Protect Firefox Browser From the U.S. Government, Says Mozilla Exec



Among the issues that President Obama did not address in his lukewarm call for "reform" of NSA spying practices are allegations that U.S. government officials have used their clout to compromise encryption technology and strongarm companies into inserting backdoors into their technology. That's not a small issue, because it gives the NSA and other agencies access to vast quantities of information at least as sensitive as what they gather from sucking up phone meta data. Last week, even before the president's speech, Brendan Eich, the Chief Technology Officer of Mozilla, the organization behind the Firefox Web browser, called on the public to help resist such threats.

Wrote Eich in a blog post:

As a result of laws in the US and elsewhere, prudent users must interact with Internet services knowing that despite how much any cloud-service company wants to protect privacy, at the end of the day most big companies must comply with the law. The government can legally access user data in ways that might violate the privacy expectations of law-abiding users. Worse, the government may force service operators to enable surveillance (something that seems to have happened in the Lavabit case).

Worst of all, the government can do all of this without users ever finding out about it, due to gag orders.

This creates a significant predicament for privacy and security on the Open Web. Every major browser today is distributed by an organization within reach of surveillance laws. As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users. We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders.

The unfortunate consequence is that software vendors — including browser vendors — must not be blindly trusted. Not because such vendors don't want to protect user privacy. Rather, because a law might force vendors to secretly violate their own principles and do things they don't want to do.

His proposed solution? Since Mozilla and its products are all open source, he wants tech savvy users around the world to:

  • regularly audit Mozilla source and verified builds by all effective means;
  • establish automated systems to verify official Mozilla builds from source; and
  • raise an alert if the verified bits differ from official bits.

That way, no matter what Mozilla is ordered to do by a government body, and forbidden to reveal, any compromises stand a good chance of being discovered. Even attempting them might deterred.

Talk about watching the watchers.

Eich is right—open source does have an inherent advantage over proprietary technology because it's open to public scrutiny. It stands to grow in importance for just that reason.

NEXT: US Military Offers Anti-IED Tech for Olympic Security

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Open source is obviously going to have to be… wait for it… BANNED.

    1. my neighbor’s sister brought in $12350 the prior week. she is working on the computer and moved in a $353200 home. All she did was get blessed and make use of the guide made clear on this web page

      ———- J?U?M?P?2??6.???????

  2. Holy shit, WaPo dumps Ezra Klein shortly after getting Radley Balko and now they pick up the Volokh Conspiracy.

    Jeff Bezos is awesome.

    1. Behind a paywall, though:

      “We realize that this may cause some inconvenience for some existing readers ? we are sorry about that, and we tried to negotiate around it, but that’s the Post’s current approach,” Volokh apologized, before, in typical libertarian fashion, immediately listing multiple ways to access the blog’s pages for free: The blog’s WaPo-hosted content will be freely available for the first six months; after that, intrepid users can use RSS feeds, .edu and .gov domains, and social media links to access the blog.

      But good news all the same.

      1. This made me laugh.

        Koch Brothers will write twice weekly relationship advice column.


        1. Dear Koch Bros: Help! My Husband Wants to Buy Another Platoon of Janissary Rather Than The African Pygmy Colony I’ve Had My Eye On!

    2. How is taking a free blog and turning it into a paid blog awesome?

      1. Because libertarians are getting positions with a major media outlet?


        Libertarians after Bezos: GODDAMMIT, IT’S A PAYWALL?!

        This strikes me as kind of a looking a gift horse in the mouth situation.

        1. If I read the post correctly, they weren’t giving any new or elevated position, merely the promise they’ll get linked to from WaPo articles every now and again.

          That’s hardly a victory. Twitter drives more traffic than WaPo.

          1. “That’s hardly a victory.”
            You’d rather WaPo wouldn’t?

            1. If the goal is to spread libertarian ideas, that goal is better served with a free blog than a paywall, regardless of whether WaPo links in.

              If anything, this seems like Bezo trying to exploit Volokh Conspiracy readers than trying to broaden WaPo’s content.

              1. Some of you people will bitch about anything.

    3. Wow, I somehow missed the earlier Ezra Klein news. So the wish I made on the day the wapo sale was announced is now fulfilled. OK, I didn’t actually get to see the smug douchebag get his walking papers on a live webcast, but still.

  3. Who are you going to trust? Obama and the Most Transparent Administration in history or a private, profit-seeking corporation who’s logo features a Fox humping the globe?

  4. As discussed in a previous thread, this has only been alleged. I would hardly expect the Obama administration— any administration really to reform something that’s only been alleged.

    Now, do I think it’s happening? You bet your ass. Unfortunately, we won’t know for sure until Edward Snowden II, the Revenge of Edward Snowden pops up with some memos where the NSA admits as much. Like pretty much everything else they’ve denied, then reluctantly admitted was going on, but didn’t matter and due process.

  5. Verifiable builds, maybe do a P2P distribution to avoid having servers seized/compromised/mitm

    Also, remember folks, your browser and computer probably trust the DOD root CA for ssl (green lock for a cert signed by them), maybe others.

    1. The last paragraph means nothing to a non-ultra nerd such as myself. Could you explain?

      1. He’s talking about TLS (more commonly known as SSL, its predecessor, or as HTTPS, for its use on the web).

        TLS is most known for providing encryption to internet traffic, which it indeed does. But it’s also responsible for verifying the identity of the server (e.g., whether or not you are really talking to Gmail).

        To do this it relies on Certificate Authorities. The one you are most likely to have heard of is VeriSign. If reason wanted to make its site accessible via HTTPS, it would go to a certificate authority (or a reseller, like GoDaddy) and get a certificate for reason.com.

