Mozilla warns not to trust browser vendors as it looks for verification

Mozilla warns not to trust browser vendors as it looks for verification

Summary: The organisation behind Firefox is looking to build a global auditing system to verify that Mozilla builds do not contain any code forced into the browser by court order.


In a world where companies are forced by court order to provide information to intelligence authorities, or potentially even leave backdoors open for surveillance, and then have the vendor forced to maintain silence about any action due to a gag order, how can IT users and purchasers be sure that the software they rely on is untainted?

Over the weekend, Brenchan Eich, Mozilla CTO, and Andreas Gal, Mozilla vice president of mobile and R&D, penned a blog post that detailed Mozilla's plans to establish a system that would allow users to verify that Mozilla's binary builds contain only the code found in Mozilla's source code repositories.

The system would be established at a global level, with a diverse set of people from a number of geographies and political persuasions involved, and would involve regular audits of Mozilla source and verified builds "by all effective means", setting up automated systems to verify official Mozilla binaries, and raising the alarm should any difference occur between the verified and official builds.

"Through international collaboration of independent entities, we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users' privacy expectations," the pair said.

Mozilla believes that it has a head start in the trust stakes, due to the instantly auditable, open-source nature of the source code found in the organisation's projects, the trust level of which is enhanced when built with open-source compilers in order to avoid compiler-level attacks.

"Mozilla has one critical advantage over all other browser vendors. Our products are truly open source," the pair said.

"Internet Explorer is fully closed source, and while the rendering engines WebKit and Blink (chromium) are open source, the Safari and Chrome browsers that use them are not fully open source. Both contain significant fractions of closed-source code."

As the world gains a much better idea of the reach of the NSA and the United States Foreign Intelligence Surveillance Court, Eich and Gal warned that every major browser vendor is within reach of surveillance laws, and the potential exists for the authorities to force vendors to secretly inject "surveillance code" into the software they distribute. The pair readily admitted that they have no evidence that any request of the sort has ever been requested.

"However, if that were to happen, the public would likely not find out due to gag orders," Eich and Gal said. "The unfortunate consequence is that software vendors — including browser vendors — must not be blindly trusted.

"Not because such vendors don't want to protect user privacy. Rather, because a law might force vendors to secretly violate their own principles and do things they don't want to do."

Topics: Security, Open Source, Privacy


Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Before they do that...

    ... Maybe they should fix the first Google link about downloading Mozilla Firefox having adware?

    Seriously, the EZ-download link, the first one that pops up, contains a nasty virus.
    • So download feom Mozilla

      You know, that thing about only downloading only from trusted sources?
      • I did.

        Most of the people here are savvy enough to check links.

        Normal people, on the other hand, are a bit different.

        They'll choose the first link they see.

        By the way, did you flag me?
  • So what happens if...

    ...a company as large as Google, Microsoft or Apple discloses this information even with the gag order in place?

    People as individuals and massive companies need to stop bowing down to the Governments' every demand. If the government says you cant say something, and you go out there and tell the world, Honestly what is the worst they can do?

    I understand an individual may go to jail, But what about a huge company?
    • Individuals

      Huge companies are led by individuals who don't want to go to jail.
      Also, the government can invent all sorts of means to punish or hurt that company and its business prospects.
      • When's the last time ...

        ... you heard of any executive of a big company going to jail for a "crime" committed by the company? Maybe ... just maybe ... the Enron scandal comes to mind. I cannot think of any other case in the past several decades.

        All the troubles with the big banks & finance companies in the past 5 to 6 years comes up as a bright and shining example of absolutely NO individual person being held accountable for clear violations of law committed by their companies.

