Mozilla: Firefox Has No Government Backdoors

By Kevin Parrish
published

Andreas Gal, Mozilla's vice president of mobile and R&D, and Brendan Eich, CTO and SVP of Engineering, have updated Gal's blog with a long entry about how Firefox users can trust Mozilla when it comes to government backdoors and user privacy.

In the blog, they point out that due to laws in the U.S. and elsewhere, Web surfers must interact with Internet services knowing full well that even though cloud service companies want to protect user privacy, eventually one day those companies will be required to comply with laws. The government may acquire information that seems to violate privacy and could even force surveillance. Even more, the government can do so while enforcing gag orders on the service, leaving the consumer unaware.

This creates a problem in regards to privacy and security. Every major browser today is distributed by an organization within reach of surveillance laws, they point out. Injecting surveillance code in a web browser is quite possible.

"The unfortunate consequence is that software vendors — including browser vendors — must not be blindly trusted," they report. "Not because such vendors don't want to protect user privacy. Rather, because a law might force vendors to secretly violate their own principles and do things they don't want to do."

They also point out that unlike other browser vendors, Mozilla's products are truly open source. That's a "critical advantage," as Internet Explorer is closed, and both Safari and Chrome have open-source rendering engines, but contain "significant" fractions of closed source code. By being 100 percent open source, security researchers can verify the executable bits contained in the browsers Mozilla is distributing.

However, the answer to getting real trust, it seems, is to create a global audit system verifying that Firefox isn't immediately injected with government-tainted code at the request of court orders.

"To ensure that no one can inject undetected surveillance code into Firefox, security researchers and organizations should regularly audit Mozilla source and verified builds by all effective means, establish automated systems to verify official Mozilla builds from source, and raise an alert if the verified bits differ from official bits," they suggest.

"Beyond this first step, can we use such audited browsers as trust anchors, to authenticate fully-audited open-source Internet services? This seems possible in theory," they add.

Kevin Parrish
8 Comments Comment from the forums
  • Grandmastersexsay
    Is Mozilla trying to say Firefox is safe from government agencies inserting code into their program because they are open source? I guess they haven't heard of SELinux.

    http://en.m.wikipedia.org/wiki/Security-Enhanced_Linux
    Reply
  • Estix
    Is Mozilla trying to say Firefox is safe from government agencies inserting code into their program because they are open source? I guess they haven't heard of SELinux.http://en.m.wikipedia.org/wiki/Security-Enhanced_Linux
    No, that wasn't what they were saying; they were saying that, because they are open source, the source can be audited, and then verified as safe, by comparing an "expected" compiled binary to the actual distributed one - that is, by making sure that, as the article said:
    "To ensure that no one can inject undetected surveillance code into Firefox, security researchers and organizations should regularly audit Mozilla source and verified builds by all effective means, establish automated systems to verify official Mozilla builds from source, and raise an alert if the verified bits differ from official bits,"
    Reply
  • dextermat
    Either way, your ISP is surely cooperating with the government and they know what website you go onto and probably collects other info without us knowing...Privacy is just a myth anyways.
    Reply
  • qlum
    It is never a 100% secure way as backdoors can very well be hidden in legit additions to the browser and chances are in such cases that a government manages to insert backdoors but I still think its pretty backdoor free if only for the fact that attempting to add a backdoor and failing would be very problematic and the chance of someone finding it out is always there. Still if a clever coder manages to put it in and it gets past screening there may still be backdoors in firefox.
    Reply
  • dalethepcman
    Why give them a backdoor? The garage door opener / keys to the front door are much easier.
    Reply
  • Wong Dong
    Firefox have to work with isp.. government is really eating us alive every way they can.
    Reply
  • Cleber Zarate
    Validating that the compiled binary is the exact same binary produced if you compile that code yourself can be a very tricky task, first because your compiler version and every library used might make a difference in the resulting binary, the second is because there's no good way for them to ensure us the own firefox download servers that we use to download firefox isn't tampered to offer different binaries and md5s to different IP addresses or something. I know this might be unlikely but hey, didn't we all think unlikely that the whole NSA deal could take place?
    Reply
  • s32ialx
    Well we've lost the fight and the big ISP's can control what we view on the net.http://www.wired.com/opinion/2014/01/internet-freedom-day-year-net-neutrality/
    Reply