Trusting Firefox

I just read an interesting blog post by Peter Torr from Microsoft. The posting brings up some questions about the security of downloading Firefox from Mozilla’s download redirector as well as the need for digitally signing releases of software. I’d like to make a rebuttal to some of Peter’s points below.

I helped author the download redirector that Mozilla uses to distribute its software. We originally had 10 mirrors in the main ftp.mozilla.org rotation. This was all well and good when Firefox and the other Mozilla software products were not as popular. With the 1.0 release of Firefox our mirror network hit a wall and was about to melt down until we were able to install the download redirector. The redirector works as follows: the user clicks on “Get Firefox” on the Mozilla website, which sends them to a download.mozilla.org URL carrying the OS, language and product they want to download. The redirector then queries its database of valid mirrors (more on that in a second) and redirects the user via an HTTP 302 response. The entire response is a little over 100 bytes, and this lets us leverage more than 50 mirrors instead of just 10. In addition, we can weight the mirrors based on the bandwidth available to each, so we send more traffic to the mirrors that can handle it and less to those with smaller pipes.

Every 15 minutes the download redirector queries each mirror and makes sure that the latest release of each product is on that mirror. If it is not, the redirector removes that mirror from the rotation and tags it as disabled. Bear in mind, this is a v1.0 application. What is v2.0 going to bring? We will actually download the files from each mirror and check their md5 hash against the digest computed at our origin, never against a digest the mirror itself publishes, since a mirror that can alter the file can alter a hash sitting next to it just as easily. I’ll be the first to admit that leveraging md5 isn’t ideal (its collision weaknesses are known), but for catching a stale or corrupted copy on a mirror it does the job, and until there is an objective way to sign applications, I don’t see another option. It is a consistency check, not a substitute for a vendor signature.
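To make the two pieces above concrete, here is a small model of the redirector written for this page; it is an added example, not Mozilla’s code. It combines the weighted 302 redirect from the previous section with the v2.0 health check: each mirror is fetched, the bytes are hashed with md5 and compared with the digest computed at the origin, and any mirror that is missing the file or serves different bytes is disabled and drops out of the weighted rotation. The mirror URLs, the release path layout, the file contents and the HTTP fetch stub are all constructed assumptions.

```python
"""Toy download redirector: weighted mirror choice plus a hash-verified
health check.  Added example for illustration, not Mozilla's redirector."""
import hashlib
import random
from dataclasses import dataclass


@dataclass
class Mirror:
    url: str            # hypothetical mirror base URL
    weight: int         # relative traffic share, proportional to bandwidth
    enabled: bool = True


# Constructed sample: the bytes the origin server holds for a release.
ORIGIN_FILES = {
    "firefox-1.0.win32.exe": b"firefox 1.0 windows installer (constructed)",
}

# Reference digests are computed from the origin copy, never from a mirror.
REFERENCE_MD5 = {name: hashlib.md5(data).hexdigest()
                 for name, data in ORIGIN_FILES.items()}

# Hypothetical mirror database with bandwidth-based weights.
MIRRORS = [
    Mirror("http://mirror-a.example/", weight=100),
    Mirror("http://mirror-b.example/", weight=30),
    Mirror("http://mirror-c.example/", weight=10),
]

# Constructed mirror contents: mirror-c is stale and serves the wrong bytes.
MIRROR_CONTENTS = {
    "http://mirror-a.example/": dict(ORIGIN_FILES),
    "http://mirror-b.example/": dict(ORIGIN_FILES),
    "http://mirror-c.example/": {"firefox-1.0.win32.exe": b"firefox 0.10 preview"},
}


def fetch(mirror_url, filename):
    """Stand-in for an HTTP GET against a mirror (assumption: returns the
    file bytes, or None when the mirror does not have the file)."""
    return MIRROR_CONTENTS.get(mirror_url, {}).get(filename)


def health_check(mirrors, filenames, fetch=fetch):
    """The 15-minute sweep.  Every file is downloaded from every mirror and
    its md5 compared with the origin digest.  A missing file or a digest
    mismatch disables the mirror.  Returns the set of disabled mirror URLs."""
    disabled = set()
    for mirror in mirrors:
        healthy = True
        for name in filenames:
            data = fetch(mirror.url, name)
            if data is None or hashlib.md5(data).hexdigest() != REFERENCE_MD5[name]:
                healthy = False
                break
        mirror.enabled = healthy
        if not healthy:
            disabled.add(mirror.url)
    return disabled


def pick_mirror(mirrors, rng=random):
    """Weighted random choice among the mirrors still enabled."""
    live = [m for m in mirrors if m.enabled]
    if not live:
        raise RuntimeError("no healthy mirrors in rotation")
    return rng.choices(live, weights=[m.weight for m in live], k=1)[0]


def redirect_response(product, os_name, lang, filename, mirrors, rng=random):
    """Build the short 302 the redirector answers with.  The path layout
    under the mirror is an assumption for this example."""
    mirror = pick_mirror(mirrors, rng)
    location = f"{mirror.url}{product}/releases/{lang}/{os_name}/{filename}"
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


if __name__ == "__main__":
    print("disabled:", health_check(MIRRORS, list(ORIGIN_FILES)))
    print(redirect_response("firefox", "win32", "en-US",
                            "firefox-1.0.win32.exe", MIRRORS))
```

The important design point is where `REFERENCE_MD5` comes from: it is derived from the origin’s bytes before any mirror is consulted, so a compromised or stale mirror cannot pass the check by serving a matching hash alongside a modified file. The weighting only ever ranges over mirrors that passed the last sweep, so a disabled mirror receives no traffic until it is re-enabled by a later check.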

Now, in a perfect world I would love to have all of this come off of one box, but at the time of the Firefox 1.0 release we were pushing close to 4.4 GBit/s across all of the mirrors (that figure takes a little math and extrapolation from the redirector statistics). That said, I believe the Mozilla Foundation is accepting donations. :-)

Finally, Peter makes a note about how we must make it so users only trust software digitally signed by the vendor/developer. He even goes so far as to talk about getting a VeriSign code signing certificate for doing so. Now, I don’t think anybody has a problem with signing software; it’s a great idea. The big problem today is having to buy that trust from less than savory vendors. This is a great opportunity for a free, open solution to digital signatures and certificates.

It’s obvious to me that the honeymoon is over for the Mozilla Foundation and I’m excited to see honest dialog from the likes of Peter Torr … what doesn’t kill us can only make us stronger.

About The Author

scott

21st December 2004
