Mozilla's Eich: Trust Us, We're Open - InformationWeek


Firefox is trustworthy because its source code can be verified, says CTO Brendan Eich.

Software can't be trusted unless it's open-source, claims Mozilla CTO Brendan Eich, in a bid to promote Firefox, Mozilla's open-source web browser.

Eich notes that it has become increasingly difficult to trust the privacy promises of our software and services because governments, corporations, organizations, and individuals may be surveilling us online without our knowledge. We have little recourse, he argues, because such surveillance may be conducted under statutes that limit oversight and public scrutiny.

Eich points to the Lavabit case as an example. Lavabit began offering encrypted email as a service in 2004 but shut down abruptly last August without explanation. Lavabit owner Ladar Levison was under a gag order not to reveal details about his reason for shutting the service.

With the unsealing of court records several months later, it emerged that Levison is resisting a government order to provide Lavabit's Secure Sockets Layer (SSL) encryption key to authorities, who are believed to be seeking information on ex-NSA contractor Edward Snowden. Levison objects to handing over the master key on grounds that doing so would give the government data on all Lavabit's customers rather than just one.

For Eich, as for many security experts, the fact that privacy promises can be subverted by secret order means that proprietary code can't be trusted. Indeed, were some major software company ordered by authorities to provide an undisclosed backdoor to facilitate surveillance and to remain silent about the order, it might fight the order in court, outside of public view, but it wouldn't necessarily prevail.

"As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users," Eich said in a blog post. "We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders."

That's not true for open-source software, however. Because the programming code for Mozilla Firefox is completely open to public scrutiny, it can be checked for backdoors, not to mention security flaws that could be exploited for access. Firefox can be trusted because it can be verified independently, he said.

Eich argues that this is Firefox's primary advantage over its competitors. Internet Explorer, he says, is closed-source, while Chrome and Safari contain a mix of open-source and closed-source code.

And Firefox needs to make more of this advantage if it's to remain a leading browser. Whatever its transparency advantage may be -- perhaps not much given other potential weak links in the chain of trust like compromised SSL certificate authorities, tapped fiber optic cables, and sabotaged encryption algorithms -- Firefox's global market share has been eroded by the rising popularity of Google Chrome and by Apple rules that keep Firefox off iOS devices.

Eich advises "trust but verify." First comes "download and install."

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business.

User Rank: Ninja
1/15/2014 | 11:43:11 AM
Good for Firefox
You have to give credit to Mozilla to play the "Hey, here's our code, have at it" card when it comes to proving they are neutral when it comes to government interference.  I think a lot of users woke up a bit when they saw Chrome wasn't as secure as they would've liked to think, and so Mozilla promoting Firefox as a safe alternative is a great marketing move.  I don't expect other browser code to be as forthcoming, especially from major providers who have agreements with government entities.  

I wonder if they would repeat this when it comes to talk of their Firefox smartphone... I'd be curious to see if similar claims could be made as to the validity of the O/S.
Thomas Claburn,
User Rank: Author
1/14/2014 | 8:20:12 PM
Re: On the other hand ...
Once you have physical access to a target's machine, it's game over.
David F. Carr,
User Rank: Author
1/14/2014 | 9:58:59 AM
On the other hand ...
Access to source code would also allow the spooks to compile their own version of the software with a backdoor inserted. They'd then need to figure out how to plant it on the PCs of their target or targets, but that's not so hard to imagine. And mess with any auto-update functionality so the user gets their software updates from a corrupt source rather than the original.

There's got to be a novel in this somewhere ...