Mozilla's Eich: Trust Us, We're Open - InformationWeek

Mozilla's Eich: Trust Us, We're Open

Firefox is trustworthy because its source code can be verified, says CTO Brendan Eich.

Software can't be trusted unless it's open-source, claims Mozilla CTO Brendan Eich, in a bid to promote Firefox, Mozilla's open-source web browser.

Eich notes that it has become increasingly difficult to trust the privacy promises of our software and services because governments, corporations, organizations, and individuals may be surveilling us online without our knowledge. We have little recourse, he argues, because such surveillance may be conducted under statutes that limit oversight and public scrutiny.

Eich points to the Lavabit case as an example. Lavabit began offering encrypted email as a service in 2004 but shut down abruptly last August without explanation. Lavabit owner Ladar Levison was under a gag order not to reveal details about his reason for shutting the service.

With the unsealing of court records several months later, it emerged that Levison is resisting a government order to provide Lavabit's Secure Sockets Layer (SSL) encryption key to authorities, who are believed to be seeking information on ex-NSA contractor Edward Snowden. Levison objects to handing over the master key on grounds that doing so would give the government data on all Lavabit's customers rather than just one.

For Eich, as for many security experts, the fact that privacy promises can be subverted by secret order means that proprietary code can't be trusted. Indeed, were some major software company ordered by authorities to provide an undisclosed backdoor to facilitate surveillance and to remain silent about the order, it might fight the order in court, outside of public view, but it wouldn't necessarily prevail.

"As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users," Eich said in a blog post. "We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders."

That's not true for open-source software, however. Because the programming code for Mozilla Firefox is completely open to public scrutiny, it can be checked for backdoors, not to mention security flaws that could be exploited for access. Firefox can be trusted because it can be verified independently, he said.

Eich argues that this is Firefox's primary advantage over its competitors. Internet Explorer, he says, is closed-source, while Chrome and Safari contain a mix of open-source and closed-source code.

And Firefox needs to make more of this advantage if it's to remain a leading browser. Whatever its transparency advantage may be -- perhaps not much given other potential weak links in the chain of trust like compromised SSL certificate authorities, tapped fiber optic cables, and sabotaged encryption algorithms -- Firefox's global market share has been eroded by the rising popularity of Google Chrome and by Apple rules that keep Firefox off iOS devices.

Eich advises "trust but verify." First comes "download and install."

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business.

David F. Carr,
User Rank: Author
1/14/2014 | 9:58:59 AM
On the other hand ...
Access to source code would also allow the spooks to compile their own version of the software with a backdoor inserted. They'd then need to figure out how to plant it on the PCs of their target or targets, but that's not so hard to imagine. And mess with any auto-update functionality so the user gets their software updates from a corrupt source rather than the original.

There's got to be a novel in this somewhere ...
Thomas Claburn,
User Rank: Author
1/14/2014 | 8:20:12 PM
Re: On the other hand ...
Once you have physical access to a target's machine, it's game over.
User Rank: Ninja
1/15/2014 | 11:43:11 AM
Good for Firefox
You have to give credit to Mozilla to play the "Hey, here's our code, have at it" card when it comes to proving they are neutral when it comes to government interference.  I think a lot of users woke up a bit when they saw Chrome wasn't as secure as they would've liked to think, and so Mozilla promoting Firefox as a safe alternative is a great marketing move.  I don't expect other browser code to be as forthcoming, especially from major providers who have agreements with government entities.  

I wonder if they would repeat this when it comes to talk of their Firefox smartphone... I'd be curious to see if similar claims could be made as to the validity of the O/S.