1/14/2014
09:06 AM

Mozilla's Eich: Trust Us, We're Open

Firefox is trustworthy because its source code can be verified, says CTO Brendan Eich.

Software can't be trusted unless it's open-source, claims Mozilla CTO Brendan Eich, in a bid to promote Firefox, Mozilla's open-source web browser.

Eich notes that it has become increasingly difficult to trust the privacy promises of our software and services because governments, corporations, organizations, and individuals may be surveilling us online without our knowledge. We have little recourse, he argues, because such surveillance may be conducted under statutes that limit oversight and public scrutiny.

Eich points to the Lavabit case as an example. Lavabit began offering encrypted email as a service in 2004 but shut down abruptly last August without explanation. Lavabit owner Ladar Levison was under a gag order not to reveal details about his reason for shutting the service.

With the unsealing of court records several months later, it emerged that Levison is resisting a government order to provide Lavabit's Secure Sockets Layer (SSL) encryption key to authorities, who are believed to be seeking information on ex-NSA contractor Edward Snowden. Levison objects to handing over the master key on grounds that doing so would give the government data on all Lavabit's customers rather than just one.

For Eich, as for many security experts, the fact that privacy promises can be subverted by secret order means that proprietary code can't be trusted. Indeed, were some major software company ordered by authorities to provide an undisclosed backdoor to facilitate surveillance and to remain silent about the order, it might fight the order in court, outside of public view, but it wouldn't necessarily prevail.

"As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users," Eich said in a blog post. "We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders."

That's not true for open-source software, however. Because the programming code for Mozilla Firefox is completely open to public scrutiny, it can be checked for backdoors, not to mention security flaws that could be exploited for access. Firefox can be trusted because it can be verified independently, he said.

Eich argues that this is Firefox's primary advantage over its competitors. Internet Explorer, he says, is closed-source, while Chrome and Safari contain a mix of open-source and closed-source code.

And Firefox needs to make more of this advantage if it's to remain a leading browser. Whatever its transparency advantage may be -- perhaps not much given other potential weak links in the chain of trust like compromised SSL certificate authorities, tapped fiber optic cables, and sabotaged encryption algorithms -- Firefox's global market share has been eroded by the rising popularity of Google Chrome and by Apple rules that keep Firefox off iOS devices.

Eich advises "trust but verify." First comes "download and install."

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business.

Comments
Stratustician,
User Rank: Ninja
1/15/2014 | 11:43:11 AM
Good for Firefox
You have to give credit to Mozilla to play the "Hey, here's our code, have at it" card when it comes to proving they are neutral when it comes to government interference.  I think a lot of users woke up a bit when they saw Chrome wasn't as secure as they would've liked to think, and so Mozilla promoting Firefox as a safe alternative is a great marketing move.  I don't expect other browser code to be as forthcoming, especially from major providers who have agreements with government entities.  

I wonder if they would repeat this when it comes to talk of their Firefox smartphone... I'd be curious to see if similar claims could be made as to the validity of the O/S.
Thomas Claburn,
User Rank: Author
1/14/2014 | 8:20:12 PM
Re: On the other hand ...
Once you have physical access to a target's machine, it's game over.
David F. Carr,
User Rank: Author
1/14/2014 | 9:58:59 AM
On the other hand ...
Access to source code would also allow the spooks to compile their own version of the software with a backdoor inserted. They'd then need to figure out how to plant it on the PCs of their target or targets, but that's not so hard to imagine. And mess with any auto-update functionality so the user gets their software updates from a corrupt source rather than the original.

There's got to be a novel in this somewhere ...