Mozilla CTO Eich: If your browser isn't open source (ahem, ahem, IE, Chrome, Safari), DON'T TRUST IT

Mozilla CTO Brendan Eich has cautioned netizens not to blindly trust software vendors, arguing that only open-source software can be assured to be free from government-mandated surveillance code. "Every major browser today is distributed by an organization within reach of surveillance laws," Eich wrote in a joint blog post …

COMMENTS

This topic is closed for new posts.
  1. Sebby
    Stop

    Yeah, Whatever

    If I were in a happier mood I'd be drafting a news story about a Mozzy spokesperson telling the world how great it was that Firefox now included EME and a load of closed-source modules so it could be used to stream all the latest blockbusters, and never mind what we said about security because people love Netflix.

    Mozilla used to be really credible and I don't want to detract from the importance of the points they're making here, but right now the taste is sour.

    1. Anonymous Coward
      Linux

      Re: Yeah, Whatever

      @sebby -

      Are you referring to W3C's decision to include EME DRM modules in the HTML5.1 standards? Because all I've seen is that Brendan Eich with Mozilla keeps saying that they are opposed to implementing the modules.

      1. Sebby

        Re: Yeah, Whatever

        @ Andy, yes, see for example:

        http://blogs.computerworlduk.com/open-enterprise/2013/11/brendan-eich-mozillas-cto-on-eme-and-drm/

        Or in short: what's right for the users, and that includes Flash, so it must include DRM too.

        Don't get me wrong, I appreciate Open Source and the principle that it's ideally more secure, I just think it needs to be taken with an appropriately-sized pinch of salt. EME is incompatible with his claims of security, and worse, claims to solve problems that it can't possibly solve without also being a complete contradiction in terms by requiring separate plug-ins, putting us back where we started and closing (some part of) the browsers again. Mozilla should, IMO, fight this.

    2. wolfetone Silver badge

      Re: Yeah, Whatever

      "and never mind what we said about security because people love Netflix."

      Well those idiots can suffer then by using IE, can't they?

  2. 02X7Cm

    And even if it is open source, don't trust it.

    Firefox health report (on by default, and telemetry - not on by default) submits so-called anonymous data back to their servers but if their servers are compromised by government surveillance schemes, they could still be used in combination with other meta data to determine the status of individuals.

    There is also the option to use Chromium, which IS open source, though I'm not sure if that also has phone home statistical collection "features".

    I wish Firefox would at least ask for ANY collection permission when it's installed, last I checked they didn't.

    If recent events and revelations haven't prompted the open sourcers to rethink their stance of "collecting for statistical reasons is perfectly fine" and they seem to think they can trust their own servers then frankly they're being naive.

    1. Anonymous Coward
      Holmes

      Re: And even if it is open source, don't trust it.

      @02X7Cm - "Firefox health report (on by default, and telemetry - not on by default) submits so-called anonymous data back to their servers but if their servers are compromised by government surveillance schemes, they could still be used in combination with other meta data to determine the status of individuals."

      So? You're a big boy. Turn it off if you don't like it. Isn't that why they give you the warning up-front about it? So that you have a choice? I always turn that crap off, on every product.

  3. FordPrefect

    People go on and on about open source as though it automatically makes everything more secure. Given the size of most open source projects it would most likely be fairly simple for the NSA to slip in a back door and that's not even considering slipping something into libraries. Additionally unless you've actually downloaded and compiled the source you can't be sure that the source code online is what's been used to compile the executable you're using.

    1. Schultz

      Open source [...] makes everything more secure

      The possibility that a back door can be found does act as a deterrent. This does not guarantee absolute security (you gotta smoke something heavy if you want to feel absolutely secure), but it is better than nothing.

      Even the NSA will be careful when there is a risk of exposure.

      1. Anonymous Coward

        Re: Open source [...] makes everything more secure

        As with Schultz's comment, imagine if a backdoor was planted and discovered in an Open Source project? The commit would be traceable which would also raise questions on every commit that programmer ever did. Even if they were a false identity or it was found they themselves didn't commit the code (a fairly risky undertaking since commits you didn't make would surface rather rapidly) there would be a witch hunt to try and establish who and what was responsible and the political ramifications would be dire. Evidence of this kind of activity would also raise the barriers on a lot of projects which would encourage deep vetting of code, especially on high profile projects like OpenSSH.

        Not to say it couldn't or hasn't happened, just that it is shortsighted among government agencies. They would prefer the 'softly softly' approach as it plays to their hand.

        1. Tom Chiverton 1 Silver badge

          Re: Open source [...] makes everything more secure

          "The commit would be traceable"

          No one ever found the source of the Linux kernel back door though did they...

    2. Bob H

      I too was thinking, "how do we know Mozilla doesn't modify the source before compiling?"

    3. Anonymous Coward

      A back door was allegedly planted in the OpenBSD source code, by a contractor who was working on a US government defence contract from what I remember. If true, then it shows it's possible to get a back door into a large open source project and have it there unnoticed. However, Eich quite rightly suggests ongoing audits, automated where possible, to catch this kind of thing. As Eich and another poster have said above, open source is not a silver bullet, but at least it gives you the possibility of auditing the code - something that's impossible with closed source. The best you can do with closed source stuff is sandbox it, and try to audit things like the network activity it performs, although this is something that should be done with binaries from open source code as well.

  4. RobHib
    Facepalm

    Right!

    All that ought to go without saying!

    'Nuff said.

  5. Spoddyhalfwit

    Not just back doors

    The risk with open source projects isn't so much back doors as insertion of deliberate bugs. Many modern vulnerabilities are buffer overruns and the like... Easily inserted, hard to find, and when found look like an accident rather than deliberate back door.

    Open source is certainly better than closed source, but with the NSA with their tentacles everywhere, I imagine open source projects are probably riddled with their handiwork.

  6. Adus

    The man has a point

    He has a point, but as has already been mentioned, Firefox does collect "anonymous" usage data, and the project is so big there is really no way of being highly confident there isn't some backdoor in the millions of lines of code, multiple libraries and versions etc.

    I used to really respect Mozilla/Firefox, but my recent experience has been that, like a lot of big projects, it's getting bloated with unnecessary features which ultimately have impacted performance in a big way.

    It would be great to have an alternative, but the WebKit/Blink based browsers, and Chrome in particular, clearly have the edge at the moment. They are faster, lighter and given their penetration increasingly better supported by sites.

    1. Anonymous Coward

      @Adus - Re: The man has a point

      You're (not so) subtly switching the topic here.

      The man did not say FF is faster, lighter etc. He just said FF is easier to audit and can be compiled into a trusted binary. If you're not interested in this then pick up any browser you feel like and let's all be friends, OK?

  7. Salts

    Got it covered

    Slightly off topic but we could all follow GCHQ's information security arm CESG's advice :-)

    Their new report is out if anyone is interested, have not read the whole document yet but Ubuntu 12.04 comes out well, I guess that means DON'T use Ubuntu 12.04.

    https://www.gov.uk/government/collections/end-user-devices-security-guidance--2

    http://www.omgubuntu.co.uk/2014/01/ubuntu-12-04-secure-os-uk-government-gchq

    1. Paul Crawford Silver badge

      Re: Got it covered

      "I guess that means DON'T use Ubuntu 12.04"

      That is a very simplistic view, that whatever the spooks recommend HAS to be compromised because that is their job. It is not: their job is to act in the interest of the UK (in GCHQ's case) which means protecting us from hackers AND hacking into others.

      Given the endless stream of patches for every system out there, and the hacking budgets of hundreds of millions, finding holes can't be too hard for them no matter which system you choose or they recommend.

      Nothing is perfect, and complete security is an unattainable myth, but open source and some verification of binaries w.r.t. source by others (outside of the country of origin of the project) is a damn sight better than the alternatives.

  8. solo

    Big Billboards Are Needed

    I know everyone here is bored of hearing this, but we need big billboards on all the roads reading this.

    Also, we should weigh how much reduction in megabytes consumption we get on using a newspaper's iPhone app that compels us away from using it in a browser.

  9. JDX Gold badge

    Excellent Bandwagon-jumping Mr. Eich

    Well done you.

  10. jai

    Every major browser today...

    So... he's admitting that Mozilla is no longer a "major browser" these days?

  11. Sean Timarco Baggaley

    What's the point of auditing the source code...

    ... when you have absolutely no way to audit the build process itself?

    A handful of deliberate bugs that make it easy to compromise is all you'd need. Those could be added to a low-level library anywhere – i.e. it would affect any application linked against it. When someone spots the bug and fixes it, you simply insert another bug somewhere else. It becomes a never-ending game of "Whack-a-Mole".

    This symptom is indistinguishable from ordinary bug-testing, so not an easy problem to identify.

    Remember, the NSA, GCHQ, the CIA, etc. are all intelligence agencies. That basically boils down to spying, and intelligence operatives have been doing undercover work for decades. Find the right person with the right leverage and nobody would ever know your organisation had even been compromised – not even the managers.

  12. Wize

    Open source is safe...

    ...if you know for certain that your compiler is not compromised and injecting code in to the final executable.

    And how do you know that open source compiler is safe as you have to compile it on something to start with.

    1. John Hughes

      Re: Open source is safe...

      "And how do you know that open source compiler is safe as you have to compile it on something to start with."

      Do what people did originally - compile it with your brain.

      (Demonstration that your brain hasn't been hacked by the NSA left as an exercise for the reader).

    2. Joe Montana

      Re: Open source is safe...

      Nothing is safe...

      Open source has a better chance of being safer than closed source.

      Nothing is perfect, but I'll take the best available option.

  13. FordPrefect

    What nobody else has mentioned as well is what use is a secure browser if it's running on an OS with backdoors, running on hardware with potential back doors, is transmitting unencrypted information or is relying on trusted certificates from companies that would probably provide any certificate requested by the government which incidentally has a whole number of side channel attacks. Just merely saying "OMG open source will fix it" which seems to be a common reaction in these parts just lulls people with a false sense of security. If the NSA/GCHQ wanted to implant back doors do you think they couldn't create people with a history to do that? Don't you think they could hide the back doors in such a way that it looks like a bug rather than simply adding something that looks like a backdoor? Do you think the NSA can't find ways to intercept passwords and code being passed to and from a CVS system, or can't find a way to have the CVS code repositories including but not limited to sending someone into the physical location of the server?

    1. Anonymous Coward

      You are absolutely right

      but the one thousand mile road starts with the first step.

  14. Pete Spicer

    This puff piece is nonsense.

    Open source, theoretically, should be more provable as secure than not. Which is fine, if you have the time, resources etc. to actually audit such code.

    Real users do not, they do not download and compile from source (Linux on the desktop is increasing, sure, but it's still a rounding error compared to the Win/OS X userbase, and even then most of the time they're not building from source either), they download a 'trusted binary'.

    And of course then there is the argument about compilers - I seem to recall a fantastic piece about compromising compilers from Ken Thompson. It was written 30 years ago, but here's the thing... when the Mozilla folks build the binaries for Windows, what do they use? I see from their Windows build requirements page that they use Visual Studio and cygwin in concert (VS for the compilation, cygwin for the linking, presumably? Not clear.) But you're still relying on those tools to be uncompromised. That means trusting VS and cygwin (and possibly gcc) - and you can't audit VS.

    http://c2.com/cgi/wiki?TheKenThompsonHack is mildly scary reading. Not totally scary, but mildly scary.

    1. Charles 9

      But you can beat the Ken Thompson by cross-compiling and comparing results. All you need is one known-good compiler (which can be hand-assembled) to check all the rest.
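
The cross-compile-and-compare check in the last comment is usually called diverse double-compiling. The toy model below is an added example, not part of the thread: it shows why a self-rebuild cannot expose a self-propagating compiler trojan while a rebuild seeded from an independent trusted compiler can. `Binary`, `compile_with`, `ddc_matches` and the source strings are constructed for illustration, and builds are assumed to be deterministic.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for real compiler source trees.
CC_SRC = "source of compiler A (constructed)"
TRUSTED_SRC = "source of hand-assembled compiler T (constructed)"

@dataclass(frozen=True)
class Binary:
    implements: str       # source whose behaviour this binary has
    emitted_by: str       # source of the compiler whose code generator wrote it
    trojan: bool = False  # hidden payload that appears in no source file

    def digest(self) -> str:
        raw = f"{self.implements}|{self.emitted_by}|{self.trojan}"
        return hashlib.sha256(raw.encode()).hexdigest()

def compile_with(compiler: Binary, source: str) -> Binary:
    """Run a compiler binary on source. A trojaned compiler re-inserts its
    payload only when it recognises the compiler's own source."""
    infected = compiler.trojan and source == CC_SRC
    return Binary(implements=source, emitted_by=compiler.implements, trojan=infected)

def self_rebuild_matches(suspect: Binary) -> bool:
    """Naive check: rebuild the compiler with itself and compare digests."""
    return compile_with(suspect, CC_SRC).digest() == suspect.digest()

def ddc_matches(suspect: Binary, trusted: Binary) -> bool:
    """Diverse double-compiling: trusted -> stage1 -> stage2, then compare."""
    stage1 = compile_with(trusted, CC_SRC)  # right behaviour, different bytes
    stage2 = compile_with(stage1, CC_SRC)   # bytes a clean self-build must have
    return stage2.digest() == suspect.digest()

trusted = Binary(TRUSTED_SRC, emitted_by="by hand")
honest = Binary(CC_SRC, emitted_by=CC_SRC)
trojaned = Binary(CC_SRC, emitted_by=CC_SRC, trojan=True)

if __name__ == "__main__":
    for name, b in (("honest", honest), ("trojaned", trojaned)):
        print(name, "self-rebuild:", self_rebuild_matches(b), "DDC:", ddc_matches(b, trusted))
```

Stage 1 alone is not comparable with the suspect binary because a different code generator wrote it; only stage 2, produced by the same compiler logic, has to match byte for byte.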