        I think Bioxide has a valid question, and I think the answer is that the likelihood of any individual actually having to face the criminal justice system is as near to zero as makes no difference. Rich bankers commit flagrant crimes and walk away laughing all the way to their secret Cayman Islands bank accounts. The tech company bigwigs, while on the surface seem to be expressing just a tad bit more deference or respect for the law, are showing quite the cowardly streak in the face of this police-state bullying.
        Gravyboat McGee
        • People vs. "The People"

          It's one thing for a corporation to make off with billions of dollars of our investments and retirement funds. It's another overtly defy a federal government law enforcement agency. People get screwed all the time, but you don't mess with "The People."
        • See: Three Felonies a Day

          For more on how the federal government can punish individual executives if they defy them, see the book "Three Felonies a Day" -

          There's a huge difference between financial crimes and openly defying any order containing the phrase "National Security".
    • The only things that company can do

      Is to first relocate to a country that doesn't have an extradition treaty with the US, and can't be bribed/coerced into one.

      Second, all the directors, officials, and top managers have to relocate as well.

      Third, it must relocate all its servers the same way...

      In other words, relocate all assets out of the US, and likely the only place they can go is China, or maybe Russia.
      • Russia and China?

        If you think the U.S. Government is bad, you need to go spend some time talking to the ladies of a band called "Pussy Riot." While you're at it, I'd suggest you talk to the family of journalist Anna Politkovskaya. I'd recommend you talk to her, as she had some damn fine reporting on the "open" Russian government, but since she was assassinated by the Russians for speaking out against their campaigns in the Caucuses - you really can't ask her any questions.
        • I'm not a mind reader but

          I would guess that's jessepollard's point.
    • I suspect the "too big to fail" argument would fail!

      When the largest banks in the US were guilty of borderline (and actual) criminal acts to defraud American consumers and homeowners of Trillions of dollars, creating the Great Recession, they were bailed out rather than being allowed to go under, and their charters were not revoked, and nobody (yet; stand by) went to jail for allowing or ordering these illegal actions, because of the concern that the sudden loss of these corporations would turn the Great Recession into an even Greater Depression.

      But I have a feeling that the corporate charters, licenses to use the airwaves, and even the CEOs of telecom or net companies that violated a gag order on surveillance would be considered "fair game" by the NSA, FBI, CIA, etc. REGARDLESS of the catastrophic effects on the US economy. But they would not be taken to court, because that would openly reveal that what they "illegally" revealed was in fact the truth; top officials would die in air crashes (even if it required killing all the innocent passengers and people on the ground; maybe the NSA could even get extra mileage out of it by making it look like a terrorist hijacking!); networks would crash inexplicably; bank accounts of the offending companies would be hacked and their funds would disappear; and only the "surviving" officials, if any, of the offending companies and their competitors, would know the true reason, being told privately, but not in writing, with an oral gag order on THAT.

      Then FEMA or some other organization would HAVE to step in to control the retail-level chaos (regardless of the current party in power). If there were a conservative President at the time, he/she would take advantage of this Second Depression to institute Christian-American Fascism as described in "The Handmaid's Tale;" if a liberal President, he/she would try to help as many Americans as possible with a Second New Deal, which the very people being helped would condemn as "communism" even while accepting the help. Guess which one would TRY to guide us back to a real democracy, if the people would help to make it happen?

      So to summarize, a huge company would not be punished for REAL crimes such as stealing from the American people (individually OR through government), for fear of a DEPRESSION; but no problem punishing them (not by legal procedures) if they violate a gag order from the spooks.
  • Tin Foil in your hat is wearing out.

    @ jallan32

    Get a new one. :-D
  • The Elephant In The Room

    "In a world where companies are forced by court order to provide information to intelligence authorities . . . detailed Mozilla's plans to establish a system that would allow users to verify that Mozilla's binary builds contain only the code found in Mozilla's source code repositories."

    Are all these CEO's and CIO/CSO's afraid to mention th elephant in the room?

    Given the Snowden disclosures - and what we knew before that - it is apparent that "intelligence" agencies have surveiled members of the courts just as they have all us other "potential terrorists". That being the case, any decision by any court which asserts that the agencies' have a legal authority to violate guaranteed Rights and business contracts is criminal.

    Yet how many of those aforementioned C-level employees-owners-stockholders have stood up and said no?

    Perhaps because they too are being blackmailed?

    So what makes anyone think that an international standards body would also not be subject to the same extortion? Or that any "certified clean browsers" would actually be so?