Comments on: Signatures and Firefox Security

By: hilary

hilary — Wed, 22 Dec 2004 22:29:25 +0000

wow, excellent read. i actually understood everything you wrote, and i feel like i’ve learned something. thanks!

By: Pete

Pete — Wed, 22 Dec 2004 21:51:28 +0000

PK Encryption works both ways, but it's worthless when using the private key to encrypt... for pretty much the same reason that signing something with a public key is worthless.

Yes, it works, but the benefit is nil.

By: Brandon

Brandon — Wed, 22 Dec 2004 21:17:54 +0000

http://www.w3schools.com/brows....._stats.asp

Firefox/Mozilla has grown to 21.2% of browser use, at least according to this website.

By: Brandon

Brandon — Wed, 22 Dec 2004 21:12:32 +0000

Well, Torr's article never says Firefox is bad, but that's the implication I made from the sarcasm in most of his comments. Giving him credit, he does say it is a nice browser. And yes, I realize the main focus of the article is on how it is distributed. The article should be titled "How can I trust my copy of Firefox?" The only references he makes to poor security in Firefox are default actions and the ability to bypass security, both of which leave security up to the user. He states in a followup that he was wrong about his comments on turning off plugins.

The point I was trying to make was that PK encryption always works in reverse, and PK signing and authentication works the way you said.

By: Pete

Pete — Wed, 22 Dec 2004 16:44:27 +0000

Brandon: Torr's article is not saying that Firefox is bad, it's saying that you should be weary of the method by which you obtain it, which is 100% correct.

Also, it took you two long comments to make a point that I had already made in the article... yes, you are starting to sound like someone you work with.

Minor point to note: signing something with the public key is absolutely worthless. ENCRYPTING it with the public key is useful, but the public key is worthless for signatures.

By: Brandon

Brandon — Wed, 22 Dec 2004 15:54:07 +0000

Wow Pete… help me… I’m starting to sound like someone I work with…

By: Brandon

Brandon — Wed, 22 Dec 2004 15:52:18 +0000

Sorry, didn't finish out my train of thought:

Pete was correct in what he said, for email security. The point isn't to get some private information to you. The point is to make sure you know that only I could have sent it.

In that regard, encrypting with the private key and decrypting with the public key is the correct method. Both keys complement each other, so it doesn't matter which you define as the public key and which is the private. All that matters is that one person is the only who has access to one of them.

By: Brandon

Brandon — Wed, 22 Dec 2004 15:43:56 +0000

This article isn't a bad thing. However, it does imply that Firefox is bad because of these problems. On the contrary, the article itself is part of the F/OSS initiative to make a better system. It's up to developers to listen, but really... it's probably the biggest criticism of FF yet, so they will listen.

"When something is encrypted with the private key, it can only be decrypted with the public key. The reverse also holds."

For those not familiar with PGP, the reverse is typical.

Basically, I have a private key and you (and everyone else) has access to a public key. You encrypt it using the public key, and only I can decrypt it with my private key. Nobody can decrypt it with the public key.

This is different from the majority of cryptosystems where only one key exists, and it must somehow be secretly shared between both parties.