Mozilla’s CTO Calls for Organized, Global Firefox Audits

Brendan Eich, Mozilla’s often quoted CTO, is usually worth listening to on open source topics. The latest case in point is a new blog post titled "Trust but Verify," in which Eich discusses how hard it has become to trust the privacy guarantees in our software applications and services because of NSA-style snooping from governments, corporations and others. Eich is also calling for people around the world to help keep the Firefox browser secure from snooping and free from backdoors.

Eich writes that this is well within reach for Firefox, because it is the only major browser that is truly open:

"Software vendors — including browser vendors — must not be blindly trusted. Not because such vendors don’t want to protect user privacy. Rather, because a law might force vendors to secretly violate their own principles and do things they don’t want to do."

"Mozilla has one critical advantage over all other browser vendors. Our products are truly open source. Internet Explorer is fully closed-source, and while the rendering engines WebKit and Blink (chromium) are open-source, the Safari and Chrome browsers that use them are not fully open-source. Both contain significant fractions of closed-source code."

Eich says that security researchers worldwide should "verify the executable bits contained in the browsers Mozilla is distributing, by building Firefox from source and comparing the built bits with our official distribution."
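One concrete form of the comparison Eich describes, as an added example (not code from Mozilla or from his post): hash every file in a local build tree and in the official distribution, then report files whose bits differ or that exist on only one side. It assumes the build is bit-for-bit reproducible; in practice a mismatch can also come from the build environment (timestamps, embedded paths, compiler version), so a differing file is where an auditor starts looking, not proof of tampering.

```python
"""Added example: compare a local Firefox build tree with an official one."""
# Not Mozilla's code; file names below are constructed sample values.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries (e.g. libxul) fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_trees(built: Path, official: Path) -> dict:
    """Return files whose bits differ, plus files present on one side only.

    A file only in `official` is the case an auditor cares about most:
    bits shipped to users that no build from source produced.
    """
    built_files = {p.relative_to(built) for p in built.rglob("*") if p.is_file()}
    official_files = {p.relative_to(official) for p in official.rglob("*") if p.is_file()}
    common = built_files & official_files
    return {
        "differs": sorted(str(r) for r in common
                          if sha256_of(built / r) != sha256_of(official / r)),
        "only_in_official": sorted(str(r) for r in official_files - built_files),
        "only_in_build": sorted(str(r) for r in built_files - official_files),
    }


def demo() -> dict:
    """Constructed sample: two tiny trees standing in for real distributions."""
    root = Path(tempfile.mkdtemp())
    trees = {
        "built": {"firefox": b"ELF same", "libxul.so": b"ELF build A"},
        "official": {"firefox": b"ELF same", "libxul.so": b"ELF build B", "extra.so": b"?"},
    }
    for side, files in trees.items():
        for name, data in files.items():
            (root / side / name).parent.mkdir(parents=True, exist_ok=True)
            (root / side / name).write_bytes(data)
    return compare_trees(root / "built", root / "official")


if __name__ == "__main__":
    print(demo())
```

Run against real trees by calling `compare_trees` with the unpacked official archive and your own `obj-*/dist/bin` directory; an empty report is the "verified" outcome.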

Firefox’s market share has been dropping recently, but it remains a very popular browser, and it’s almost 10 years old now. I happen to use it and Chrome, and I still have a number of favorite Firefox extensions. One of the things to like about Firefox is that Mozilla does work to keep it truly open. Eich’s call for worldwide browser code auditing by security researchers is an ambitious one, but it’s also doable.

You can find his specific prescription for an organized browser auditing effort here.