Tuesday, December 21, 2004

Firefox Security

I came across this MSDN Blog: http://blogs.msdn.com/ptorr/archive/2004/12/20/327511.aspx

  • Installing Firefox requires downloading an unsigned binary from a random web server
  • Installing unsigned extensions is the default action in the Extensions dialog
  • There is no way to check the signature on downloaded program files
  • There is no obvious way to turn off plug-ins once they are installed
  • There is an easy way to bypass the "This might be a virus" dialog

It makes a good point about how Microsoft implements security differently than Firefox.

1 comment:

Napalm said...

"Installing Firefox requires downloading an unsigned binary from a random web server" -- Hmm, let's talk about unsigned. Almost all, if not all, critical security updates and any update for that matter put out from microsoft isn't signed. So how do we know Microsoft isn't putting any back doors in. How do we know microsoft's site hasn't been compromised and we're all downloading malicious patches. Hmm...

Installing unsigned extensions? It does tell you it's unsigned. And it does warn you that you should only install extensions that you trust.

No obvious way to turn off plugins? Maybe under tools? Don't have to be a genius to find it.

Oddly enough with the whole trust thing... Most people tend to trust the open source code, like Firefox, over companies that don't release their source code. How does one know that the company isn't saving and recording your data and your keystrokes and sending them back to the company? With open source, the entire world can see what is going on. Granted you have to know how to read code, but hey, it's better than not seeing it at all.

Side note... the only thing I generally find myself using IE for is Windows Update. If Firefox worked with that, I'd be set!