&tid=113&tid=1

  407. Kroc Camen says:

    You sir, have the debating skills of a tree-slug.

    Having been fixing computers for 8 years I have the first hand experience in knowing that IE (regardless of version, and yet still regardless of SP2) is the root of all computer problems. Every single machine I touch has been riddled with spyware, porn diallers and viruses – and why? Because when office Joe gets a message "Do you want to install this" with a big yes/no button he just clicks yes regardless because he is more concerned with getting on with whatever he’s doing – and this is the way it will forever be.

    The "real world" doesn’t contain users who can make any informed decisions about security, they barely know how to turn their computer on. Any delusion that home users will put in the effort to protect their computer is – a delusion.

    Having installed firefox on my customer’s computers I have received nothing but a) praise and b) a dramatically decreased volume of "it doesn’t work" calls.

    FF is only v1.0, it’s been released nearly two months and it’s had one / two medium security risks all patched within hours and distributed to all users the second they open their browser, no quibbles. IE has had… how many? in the span of one month!

    Quite simply MS are trying to pass off a dangerous product as more secure and simple than it really is, because I smell fear, and when a company is afraid, they resort to pathetic rumour-mongering like this.

    Get your reality sorted, then give us a proper argument.

  408. volinaz says:

    I not only changed browsers, I am no longer running Windows. I have 4 boxes and 1 laptop all outfitted with SuSE 9.1 Pro. After all the bs I had to contend with running Windows, choosing Linux was the best idea. Peter, you have no clue!

  409. You make quite a valid point with regards to FF and checking digital signatures.

    That said, such measures are taken in IE and still spyware and worse are very common problems for IE users, so the situation might not be as straightforward as you try to present it here.

    A very big issue here is that users simply get way too many questions that barely make sense to them, but from which they know that clicking no/cancel will result in something not working. This has created a horde of users who will automatically click ok without thought, and that is an even more dangerous situation.

    You seem to also have missed the fact that while many extensions may not be signed, you can only download and install them from pre-approved sources.

    Last but not least, the biggest problem with IE is that there have always been ways to bypass all the checks, and anyone who ever got gator/claria/whatever on their machine without ANY questions from IE whatsoever knows what I am talking about there.

  410. If you need true security for a large or specialist rollout then compile everything from source and distribute it from your in-house servers. Can somebody point me at the source for IE so I can do this?

  411. msgo says:

    Note that signing code doesn’t make you safe from everything.

    See the linked advisories,

    "What steps could I follow to prevent the control from being silently re-introduced onto my system?

    The simplest way is to make sure you have no trusted publishers, including Microsoft."

  412. Gummibear says:

    The Point is … DO I TRUST IE??? -> NO WAY, MAN!!!

    For years I’ve been getting far better software from the Mozilla (or Apache, most other OSS developers) team than from Microsoft. So why for heaven’s sake should I trust exactly that company that made viruses, worms, trojans, … possible just because they show me a certificate??? And as you wrote in your article: a certificate just shows me that that software comes from the company it says it’s from. But wait … you can even sign a trojan, can’t you????

  413. Dermot Daly says:

    Are we all forgetting that a couple of years back Verisign issued code signing certificates for "Microsoft Corporation" to non microsoft employees? So even this is not enough. See http://www.nwfusion.com/news/2001/0322vsign.html

    (or google for verisign microsoft bogus)

  414. AC says:

  415. Dave says:

    Would just like to say. You really have limited IT experience; what I can not understand is how someone with such a limited knowledge of IT is allowed to write articles?

    I have been in the industry for 12 years, and I highly recommend FireFox. It annoys me when I see this type of crap floating around. I get the impression that this is the type of person who plays with IRC scripts, and has limited or no knowledge of the industry.

    He fails to mention the fact that at the moment, Firefox keeps you fairly adware/spyware safe, or that if FireFox crashes, it does not take the whole operating system with it.

    How he got installation errors? Well, I believe it has something to do with his lack of skills. Simple.

    IE has many many many major security flaws, and anyone who sticks with it needs an education.

  416. I’ve been using Firefox for 3 months and I love it. It works very well and the extensions are great. I’ve recommended it to all my friends and they love it as well.

    I’d like to know how I’m supposed to trust a piece of closed source software like IE where I have no idea what code it contains? Especially a program with sooooo many security vulnerabilities and bugs.

    No thanks I’m sticking with FireFox.

  417. First I have to apologize for not reading *all* the above comments, I just don’t have the time. I’ll just comment on the article.

    Digital signatures and preposterous messages alerting you of absolutely everything won’t help security. The sole fact that IE *does* have all the signatures and still *does* suck in the security department makes all of the points stated completely irrelevant. Try surfing on warez/pron sites for half an hour with ie and with firefox, at the default settings, and see how much spyware you will pick up at the end.

    4 out of 5 points at the conclusion of the article have to do with signatures and dialogs (the remaining one has more to do with usability than security). While the reminders and warnings are nice, they do not comprise the security of a product. IE doesn’t follow W3C specifications, and it never gives you a warning about that. It doesn’t say: this browser does not follow standards to the letter. We (Microsoft) included stuff that no one else recommends and no other browser uses.

  418. rspickles says:

    The real question is which do I trust more. – Easy – Firefox – However before doing business online I boot to Linux and load Firefox – check the vendor’s website for what they are running. If it is on IIS – I go elsewhere. True, one can get a secure transaction with a Windows computer involved – but it’s much easier and more likely to be secure if you stay away from Windows. (Yes, this computer boots to both Windows and Linux – However Windows is now used only for games.)

    This is a classic case of Don’t ask the Question unless you really want to hear the answer.

  419. Let me be the one, says the original cast of Exposé.

    Random Commie Nonsense

  420. rob says:

    If your claims were really true, this would be acceptable. But I see it this way; You windows ppl got the worst security imaginable, the firefox browser being ported to windows must be a sacred gift from my point of view. Add to that there are thousands of people DONATING money to tell windows users about it so they can improve their lives for FREE. All they ask in return is a little bit of appreciation. Yet you spoiled ppl go and complain about things that don’t even make sense! Unbelievable. Well, if they were true it would be a different story, but then you’d have to report these problems to mozilla foundation instead of this pro-microsoft FUD.

  421. Dave says:

    That post is really weird. Do you really think like that? You sound like the Borg.

  422. indy says:

    - buy a windows license 300$

    - buy a msdn license 10000$

    - using msie and thus needing a psychoanalyst $100 per hour

    - criticizing firefox being a microsoft dumbass and getting slashdotted priceless

    shut up

  423. Dappere Dodo says:

    "I kid you not! — a numeric IP address"

    Wow, really? A real NUMERIC IP address? Man, that’s special. I always get alphabetical IP addresses…

  424. Four of my friends were having problems opening hotmail.com(!) and msn.com(!) in IE last month. They came to me with a problem reading their e-mails and such in IE (again). I suggested they try Firefox. Their problems were solved, but as an IT specialist I had to find out what kind of problem that was. Guess what. It’s impossible to find anything about a bug in a program that is proprietary until the company of that program releases the patch and explains the bug. I imagine if these friends of mine had the same or a similar problem with Firefox or any of the open source browsers, there would definitely be someone that has seen the problem and would inform me about the problem and maybe lead me to write a patch for that bug.

    This page does not show correctly in Firefox because it is NOT valid HTML 4.0 transitional; you can see the errors in the following link. Firefox does not care about a website being IE compatible. The only thing it cares about is being valid with the World Wide Web Consortium standards. None of the companies in the universe can forget these standards and create their own.

    http://validator.w3.org/check?uri=http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

  425. bork says:

    I trust firefox because… it comes bundled with my distribution (which I trust, duh) – no separate downloading for me :)

    See,

    http://packages.debian.org/unstable/web/mozilla-firefox

    It isn’t perfect, as you can see here (access to source, diffs and buglistings is a wonderful thing, hint, hint)

    http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=mozilla-firefox

    Cryptographic certificates required for validation are also packaged,

    http://packages.debian.org/unstable/misc/ca-certificates

    Furthermore, firefox has sane defaults for handling extension and plugin installations (which you can also turn off completely). Depending on how far you want to take this you can download the source yourself, audit it (hahaha) and build it with a toolchain you trust (on a system you trust, etc, etc)

  426. Peter says:

    You screwed up, you dumbass! Think before you write anything!

  427. Really, I don’t care what browser I use, as long as it does what I want/need when I want it. How many years have IT professionals lived with the bane that is IE? I for one cannot say how nice and easy FF is and have had no issues installing any instances of this under any of my VMware images as well.

    I can’t trust anyone who works for Microsoft writing unbiased and truthful information in regards to FF, considering it’s a good browser that has passed every test I’ve found it required for myself and my work.

    I know enough people who work for the institution/religion that is microsoft who use FF at home because it’s better and SAFER…

  428. Low Renz'oh says:

    If I interpret this blogmessage correctly,

    It all comes down to:

    "If you know what you’re doing, you’re ok with firefox, but if you’re somekind of stupid ass that has no clue whatsoever, and that always clicks the default button, go for IE"

    correct me if I’m wrong!

  430. Lenale says:

    FireFox focuses on ‘install now’ and not on ‘cancel’ by potential dangerous downloads, yes. But for me, that would be a reason to choose FireFox. I decide whether I trust a download source before I click the ‘download’ link, not afterwards.

    I bet John Average User does the same (which proves itself every time I run ad-aware on my parents’ computer… :) ).

    In my opinion, focussing on cancel is a good idea in theory, but bad in practice. People will just change their routine from *click* *enter* to *click* *left arrow* *enter*.

  431. Sylvain says:

    Peter’s initial post fits into Microsoft’s common trolling *strategy* when they are about to get screwed… Dead-end devotion from Microsoft guys ?

    This answer is just as pointless as this post is pathetic. Call it even, or not.

  432. momo says:

    The fact that you qualify a 7-zip error as a Firefox error shows me that you can’t differentiate between applications/OS/"services" coupled so tightly, like everything I see on your platform.

    Perhaps you make FF/IE responsible for any 404 you get ?

  433. John says:

    Oh my god. Do I trust Microsoft? No, I use Debian and at home Fedora Core 3 (linux flavours). They’re far superior in every way. Period. End of. Firefox is perhaps the most public way of showing that open source software is good.

  434. AR says:

    We must trust FF because we are about to start a massive client migration. So, the best browser for non MS platform is FF.

    We’ll complete the 3000 client migration at the end of 2005.

    By AR.

  435. Ronaldo says:

    Can you trust the piece of software that you write? I don’t trust anything that I write… :) This is a matter of faith. Security is actually the best lie someone told us. You believe that you are safe, but you aren’t. Even with signed controlled stuff you can sign a piece of malicious software and use some of the "social engineering" to get that software installed on your "victims’" computer.

    Security flaws on Firefox? Oh, yeah, they are there for sure… Remember that we are talking about a version 1.0 of the software. What is the current version of Internet Explorer? Ah… And it’s still with that lot of bugs? Amazing!

  436. LentoMan says:

    I’m not going to read all the comments, my firefox could handle to display them all with no problems though.

    It is true, you can disable flash but the way to get there is through options->downloads->plug-ins. It would help if they added Plug-Ins to the tools menu perhaps.

    Many people (you included) don’t realize there is a difference between Plug-Ins and Extensions, but I don’t blame you for it. Plug-Ins has machine-specific code (like active-x) while extensions are based on a scripted language and thereby also portable.

    Anyway, I could point out more stuff but I’m not going to bother as it would be an entire article itself, gone in the masses of the comments.

  437. 123 says:

    It does not matter what this loser writes about, because companies and countries around the world are replacing Microsoft’s software with Open Source software.

  440. Dimi says:

    Well, since IE is signed, but it lends our computer to scumware quite readily, I guess we have to resort to *gasp* unsigned installers.

  441. Doc says:

    "Every time you download a random piece of software from a random location, you’re taking your chances with your PC and all the information stored on it. You wouldn’t take candy from strangers, would you?"

    Erm, as opposed to having to pay for candy from a shopkeeper, not to mention what you know that that shopkeeper is doing to you…. and the fact that the shopkeeper knows what he’s selling you is crap, but does he care?

  442. Pete says:

    Ok, I have installed Firefox dozens of times without any of these problems. I surf faster, without popups, and have yet to have my toolbars, searches or bookmarks hijacked.

    Has the writer ever tried to remove a toolbar that installed itself without you even seeing a dialogue box (not even a blank one from my AV!).

    Has the writer ever tried to install a new version of internet explorer? When I installed IE6 the first time, it needed two reboots of my system, it crashed several times a day, sent information about my PC to M$ and immediately required a security patch. Restarting firefox twice isn’t really so bad.

    Has the writer had to use antivirus software, popup blockers and spyware removers? I don’t need to anymore, I use FireFox.

  443. So if IE and Mozilla are insecure, instead of WHINING, MAKE YOUR OWN BROWSER!!!!!!!!!!!!!!!!!!

    The web standards are published, so you could make one that complied, and you would be the ONLY person with control over it and who knew about it. This is the best because you aren’t gonna flame yourself about how weak, insecure, or poorly designed it is.

  444. Hemie says:

    Typical reaction of Microsoft about a new product which is far better than theirs at the first version. IE is on the market since many many years and at its 6th version.

    They should learn from it, instead of flaming it.

  445. Aaron says:

    how can i trust microsoft? should be the real question, with anything they sell me they make sure that i can’t sue them for any loss of productivity/ or anything… basically they aren’t responsible for their software..

    you sir are a buffoon… a stupid buffoon….

  446. MSIrony.exe says:

    Another interesting question is "How can I trust Microsoft?"

    Considering that the company has earnt antitrust convictions on multiple continents and that senior Microsoft executives lied under oath in the US DOJ case, the answer is that no sane person can.

  447. Scarbez says:

    Thanks for the (mis)information. I have used Firefox since the early versions and I never got any of the dialog boxes you depict here.

    It is true Firefox might not be totally bullet proof, but come on, are you comparing it with IE?

    I see you have stopped replying to the comments a long while ago. I am not surprised.

    I guess Microsoft chose you to say all this cr*p to not compromise the name of a better known Microsoft rep. By the way, who are you?

  448. Debian-lover says:

    I trust firefox, I have been using mozilla for years, but I do not trust microsoft, signed or not.

  449. Ben Roe says:

    You might want to fix your page: it’s not even HTML 4.0 transitional. I think you’re missing a couple of closing tags somewhere, causing it to render incorrectly on many browsers.

  450. harhar says:

    hahah what an idiot. and you WORK for microsoft?

    how fucking hard do MS want to try.

    try harder!

  451. FireFox is just for people who don’t know much about computers. It sucks! Every time I send links to other people they say they can’t display the page and then they have to use IE! lmao admit it FireFox Sucks

  452. fabian says:

    if u dun trust firefox at the first place,why the hell u mind to try it?

  453. steyr says:

    Well, you should keep using IE and all the nasty flaws that come with it. Keep watching pop-ups and banners just like people like TV ads.

    Since you trust Microsoft so much and want to make a Flame War out of it, there is no reason to criticize.

    I guess more than 10 million downloads isn’t considered good enough.

  454. Marc says:

    This article is very biased.

    It assumes Microsoft(R) tools have to be used to verify the contents. It assumes users are stupid, and have to use Microsoft tools to verify the integrity.

    Firefox ONLY allows installing extensions by default if the site is signed and comes from update.mozilla.org.

    I have never (since the Firefox 0.5 beta) seen the problems cited in the images of this blog.

    I do not think this article is objective. I hope more people react.

  455. Mr Fixit says:

    Like most of the computer competent people posting on this thread, your uninformed comments make me mad. Why? The hundreds of hours I have spent cleaning up friends and family computers from problems which are ultimately your (Microsoft’s) fault. When I install Firefox they go away. Ask not for whom the bell tolls, for it tolls for you.

  456. Kroc Camen says:

    I have come up with a simpler answer:

    the day I can install IE on a user’s PC and they don’t have any spyware or viruses by the end of the week (a la firefox) then you have something to say – until that day your argument is pointless.

  457. TheMan says:

    I just wanted to say that the author of this post has no clue what he is on about, is clearly a newbie to the internet. If for one second you thought that the people at firefox would/should give money to their enemy (microsoft) to register their software as ‘microsoft approved’ and that this in itself wouldn’t be admitting defeat (to think anyone needs microsoft approval..???).. And another thing, in all my years of using the internet not once have i ever hit ‘run’ rather than save to disk! – Do you really hit run? I mean your internet temporary files directory must be huge! And if you don’t know what a mirror is, you must have been on the internet for all of 5 minutes. Seriously, do yourself a favour, follow the steps below:

    1. Unplug computer

    2. Plug yourself into the power socket

    3. You’re not microsoft approved!

    David.

  458. Not security related, but Firefox always claims to be the fastest browser. Though on my system:

    - Firefox boots slower than IE

    - Firefox opens websites way slower

    The only reason why I use Firefox is indeed for the fact that it can prevent me from getting some viruses (like the ones hidden in fake image files). I know I shouldn’t mind a slower browser if I get security in return, but then they should stop saying they’re the fastest on earth.

    If IE had a tabbed browsing solution and the same W3C implementations as FF, a lot of users wouldn’t make the switch.

  459. Hauled!

    They are all hauled!

    The truth is that from when I use firefox I do not have every a lot to clean up my PC with spyware removal tool.

    Facts!!!

    IE go pension!

  460. sage says:

    >>1-1000 is DQN.

  461. jc-denton says:

    apt-get install mozilla-firefox downloads and installs firefox directly from my trusted debian mirror ;) the problem is just win i guess :P

  462. Ulmo says:

    The M$ countdown has begun.

    1 – they will have to open their code more and more.

    2 – their money will be spent without efficiency

    3 – they will have to use their IP to retrieve money

    4 – losing the rest of credibility

    5 – they will have to take the OSS train or die.

    BUT they will never renounce FUD like this little post. Do you believe in it? Do you trust M$ more than Mozilla (for example)?

    I don’t think, so i don’t fear. It’s a matter of time and it’s slowly exponential, hihi.

  463. Lucason says:

    Tell you what. Next time you don’t trust an internet vendor, ORDER THE CD!

    If you want I’ll be more than happy to send you 10 CDs of UBUNTU linux which comes with "Firefox and Thunderbird for Windows" on the CD free of charge.

    All this ‘I don’t trust the download’ crap really bugs the #@#| out of me. Ever thought of the fact that the reason they don’t have a verisign certificate is because a verisign certificate costs too #@&é# much!

    Chuck verisign and enter common sense.

  464. jtepisseocul says:

    How can you damn compare this bloody IE which has to be patched every 2 weeks though it is signed !!!!!!!!!!!! and Firefox which is far more secure ???, the question is: is it better to install a signed piece of shit or install a secured open source software powered by real developers with signature when you know that the product is recognized by experts ???????.

  465. Derrick says:

    While I agree with some of the points you mentioned above that make Firefox "insecure", I still choose it over MSIE as I trust Opensource. If what you mention is indeed going to be a threat, I am sure the devs over at Mozilla are going to take that in mind and address the problems soon.

    Nice post by the way.

    Derrick

    Happy Firefox User

  466. Main Thing says:

    Some MSFT developer is putting up some FUD. aka fear, uncertainty, doubt. Don’t do it. If you want to start messing around we can. MSFT has 57,000 employees. Firefox has 50,000 registered users at SpreadFirefox and a wonderful, advanced user…

  467. Wolf says:

    I’m left with no words. You call this a blog? you are clearly being paid to make this stuff up. It’s so senseless that I can’t find another explanation for so much FUD.

    Here I thought blogs were for personal opinions.

  468. Lattie says:

    Why should I trust a verisign certificate?

    Gator has a verisign certificate, C-dilla has a verisign certificate… Since when is verisign a guarantee of spyware free, bugfree or any other type of free?

  469. Harald Heuer says:

    Well, unlike IE, firefox is not programmed by morons who created more security problems per lines of code than any other browser has.

    IE developers couldn’t find a dangling pointer even if it would stick in their arse.

    Unlike IE, Firefox is not published by a company who thinks a browser is a strategic weapon supposed to lock users into a certain sub-standard OS and keep competition out.

    Unlike IE, in Firefox development and bug fixing is not a business decision, but a technical decision.

    Unlike IE, Firefox is done by people who want to be proud of their work. Proud of what they created – unlike Microsoft where people are proud of what they destroyed.

    That’s why I trust Firefox. But it’s OK. Just continue to use IE if you like to get rear-ended every few weeks when a new security issue in IE is discovered. Some people apparently like that feeling.

  470. Aux says:

    Well, use Opera – IE + FF really suck! (:

    And ’bout IE – spyware installs WITHOUT ANY PROMPTS!!! That’s even worse than the default choice in FF.

  471. Eadz says:

    Dude, fix IE before you go slagging off other browsers.

  472. Robert says:

    "The publisher could not be verified, do you want to install this spyware ?".

    Now, if IE users would have answered that question correctly, Microsoft wouldn’t be in so much trouble. But in fact, they were never asked.

    Their fault? I don’t think so.

    You’re suggesting that installing only verified software would be the solution, but do I have to remind you of the fact that signed spyware already exists, and as some pointed out: the verification only tells you *who* made the software, not whether it’s spyware or not.

  473. Fubar says:

    You sir, yes you, the starter of this blog, yes you, what a load of absolute twaddle you post, you have no clue whatsoever about firefox, obviously you’re a bit scared that it’s cutting into MS’s precious little IE market, i can’t believe MS still employs total knob jockeys like you, no wonder IE is such a pathetic browser

  474. MeaCulpa says:

    The FUD you’re spreading always reminds me to never ever stop advocating the value of open source.

    Thank you, come again.

  475. Fabio says:

    How can you trust Microsoft? Just a lot of lies… as usual!

  476. Alan says:

    Okay, so you go on about the wonders of digitally signed software, and you say that Firefox can’t be trusted just because you don’t have a digital signature to look at… but then you admit that a digital signature gives you absolutely no guarantee as to the legitimacy of the software!

    "Of course, just because a piece of software is signed […] doesn’t mean it isn’t nasty"

    You simply state that it helps you make a trust decision; but with the above in mind, it’s clear that this gives you a false sense of security. Gator and other crapware can very easily get their software signed, and then the unsuspecting user comes along and installs it.

    You also mention that an MD5 sum is no guarantee, but it’s a fairly good indication if you get both the installer and the MD5 sum from the official site at http://ftp.mozilla.org.

    The main difference of course, is that if I don’t trust a binary, I can download the source code, examine/audit it myself, and when I’m satisfied with the security, I can compile my own version, secure in the knowledge that there are no nasty surprises in the software. And if you aren’t a programmer, you can quite happily get someone else to audit the code for you. I do *not* trust Microsoft to do that for me.

    And the FUD being spread here ignores the truth of the matter; namely how much more secure and standards-compliant Firefox is than IE. With Firefox, you have true standards compliance, you have tabbed browsing, popup blocking (which MS have *finally* gotten around to, to be fair), ad blocking, and the ability to add on extensions to create whatever functionality you like. With IE you have a shitty browser with virtually no new features for years, no tabbed browsing, and the ability to very easily load up your computer with tracking cookies, porn diallers, home page hijacks, unwanted search bars, and all sorts of other horrible stuff… and to add insult to injury, it’s so tied into the bloated OS, you can’t even uninstall it. Where’s the freedom of choice in that? Oh my bad.. it’s Microsoft. To them, "freedom of choice" means "freedom to choose Microsoft".

    Every time I have to go fix someone’s computer, I *always* find that it’s a result of spyware/malware which has been installed through IE. I have yet to find a computer running Firefox experiencing the same sort of problems.

    It’s a good attempt at FUD; don’t try and compete in features or security, where IE is a horrible, insecure, buggy pile of trash that couldn’t even begin to match Firefox, just attack the theoretical security of the installer.

    I don’t know if you’re hoping "Big Bill" will see this and give you that promotion, or if you’re really taken in by the MS FUD machine, but either way, try again.

  477. Wing says:

    On first reading of the post, it isn’t hard to come to the conclusion that the blog poster just wanted to find things to blame FireFox for.

    1) A failure to unzip a corrupted or interrupted download isn’t the fault of Firefox. You’ll get that code if your network connection is faulty.

    2) Verification of the publisher is about as secure as IE is against spyware. The whole "signed binary" bit is a legacy of MS’s attempt at getting more revenue and locking out competitors. This started with drivers for the operating system and continues on with "signed binaries". The gist of it is that a company who pays the service fees gets a cert to sign their binaries with. Whoopee. All a cert does is validate that I am getting code that was signed by someone, somewhere, who paid microsoft some money.

    3) Blaming FF for what is a user behaviour issue (installing a binary even when you know it is risky, installing programs you don’t understand, not taking care to CHOOSE to avoid installing plugins which, whether signed or not, can be compromised through their own signed code).

    4) Firefox’s bugs are documented in the Bugzilla system. Serious bugs reported are dealt with. Firefox doesn’t have a financial incentive to conceal its bugs whereas Microsoft DOES. It would be educational and revealing to look at the bugs in the following manner:

    - How many are reported in a given year

    - Percents of those bugs which are: OS compromises, Application compromises, or just annoyances.

    - Time between bug submission and bug fix, also grouped into the previous categories of risk.

    - Number of recurring bugs of the same nature that have been "fixed".

    If you are going to make it sound like both browsers have equivalent bugs, you should at least break it down in a meaningful way as opposed to saying both are similar in behaviour.

    5) IP addresses are no less secure and no more secure than domain names. Your statement that "… Forging blindly ahead, I download the software again (this time coming from — I kid you not! — a numeric IP address, the bastion of spammers and phishers and all manner of other digital rogues) …"

    shows the same kind of flawed logic that: something which is labelled as a known quantity == secure/safe. So a domain name is more secure than an IP address? Even when there are domain name poisoning attacks which can fool domain name lookups to redirect victims to different addresses?

    This kind of thinking, I thought, was put out to pasture along with hostname-based-authentication.

    Your mention of:

    "This is what the "Secure Deployment" part of Microsoft’s SD3+C campaign is all about; we design and develop secure software, but we make sure that customers can deploy it securely as well."

    doesn’t exactly fill me with warm and fuzzy feelings. Basically, it means that your views are slanted and biased. That your posting is not without ulterior motives.

    Contrary to your slanted perception of FF in relation to IE and the security issues on the web currently, I think FF is a step in the right direction.

    FF is being developed by an organization which is comprised of people who actually want to put out secure code as opposed to a business which wants to start profitable security initiatives.

    The use of "signed binaries" or "signed" programs is a step in the wrong direction. By signing programs you are getting people into the exact behaviour you claim you want people to avoid: blindly installing programs without checking them. How? Using certificates, you are making the claim that "signed" == "secure/safe". So people who subscribe to the signed==safe/secure belief will blindly install a program that is signed, believing it is secure.

    Which is, I think, what we are seeing in the field. People believe they are safe because the IE browser uses "signed" technology for security. So they go visit pages with their "secure" browser and get infected and don’t know why. Sure, the people who write the code that infects the computers are to blame for creating such things. But the fact that the browser is given an air of security by slapping on signed certs instead of actually correcting the underlying problem is an outright shame.

    To say that security is at the top of the list is fine. It helps to actually follow through and achieve results. It helps to be actively responsive to notices and requests about security issues.

    For MS to tell people to "buy a new computer" if they want to be secure is utter BS. To have someone in the MS SD3+C security campaign write a slanted posting like this to make FF appear problematic is likewise utter BS.

    Here’s some food for thought:

    I run a Win XP Pro system at home. Have had it online for about 2 years. All I have guarding it is a simple "share your connection NAT firewall" box from the local computer store. No anti-virus and no anti-spyware. No SP2. Everyone who uses the computer has only a few rules to follow:

    - Don’t use IE.

    - Use FF or Mozilla.

    - Don’t use Outlook/Outlook Express/etc.

    - Use FF/Mozilla to access webmail.

    - Don’t use P2P, Chat, or IM.

    - Don’t download and run programs without asking first.

    Guess what? No virii. No adware/spyware/malware. No problems with the machine aside from it crashing because of a loose power plug.

    All of the rules above, along with a simple firewall, would be easy to implement. Signing doesn’t prevent user mistakes. Signing doesn’t prevent remote exploits of signed code. Signing doesn’t protect against remote attacks on your computer.

    So if the user has to ultimately make a choice about how to use their computer safely and signing only stops the poor adware/malware/virus writers who can’t afford to get a cert… what good is the cert?

    I’ve supported Windows based machines since around 1994. The main solution back then was: if Windows is acting funny… reboot the machine. If that didn’t fix it, re-install. Coincidentally, those were also the solutions which people told me they got from MS when they called in.

    It’s been over 10 years. I still see reboot/re-install being listed as primary means to "fix" a terminally problematic Windows machine. Thanks to a recent MS Rep’s statement, we can now add "buy a new computer" to that list.

    Yes, I’m ending on a slanted note. No, I don’t trust MS to secure my machine.

    In answer to how can I trust firefox? Because it has proven to be trustworthy with a strong operational track record over the last year of solid use on my laptop (Mac OS X + Windows via VirtualPC), my desktop (Windows XP Pro), and my workstation (Linux). The same program operates in all these environments and performs remarkably.

    In contrast, IE has proven itself to be a continual risk to a stable system. To the point where one university campus administration made a suggestion to not use IE and use alternatives like Firefox.

    Now tell me: How can I trust MS and IE?

  478. Andy says:

    your html doesn’t validate properly. Maybe because IE doesn’t support CSS the way it should?

    And that is the main reason I throw IE away: as a webdeveloper I hate it with a vengeance. It is absolutely worthless.

    First develop a working standards-compliant browser, then return and bitch about the competition of Firefox.

  479. Peter Torr says:

    I am off to bed now; any more comments will have to wait until the morning to be moderated.

  480. Please go to http://www.slashdot.org to read the flamewar you started (oh, and by the way, the points you make suck)

  481. AV4TAr says:

    Why do i have to? Why do i have to trust all microsoft software if i don’t know how it works? i can’t change it for my needs. I can’t even test with my friends..

    why ??

    AV4TAr

  482. Well, as a contributor to the moz project, I appreciate all the input. I can help to repair some of the user interface glitches you found. I can furthermore suggest we purchase a vanity domain for the stpaul mirror. Oversights, I agree, but IE drag and drop vuln’s or address bar spoofing these are not.

    Now that I have been fair, perhaps it’s time you identify the errors you cited properly! Attribute the 7 Zip issue to that vendor, NOT to firefox. Attribute the blank msgbox to whatever caused it, because I haven’t seen it. Perhaps something on your MS box is hosed.

    And for driver signing, that’s so easily spoofed it’s pitiful. Hell, with the "features" IE gives me, I can present a pop-up to the user that states it’s properly signed and have him click through to real ownage.

    When quality coders are in short supply, rely on FUD.

  483. mike says:

    Instead of trying to nitpick fault with Firefox, how about encouraging your employer to fix up IE?

    Other browsers have come a long way since IE 6 was released in 2001. In 2001 Firefox did not even exist. The addition of a pop-up blocker in XP SP2 aside, (years after Mozilla offered this), IE has stood still and a new version apparently won’t be out until Longhorn arrives in 200whenever.

    When held up against other freely available web browsers IE looks increasingly poor.

  484. akbar says:

    well, i can

    And first of all, go 2 secunia.com and see what’s happening when you use IE.

    It’s normal 4 you, you work @MS.

    If you were in mozilla team, you would blame ms’s IE.

    You cannot convince me to change my opinion.

    Firefox has already over 11 million downloads.

    And this doesn’t mean nothing 2 you ??

    The Browser, Reloaded.

    P.S.

    Try to use Mozilla. It’s free :)

  485. Gorgonzola says:

    I guess you have succeeded..

    1. By starting such a flame you have brown-nosed your boss with well targeted fud and advertising to the geek community, far better than a two page ad in the NYT…

    2. Getting us all to try and set you straight, you edit out the serious comments and only post the tripe written by script kiddies, or perhaps you just typed it all yourself… to make us all look "untrustworthy"..

    3. diverted attention from the latest and greatest achievement of your department and employer… THE HOLE IN YOUR FIREWALL!!

    Maybe you could transform this to a beg site and we could all pitch in to get a two-page spread in the washington post commending you on your achievement!

  486. Trelane says:

    Are you really sure, that you have installed the latest Firefox Version?

    http://www.mozilla.org/products/firefox/

    It doesn’t wait for you at a university’s site, nor does it have an empty dialog box, nor does it make problems with flash.

    Go figure. As it seems you installed an old maybe beta version.

    Trelane

  487. Jeff Joker says:

    It’s pleasing to me to see someone so hardheaded and lobotomised to the microsoft way of thinking and selling their software and licences saying that the rest of the world is shit, contagious, infamous and killing you when you click on a web link.

    Also, it’s pleasing to see that even MS people don’t know how to navigate, find an installation package, install software, use it … on their own OS !!!!!!

    So much more to say

  488. hello says:

    Use Gentoo. It checks for you. HAHAHAHA SUCKER. God you guys suck.

  489. Nobody says:

    IE is just as secure as Firefox. only that firefox is easily configurable.

  490. a says:

    you are so biased it’s unbelievable

  491. Erik says:

    We all just have to realize that whenever new software is developed there are going to be security issues, it is just the nature of the business.

    IE was created very early on during the early childhood of the Internet and thus far has been an assimilation of many programmers and ideas. As time has gone on and Internet security has become more prevalent IE has become more secure through patches trying to secure the security holes created when IE was first developed.

    Now you take Firefox, which started out with SECURITY as one of its primary goals, if not its number one goal, you are inherently going to have a more secure browser than one that has been assimilated over time like IE. However, with that said, this still doesn’t make Firefox 100% secure either.

    Addressing your statement regarding digitally signed files and extensions being unsigned etc … It is to my best knowledge (reference: Firefox FAQ, https://addons.update.mozilla.org/faq/?application=firefox) that all extensions and themes get assigned and tested by a Firefox technician. Just because Microsoft is big on digital signing doesn’t mean that it is the only way to verify that the software is "good". If you trust the source, mozilla.org, for example, from which you can download Firefox, extensions, and themes directly from Mozilla, then there isn’t a problem.

    My last point is that you have to remember that Mozilla is an organization run primarily by the donations of users. It offers its products for FREE.

  492. Warp says:

    If only they had spent some of that money on improving the security of their users by, say, purchasing a VeriSign code signing certificate.

    - If anything verisign should give the Mozilla foundation a certificate, it would serve as good PR for verisign too. It makes no sense to demand huge investments in certificates when you’re not a huge corporation.

  493. BK says:

    You are a complete idiot! IE is a complete piece of trash. Before you go and attack other browsers for being un-trustworthy you should take a look at the garbage Mr. Bill Gates is churning out. I’m willing to bet my house that more people have gotten terrible viruses and spyware through IE and Outlook than anything else. And I never encountered any of the supposed errors during installation that you did.

    Please note that CERT apparently trusts Firefox more than IE because they recommend using it instead of IE to prevent the spread of spyware and viruses.

  494. ninjakarl says:

    did u notice that the ‘get more extensions’ button is smaller than the ‘uninstall’ button in the extensions area. how biased can u get man.

  495. curk says:

    no offense meant, mr torr. but i really think the points u mentioned in your post have nothing to do with whether we can or cannot trust firefox.

    you can work fairly well with firefox without ever being concerned with security issues _after_ you have installed it.

    and i dearly hate ie, too. i (and millions of fellow-webdevelopers) have spent too many countless hours trying to make the simplest of websites work with ie.

    darn, i’ll go get a cup of coffee before i endanger anyone in this office … we can only hope, that this post won’t make anyone who doesn’t know a thing about computers use ie instead of ff.

    one question to you, mr torr: have you ever seriously tried ff and found it a "worse" (in any way or whatsoever) browser than ie?

  496. ranger says:

    This blog item seems to imply that:

    -firefox is only for Windows

    -everyone installs firefox via the mozilla.org binaries

    However, many non-Windows platforms (such as most linux distributions) provide a better means than Windows to deploy software, including support for package signing and built-in file verification methods, which are the de-facto standards for installing software on those platforms.

    For instance, the distribution I am using provides firefox packages, which were built from source (and the source package is publicly available and contains the original source, some patches, and the signature of the source tarball, and is itself signed by the distributor’s cryptographic key), and the binary packages are signed by the distribution key. The software installation tool will only install packages signed by certain cryptographic keys without warning the user. The binary package includes md5sums of every file shipped by the package, which can easily be verified.

    The de-facto "standard" on the Windows platform is the unsigned setup.exe …

    So, you’ve pointed out once again that Windows trails in security considerations.

    The machine I am using now has no antivirus software, yet I don’t get any spyware, I don’t see any spam (thanks to Thunderbird), and I get no unwanted popups, but of course I’m not running Windows …
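As an added example, not part of Alan’s (476) or ranger’s (496) comments above: a small Python checker that verifies downloaded files against a checksum listing in the `md5sum`/`sha256sum` text format both comments refer to (one `<hex digest>  <filename>` per line), with the hash algorithm selectable so the same code also checks SHA-256 listings. The listing, file names and file contents below are constructed for the demo in a temporary directory; no real Mozilla checksum values are assumed.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple

# Added example (not the commenters' code): verify downloaded files against an
# md5sum/sha256sum-style listing fetched alongside the installer.


def parse_checksum_listing(text: str) -> Dict[str, str]:
    """Parse '<hexdigest>  <filename>' lines as written by md5sum/sha256sum.

    A leading '*' on the filename (md5sum's binary-mode marker) is dropped.
    Blank lines and '#' comments are skipped; any other malformed line raises,
    so a truncated or hand-edited listing cannot silently pass as complete.
    """
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # filename may itself contain spaces
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest> <filename>'")
        digest, name = parts
        name = name.lstrip("*")
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"line {lineno}: digest is not hexadecimal") from None
        # A listing entry must not be able to point outside the download directory.
        if os.path.isabs(name) or ".." in name.replace("\\", "/").split("/"):
            raise ValueError(f"line {lineno}: unsafe path {name!r}")
        expected[name] = digest.lower()
    return expected


def file_digest(path: str, algorithm: str) -> str:
    """Hash a file in 64 KiB chunks so a large installer need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_listing(listing: str, base_dir: str,
                   algorithm: str = "md5") -> Tuple[List[str], List[str], List[str]]:
    """Check every entry in the listing; return (ok, mismatched, missing) names.

    The digest length is checked against the algorithm so an md5 listing is
    never silently compared against sha256 output (or vice versa).
    """
    expected = parse_checksum_listing(listing)
    want_len = hashlib.new(algorithm).digest_size * 2
    ok: List[str] = []
    mismatched: List[str] = []
    missing: List[str] = []
    for name, want in expected.items():
        if len(want) != want_len:
            raise ValueError(f"{name}: digest length {len(want)} is not {algorithm}")
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        got = file_digest(path, algorithm)
        # compare_digest does not leak how many leading hex characters matched.
        if hmac.compare_digest(got, want):
            ok.append(name)
        else:
            mismatched.append(name)
    return ok, mismatched, missing


def run_demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: one intact file, one altered file, one never downloaded."""
    # 5eb63bbb... is MD5 of the bytes b"hello world"; the listing is built for this demo only.
    listing = (
        "# constructed checksum listing, not a real Mozilla file\n"
        "5eb63bbbe01eeed093cb22bb8f5acdc3 *Firefox Setup 1.0.exe\n"
        "5eb63bbbe01eeed093cb22bb8f5acdc3  tampered.bin\n"
        "5eb63bbbe01eeed093cb22bb8f5acdc3  not-downloaded.bin\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Firefox Setup 1.0.exe"), "wb") as fh:
            fh.write(b"hello world")
        with open(os.path.join(d, "tampered.bin"), "wb") as fh:
            fh.write(b"hello world!")  # one byte appended after the listing was made
        return verify_listing(listing, d, "md5")


if __name__ == "__main__":
    verified, bad, absent = run_demo()
    print("verified:", verified)
    print("MISMATCH:", bad)
    print("missing:", absent)
```

Switching `algorithm` to `"sha256"` makes the same checker accept a 64-hex-digit listing and reject a 32-digit one, which is the point of the length check.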

  497. Cypress says:

    Another useless text probably sponsored by Micro$oft. It’s just like the "Get The Facts" campaign trying to discredit Linux. They simply don’t like the fact that anyone else comes up with a better idea than theirs, the fact that IE is A PIECE OF CRAP. I wouldn’t allow my worst enemy to surf the web with IE.

  498. AntaBaka says:

    Tool.

    Get FireFox from a cover CD and be done with it.

    You have no clue how stuff works.

    Please stop posting about stuff you don’t know a thing about in the future.

  499. Me says:

    How can I trust IE?

    I’ve been using Linux for a while now, and Firefox for a number of months, and _never_ got any virus/trojan/spyware/etc installed on my machine.

    Sometimes I reboot in Windows to play a game, and the next thing you know, I’m infected. I haven’t even browsed the web yet!

    And you expect me to trust IE over Firefox? Thanks but no thanks. I know there is no perfect security, but there’s no doubt that some systems are more secure than others. Also, please don’t bring up the argument that Windows owns the market, and that’s why they are targeted by viruses. Apache proved that argument wrong.

  500. dmt says:

    Wtf? So please, scream to all the downloads, saying: "it’s not secure to download at all". M$ downloads are not secure too, if we’d watch all da processing during this. F***ing stuff is diz.

  501. Trilla says:

    I’ve been hitting off with IE for years now, and have not encountered any problems, ever.

    I can’t stand the extra clutter of another web browser on my computer either.

  502. yoyo says:

    i trust people who make something for free cause they care

    not cause they were paid to "care".

  503. BK says:

    I forgot to mention that it’s interesting that Microsoft won’t officially say that they are worried about Firefox, but they are forcing employees to flame Mozilla. By the way Peter, I hope you enjoy moderating all these comments and I hope you feel the wrath of the Community. THE PEOPLE HAVE SPOKEN!

  504. Tassoman says:

    You could trust firefox by downloading sources, verifying them reading ‘em all and then compiling on your machine.

    Another way may be trashing windows, that could be already damaged by Blaster virus, migrate to linux (i suggest debian), and download sources and apt.

    Otherwise, keep yourself, your business, your data in the mysterious and bugged hands of microsoft.

    Have a nice surf with your IE and jpeg altered images!

  505. Monkey says:

    Ha! Don’t make me laugh i.e. more secure than Firefox? Not if you’re running any OS other than XP, as MS have stopped supporting IE for any other OS (http://it.slashdot.org/it/04/09/23/1411217.shtml?tid=201&tid=128&tid=109&tid=1).

    At least FireFox doesn’t force users to upgrade their OSes – and shell out hundreds of pounds to do so – every couple of years!

  506. recrudesce says:

    ironic that this comes from an MS employee..

    have you used IE pre-XPsp2 ? go back to a bog standard install of XP and then do all that again.

    i use firefox in our offices, and since i rolled it out our spyware infections have dropped considerably !

    that’s a good enough reason to trust firefox. ie is the gateway to all the crap on the internet, because it’s so insecure !

  507. Jason says:

    This is one of the most off the wall posts I have read in a while. Reading the obscure logic provided reminds me of george bush trying to justify the torture of prisoners on TV today.

    First and foremost I do not believe that the problem with IE and malware was ever really simply people downloading and installing software that may contain spyware. I find it hard to believe that any amount of dialog boxes will deter people from installing p2p software or smiley central. When people had installed these programs on their computer they became infested with spyware. And still today with windows XP sp2 they will again be infested with spyware. I refuse to believe that dialog boxes make a significant difference.

    The biggest problem with IE was and is malicious software being installed on the user’s computer without their knowledge. Many companies exploited ie by building scripts that installed toolbars, invoked browser hijacks, open relay mail servers, you name it you could get it without even knowing that it was happening at all.

    When compared to problems like these, the problems you had mentioned are extremely nominal.

    Another good point is that all of your screenshots and great security features shown only exist in windows XP service pack 2. Windows XP always has and will be geared towards home use. It has a lot of issues in the work environment such as security (outside of ie) and slow LAN access. In which case there is still a large percentage of computers running windows 2000. These customers cannot download a new version of IE that will bring them up to date with sp2. Do you not support windows 2000 any longer ?

    Bottom line, though Firefox may have its minor quirks, it is still a better product than IE, even with SP2; And a no brainer on windows 2000.

  508. Sean Ellis says:

    Well, after yet another piece of annoying spyware on my machine, I decided to switch away from IE, but went one stage further than most of the correspondents above. I’d been wanting to look at Linux for some time, so I thought that this was the ideal time to give it a try.

    I got a new hard drive, installed a fresh copy of Win2000 on it in a small partition (yes, I have a legit license), just in case I didn’t get on with Linux at all. I also turned off ALL networking, and then installed Mandrake Linux 10.0 on the main partition so I could dual boot. (I couldn’t do this the other way round, because the Windows installer doesn’t like it to coexist with other OSs.)

    It was a little fiddly at first, but took no more time than a good scrub for malware would have.

    6 months on, I have had virtually no reason to go back to Windows at all. Well, there is no 3D Garden Designer software available for Linux yet, so my wife uses that occasionally, but she hardly noticed the fact that she’s using Linux for browsing the web and doing e-mail.

    I was also asked to set up a new XP Home box for my brother-in-law. I trusted IE and Outlook enough to remove them (as much as possible) and replace with Firefox and Thunderbird, but just to be safe I also installed loads of anti-spyware stuff too. And OpenOffice.org.

    Since I’m the one who would be called if there’s a virus on this box, I’m basically putting my money (well, time is money) where my mouth is.

    Although I probably won’t need to examine the source for Firefox at any point, it is important to me to know that I *can* if I need to, or at least pay someone independent to do it. I can contribute. I have some measure of control. If I need to, I can *see* what’s going on.

    IE is like a car with the hood welded shut, and unfortunately, after each service, its reliability appears to get no better.

    So instead of throwing more time at the thing, I’m investing that time in a cheaper, faster, better car with more features and better reliability (so far).

    Sorry if this isn’t what you want to hear, but you did ask!

  509. jki says:

    > How can I trust Firefox?

    You should not. The question is actually "How can you trust yourself?"

    When making the initial decision to install Firefox, or software X, you have (or you should have) previously made the decision, for whatever reason (such as just to start a flamewar), to trust the publisher of the software enough to go through the installation.

    (Do you feel less sad or stupid if you break your computer by running a signed install? I remember feeling very stupid after installing (signed) updates from Microsoft and then realizing they fucked up everything).

    You do not trust a signature, you trust yourself in determining the provider and source (and path to) download.

  510. Hydra() says:

    If you look at the average user that uses Firefox, he/she isn't some dumbass that will download random things. This is just another pathetic attempt by Microsoft because they are getting scared of the competition.

  511. Jonathan says:

    Fix YOUR product BEFORE you berate a competitor. You have more than just browser issues to fix, you know…

    /using Firefox until IE can rival it.

  512. legine says:

    Can anybody tell me what this VeriSign is?

    Do I only have to pay the money the selling company wants to get it?

    What tests are made for securing the safety?

    Are these tests appropriate?

    Who makes these tests? Are they economically independent from others?

    Do they have other marketing interests than selling these certificates?

    Could these interests conflict with a neutral view on the product which is checked?

    Those are the questions which are popping up in my mind.

    Check these questions and trust no one. If you can answer any question (and others) to your satisfaction, then you have found a certificate you can trust. I have not found one I am trusting yet.

    For the software:

    Since no software is secure, which ways do you have to report insecurity?

    Which ways does the company give you feedback on your report?

    Where can you check the true security of the software?

    Is this source independent? (Now you can apply the question to the certificates here too.)

    And the most important:

    Because security is always just an illusion, take the software which you can work best with.

    So that's my 2 cents.

    bye

    Peter

  513. Who would you trust: a company, with signed downloads, that has been known to release buggy software for the last 20 years, or an open source project where everyone can point their finger at the thing to fix, and it gets fixed quickly?

  514. Sean says:

    Service Pack 2 fixes a lot of problems with IE – making it more secure and more user friendly but it is too little too late.

    Why do I trust Firefox? Because if something goes wrong I know that the Firefox people are going to fix it quickly. Because it displays sites the way they are supposed to be displayed and because it IS secure and it is a better browser. I am an unbiased user who switched to Firefox after I tried it out and realised these things.

  515. Raptor says:

    It’s kinda sad and funny at the same time. Microsoft is still saying Internet Explorer is secure! How odd!

    If I may ask… After all these years, do you believe ActiveX was a good thing or a bad thing? Before SP2 for Windows XP, Internet Explorer was completely insecure. Popups, ActiveX, HomePage Hijackings… I could continue for ages.

    You seem to target a very wide range of operating systems. Windows XP SP2. How wide is that!?

    Tell me exactly how secure are people using IE on Windows 2000? Or even people with Windows XP SP1? How easy is it for them to uninstall/disable the Flash plugin? Oh wait, they can’t? They need to look elsewhere?

    So far it’s the sad part. Now let’s move on to the funny part.

    Although Microsoft seems to fully trust IE as a browser, it’s a good thing it was given a proper position in Windows 2003. Disabled. Talking about defaults, anyone? If IE is so secure, why would it be disabled by default?

    For many years, I was using Internet Explorer. Frankly, I stopped using IE because I got tired of dealing with security issues.

    Oh, and by the way, even with SP2, Internet Explorer STILL messes up my toolbars (I enable the Google toolbar and get the NAV toolbar and vice versa). Do I really need that?

    And don’t get me started on the spyware which affects internet explorer. Do I get any warning that my homepage was changed? Or maybe a warning that 7 new toolbars were installed while Internet Explorer was closed?

    Since you mentioned the HTML engine, what did you think of Firefox's engine? Did you notice it renders .PNG files? Did you notice that Microsoft websites don't render correctly? Did you wonder why? It's called standards. The Firefox engine, it seems, is better, even though it's much smaller in size than the MSHTML engine.

    How about the download manager? Did you like the Pause function? Where exactly is that in Internet Explorer?

    Also, is there a variety of plugins for IE? The only ones I know are toolbars… Toolbars for this, toolbars for that… Anything which adds tabs? No. Anything which adds a decent FTP client (The one in IE is a joke)? No.

    Statements like yours make me hate Microsoft. Another Microsoft guy said a while ago (in an indirect way) that the features found in Firefox are not useful, yet he admitted he has never tried Firefox. Please, it's pathetic.

  516. kmself says:

    ]$ host www.microsoft.com; host www.windowsupdate.com

    www.microsoft.com is an alias for www.microsoft.com.nsatc.net.

    www.microsoft.com.nsatc.net has address 207.46.156.188

    www.microsoft.com.nsatc.net has address 207.46.156.220

    www.microsoft.com.nsatc.net has address 207.46.244.188

    www.microsoft.com.nsatc.net has address 207.46.245.92

    www.microsoft.com.nsatc.net has address 207.46.245.156

    www.microsoft.com.nsatc.net has address 207.46.249.252

    www.microsoft.com.nsatc.net has address 64.4.21.221

    www.microsoft.com.nsatc.net has address 207.46.156.156

    www.windowsupdate.com is an alias for windowsupdate.microsoft.nsatc.net.

    windowsupdate.microsoft.nsatc.net has address 207.46.249.56

    windowsupdate.microsoft.nsatc.net has address 207.46.134.90

    WHOIS nsatc.net?

    Organization:

    SAVVIS Communications

    nsatc host

    225 W Hillcrest Dr, Ste 250

    Thousand Oaks, CA 91360

    US

    Phone: (805) 370 2100

    Fax..: (805) 370 2101

    Email: nsatc-host@savvis.net

    Who is Savvis?

    Savvis outed as big-time spam host | The Register

    http://www.theregister.co.uk/2004/09/09/savvis_spam_canned/

    Clearly some random spammer’s website. Certainly wouldn’t want to install any software from there.
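The comment above makes its point with `host` and `whois`: the name you typed and the organization whose machines actually serve the bytes can differ, which is exactly the mirror question the original post raises. As an added example (not code from this thread, from Mozilla or from Microsoft), here is a small Python parser for `host` output that follows the CNAME chain and reports the registrable domain that really answers. The sample output is the comment's own, shortened; the "registrable domain" helper is a deliberate simplification (last two labels, no public-suffix list), so it misjudges names like `example.co.uk`.

```python
import re
from typing import Dict, List, Tuple

# Sample `host` output taken from the comment above (link-prefix debris removed,
# list shortened); a real run would be `host www.microsoft.com`.
SAMPLE_HOST_OUTPUT = """\
www.microsoft.com is an alias for www.microsoft.com.nsatc.net.
www.microsoft.com.nsatc.net has address 207.46.156.188
www.microsoft.com.nsatc.net has address 207.46.156.220
www.windowsupdate.com is an alias for windowsupdate.microsoft.nsatc.net.
windowsupdate.microsoft.nsatc.net has address 207.46.249.56
windowsupdate.microsoft.nsatc.net has address 207.46.134.90
"""

ALIAS_RE = re.compile(r"^(\S+?)\.? is an alias for (\S+?)\.?$")
ADDR_RE = re.compile(r"^(\S+?)\.? has (?:IPv6 )?address (\S+)$")


def parse_host_output(text: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Split `host` output into a CNAME map (alias -> target) and an address map (name -> IPs)."""
    aliases: Dict[str, str] = {}
    addresses: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1).lower()] = m.group(2).lower()
            continue
        m = ADDR_RE.match(line)
        if m:
            addresses.setdefault(m.group(1).lower(), []).append(m.group(2))
        # anything else (MX lines, "not found" errors) is ignored
    return aliases, addresses


def resolve_chain(name: str, aliases: Dict[str, str], limit: int = 16) -> List[str]:
    """Follow CNAMEs from `name` to the canonical name; stops on a loop or after `limit` hops."""
    chain = [name.lower()]
    while chain[-1] in aliases and len(chain) <= limit:
        nxt = aliases[chain[-1]]
        if nxt in chain:  # CNAME loop: stop rather than spin forever
            break
        chain.append(nxt)
    return chain


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Simplification: no public-suffix list, so
    names under suffixes like co.uk are classified wrongly."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def where_does_it_land(name: str, host_output: str) -> dict:
    """Report which canonical name and registrable domain actually serve `name`."""
    aliases, addresses = parse_host_output(host_output)
    chain = resolve_chain(name, aliases)
    final = chain[-1]
    served_by = registrable_domain(final)
    return {
        "chain": chain,
        "final": final,
        "addresses": addresses.get(final, []),
        "served_by": served_by,
        # False means the bytes come from infrastructure under a different registrable domain
        "same_org": served_by == registrable_domain(name),
    }


if __name__ == "__main__":
    for host in ("www.microsoft.com", "www.windowsupdate.com"):
        print(where_does_it_land(host, SAMPLE_HOST_OUTPUT))
```

`same_org` being False is not proof of anything bad (CDNs and hosting providers are normal), but it is the cue to do what the commenter did next and look up who the serving domain belongs to before trusting the download.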

  517. Vincent says:

    I really like your article, even as a Firefox-user. You really pointed out some serious problems with Firefox! But IE has some serious problems concerning spyware which Firefox has solved.

    Mozilla.org should

    - use subdomains like <supplier>.mirror.mozilla.org

    - solve the problem around default-options.

    - have better contracts with suppliers of plug-ins.

    MS should

    - solve the spyware-problem, so my friends don’t have to check for spyware after having surfed the internet.

    - start using official HTML and JavaScript instead of its home-brew one.

    What both browsers have are the I-don't-want-to-read/understand-but-just-press-enter users.

    You can *not* ask those users to read, because they don’t understand the question.

    A possible solution for that is enabling 'trusted persons' like 'msdn-technician', 'slashdot-users', 'FireFox-crew', 'MS developers', etc. When there is a messagebox there is also everybody's favourite paperclip which says "your advisor (….) chose ….. here" and some more information. Of course there must be a big warning when the advice changes. I think MS wants the signing in their own hands, but decentral signing might be a solution in this fast changing world.

    In one year or two we will have two great browsers which can compete by options and not by security.

  518. Dean says:

    You’ve got to be stupid to use the generic default browser your computer came with. Internet Explorer is just as good as browsing the web with Windows Explorer.

  519. Acro says:

    Yes, it's true that Firefox shouldn't have the "Don't ask me again" option for .exe files; that's insecure, because kids that download everything (as all people know) selecting that can lead to not knowing that .exe files are run without confirmation and can be backdoors. I like Firefox, used it a lot from version 0.8 to 1.0, and what many people said is valid: it looks more secure, spyware isn't installed like in IE (but FF doesn't have ActiveX), etc. But FF doesn't render many pages correctly (like many PHP layouts) and has weak support for JavaScript code (for example links with cursor effects and text effects; in FF those links in the page will not be treated like links, only shown as simple text).

    In IE, if you disable ActiveX, IE becomes spyware/malicious-code free in SP2.

    Like I said, I was a FF user, but because many pages don't work properly I got sick of using the "view in IE" extension and gave the Maxthon browser a try. That browser is what IE should be: popup and content blocker, ActiveX protection, etc., and of course no more pages rendered incorrectly.

    Be it the webmaster's fault or FF's fault, many pages simply aren't rendered correctly, and in the bug forum 70% of posts are "fix FF for page x", "page x doesn't render properly", etc., and in Bugzilla the changes in FF are "fixed page x", "fixed rendering at page y", etc.

    Because of this, if FF wants to surpass IE it has to work on that. If MS makes IE like Maxthon with ActiveX protection etc., or even better, FF dies.

  520. Nick says:

    When you say ‘random’ do you really think it is the correct use of the word? Maybe you should check a dictionary.

  521. MackanZoor says:

    Hm this was interesting… Security is good to have.

    What I wonder, however, is: does Firefox have as good JavaScript handling as IE? Or do the same scripts that work on IE crash on Firefox?

    If Firefox can't handle the same scripts written for IE I would never change browser, since IE has set the standard due to the amount of users it has.

  522. Dualism says:

    How can you trust Firefox? It’s easy.

    Download IE and use it for a few days. When you’re done with your days and days of normal browsing, I’d suggest you run both a spyware detection/removal tool as well as a virus scan on your computer.

    As phase two of this testing process, do the same with Firefox. I can guarantee that unless you're doing something deliberately more harmful to your computer (and even then it's questionable) you'll have far fewer problems with Firefox than you would with Internet Explorer.

    I think a better question is, "How can I trust Internet Explorer?" As has been mentioned probably several times above, a lot of people, including myself, don't feel like letting SP2 have its way with our most private regions. In that case, your new security measures are useless, and a much better option for all involved would be to switch to Firefox immediately and never look back.

  523. Damn! Now I know why MS products have so many flaws!

    I couldn’t stand reading all the way down to the bottom of this page because there were too many comments… But the author of this blog is moderating any and all entries (so it seems, judging by the comment posted at 2:40am today)! It sure takes some valuable time…

    Shouldn’t he be better off working to squash some bugs <and|or> add some functionality to the product he’s involved with?

    Well… Mr. Torr could tell me he’s moderating his blog on his spare time, not at work. But still, wouldn’t it be better for his work and health if he just went to bed and took a good rest? I am a developer myself and I don’t really perform very well without a good night of sleep.

    Maybe he’s not a developer… Maybe he’s just being paid to run this blog. How can I trust him or his employer?

    Mr. Torr, please forgive if I’m being intrusive… Take it as an advice. And don’t try to argue with Slashdotters. They will prove you wrong sooner or later…

  524. Thorben says:

    Interesting points. Why don't you become a Firefox developer? From my subjective point of view, it runs faster. And two minutes ago MSIE crashed, but I didn't mind, because Firefox crashes rarely.

  525. bob_c_b says:

    I’m not sure anyone at MS or anyone involved with IE can, at least with a straight face, debate security with any other product on the market. Seriously, this comes off as typical MS FUD, and while I agree that a Verisign or Thawte certificate would be nice, I trust the FireFox (and many other OSS dev teams) as much if not more than I trust Windows Update.

    I think this quote "Normal disclaimers apply. I am not responsible for anything, and neither is Microsoft." from your own web site says it all.

  526. RedShirt says:

    It seems you missed the biggest difference between FF and IE regarding installation of 3rd party software:

    FF always asks if you want to install it and if you say "no" it accepts your "no", so it is your own choice if you run software you trust or you don’t trust.

    IE however has so many bugs that there are ways for an attacker to run code of his choice without any notification of you, the user. So it doesn’t matter if the code is signed or not. You never will have a choice, the code is run without you even knowing.

    So good luck to you all with IE and your false sense of security.

  527. burn 0xDC says:

    Microsoft Suxx & IE 2 !

  528. Sérgio says:

    Strange… why are the comments not in support of IE?

    Hmmmm, I think no one trusts MICRO$oft…

    Long life for the Open Source and Freedom…

  529. barbarossa says:

    one argument stands out:

    only visit websites that are owned by certain corporate entities. in fact, why bother with the internet? lets just have a nexus hub of links to corporate websites and turn the internet completely into a seller-buyer scenario, where end-users are no more than hapless "customers"…

    disempowered

    disabled

    and the contributive co-operative collective known as the open-source community becomes irrelevant.

    man… why didn't you download the damn source, check out what it does and compile it the way you wanted?

    if you want to own a car, learn to drive.

  530. Jamei says:

    Only run software from someone you trust, eh? What about all those people who don't trust Microsoft?

  531. Tim says:

    If this is the kind of mindset that Microsoft employees have when it comes to security then I’m glad I’m staying well away from their products. Peter Torr has launched a ridiculous and non-sensical attack on Firefox and Mozilla based almost purely on the fact that their software is "unsigned".

    All that signing does is verify that the software came from a company who paid VeriSign (or whoever) for a certificate. It says absolutely nothing about the software, and trying to use it as some kind of verification device that the software is safe to run (as Torr implies it is) is worthless and extremely dangerous security-wise.

    Many pieces of spyware are signed (the infamous (although now renamed) Gator for example). Although in an ideal world everyone would check that software really did come from Microsoft or Mozilla or wherever using either digital certs or MD5/Sha1/whatever in practice it is enough to go to the official Mozilla.org site and download.

    Remember that the mozilla.org site would likely have to be compromised for someone to manage to trick Firefox downloaders into downloading a trojaned executable. And if the site was compromised then it is likely that the attackers could also access and alter any digital certs or MD5/SHA1 hash files. So the attacker may simply have to sign their trojaned executable with the digital cert that they find when breaking into the site.

    Far from "encourag[ing] exactly the sort of behaviour we are trying to steer people away from", Mozilla developers seem to focus more on the real issues affecting security (such as a robust, simple design and clean separation of components and modules) rather than getting distracted with wild goose chases about digital certs and the misplaced notions of trust they bring.

    To sum it up this article looks like FUD, pure and simple.
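The comment above argues that a hash file (or a signing key) stored on the same server as the download falls with that server. The following is an added example, written for this page rather than taken from the thread, from Mozilla or from Microsoft, that makes the distinction concrete in Python: a `md5sum`/`sha1sum`-style checksum list is parsed and checked, and the same trojaned file is then verified once against the list the attacker rewrote (which passes, uselessly) and once against a digest pinned from an independent channel (which fails). The installer bytes, the file name and the checksum lists are all constructed for the example; SHA-256 is used, though the parser accepts any `hashlib` algorithm, including the MD5 and SHA-1 the thread mentions.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample data: stand-ins for an installer, not real binaries.
GENUINE_FILE = b"MZ\x90\x00 constructed stand-in for a genuine installer, not a real binary\n"
TROJANED_FILE = b"MZ\x90\x00 constructed stand-in for a trojaned installer, not a real binary\n"
FILENAME = "firefox-installer.exe"  # hypothetical name, not the real Mozilla file name
ALGORITHM = "sha256"  # md5/sha1 also work with hashlib but are weak choices today


def digest_of(data: bytes, algorithm: str = ALGORITHM) -> str:
    """Hex digest of `data` with the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def parse_checksum_list(text: str) -> Dict[str, str]:
    """Parse md5sum/sha1sum-style lines: '<hex>  <name>' or '<hex> *<name>' (binary marker)."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):
            name = name[1:]
        if not name or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def verify_against_list(data: bytes, filename: str, checksum_text: str,
                        algorithm: str = ALGORITHM) -> bool:
    """Check `data` against a checksum list. Only as trustworthy as wherever the list came from."""
    expected = parse_checksum_list(checksum_text).get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(expected, digest_of(data, algorithm))


def verify_against_pinned(data: bytes, pinned_digest: str, algorithm: str = ALGORITHM) -> bool:
    """Check `data` against a digest the user obtained independently of the download server."""
    return hmac.compare_digest(pinned_digest.lower(), digest_of(data, algorithm))


def scenario() -> Dict[str, bool]:
    """Genuine site vs. a compromised site whose operator swapped both the file and the list."""
    # Digest learned out-of-band (a signed announcement, a value copied from a trusted
    # source beforehand); modelled here as a constant computed from the genuine file.
    pinned = digest_of(GENUINE_FILE)
    genuine_list = f"{digest_of(GENUINE_FILE)}  {FILENAME}\n"
    # The attacker who replaced the installer also rewrote the list served next to it.
    attacker_list = f"{digest_of(TROJANED_FILE)} *{FILENAME}\n"
    return {
        "genuine_list_check": verify_against_list(GENUINE_FILE, FILENAME, genuine_list),
        "genuine_pinned_check": verify_against_pinned(GENUINE_FILE, pinned),
        "tampered_list_check": verify_against_list(TROJANED_FILE, FILENAME, attacker_list),
        "tampered_pinned_check": verify_against_pinned(TROJANED_FILE, pinned),
    }


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

The `tampered_list_check` passing is the whole point: a checksum file next to the download detects corrupt mirrors and truncated transfers, not a compromised origin. Whether the independent value is a pinned digest, as here, or a signature checked with a publisher key held off the web server, what matters is that it does not travel with the file it vouches for.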

  532. xDude says:

    looks like u got spyware mate ;)

  533. entity says:

    "Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer any more."

    I think bill gates is a "bad guy", he has persuaded me to run plenty of his programs – who owns my computer?

  534. ZeroReality says:

    IE does not strictly stick to the html standards.

    IE is allowed to run VBScript, which is not limited like it should be, so if you know VB you can use this to your advantage.

    yes open source hands everyone the blue print, but it also allows quick evolving software.

    If FF has a flaw or security loophole, one out of the millions of half-decent programmers can fix it. The new version or patch can be submitted for a review by the makers of FF.

    IE, on the other hand, has to wait for enough complaints to be considered; then they must wait for it to become more profitable to fix than to just hide it; then the patch comes out.

  535. Meeble says:

    I have XP SP2 fully updated on 4 machines and I have installed Firefox on all of them without any of those error messages. I've also never encountered XP telling me they were unsigned or giving me any indication of anything like that.

    "My confidence in this software is growing in leaps and bounds."

    rinse.repeat.direct at windows.

    Mirrors for download are provided because of the obvious demand for the product and the drain on the Mozilla servers that don't have the financial backing of M$, so I don't even know why someone would make this a point.

    This entire article comes off as damage control because of the obvious attention Firefox is receiving. The bottom line is they've accomplished more in one point release than IE has in years of having complete dominance and free reign in the marketplace to build the best product they could. There, I've bottom-lined it for you.

    If you want to get on the unsigned, site warnings etc., there is an official Mozilla FTP to grab any mozilla.org file from as well as hash checking for all files. The reality of this is only true geeks care about that and the majority of people a.) don't know what it is b.) will never use it anyhow.

    Of course FF has bugs, of course now with all this publicity and spike in userbase you will now see more come to fruition. Unfortunately this is always the case when the common sheep start mass migration to any product. Take the internet for example. The internet was a haven for most of us in the early nineties, you didn’t have half the problems out there today. Flash forward – now that joe public is on the internet, all of the stupidity of mankind have also jumped aboard and look how well the internet has de-evolutionized in the past 3-4 years.

    This is really the bottom line of this article: "Peter Torr (who?) from Microsoft invites a certain flamewar with his essay 'How can I trust Firefox?'" — from Microsoft. Damage control. Fear. Loathing. You know you guys could always use this as motivation to, oh I don't know… make a functional product that isn't swiss cheese. There are better ways to spend your time.

  536. ROFL says:

    So… I should only download files from vendors who have paid Microsoft to be a "signed vendor"? Please. We both know that IE has APPALLING standards compliance, APPALLING security with more holes than a fishing net ++

    As long as MS chooses to stand on the outside of W3C, and shows no interest in fixing and updating their extremely lacking browser, blog posts like yours are nothing but funny entertainment.

  537. AlexW says:

    WTF, ur such a noob dickhead

    Why would u open it with Internet Explorer in the first place?

  538. AlexW says:

    Oh, im sorry, why would you want to use Firefox anyway, ur a microsoft geek

  539. nasta muumio says:

    this best post blog ever ! me now trust only microsoft !

    microsoft is tarzan me jane … love me long time tarzan !

  540. Funklord says:

    I downloaded ie_install.exe..

    There was no MD5 to compare it with, but hopefully I’ll be ok.

    I cd to the dir

    > make

    make: *** No targets specified and no makefile found. Stop.

    > ./configure

    bash: ./configure: No such file or directory

    What is wrong?

    IE must be a very insecure browser since it is not possible to install it on my PC.

    firefox installed very easily.

    LOL OMG BBQ

  541. Xcen says:

    I would cry if I had tears left… I’m buying a Mac next, enough of this nonsense already.

  542. bizarresk says:

    I stopped using IE because it just really sucks.. as hard as it gets.. Since i am using firefox there is no spyware, no shit in my pc.. I will not touch IE ever again. AND: I really hate MS.

  543. First of all, there must be a FREE (as in speech) way to certify code on ALL PLATFORMS and OSes.

    Once there is such a thing, I'm sure the Mozilla developers will be able to adopt it.

    Oh yeah… but I doubt Microsoft will implement such a thing… since they already advocate their own closed, obscure DRM format.

  544. Anonymous says:

    The Equivocal Ramblings of Kevin Francis » Another Microsoft Troll About Firefox

  545. Anonymous says:

    :: n00.be » Someone bring some marshmallows… ::

  546. Aleh says:

    Peter, I do understand you work for MS, but don't try being so offensive. You are defending a product with 3-year-old code, which I, if I was in your place, would be ashamed of. You have no idea how many people have thanked me for hooking them up with Firefox. A standard install has everything they need and nothing they don't. No addons to install to get tabbed browsing, no IE bars to install to get quick access to search engines, and if you are geeky enough you can get some crazy customizations, to make your life even easier or just for the hell of it. It's a matter of FREE CHOICE. And before starting a talk about bugs, I'd try my best to replace the ASP buttons at the bottom of your website with the buttons from here: http://validator.w3.org/check?verbose=1&uri=http%3A//blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

  547. When I get as much malicious software on my PC from browsing with Firefox as I did with Internet Explorer, I’ll consider a change. Until then, you can’t get me back to that piece of junk.

    And by the way, I like being able to write in CSS 2.1. Oooops, IE doesn’t really support that, does it?

  548. somebody says:

    I agree that there are flaws in everything, but… if flaws were found in FF, they wouldn't be as lethal as an IE flaw.

  549. Chris says:

    lol, you honestly think Internet Explorer is better than Firefox? MS IE has a lot more security issues than Firefox. Firefox looks better, loads faster and is open source (unlike MS, who only want to make money from their products). Bugs are found faster and less frequently than in MS IE.

    It's a pity MSN Messenger doesn't allow a default browser, as Firefox is definitely my favorite browser.

    And honestly, look how low Microsoft have got. They said Firefox wouldn't be a problem, but realising that it is changing the browsing tool of a lot of people they are suddenly changing to pointing out security issues with other browsers.

    Have you found any lawsuits to file against Mozilla yet?

    Maybe if you spent more time patching your own software, fewer people would be infected with dialers and spyware (my own friend got a £400 phone bill), whereas Firefox by default blocks ActiveX, unlike IE.

    But thank you; I'm glad you, a Microsoft employee, have finally turned to the light side and have dedicated your time to finding minor flaws in open source software. Maybe you could earn yourself a few extra bucks by helping find real security issues.

  550. This is Microsoft drinking their own Koolaid.

  551. Cataclysmic says:

    After years of having to fix my family's computer up every month or so from the rampant sidebars and spyware/malware/virii they were getting via IE, I spent an hour getting Firefox and teaching them to use it and NOT IE. For the first time ever, I can come back to their computer after a month and have it actually functional, even without all this confirmation stuff.

    On a personal note, as a more advanced computer user than they will ever be, I can't stand all those dialogs with IE. I am aware that anything I download could possibly contain malicious code, VeriSigned or no. I am aware that running executables could install a virus. I am tired of the endless confirmation boxes, and cannot stand Microsoft's policy of "Are you sure, are you really really sure?" on everything. I wouldn't even be using Windows if anything else could run the apps I like to use. On the other hand, I understand why they exist, for people like my family. I think they should be enablable, or at least ask you when you install if you want to enable these things, not default. Cheers for a browser that doesn't assume I'm an idiot.

  552. Anonymous says:

    Don't trust Firefox – Elliott Back

  553. coachz says:

    I thought the original article was very enlightening. For those that just bash without substantive content, I say, "Rather than raise your voice, reinforce your argument." If responders are not willing to discuss the technical merits and flaws then they are contributing only heat and not light.

  554. b says:

    Still using FF and I'm still loving it.

  555. soony says:

    Yeah, yeah, yeah. Keep up with the slamming of other software. Maybe you should spend your negative campaigning time on fixing the crap that you sell. The superior technology of Firefox will kick IE’s butt every time. You guys at M$ just don’t get it.

  556. Anonymous says:

    dimator | head » How can you trust IE?

  557. janeiro says:

    I fail to see how Firefox is worse than Internet Explorer in any of these complaints. I, as a hobby developer, would not pay for a certificate to have my code signed, and I don't expect most other people to, especially for free (as in beer and speech) software.

    And what does signing get me? When MS started doing Windows driver signing, no vendors had signed drivers for their downloads and the ones available on Software Update were often terribly out of date. So, to get the latest vendor-supported driver, I would have to install an unsigned driver. This troubled me at first (not fully realizing the joke signing was), but eventually the dialog box became a hassle where the text was simply ignored.

    I think anyone who tries to compare Firefox's security track record with Internet Explorer's is trying to play on user ignorance. Internet Explorer's 20 unpatched security vulnerabilities easily eclipse Firefox's 3 (at least one of which affects both Firefox and Internet Explorer as well as Safari).

    And even worse, trying to download software in Internet Explorer results in the same type of cryptic warnings EVEN WHEN DOWNLOADING FROM MICROSOFT.COM. I just tried downloading the Halo for Windows trial and I get a similar box, but instead of being given the option to run the program, I'm given the option to "Open" it. As a user, I might think this is some kind of benign document (oh, except with programs like Word, even documents can be malicious). So where's the code signing? Am I missing something or is this slightly hypocritical? I can see that Microsoft wouldn't be able to ensure software on other sites is signed, but if this is the ultimate next step in security, they could at least make sure their software is signed.

    Change the screenshots above (of course throwing in pop-ups and Bonzi Buddy confirmations in there) and change the name from Firefox to Internet Explorer, and you can have essentially the same blog entry. Microsoft, the blight of the computer security world, should be the last one pointing fingers at others for security problems.

    OT, but the underlined comments are insane to try to read. Is this a .Text default or just the theme's default? Either way, it's horrible on the eyes.

  558. kurtworld says:

    In any way Windows is bullshit and Internet Explorer double bullshit

  559. Jason King says:

    Of all the drivel you described, I NEVER saw any of that on my install of Firefox. My Firefox install was flawless and I've installed it several times on different machines since. I've never run into the problems that you have had. Are you attempting to left-wing this?

  560. Miles says:

    Despite the author's crack-headed belief to the contrary, the vast majority of software that people download and install from the internet is unsigned. The author attempts to make the case that *Firefox* is the problem because Firefox is unsigned, but as we all know, pretty much only software from Microsoft and AV vendors is signed.

    The real problem is that the software signature product hasn’t caught on and nobody uses it. Maybe if Microsoft addressed this need, we’d see more signed products.

  561. Adrenalin says:

    Have many problems with IE