Every now and then a real jewel comes out of the blogosphere. You hear about it when it happens, because everyone else links to it in their own blogs. I did this recently, linking to a blog entry by Peter Torr of Microsoft.
Audacity sells, and Torr had the audacity to entitle his piece “How can I trust Firefox?” The bottom line of the article is that—unlike Microsoft downloads— Firefox is not digitally signed. How can he be sure that the file he downloads is what it purports to be? Theres more to the post, some of it significant, but Id like to focus briefly on the signature part.
For many, many years, Microsoft has supported digital signatures of files and other items such as ActiveX controls. What these signatures do is to allow a user to verify, with a very high degree of certainty, that a file is from who it purports to be from.
Firefox, needless to say, is not distributed with a signature, but Torr exposed many other weaknesses in the process for a user obtaining and installing it. Responding to an advertisement in the New York Times, he went to the advertised URL, www.getfirefox.com. This redirected him to www.mozilla.org/products/firefox, which makes a kind of sense. But the actual download proceeded from mirror.sg.depaul.edu. I just downloaded it myself and mine came from ftp.funet.fi.
.fi? Im supposed to trust this?
Why the mirrors? Microsoft may be able to throw a few zillion dollars at a problem and get some servers and some bandwidth and distribute huge files, but Firefox, like many open-source projects, relies on mirror sites for distribution. Theres nothing inherently wrong with this—its efficient in a way—but it does underscore Torrs problem, which is that he has no way to confirm that the file is what it purports to be.
One of the common responses to this issue is to claim that Microsoft doesnt sign half the things it puts out either, and to be honest, thats the way I remembered things, too. So to confirm things I went to Microsofts downloads page and downloaded what the page calls the 12 most popular downloads. Every one had a signature. I then trolled the site for obscure patches and other downloads that looked lower-key; I got eight of these and all of them were signed as well. I suppose Microsoft has, over time, gotten their signature act together.
I then went looking at other companies downloads. These were all signed by the companies that made the program:
- The iTunes setup program
- The Adobe Acrobat 6.0x setup program
- The ArgoSoft Mail Server setup program
- The AOL Instant Messenger setup program
Many other programs I use (my text editor TextPad, ActivePython, Spybot Search and Destroy—even Snood!) were not signed.
Open source and signatures
The No. 1 (as of this columns publication) shareware download on WUGNET,“The Ultimate Troubleshooter,” is signed, although not in a way that inspires confidence in me. The program comes from a site called AnswersThatWork.com, but the file is signed by eSellerate, “a leading software commerce provider focused on providing the tools and solutions for software publishers to sell more of their software.” Im guessing that eSellerate helped to get that placement on WUGNET, but the point is that having a third party sign the program only confused matters (not that there was any chance Id install this program).
As one of my blog readers pointed out, there are open-source projects, such as OpenAFS (“a distributed file system product, pioneered at Carnegie Mellon University and supported and developed as a product by Transarc Corporation [now IBM Pittsburgh Labs]”), that utilize signatures. In fact, Open AFS signs every executable they distribute. The signature belongs to “Secure Endpoints Inc.,” but thats OK, since it only takes a few minutes to see that Secure Endpoints is now responsible for AFS development.
But with open-source projects its even more important, in that anyone can make a modified copy. Combine that with the fact that these files could be appearing from almost anywhere and its clear that open source needs some sort of system to let users verify the authenticity of programs they download.
The popular approach to this has been the MD5 hash, a mathematical function run on the contents of the file, something like a super-checksum. You get the MD5 value for a particular file from the same place you download it (it may be in a file in the same download directory) and, using a variety of free utilities, you can generate your own MD5 hash and confirm that it matches.
I eventually found the Firefox MD5 values in the file ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.0/M5SUMS. I checked the specified values against my own MD5 of the Firefox Setup 1.0.exe file (I generated it with Cyohash, the download for which was not signed), and—lo and behold—it matched.
Now I expected it to, but this verification was not an easy thing to do. Very few people check signatures, but Windows very often puts the details of the signatures in your face, especially in Windows XP SP2. Firefox makes no mention of it. As a matter of practicality, the MD5 process is opaque.
And in the long term, MD5 may be inadequate as a security mechanism. Researchers are already working on ways to defeat it, although the attacks are, for now, “not wildly practical.”
The open-source community needs to come up with a solution to this problem. Signatures really are a good solution, and they can be gotten for free. Development tools need to make it easy to sign files, and user environments need to make it easy to check the signatures. At that point it really wont matter where the mirrors are or how many times you get redirected. You can know that the file you download is what it claims to be and from whom it claims to originate.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.