vissha Posted March 31, 2017

Firefox To Get Option To Verify All Binaries To Protect Against Compromise

Binary Transparency is an upcoming Firefox security feature that allows anyone to verify that Firefox has not been compromised.

Mozilla is working on a new security project for Firefox, called Binary Transparency, currently to allow all Firefox users to verify the binary files of the web browser to ensure that the files are safe and have not been tampered with.

Firefox is an open source project. This means that anyone may build the browser from source, and even change code before that. Most Firefox users however don't do that. They download pre-compiled versions of the web browser that they download from Mozilla's own website, third-party sites, or even -- once installed -- using the automatic update feature of the web browser.

Binary versions of Firefox don't come with any assurance that they correspond to the Firefox source code of that particular version of the browser.

While users could in theory build Firefox from source to compare the downloaded binary version of Firefox with the version compiled from source, it is not really something that is very practical. Also, if you have the tools and knowledge to build Firefox from source, there is really no need to download the binary of the browser in the first place.

Firefox: Binary Transparency

Mozilla plans to change that by adding a feature to the Firefox web browser that allows anyone to verify that the binary files are genuine and not compromised.

The main idea is to log all Firefox binaries in a publicly verifiable log. Anyone may look it up, and compare the binary files of the local Firefox installation with the log data to make sure that the files are the same that any other user of the web browser got during download.

While that is already helpful, plans are underway to implement that functionality in the Firefox updater as well.
This means that Firefox's automatic update feature will verify any new update that it discovers before it is downloaded or installed on the user system.

Mozilla details the logging and verification steps on the official Wiki entry of Binary Transparency. The process is technical, but it uses certificates, SHA256 hashes, a Merkle tree and unique domain names for each release. You can check out the details on the wiki page if you are interested in additional details.

The verification process at its core requires that you verify one, some or all binary files of the release against the hash values of the public log file of that release. Again, there is more to the process than just described, so head over to the wiki for details on that as well.

You may be interested in the meta tracking bug over on Bugzilla, as it highlights the progress made to implement the feature. A target milestone has not been announced yet.

While you can use the feature to check Firefox binaries before download or updates, the feature may prove useful as well to check existing installations of the web browser.

Now You: What's your take on Binary Transparency?

Source
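The check the article describes (one binary verified against the hashes logged for a release), as an added example that is not part of the original post and is not Mozilla's code. It assumes an RFC 6962-style Merkle tree whose leaves are SHA-256 digests of the release files; the file contents are constructed stand-ins.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(file_digest: bytes) -> bytes:
    return sha256(b"\x00" + file_digest)       # 0x00 prefix marks a leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)      # 0x01 prefix marks an interior node

def split_point(n: int) -> int:
    # Largest power of two strictly below n (n >= 2).
    return 1 << ((n - 1).bit_length() - 1)

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = split_point(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def audit_path(leaves: list, index: int) -> list:
    """Log side: sibling hashes from the leaf up to the root."""
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return audit_path(leaves[:k], index) + [merkle_root(leaves[k:])]
    return audit_path(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def root_from_path(leaf: bytes, index: int, size: int, path: list) -> bytes:
    """Verifier side: rebuild the root from one leaf and its audit path."""
    if (size == 1) != (not path):
        raise ValueError("audit path length does not match tree size")
    if size == 1:
        return leaf
    k = split_point(size)
    if index < k:
        return node_hash(root_from_path(leaf, index, k, path[:-1]), path[-1])
    return node_hash(path[-1], root_from_path(leaf, index - k, size - k, path[:-1]))

def verify_binary(file_bytes: bytes, index: int, size: int, path: list, logged_root: bytes) -> bool:
    try:
        return root_from_path(leaf_hash(sha256(file_bytes)), index, size, path) == logged_root
    except ValueError:
        return False

# Constructed stand-ins for five release binaries (not real Firefox files).
FILES = [b"firefox-win32", b"firefox-win64", b"firefox-mac", b"firefox-linux32", b"firefox-linux64"]
LEAVES = [leaf_hash(sha256(f)) for f in FILES]
ROOT = merkle_root(LEAVES)
```

A client needs only the file, its position, the tree size, the short audit path and the published root; it never downloads the other binaries.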
truemate Posted March 31, 2017

huh.. ok but no compromise on speed.
straycat19 Posted March 31, 2017

Firefox has become useless. With the latest update it hangs on a 'js.xxxxxxx.xx' javascript file and locks up. Before the update we had no problem with it running this type of script. The help desk was getting so many calls, we had to uninstall it from all our systems which meant backing up all the users' bookmarks and then uninstalling it and adding their bookmarks to Chrome. Fortunately, System Center made this fairly easy to do for over 15,000 systems. All our systems nationwide will have it uninstalled by the end of the day. Mozilla just secured their way out of desktop use. We could use the ESR version, since it still works, but would be looking at making the change down the road as it updates to version 52 so it is just easier to do it now. We also had to remove it from our authorized software installs to make sure no one reinstalls it on any of our systems.

It is a shame that Mozilla decided to take this action on its own rather than trusting that security professionals knew how to secure their own systems. Normal home users and organizations without a security group will never be secure regardless of what Mozilla does because they will find other ways to do what they want to do, it will just be without Mozilla.
steven36 Posted March 31, 2017

4 hours ago, straycat19 said:
We could use the ESR version, since it still works,

Firefox Extended Support Release is meant for businesses anyways most of the major bugs get worked out etc but it's never really been popular with businesses anyways. IE used to have the most of the marketshare before Google Chrome took the market from them a few years ago and IE never had good security like Firefox did people used it because

Quote
Cut to the present scenario, many companies still persist with IE because of majorly 2 reasons:
Legacy support-Until recently, many sites were optimized for IE and many such services and sites used by enterprises run best on IE.
Microsoft Support-Microsoft reaches out to consumers and enterprises in equal manner. Long term support was virtually guaranteed to enterprises for IE.

Quote
When Firefox had its heydays, IE was dominant. Then Chrome popped up and stole market share from Firefox away. Add to that the newer versions of IE caught up to speed and Firefox fell further away.

ESR for Firefox only have updates for one year before Microsoft has always supported their browsers for many years it was not till they stop supporting older versions of IE that Chrome took the market.

Back in 2011 it was like this

Mozilla and Google force businesses to use Internet Explorer
https://betanews.com/2011/06/24/mozilla-and-google-force-businesses-to-use-internet-explorer/

So really your company abandoning Firefox is just bringing it in line with most businesses today it's unusual to hear of a company who uses it. Most Businesses have always been dominated by fortune 500 companies products they could care less about your privacy all they care about is being able to get the task done as fast as possible. Only till recently did some of them start caring about security because of all the data breaches.
Still there are many companies who cut corners any way they can and they don't even have real time protection on their server and Trump is for businesses to succeed and they will not be passing any bills at least till 2018 midterm elections to penalise businesses. If the Republicans don't make any improvements soon they will be voted out of congress and if Trump don't do something to fix the economy and create jobs soon he will be voted out after his 4 years.

Businesses are very important but when they're not hiring displaced workers and just laying them off they're not worth a hill of beans but to those who have jobs. Another problem is there's many in the work force that could retire and want they should be made to retire. It's just like the Government in there most of them is as old as dirt and rich already there should be laws against people not retiring George Washington was not but 57 when he took office if you are above 61 you should not be allowed to run for office.

Old people trying to keep in power while my generation and the one after mine have to do all the work to keep them in power. Even the soldiers that protect the USA are not very old because the Government itself is too old to fight! By the time these old people retire they never get to enjoy it because we ship most of them off to nursing homes because they waited too long to stop working.
dcs18 Posted March 31, 2017

8 hours ago, vissha said:
Now You: What's your take on Binary Transparency?

Sounds good (to me) — every step towards security (and privacy) is a step in the right direction (even if it appears to be a baby step.)
pc71520 Posted April 1, 2017

On 31/3/2017 at 2:13 PM, vissha said:
Now You: What's your take on Binary Transparency?

No further comment...
Administrator DKT27 Posted April 2, 2017

On 31/3/2017 at 6:40 PM, straycat19 said:
Firefox has become useless. With the latest update it hangs on a 'js.xxxxxxx.xx' javascript file and locks up. Before the update we had no problem with it running this type of script. The help desk was getting so many calls, we had to uninstall it from all our systems which meant backing up all the users' bookmarks and then uninstalling it and adding their bookmarks to Chrome. Fortunately, System Center made this fairly easy to do for over 15,000 systems. All our systems nationwide will have it uninstalled by the end of the day. Mozilla just secured their way out of desktop use. We could use the ESR version, since it still works, but would be looking at making the change down the road as it updates to version 52 so it is just easier to do it now. We also had to remove it from our authorized software installs to make sure no one reinstalls it on any of our systems.
It is a shame that Mozilla decided to take this action on its own rather than trusting that security professionals knew how to secure their own systems. Normal home users and organizations without a security group will never be secure regardless of what Mozilla does because they will find other ways to do what they want to do, it will just be without Mozilla.

Kind of strange. While I do not know much about JS, I wonder if it's a common bug which can be fixed. Should have let Mozilla know about it.
This topic is now archived and is closed to further replies.