A Microsoft Program Manager by the name of Peter Torr has posted a weblog entry about potential problems with security in Mozilla Firefox. Specifically, he singles out the fact that neither the Firefox installer nor most of the available extensions are digitally signed. By contrast, he notes, Microsoft Internet Explorer 6 Service Pack 2 will not install unsigned ActiveX by default. While many will immediately cry, “FUD!”, he’s actually right. Though the infrastructure is there, the lack of code signing in the vast majority of Firefox extensions has led to an environment in which many users simply install extensions without really knowing if they can trust the people behind them.
Peter Torr’s article, “How Can I Trust Firefox?”, sparked plenty of comments on his blog and over at Slashdot. This uprising was no doubt due to the way he chose to bring up the issue: with a very hostile manner toward the Mozilla Foundation and its enthusiasts and with a lack of depth in testing Firefox. The comments covered much ground, such as outright flame wars, comparisons between IE and Firefox (which the author does not fail to take part in in his article) and their levels of security, the ins and outs of code signing and certificates, and whether we should trust VeriSign at all.
My uneducated opinions:
I think that Peter has raised a valid point about the lack of signing in Mozilla extensions and in the binaries themselves. I lack all but a very shallow understanding of security, so I can’t comment on the questions: Is it even necessary? Should they use VeriSign? Are there other, better methods to achieve this? Will it be too difficult and time-consuming to implement? All these questions were raised and possibly answered with the lack of depth usual in comments, and I was unable to gain anything other than confusion from them. I do think, though, that it’s a good idea to implement some sort of code signing for the binaries and extensions. The extensions already have this capability implemented, but it is rarely used. It seems that the folks at MozillaZine agree that this is a positive step, yet many in the community, including Asa (a Mozilla employee), disagree.
Peter’s method, as I mentioned earlier, may not have been the best to convey this constructive criticism, but I wouldn’t even know about it otherwise. Can we blame Peter for a lack of journalistic and unbiased fervor on his blog? I am willing to give him the benefit of the doubt that he is sharing his personal opinion on a personal blog. The fact that his opinion may be colored by who he works for is no crime, and he makes no secret of it. Let’s discuss it, but give him a break.
I personally plan to use Firefox until I find something better. I love it for the reasons I mentioned in another post, and I don’t really like IE. To answer my title question: yes, I do trust Firefox and the Mozilla Foundation. I would like to see signed binaries and extensions added in a secure manner, though.