Trust but verify: Mozilla execs invite researchers to audit their code
The recent revelations about NSA surveillance efforts, and especially the claims that the agency has been persuading or forcing software developers to put backdoors into their offerings and has prevented them from talking about it publicly, have left many users wondering how they can be sure that the software they plan to use will not be used against them.
According to Mozilla CTO Brendan Eich and VP of mobile and R&D Andreas Gal, the solution is to use open-source software whose source code can and has been audited by independent security experts.
“Every major browser today is distributed by an organization within reach of surveillance laws. As the Lavabit case suggests, the government may request that browser vendors secretly inject surveillance code into the browsers they distribute to users,” they pointed out in a blog post, but added that they “have no information that any browser vendor has ever received such a directive.”
They, naturally, touted the company’s Firefox browser as the best option, given that IE is based entirely, and Safari and Chrome partially, on closed-source code.
Also, anyone who knows how to do it can verify that Firefox’s source code has not been tampered with by building Firefox from source and comparing the built bits with the official distribution.
They then invited and urged security researchers and organizations to audit Mozilla source and verified builds on a regular basis, and to develop automated systems that verify official Mozilla builds against a build from source, so that an alert can be raised as soon as possible if the two don’t match.
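The comparison step described above (build from source, then check the built bits against the official distribution) is the core of any automated build-verification system. The following script is an added example, not Mozilla’s own tooling: it hashes every file under two directory trees with SHA-256 and reports files that differ, are missing from the local build, or appear only locally. The two sample trees and the file names in them are constructed for the demonstration; a real run would point `compare_builds` at an actual from-source build and an unpacked official package.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries (libxul etc.) are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def digest_tree(root):
    """Map each regular file's path (relative, POSIX-style) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_builds(local_root, official_root):
    """Compare a from-source build tree with the official distribution tree.

    Returns a report with the files whose bytes differ, the files the official
    package ships but the local build lacks, and files present only locally.
    """
    local = digest_tree(local_root)
    official = digest_tree(official_root)
    report = {"mismatched": [], "missing_locally": [], "extra_locally": [], "matched": 0}
    for rel, digest in official.items():
        if rel not in local:
            report["missing_locally"].append(rel)
        elif local[rel] != digest:
            report["mismatched"].append(rel)
        else:
            report["matched"] += 1
    report["extra_locally"] = sorted(set(local) - set(official))
    return report


def builds_match(report):
    """True only when every official file is present locally with identical bytes."""
    return not (report["mismatched"] or report["missing_locally"] or report["extra_locally"])


def make_sample_trees(base):
    """Constructed sample data: two tiny trees standing in for a local build and
    the official package. The official copy of one file is altered by one byte
    so the comparison has something to find. Not real Firefox artifacts."""
    base = Path(base)
    local, official = base / "local_build", base / "official_dist"
    files = {
        "firefox": b"launcher bytes (constructed)",
        "libxul.so": b"xul library bytes (constructed)",
        "omni.ja": b"omni archive bytes (constructed)",
    }
    for root in (local, official):
        root.mkdir(parents=True, exist_ok=True)
        for name, data in files.items():
            (root / name).write_bytes(data)
    (official / "libxul.so").write_bytes(files["libxul.so"] + b"\x00")
    return local, official


def demo():
    """Run the comparison on the constructed trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        local, official = make_sample_trees(tmp)
        return compare_builds(local, official)


if __name__ == "__main__":
    r = demo()
    status = "OK" if builds_match(r) else "ALERT: build does not match official distribution"
    print(status)
    for key in ("mismatched", "missing_locally", "extra_locally"):
        for rel in r[key]:
            print(f"  {key}: {rel}")
```

A byte-for-byte comparison like this only produces a clean result when the build itself is reproducible: timestamps, absolute build paths, or embedded build IDs in the official package will show up as mismatches that have nothing to do with tampering, so an automated verifier has to either normalize those inputs or maintain an explicit list of files expected to differ, and treat any mismatch outside that list as the alert condition.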
The company will also create such a verification system, and will ask people from around the world to participate. But, as they themselves say, “software vendors — including browser vendors — must not be blindly trusted,” and they therefore ask independent security researchers to do the same.
Finally, they raised the possibility of audited browsers becoming “trust anchors” able to authenticate fully-audited open-source Internet services, and asked people who have attempted to do something similar to share their experience with them.