If I end up downloading a .dmg or .exe (depending on OS) installer from some mirror site, how can I be sure that a virus or trojan or spyware has not been added?

I don't see any mechanism for ensuring that the files are not tampered with.

D.W.
Mithras
  • Does Mozilla not offer hashes for the installers? That's about the only thing I can think of, but also see this thread: http://security.stackexchange.com/questions/1687/does-hashing-a-file-from-an-unsigned-website-give-a-false-sense-of-security – Iszi Sep 08 '11 at 17:09

3 Answers

Mozilla downloads are always signed. On Windows you right-click the downloaded file and go to the "Digital signatures" tab. There you can see the signature (should be "Mozilla Corporation") and whether it is valid. When you try to execute this file after downloading it from the web you will get a warning anyway and you will see the signature there as well.

I'm not sure about the particular steps to do the same on OS X but I know that .dmg files are signed as well and the OS can validate the signature for you.

Wladimir Palant

They're a little hard to find, but Mozilla provide hashes of all the files in the current distribution of Firefox at:

https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/

Note that you can use the same URL to download Firefox directly from Mozilla themselves, bypassing mirrors altogether.

blunders
Graham Hill
    It's probably better to obtain the hash over SSL, so I suggest using the following URL instead: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/ See my answer for more details. – D.W. Jul 17 '12 at 18:42
Glad you asked about Firefox, because they do something funky.

I can suggest three ways you can validate a download:

  • The easiest method is to make sure you download it over HTTPS, and from a site that has a good reputation and that you trust. (Not a mirror site.)
  • The next-easiest is to check the signature on the installer. Some places will sign the installer, and you can check the signature as Wladimir Palant suggests and check that it is signed by the organization you expect.
  • The hardest method is to separately obtain a hash checksum of the correct file from a trusted source, then check that the hash of what you downloaded matches the known-good hash checksum. But then you have to ask: how do we make sure we got the correct hash? For that, see the above answers: you either download it over HTTPS from a trusted, reputable source, or you get a signed version and then somehow validate that it was signed by the right key.

All of these methods have significant pitfalls. When downloading over HTTPS, you have to make sure you haven't been exposed to some chain of redirects that takes you back to HTTP. When checking the signature, you have to make sure that the signer matches who you expect and that the organization name is correct. When obtaining hashes, you have to make sure the hash is trustworthy, or it was all a waste of time.

It turns out that Firefox's release system makes it especially tricky to download a known-good version of Firefox. See this blog post for details. In essence:

  • If you already have Firefox installed, and you use the automated update process, then Firefox provides strong protection to make sure you get a valid copy of the updated binary. It downloads the binary over HTTP from a mirror site, but it also downloads the correct hash over HTTPS directly from Mozilla and checks that they match before using the download. So using Mozilla's built-in update process is a good, secure method.

  • If you are downloading Firefox manually, then good luck. It is very tricky to validate the download. When you click download, they automatically redirect you to a mirror site over HTTP, so you do not have the protection of HTTPS. There does not appear to be any way to download the Firefox binaries directly from Mozilla over HTTPS. Fortunately, you can download the hashes of all the files, over HTTPS, here: https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/ Good luck finding that URL on your own without going through HTTP; it's a real pain. This aspect of Firefox's software distribution process could use some improvement.

D.W.
  • Interesting, that's one I've never seen before: http(s)://ftp.example.com. Weird much, Mozilla? ^^ – Luc Aug 18 '12 at 23:10
  • Interesting to read about the redirects issue. I suppose, during the download process, one could tell the user agent/browser not to follow redirect status codes to reassure oneself that we did not go down an unsafe path. – JW. Oct 17 '13 at 08:25
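As an added example (not code from any of the answers or comments above) of D.W.'s third method and of JW's point about refusing redirects: a small POSIX shell script that fetches a SHA512SUMS-style file over HTTPS only, with redirects treated as an error, and then checks a downloaded installer against it. The sums-file format (hex digest, two spaces, relative path per line), the placeholder paths and file names, and the curl options are assumptions for illustration; the demo data is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original answers. Verifies a manually downloaded
# installer against a SHA512SUMS-style file ("<hex digest>  <relative path>"
# per line, an assumed format). Paths and file names below are placeholders.

# SHA-512 of a file as lowercase hex, using whichever tool is installed.
file_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 512 "$1" | cut -d ' ' -f 1
    fi
}

# Expected digest for one relative path in the sums file. The path is matched
# whole, so "en-US/setup.exe" cannot be satisfied by "en-US/setup.exe.asc".
expected_sha512() {
    awk -v p="$2" '{ h = $1; sub(/^[^ ]+ +\*?/, ""); if ($0 == p) { print h; exit } }' "$1"
}

# Fetch the sums file over HTTPS only. -L with --max-redirs 0 turns any
# redirect (e.g. a bounce to an HTTP mirror) into a curl error instead of a
# silently saved redirect page; --proto '=https' refuses plain http:// URLs.
# Not run in the demo below (it needs the network).
fetch_sums() {
    curl --proto '=https' -L --max-redirs 0 --fail --silent --show-error -o "$2" "$1"
}

# verify_download <downloaded file> <sums file> <path as listed in sums file>
# Exit status: 0 match, 1 mismatch, 2 no entry for that path.
verify_download() {
    want=$(expected_sha512 "$2" "$3")
    if [ -z "$want" ]; then
        echo "no entry for $3 in $2" >&2
        return 2
    fi
    got=$(file_sha512 "$1")
    if [ "$got" != "$want" ]; then
        echo "HASH MISMATCH: $1 does not match $3" >&2
        return 1
    fi
    echo "OK: $1 matches $3"
}

# Constructed demo data: a stand-in "installer", a tampered copy, and a sums
# file generated from the good one (standing in for what fetch_sums would get).
demo_dir=$(mktemp -d)
printf 'pretend this is an installer\n' > "$demo_dir/setup.exe"
printf 'pretend this is an installer\nplus something extra\n' > "$demo_dir/tampered.exe"
printf '%s  win32/en-US/setup.exe\n' "$(file_sha512 "$demo_dir/setup.exe")" > "$demo_dir/SHA512SUMS"

verify_download "$demo_dir/setup.exe"    "$demo_dir/SHA512SUMS" "win32/en-US/setup.exe"
verify_download "$demo_dir/tampered.exe" "$demo_dir/SHA512SUMS" "win32/en-US/setup.exe" \
    || echo "tampered copy rejected (status $?)"
```

The check is only as good as the sums file's provenance: `fetch_sums` gets it directly from the vendor over HTTPS with no redirect allowed, which is the point D.W. and JW make. A sums file obtained from the same mirror as the installer proves nothing, since whoever altered the installer could have altered the hashes too.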