Co-founder and chief technology officer at the Mozilla Foundation, Brendan Eich, has written a blog post encouraging security researchers around the world to regularly audit the code of Mozilla’s Firefox browser, to ensure that it has not been tampered with by government agencies such as the NSA.
Referencing the Lavabit case, where owner Ladar Levison shut the company down rather than submit to US government pressure to hand over all its customers’ encryption keys, Eich points out that every browser vendor sits within the jurisdiction of a government that can compel it to ‘secretly inject surveillance code into the browsers they distribute to users,’ and that ‘the public would likely not find out due to gag orders.’
Insisting (quite rightly in our view) that as a consequence, ‘software vendors — including browser vendors — must not be blindly trusted,’ Eich goes on to explain why Firefox is in an advantageous position in this regard thanks to it being 100 percent open source, unlike Internet Explorer (completely closed), Safari and Chrome (and also Opera, which Eich didn’t mention), all of which ‘contain significant fractions of closed-source code’.
This means that anyone qualified to do so can examine and audit the code, so Eich issued a ‘call to action’ for security researchers to:
- regularly audit Mozilla source and verified builds by all effective means;
- establish automated systems to verify official Mozilla builds from source; and
- raise an alert if the verified bits differ from official bits
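The second and third points of that call to action amount to a reproducible-build check: rebuild from source, hash what came out, and compare it against the official package. The script below is an added example, not Mozilla’s own verification tooling; the file names (`firefox`, `lib/libnss.so`, `lib/omni.ja`) and the sample trees are constructed for the demonstration, and the alert is simply a report of every file that is missing, extra, or has a different SHA-256 digest.

```python
"""Compare a locally rebuilt tree against an official build, file by file.

Added example (not Mozilla's own tooling). It hashes every file under two
directories and reports anything missing, extra, or differing: the
"raise an alert if the verified bits differ" step. File names are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_builds(official: Path, rebuilt: Path) -> dict[str, list[str]]:
    """Return {'missing': [...], 'extra': [...], 'mismatch': [...]} (all sorted)."""
    a, b = hash_tree(official), hash_tree(rebuilt)
    return {
        "missing": sorted(set(a) - set(b)),    # shipped officially, absent from the rebuild
        "extra": sorted(set(b) - set(a)),      # produced by the rebuild, not shipped
        "mismatch": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def builds_match(report: dict[str, list[str]]) -> bool:
    """True only when no file is missing, extra, or different."""
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed sample: the 'official' tree carries one altered library and one
    file the rebuild never produced, so the comparison must raise an alert."""
    with tempfile.TemporaryDirectory() as tmp:
        official = Path(tmp, "official")
        rebuilt = Path(tmp, "rebuilt")
        for root in (official, rebuilt):
            (root / "lib").mkdir(parents=True)
            (root / "firefox").write_bytes(b"main binary (constructed)")
            (root / "lib" / "libnss.so").write_bytes(b"crypto library (constructed)")
        # The official package differs by one byte in the crypto library ...
        (official / "lib" / "libnss.so").write_bytes(b"crypto library (constructed)!")
        # ... and ships a file the source tree did not produce.
        (official / "lib" / "omni.ja").write_bytes(b"bundled js (constructed)")
        return compare_builds(official, rebuilt)


if __name__ == "__main__":
    report = demo()
    print("MATCH" if builds_match(report) else f"ALERT: {report}")
```

A real deployment hashes the artifacts of a genuinely reproducible build; if the toolchain embeds timestamps or build paths, every run alerts and the signal is lost, so making the build deterministic comes before automating the comparison. The report format is deliberately plain so that it can be diffed or published as a manifest that third parties check independently.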
Although this is a nice idea, in practice it is likely unworkable (a problem that applies to most open source software). The biggest challenge is that programs such as Firefox are large and contain an awful lot of code. Not only is it very time consuming to audit, but it is quite easy to hide malicious elements within it that are easily missed by even the most careful and experienced auditor.
The EFF’s ongoing crowdsourced effort to audit TrueCrypt demonstrates how difficult, expensive and time consuming such a project is, as does last summer’s sponsored audit of Off-the-Record (OTR), an encryption plugin for the Pidgin and Adium instant messaging clients. This last, however, also demonstrates the limitations even when software is audited, as the EFF expressed a lack of complete confidence in the process:
‘But we only did it for a summer. Presumably, if you’re a government agency with a multimillion dollar budget, you might be able to spend more than a summer looking for vulnerabilities.’
That programs are open source is great, and it remains the best protection and guarantee against malicious government interference. Audits of open source software are also a great idea and to be encouraged, but Eich’s wish to see Firefox undergoing a continual process of such auditing does seem a bit over-optimistic.