Steve Lamb's Blog

Security Matters

Why isn't the Firefox code signed?

I'm having a look at Firefox and have noticed that the code is not signed and therefore it's theoretically possible for a trojan to have been inserted in it.

Comments
  • Funny, I saw that yesterday and found it funny, too. While the trojan talk is nothing more than Open-Source FUD, it still might give people a reason not to install a brilliant browser. You should probably ask this question in MozillaZine.

  • heh... would a trojan infested Firefox be more, equal or less secure than Internet Explorer? I'd rather take my chances with Firefox. The Internet Explorer code might be signed, but it will take a hell of a lot more than that to make it safe.

  • RMS, you totally missed the point for "signed" code.

  • Yeah, when Firefox overtakes IE and becomes 90% of the market and has the same backward compatibility, we'll see how safe Firefox is.

    Trojan talk just open source FUD? So are you saying that code signing is irrelevant?

  • Yeah, RMS (you are not _the_ RMS, are you?). You and I know exactly that once Firefox has the userbase IE has now, it will no longer be 'more secure' than IE.

  • Please take down your blog, this post is so stupid, you don't deserve to pollute the Internet.

  • Port - everyone's entitled to an opinion - hence I've posted your feedback!

    If you don't want to read my opinion then don't read my Blog.

  • In theory you're right, but if you only use mozilla.org for downloads (and Firefox by default only downloads its extensions from that site) how is the trojan code to end up on the user's hdd?

    Besides that, signed code is useless unless you can verify the signature. Firefox runs on a lot of platforms, how is firefox going to utilize a universal signing system on all these platforms? If you really want to be sure though, you can verify the MD5SUM with the ones Mozilla provides. That's a way to check if you really have the proper binary in your hands. (Or compile the source of course)

    But nevertheless, unsigned Firefox code is at the moment more secure than IE with 20 holes pending for patching. The recent trojan banner misery (last weekend in The Netherlands and in England) shows IE has more problems than signed code can solve at the moment.
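The MD5SUM check the comment above describes, as an added example that is not from the blog or from Mozilla: it parses a manifest in the `md5sum`/`sha256sum` text format, hashes each named file, and reports which downloads match the published digest. File names and contents are constructed for the demo; the caveat in the docstring is the point the comment makes about a signature you cannot verify.

```python
import hashlib
import os
import re
import tempfile

# One md5sum/sha256sum-style manifest line: "<hexdigest>  <filename>" ('*' = binary mode)
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")

def parse_manifest(text):
    """Return {filename: hexdigest} from a checksum manifest; blank and '#' lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def file_digest(path, algorithm):
    """Hash in 64 KiB chunks so large installers need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(directory, manifest_text, algorithm="md5"):
    """Return {filename: bool} for every manifest entry (missing file -> False).
    Caveat: a manifest served beside the binary only catches a corrupted or swapped
    download, not a compromised server, and MD5 is not collision-resistant; prefer a
    SHA-2 manifest covered by a PGP signature you can actually check."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        results[name] = os.path.isfile(path) and file_digest(path, algorithm) == expected
    return results

def demo():
    """Constructed sample: an intact and a tampered copy (hypothetical file names)."""
    good = b"constructed firefox installer bytes\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("firefox-good.bin", good), ("firefox-tampered.bin", good + b"extra\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        digest = hashlib.md5(good).hexdigest()  # the digest a vendor would publish for `good`
        manifest = f"{digest}  firefox-good.bin\n{digest} *firefox-tampered.bin\n"
        return verify_downloads(d, manifest)
```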

  • Well it is PGP signed. They probably think that is good enough.

  • I'll follow Claude's suggestion of posting to MozillaZine.

    The aim of this post was to find out WHY the code wasn't signed. I was not aiming for an IE versus Firefox argument. IE's clearly had security vulnerabilities, Firefox is new and hasn't had any.

    Thanks for all of the feedback.

  • The Mozilla Firefox browser comes pre-loaded with spyware, but their users are just too clever for them: http://www.cebit.de/newsanzeige_e.html?multi=1&back=/homepage_e&news=11982&back=%2Fhomepage_e&x=1

    Nobody is pure of heart…