Microsoft’s Peter Torr invites a flame war with his essay, “How can I trust Firefox?” He walks through the installation and configuration process with Firefox and determines that it reinforces some particularly bad habits for users. He concludes:
I actually think Firefox is a nice browser. It seems to render HTML without any problems, and the tabs are nice for browsing Slashdot. But just because it doesn’t currently have any unpatched security vulnerabilities talked about in the press doesn’t mean they don’t exist (Secunia currently lists three unpatched vulnerabilities, for example).
Mozilla has had its share of security vulnerabilities in the past (just as IE has), and — despite what the open source folk might say — Mozilla keeps their security bugs hidden from the public (just like Microsoft does) in order to protect their customers from coming under attack by malicious users. Note that this is not a bad thing; all vendors should treat security bugs responsibly to ensure customers are not put at undue risk. It’s just something you should be aware of. Just because you don’t see any unpatched security bugs in Bugzilla doesn’t mean they don’t exist, either.
But the thing that makes me really not trust the browser is that it doesn’t matter how secure the original code is if the typical usage pattern of the browser requires users to perform insecure actions.
- Installing Firefox requires downloading an unsigned binary from a random web server
- Installing unsigned extensions is the default action in the Extensions dialog
- There is no way to check the signature on downloaded program files
- There is no obvious way to turn off plug-ins once they are installed
- There is an easy way to bypass the “This might be a virus” dialog
This is definitely food for thought. My take? I use Firefox. It’s a nice piece of software, and in terms of usability I believe it is a better choice for folks who want a powerful Web browsing tool. But contrary to what some ill-informed folks in the media are saying, it is not a cure-all for security problems.