Mozilla's Eich: Trust Us, We're Open

Firefox is trustworthy because its source code can be verified, says CTO Brendan Eich.

Software can't be trusted unless it's open-source, claims Mozilla CTO Brendan Eich, in a bid to promote Firefox, Mozilla's open-source web browser.

Eich notes that it has become increasingly difficult to trust the privacy promises of our software and services because governments, corporations, organizations, and individuals may be surveilling us online without our knowledge. We have little recourse, he argues, because such surveillance may be conducted under statutes that limit oversight and public scrutiny.

Eich points to the Lavabit case as an example. Lavabit began offering encrypted email as a service in 2004 but shut down abruptly last August without explanation. Lavabit owner Ladar Levison was under a gag order not to reveal details about his reason for shutting the service.

With the unsealing of court records several months later, it emerged that Levison is resisting a government order to provide Lavabit's Secure Sockets Layer (SSL) encryption key to authorities, who are believed to be seeking information on ex-NSA contractor Edward Snowden. Levison objects to handing over the master key on grounds that doing so would give the government data on all Lavabit's customers rather than just one.

For Eich, as for many security experts, the fact that privacy promises can be subverted by secret order means that proprietary code can't be trusted. Indeed, were some major software company ordered by authorities to provide an undisclosed backdoor to facilitate surveillance and to remain silent about the order, it might fight the order in court, outside of public view, but it wouldn't necessarily prevail.

"As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users," Eich said in a blog post. "We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders."

That's not true for open-source software, however. Because the programming code for Mozilla Firefox is completely open to public scrutiny, it can be checked for backdoors, not to mention security flaws that could be exploited for access. Firefox can be trusted because it can be verified independently, he said.

Eich argues that this is Firefox's primary advantage over its competitors. Internet Explorer, he says, is closed-source, while Chrome and Safari contain a mix of open-source and closed-source code.

And Firefox needs to make more of this advantage if it's to remain a leading browser. Whatever its transparency advantage may be -- perhaps not much given other potential weak links in the chain of trust like compromised SSL certificate authorities, tapped fiber optic cables, and sabotaged encryption algorithms -- Firefox's global market share has been eroded by the rising popularity of Google Chrome and by Apple rules that keep Firefox off iOS devices.

Eich advises "trust but verify." First comes "download and install."
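As an added example (not from Eich's post or from Mozilla), here is the verification step that belongs between "download" and "install": checking a downloaded build against a vendor-published SHA256SUMS-style list, with the sample installer and checksum list constructed inline. This confirms only that the file is the one the vendor published; whether that binary matches the audited source is a separate question the page leaves open.

```python
import hashlib
import hmac
import os
import tempfile

def parse_sha256sums(text):
    """Parse a coreutils-style listing: '<64 hex chars>  <filename>' per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64:
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = digest.lower()
    return expected

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, sums_text):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at `path`."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return "unlisted"          # a file the vendor never published is not verifiable
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"

def demo():
    # Constructed sample: a fake installer plus a checksum list that covers it.
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "firefox-installer.tar.bz2")  # constructed name
        with open(good, "wb") as f:
            f.write(b"constructed installer bytes\n")
        sums = f"{sha256_file(good)}  firefox-installer.tar.bz2\n"
        ok = verify_download(good, sums)
        with open(good, "ab") as f:
            f.write(b"\x00")       # any change after publication breaks the check
        bad = verify_download(good, sums)
        other = os.path.join(d, "other.bin")
        open(other, "wb").close()
        return ok, bad, verify_download(other, sums)
```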

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business.

