Mozilla CTO Eich: If your browser isn't open source (ahem, ahem, IE, Chrome, Safari), DON'T TRUST IT
Mozilla CTO Brendan Eich has cautioned netizens not to blindly trust software vendors, arguing that only open-source software can be assured to be free from government-mandated surveillance code. "Every major browser today is distributed by an organization within reach of surveillance laws," Eich wrote in a joint blog post with …
If I were in a happier mood I'd be drafting a news story about a Mozzy spokesperson telling the world how great it was that Firefox now included EME and a load of closed-source modules so it could be used to stream all the latest blockbusters, and never mind what we said about security because people love Netflix.
Mozilla used to be really credible and I don't want to detract from the importance of the points they're making here, but right now the taste is sour.
Re: Yeah, Whatever
Are you referring to W3C's decision to include EME DRM modules in the HTML5.1 standards? Because all I've seen is that Brandan Eich with Mozilla keeps saying that they are opposed to implementing the modules.
Re: Yeah, Whatever
@ Andy, yes, see for example:
Or in short: what's right for the users, and that includes Flash, so it must include DRM too.
Don't get me wrong, I appreciate Open Source and the principle that it's ideally more secure, I just think it needs to be taken with an appropriately-sized pinch of salt. EME is incompatible with his claims of security, and worse, claims to solve problems that it can't possibly solve without also being a complete contradiction in terms by requiring separate plug-ins, putting us back where we started and closing (some part of) the browsers again. Mozilla should, IMO, fight this.
Re: Yeah, Whatever
"and never mind what we said about security because people love Netflix."
Well those idiots can suffer then by using IE, can't they?
And even if it is open source, don't trust it.
Firefox health report (on by default, and telemetery - not on by default) submits so called anonymous data back to their servers but if their servers are compromised by government surveillance schemes, they could still be used in combination with other meta data to determine the status of individuals.
There is also the option to use Chromium, which IS open source, though I'm not sure if that also has phone home statistical collection "features".
I wish Firefox would at least ask for ANY collection permission when it's installed, last I checked they didn't.
If recent events and revelations hasn't prompted the open sourcers to rethink their stance of "collecting for statistical reasons is perfectly fine" and they seem to think they can trust their own servers then frankly they're being naive.
Re: And even if it is open source, don't trust it.
@02X7Cm - "Firefox health report (on by default, and telemetery - not on by default) submits so called anonymous data back to their servers but if their servers are compromised by government surveillance schemes, they could still be used in combination with other meta data to determine the status of individuals."
So? You're a big boy. Turn it off if you don't like it. Isn't that why they give you the warning up-front about it? So that you have a choice? I always turn that crap off, on every product.
People go on and on about open source as though it automatically makes everything more secure. Given the size of most open source projects it would most likely be fairly simple for the NSA to slip in a back door and thats not even considering slipping something into libraries. Additionally unless you've actually downloaded and compiled the source you cant be sure that the source code online is whats been used to compile the executable you're using.
Open source [...] makes everything more secure
The possibility that a back door can be found does act as a deterrent. This does no guarantee absolute security (you gotta smoke something heavy if you want to feel absolutely secure), but it is better than nothing.
Even the NSA will be careful when there is a risk of exposure.
Re: Open source [...] makes everything more secure
As with Schultz's comment, imagine if a backdoor was planted and discovered in a Open Source project? The commit would be traceable which would also raise questions on every commit that programmer ever did. Even if they were a false identity or it was found they themselves didn't commit the code (a fairly risky undertaking since commits you didn't make would surface rather rapidly) there would be a witch hunt to try and establish who and what was responsible and the political ramifications would be dire. Evidence of this kind of activity would also raise the barriers on a lot of projects which would encourage deep vetting of code, especially on high profile projects like OpenSSH.
Not to say it couldn't or hasn't happened, just that it is shortsighted among governments agencies. They would prefer the 'softly softly' approach as it plays to their hand.
I too was thinking, "how do we know Mozilla doesn't modify the source before compiling?"
A back door was allegedly planted in the OpenBSD source code, by a contractor who was working on a US government defence contract from what I remember. If true, then it shows it's possible to get a back door into a large open source project and have it there unnoticed. However, Eich quite rightly suggests ongoing audits, automated where possible, to catch this kind of thing. As Eich and another poster has said above, open source is not a silver bullet, but at least it gives you the possibility of auditing the code - something that's impossible with closed source. The best you can do with closed source stuff is sandbox it, and try to audit things like the network activity it performs, although this is something that should be done with binaries from open source code as well.
Re: Open source [...] makes everything more secure
"The commit would be traceable"
No one ever found the source of the Linux kernel back door though did they...
All that ought to go without saying!
Not just back doors
The risk with open source projects isn't so much back doors as insertion of deliberate bugs. Many modern vulnerabilities are buffer over runs and the like... Easily inserted, hard to find, and when found look like an accident rather than deliberate back door.
Open source is certainly better than closed source, but with the NSA with their tentacles everywhere, I imagine open source projects are probably riddled with their handiwork.
