Mozilla warns not to trust browser vendors as it looks for verification

The organisation behind Firefox is looking to build a global auditing system to verify that Mozilla builds do not contain any code forced into the browser by court order.

In a world where companies are forced by court order to provide information to intelligence authorities , or potentially even leave backdoors open for surveillance, and then have the vendor forced to maintain silence about any action due to a gag order, how can IT users and purchasers be sure that the software they rely on is untainted?

Over the weekend, Brenchan Eich, Mozilla CTO, and Andreas Gal, Mozilla vice president of mobile and R&D, penned a blog post that detailed Mozilla's plans to establish a system that would allow users to verify that Mozilla's binary builds contain only the code found in Mozilla's source code repositories.

The system would be established at a global level, with a diverse set of people from a number of geographies and political persuasions involved, and would involve regular audits of Mozilla source and verified builds "by all effective means", setting up automated systems to verify official Mozilla binaries, and raising the alarm should any difference occur between the verified and official builds.

"Through international collaboration of independent entities, we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users' privacy expectations," the pair said.

Mozilla believes that it has a head start in the trust stakes, due to the instantly auditable, open-source nature of the source code found in the organisation's projects, the trust level of which is enhanced when built with open-source compilers in order to avoid compiler-level attacks.

"Mozilla has one critical advantage over all other browser vendors. Our products are truly open source," the pair said.

"Internet Explorer is fully closed source, and while the rendering engines WebKit and Blink (chromium) are open source, the Safari and Chrome browsers that use them are not fully open source. Both contain significant fractions of closed-source code."

As the world gains a much better idea of the reach of the NSA and the United States Foreign Intelligence Surveillance Court , Eich and Gal warned that every major browser vendor is within reach of surveillance laws, and the potential exists for the authorities to force vendors to secretly inject "surveillance code" into the software they distribute. The pair readily admitted that they have no evidence that any request of the sort has ever been requested.

"However, if that were to happen, the public would likely not find out due to gag orders," Eich and Gal said. "The unfortunate consequence is that software vendors — including browser vendors — must not be blindly trusted.

"Not because such vendors don't want to protect user privacy. Rather, because a law might force vendors to secretly violate their own principles and do things they don't want to do."