Peter Torr (from Microsoft) has just blogged an article entitled "How can I trust Firefox?" It has also been slashdotted, so I have no doubt that an all-out IE vs. Firefox flamewar is brewing.
This seems to me to be an essentially single-point rant about (as the title suggests) whether you can actually trust that you are downloading and installing the real Firefox itself.
His main point is basically this - how can you trust the Firefox install when it is not signed, and as part of the download process you get redirected to a mirror site of which you know nothing? Fair point?
We all know there are solutions to this, such as supplying an MD5 signature to verify that the file has not been tampered with, but in truth I think his point is a bit of a red herring. How many times does a user (newbie or expert) download unsigned files? Most of the time IMHO. How many times does the average user click to install an unsigned file in IE? Lots. In my experience you'd be pretty damn limited in what you can install if you insisted on only installing signed downloads.
When is a security measure not a security measure? When no-one actually uses it.
As for his point about the mirrors (if you click the "download" link on http://www.mozilla.org/products/firefox/ your download will come from one of a number of mirrors) - again most people are more than happy most of the time to download from a number of mirrors. Not every organization has the resources to be able to host all their applications with enough download bandwidth for all - in fact very few do. It would be nice, as Peter points out, to have a fully qualified domain name instead of the decimal IP address that you get on some mirrors, but again this is missing the point. This is a normal modus operandi for large numbers of net users.
What Peter fails to really do in his article is tackle the issues as to why people perceive that Firefox (once it is safely installed) is a more secure browser than IE. Instead he focusses on a handful of install-based issues which, while true enough in their own right, do nothing to progress the discussion of security.
For all the apparent weaknesses in Firefox that he talks about, most people's experience of IE involves at least some level of spyware, unwanted pop-ups, application crashes (which more often than not kill all your IE windows) and other extreme annoyances. I don't think that most Firefox users have had such a bad experience, so far at least.
As for Microsoft's attempts to improve security in IE under Windows 2003 with Internet Explorer Enhanced Security, most people I know turn it off. Why? Because it makes the task of browsing and downloading items absolutely intolerable. I refer you to the answer I gave some moments ago: "When is a security measure not a security measure? When no-one actually uses it."
To my mind the article represents a deliberate attempt to prevent people from actually daring to install Firefox. A thinly veiled attempt at spreading FUD.
Maybe it will succeed to some extent, but it is an embarrassingly poor attempt in my opinion.
By the way - I do quite like IE, and have been using it for years. I just happen to think that the young pretender (Firefox) has turned up as an outrageously usable browser.