The man has a point
He has a point, but as has already been mentioned, Firefox does collect "anonymous" usage data, and the project is so big there is really no way of being highly confident there isn't some backdoor in the millions of lines of code, multiple libraries and versions etc.
I used to really respect Mozilla/Firefox, but my recent experience has been that, like a lot of big projects, it's getting bloated with unnecessary features which ultimately have impacted performance in a big way.
It would be great to have an alternative, but the WebKit/Blink based browsers, and Chrome in particular, clearly have the edge at the moment. They are faster, lighter and given their penetration increasingly better supported by sites.
@Adus - Re: The man has a point
You're (not so) subtly switching the topic here.
The man did not say FF is faster, lighter etc. He just said FF is easier to audit and can be compiled into a trusted binary. If you're not interested in this then pick up any browser you feel like and let's all be friends, OK?
Got it covered
Slightly off topic but we could all follow GCHQ's information security arm CESG's advice :-)
There new report is out if anyone is interested, have not read the whole document yet but Ubuntu 12.04 comes out well, I guess that means DON'T use Ubuntu 12.04.
Re: Got it covered
"I guess that means DON'T use Ubuntu 12.04"
That is a very simplistic view, that whatever the spooks recommend HAS to be compromised because that is their job. It is not: their job is to act in the interest of the UK (in GCHQ's case) which means protecting us from hackers AND hacking into others.
Given the endless stream of patches for every system out there, and the hacking budgets of hundreds of millions, finding holes can't be too hard for them no matter which system you chose or they recommend.
Nothing is perfect, and complete security is an unattainable myth, but open source and some verification of binaries w.r.t. source by others (outside of the country of origin of the project) is a damn sight better than the alternatives.
Big Billboards Are Needed
I know everyone here is bored of hearing this, but we need big billboards on all the roads reading this.
Also, we should weight on how much reduction in megabytes consumption we get on using a news paper's iPhone app that compels us away from using it in a browser.
Excellent Bandwagon-jumping Mr. Eich
Well done you.
Every major browser today...
So... he's admitting that Mozilla is no longer a "major browser" these days?
What's the point of auditing the source code...
... when you have absolutely no way to audit the build process itself?
A handful of deliberate bugs that make it easy to compromise is all you'd need. Those could be added to a low-level library anywhere – i.e. it would affect any application linked against it. When someone spots the bug and fixes it, you simply insert another bug somewhere else. It becomes a never-ending game of "Whack-a-Mole".
This symptom is indistinguishable from ordinary bug-testing, so not an easy problem to identify.
Remember, the NSA, GCHQ, the CIA, etc. are all intelligence agencies. That basically boils down to spying, and intelligence operatives have been doing undercover work for decades. Find the right person with the right leverage and nobody would ever know your organisation had even been compromised – not even the managers.
Open source is safe...
...if you know for certain that your compiler is not compromised and injecting code in to the final executable.
And how do you know that open source compiler is safe as you have to compile it on something to start with.
Re: Open source is safe...
"And how do you know that open source compiler is safe as you have to compile it on something to start with."
Do what people did originaly - compile it with your brain.
(Demonstration that your brain hasn't been hacked by the NSA left as an exercise for the reader).
Re: Open source is safe...
Nothing is safe...
Open source has a better change of being safer than closed source.
Nothing is perfect, but i'll take the best available option.
What nobody else has mentioned as well is what use is a secure browser if its running on an OS with backdoors, running on hardware with potential back doors is transmitting unencrypted information or is relying on trusted certificates from companies that would probably provide any certificate requested by the government which incidentally has a whole number of side channel attacks. Just mearly saying "OMG open source will fix it" which seems to be a common reaction in these parts just luls people with a false sense of security. If the NSA/GCHQ wanted to implant back doors do you think they couldn't create people with a history to do that? Don't you think they could hide the back doors in such a way that it looks like a bug rather than simply adding something that looks like a backdoor? Do you think the NSA cant find ways to intercept passwords and code being passed to and from a CVS system, or can't find a way to have the CVS code repositories including but not limited to sending someone into the physical location of the server?
You are absolutely right
but the one thousand mile road starts with the first step.
This puff piece is nonsense.
Open source, theoretically, should be more provable as secure than not. Which is fine, if you have the time, resources etc. to actually audit such code.
Real users do not, they do not download and compile from source (Linux on the desktop is increasing, sure, but it's still a rounding error compared to the Win/OS X userbase, and even then most of the time they're not building from source either), they download a 'trusted binary'.
And of course then there is the argument about compilers - I seem to recall a fantastic piece about compromising compilers from Ken Thompson. It was written 30 years ago, but here's the thing... when the Mozilla folks build the binaries for Windows, what do they use? I see from their Windows build requirements page that they use Visual Studio and cygwin in concert (VS for the compilation, cygwin for the linking, presumably? Not clear.) But you're still relying on those tools to be uncompromised. That means trusting VS and cygwin (and possibly gcc) - and you can't audit VS.
http://c2.com/cgi/wiki?TheKenThompsonHack is mildly scary reading. Not totally scary, but mildly scary.
But you can beat the Ken Thompson by cross-compiling and comparing results. All you need is one known-good compiler (which can be hand-assembled) to check all the rest.