Once you download the installer, you can verify the hash for the installer via md5, sha1, or sha512 by checking against the file listing the hashes at https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/lat...
How do you know that the hash files are good? Well you check the signature of the files with the public key provided.
One of the more advanced things Mozilla is working on is verifiable builds, which means that given the source code, the exact same compiler, and configs, one can end up with a build that you did yourself but that would pass the same hash tests because it is bit-for-bit identical.
Now you have software that you can trust is from the source provided. However, you are still not safe from what Superfish is doing.
Superfish is not tampering with Firefox on download. It has a service that checks for new browsers. When it sees one, it inserts its certificate authority (CA) into the browser's CA data store. The second part is that they force all the user's network traffic through a local proxy:
You <=> superfish proxy <=> the internet
There are ways to detect this 'man in the middle'. The user can keep a list of certs and which sites they belong to. The browser can do this too, which is called key pinning. The browser could warn the user on cert changes. It is difficult for users to make informed decisions, as certs are replaced all the time for legitimate reasons. It also fails to catch the preinstalled Superfish scenario.
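A worked version of the download-verification steps described in the comment, added here as an example and not part of the original post or of Mozilla's tooling: it parses a coreutils-style sums file (the `<hexdigest>  <path>` layout that `sha512sum`-style listings use), picks md5/sha1/sha512 from the digest length, compares in constant time, and shows the signature step as a `gpg --verify` call against a keyring path that is assumed to have been obtained out of band. The installer payload and sums text are constructed.

```python
import hashlib
import hmac
import subprocess

# Hex digest length -> algorithm, for the three algorithms the comment mentions.
ALGOS_BY_HEX_LEN = {32: "md5", 40: "sha1", 128: "sha512"}


def parse_sums(text: str) -> dict:
    """Parse a coreutils-style sums file ('<hexdigest>  <path>' per line).
    Returns {path: (algorithm, hexdigest)}; lines that do not fit are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts
        algo = ALGOS_BY_HEX_LEN.get(len(digest))
        if algo is None:
            continue
        table[path.lstrip("*")] = (algo, digest.lower())  # '*' marks binary mode
    return table


def verify_download(data: bytes, sums_text: str, path: str) -> bool:
    """True only if `path` is listed in the sums file and `data` hashes to it."""
    entry = parse_sums(sums_text).get(path)
    if entry is None:
        return False  # an unlisted file cannot be vouched for
    algo, expected = entry
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def sums_signature_ok(sums_path: str, sig_path: str, keyring: str) -> bool:
    """The step that makes the sums file trustworthy: verify its detached
    signature with gpg against a keyring you obtained out of band (assumed path)."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--verify", sig_path, sums_path],
        capture_output=True,
    )
    return result.returncode == 0


# Constructed sample: a stand-in payload and a sums file listing it (sha512)
# alongside a second, unrelated sha1 entry written in binary-mode form.
SAMPLE_INSTALLER = b"constructed stand-in for an installer payload\n"
SAMPLE_PATH = "win64/en-US/Firefox Setup.exe"
SAMPLE_SUMS = (
    hashlib.sha512(SAMPLE_INSTALLER).hexdigest() + "  " + SAMPLE_PATH + "\n"
    + hashlib.sha1(b"other").hexdigest() + "  *other/installer.dmg\n"
)
```

Run `sums_signature_ok` first; a hash match against an unsigned or unverified sums file proves only that the download matches whatever the server (or a proxy in front of it) chose to publish.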