Protect Firefox Browser From the NSA

Mozilla Calls on World to Protect Firefox Browser From the NSA

• BY KLINT FINLEY
• Brendan Eich is the chief technology officer of the Mozilla Foundation, the non-profit behind the Firefox web browser. Among many other things, he oversees the Firefox security team — the software engineers who work to steel the browser against online attacks from hackers, phishers, and other miscreants — and that team is about to get bigger. Much, much bigger.
  In a recent blog post, Eich calls for security researchers across the globe to regularly audit the Firefox source code and create automated systems that can ensure the same code is used to update 18 million machines that run the browser. That’s not an option for other browsers, but it is for Firefox. The code behind the browser is completely open source, meaning anyone can look at it, at any time.
  ‘As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users’
  — Brendan Eich
  The move is one more way that the giants of the web are responding to revelations that the National Security Agency is snooping on web traffic via popular services and software. After NSA whistleblower Edward Snowden revealed that the U.S. government is tapping into data collected by private companies like Google and Facebook and then private email outfit Lavabit revealed a gag order that forbade the company from the telling customers the government was requesting information about them, Eich is worried that the feds could force Mozilla into adding a backdoor into its browser.
  “As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users,” Eich says. “We have no information that any browser vendor has ever received such a directive. However, if that were to happen, the public would likely not find out due to gag orders.”
  Because Firefox is open source, outsiders can not only audit the code, they patch holes in the software and distribute such changes independently of Mozilla. In other words, if there’s a problem with Mozilla or Firefox, someone else can fix it and publish a new version online. “Through international collaboration of independent entities, we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users’ privacy expectations,” Eich explains.
  That isn’t necessarily the case with Firefox’s competitors. Microsoft’s Internet Explorer isn’t open source at all, and although Apple Safari, Google Chrome and Opera are based on open source software, all contain at least some proprietary code. Pure open source implementations of Chrome exist — such as Chromium and Iron — but Firefox is the only major browser that is completely open source.
  Security audits have long played a major role with open source software. In 2010, allegations that a developer working for the FBI had placed backdoors in OpenBSD, an open source operating system, led to a full code audit, and this revealed no issues. Today, an independent team is working to audit TrueCrypt, an open source encryption system.
  An audit can certainly improve confidence in our software, but there are always limitations. A well-funded government operations like the NSA may actually be better at finding and exploiting problems than a world of independent auditors is at finding and fixing them.
  Last summer, the Electronic Freedom Frontier sponsored an audit of Off the Record, an encryption plugin for the Pidgen and Adium instant message clients, but it wasn’t completely confident int he process. “But we only did it for a summer,” EFF activism director Rainey Reitman told us last year. “Presumably, if you’re a government agency with a multimillion dollar budget, you might be able to spend more than a summer looking for vulnerabilities.”
  But certainly, when it comes to audits, open source software has an advantage over close source tools. If a closed source operating system is accused of planting an FBI backdoor, it would be much more difficult for independent researchers to evaluate. But open sourcing your code doesn’t guarantee that more people will look it. Like Eich, you must work to encourage audits from outsiders, and these audit must happen constantly.
  “Security is never ‘done,’” Eich says. “It is a process, not a final rest-state.”
  http://www.wired.com/wiredenterprise/2014/01/mozilla/