        So essentially the certificate authority “vouches” for them. In most cases the amount of effort actually put in is minimal, but there are also Extended Validation certificates for important sites (the green lock SweatingGin mentions).

        So, I go to reason, and they send me back the certificate issued to them by VeriSign. But of course, I can’t just take their word for it.

        So browsers and operating systems ship with “root certificates” with which they can verify that a site’s certificate was actually issued by a legitimate Certificate Authority.

        So know we have a way for reason to verify its identity (by hooking up with a CA) and for the browser to verify that reason has hooked up with the CA (the root certificates). Now, the problem is: the first time I visit reason, how do I know what certificate authority reason actually verified its identity with?

        1. The simple answer is that you don’t*. You have to hope that the first time you visit reason, an interloper hasn’t spoofed your computer into going to another server. You just trust that a certificate authority wouldn’t “go rogue” and issue someone else a certificate for reason.

          And hence the problem: the US DOD is a CA and has its own root certificate shipped with browsers. So they can set up an evil fake reason, complete with an evil fake reason certificate, and the browser would trust the certificate.

          (Note that for reason that is beside the point, since they don’t use TLS in the first place and hence it is trivial to set up an evil fake reason)

          *there are work-arounds which I won’t explain because they aren’t needed to understand the issue at hand

  6. Worst of all, the government can do all of this without users ever finding out about it, due to gag orders.

    Even if you buy the argument that collecting metadata doesn’t violate 4A (which is complete bullshit BTW), how in the fuck do they think they can usurp the first amendment?

    1. Because National Security and FYTW.

      /servile judge

      1. And Commerce Clause!

        1. And Necessary and Proper!

  7. Really he should be encouraging the use of Tor, which is based on Firefox.

    1. Tor is a network protocol that is browser-independent.

      1. Should’ve been more specific. I meant the popular browser bundle.

    2. That’s what I use.
      I’m actually Joe from Lowell.


    3. Unfortunately, it there’s a security hole in firefox, and the Tor devs don’t spot it, using Tor will simply not protect you.

      1. Moreover, Tor itself has been compromised.

        1. Not 100%. Only if you don’t dot your i’s & cross your t’s, ie, not well educated users. Snowden released some stuff on this. NSA can get “a lot” of TOR traffic, but not if the user uses correct implementation.

  8. I see the alt-text has already been banned?

  9. I stand firm with Mozilla and Linux. They will be the future to internet freedom

    1. also pgp and bitcoin. gotta love the open source movement.

      1. Agreed!!!

    2. “Given enough eyeballs, all bugs are shallow.” – Linus’s Law


    Too early?

    1. “Too early” is only one of the things wrong with that post.

  11. What he asks is easier said than done. The browser code base is huge – too huge for any one or small group to audit. This means you need a large, organized group to do the audits. Yet Mozilla releases nightly, alpha, beta and production releases of Firefox. How much and how often can things be audited? What if some of your auditors are compromised?

    Further, binary builds are difficult to normalize. It is quite possible for the same binary built on different machines to not turn out identical. Likewise, unless you have built your compiler from audited, known to be secure code that too is vulnerable.

    Open source may offer theoretical advantages over its closed brethren but the reality is that for all but the smallest of projects it is a mostly impossible chore.


    1. Stilgar is quite correct as was shown by Ken Thompson of Bell Labs in 1984.

      Reflections on trusting trust

      The exploit described by Thompson has been discovered in the wild.

    2. Open source may offer theoretical advantages over its closed brethren but the reality is that for all but the smallest of projects it is a mostly impossible chore.

      That must be why netscape did so well and why firefox is doing so horribly.

      1. It’s not a question of their success in the market, but whether one is inherently more secure. Even though auditing a large code base is very difficult, it’s hard to argue that having access is worse than not having it. It’s at least theoretically possible to audit Firefox’s code; it’s not even theoretically possible to audit IE or Opera or Chrome, for example.

    3. This is an extremely difficult problem. However, there are a few ways to spot exploits.

      – The source control system (Mercurial in this case), makes all commits permanent. If I get an exploit in there and then remove it, it still leaves traces in the history of the project. I can still put in a backdoor, but I can’t hide the fact that I did that.
      – There are tools to create reproducible builds. This lets 200 people all make the same build in a way that produces exactly the same object. This protects against inserting an exploit right before compiling. I don’t think firefox uses it though.

  12. And if the Firefox source code is ever suddenly pulled by Mozilla, we’ll know that they got an order from the government to do so.


    1. There are so many copies of the Firefox repository at this point, many outside the official mirrors, that FF would still be able to function. The trick would be which build to trust at that point and from where.

  13. It may be theoretically possible to audit Firefox and all its myriad releases. If it is being built from source the compiler must also have been audited to have a chance at security. Any libraries llinked must have ben audited. Etc. It is a very complex problem.

  14. On a related note, to my view, the Freedom of Information Act should rightly allow us to request any source code or algorithms that the US government is using in its role with regard to citizens. Such as code used to compute taxes, etc. Basically, the US government should be *required* to use open source code because it is a public institution. Exceptions might be some code used by the military and intelligence agencies but these exceptions should require massive justification and the code should still be open to internal auditing by the DOJ tech squints with appropriate clearance. Code used by the NSA on US citizens would *not* qualify for an exception.

  15. No question about it, the USA is the new USSR. What a disgrace.

  16. “You have to hope that the first time you visit reason, an interloper hasn’t spoofed your computer into going to another server. “

Please to post comments

Comments are closed.