Mozilla's Eich: Trust Us, We're Open - InformationWeek



Firefox is trustworthy because its source code can be verified, says CTO Brendan Eich.


Software can't be trusted unless it's open-source, claims Mozilla CTO Brendan Eich, in a bid to promote Firefox, Mozilla's open-source web browser.

Eich notes that it has become increasingly difficult to trust the privacy promises of our software and services because governments, corporations, organizations, and individuals may be surveilling us online without our knowledge. We have little recourse, he argues, because such surveillance may be conducted under statutes that limit oversight and public scrutiny.

Eich points to the Lavabit case as an example. Lavabit began offering encrypted email as a service in 2004 but shut down abruptly last August without explanation. Lavabit owner Ladar Levison was under a gag order not to reveal details about his reason for shutting the service.

With the unsealing of court records several months later, it emerged that Levison is resisting a government order to provide Lavabit's Secure Sockets Layer (SSL) encryption key to authorities, who are believed to be seeking information on ex-NSA contractor Edward Snowden. Levison objects to handing over the master key on grounds that doing so would give the government data on all Lavabit's customers rather than just one.

For Eich, as for many security experts, the fact that privacy promises can be subverted by secret order means that proprietary code can't be trusted. Indeed, were some major software company ordered by authorities to provide an undisclosed backdoor to facilitate surveillance and to remain silent about the order, it might fight the order in court, outside of public view, but it wouldn't necessarily prevail.

"As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users," Eich said in a blog post. "We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders."

That's not true for open-source software, however. Because the programming code for Mozilla Firefox is completely open to public scrutiny, it can be checked for backdoors, not to mention security flaws that could be exploited for access. Firefox can be trusted because it can be verified independently, he said.

Eich argues that this is Firefox's primary advantage over its competitors. Internet Explorer, he says, is closed source, while Chrome and Safari contain a mix of open-source and closed-source code.

And Firefox needs to make more of this advantage if it's to remain a leading browser. Whatever its transparency advantage may be -- perhaps not much given other potential weak links in the chain of trust like compromised SSL certificate authorities, tapped fiber optic cables, and sabotaged encryption algorithms -- Firefox's global market share has been eroded by the rising popularity of Google Chrome and by Apple rules that keep Firefox off iOS devices.

Eich advises "trust but verify." First comes "download and install."

Thomas Claburn is editor-at-large for InformationWeek. He has been writing about business and technology since 1996 for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business.


Thomas Claburn, User Rank: Author, 1/14/2014 | 8:20:12 PM
Re: On the other hand ...
Once you have physical access to a target's machine, it's game over.
David F. Carr, User Rank: Author, 1/14/2014 | 9:58:59 AM
On the other hand ...
Access to source code would also allow the spooks to compile their own version of the software with a backdoor inserted. They'd then need to figure out how to plant it on the PCs of their target or targets, but that's not so hard to imagine. And mess with any auto-update functionality so the user gets their software updates from a corrupt source rather than the original.

There's got to be a novel in this somewhere ...