With all of the hype about the security improvements in Firefox there is one thing that they overlooked which is being pointed out by Peter Torr over at ASP.Net:
I personally don’t care if people choose to run Firefox or Linux or any other software on their computers – it’s their computer, after all – but we’ll never get past the spyware / adware problem if people continue to think that installing unsigned code from random web sites is A Good Idea.
[Via Microsoft WebBlogs]
Basically, he points out that they are distributing the Firefox exe unsigned by any certificate authority. This means that anyone could post their own build of Firefox with a ton of security exploits, backdoors, etc., and distribute it to thousands of unknowing PC owners.
Now, I know all of you open source people are jumping up and down right now to point out that you can go download a PGP Key, MD5 and SHA1 Sums from the Firefox website and then compare them to the downloaded executable. However, this gets back to the one thing that is forgotten by the open source community: Most people hate their computers. To do this type of comparison requires effort above and beyond what most computer users want to do. They view their computer as a tool that helps them perform their daily tasks, not a delicate machine that they can control, manipulate and design to perform specific tasks for them. That is the realm of the computer programmer.
In this specific instance, for the average user to compare the PGP key against the executable, they would need to go out and purchase the commercial PGP product or have enough tech knowledge to go scour the GNU site to find the latest version of GnuPG. If they went with the free version, which only comes with a command line interface, they would then have to learn a long list of esoteric commands in order to compare the signature to the executable. The MD5 and SHA1 comparisons aren't any easier.
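To make concrete what "comparing the sums" actually involves, here is an added example (my own code, not anything from the post, from Mozilla or from Peter Torr) that does the MD5/SHA1 half of that check programmatically: it parses a `sha1sum`-style manifest ("hexdigest  filename" per line, a format I am assuming here), hashes the downloaded file, and compares. The installer bytes and manifest in the demo are constructed on the spot, so it runs offline.

```python
"""Verify a downloaded file against an MD5SUMS / SHA1SUMS style manifest.

Added example, not code from the original post. Assumes the manifest uses the
coreutils md5sum/sha1sum output format: "<hexdigest>  <filename>" per line.
The sample installer and manifest below are constructed for the demo.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sums(manifest_text):
    """Parse 'digest  filename' lines into {filename: lowercase hexdigest}.
    Tolerates the '*' binary-mode marker, blank lines and '#' comments."""
    sums = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if not digest or not name:
            raise ValueError("malformed manifest line: %r" % line)
        sums[name] = digest.lower()
    return sums


def file_digest(path, algorithm):
    """Hash a file in chunks so a large installer never sits fully in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, manifest_text, algorithm):
    """True only if the file's digest matches the manifest entry for its
    basename. A missing entry is a failure, not a pass: a modified installer
    that simply lacks a manifest line must not slip through."""
    expected = parse_sums(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False
    actual = file_digest(path, algorithm)
    # compare_digest avoids leaking where the two strings first differ.
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a fake installer passes, then fails after one
    byte is appended (what a trojaned redistribution would look like).
    Returns (result_before_tamper, result_after_tamper)."""
    tmpdir = tempfile.mkdtemp()
    installer = os.path.join(tmpdir, "Firefox Setup.exe")  # placeholder name
    with open(installer, "wb") as f:
        f.write(b"MZ this stands in for the real installer bytes\n")
    manifest = "%s  Firefox Setup.exe\n" % file_digest(installer, "sha1")
    ok_before = verify(installer, manifest, "sha1")
    with open(installer, "ab") as f:
        f.write(b"X")
    ok_after = verify(installer, manifest, "sha1")
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Note what this does not solve: the manifest is only as trustworthy as the channel it came from. If the sums file sits next to the download on the same mirror, whoever replaced the executable can replace the sums too, which is exactly why the PGP signature (or a CA-issued code-signing certificate, Torr's point) has to cover the package or the manifest.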
This is not what most computer owners want to do. They want to download a piece of software, install it and have it be easy enough for them to figure out without having to go to a help page. They DO NOT want to understand how their computer works, what the latest technology is and how to access it via a command line. Until the open source community figures this out, they have no reason to bitch while Microsoft outsells them while charging high prices.
It’s much like that old joke about Linux: “Linux is only free if your time is worthless.”
Not that I have any strong opinions on the subject . . .
[Listening to: Eisenhower Blues/Single Version - J.B. Lenoir - Martin Scorsese Presents the Blues: A Musical Journey (02:52)]