Linked by davidiwharper on Tue 14th Jan 2014 09:03 UTC
Mozilla & Gecko clones

Mozilla plans to establish an automated process which would verify that binaries contain only the code found in the official source repositories, and not spyware secretly added during the build process at the behest of government intelligence agencies. In a blog post entitled Trust but Verify, CTO Brendan Eich and R&D VP Andreas Gal note that governments "may force service operators [such as Mozilla] to enable surveillance (something that seems to have happened in the Lavabit case)" and pledge to develop systems which will make Firefox resistant to this form of tampering.

Permalink for comment 580674
To read all comments associated with this story, please click here.
flypig
Member since:
2005-07-13

Well, for most it's probably even more secure than compiling the code ourselves because most of us don't even conduct a cursory inspection of the code first. There's a very good chance that a source code based back door can be installed undetected even if it's not concealed. If no one looks at it, it might as well be commented in all caps "HERE BE A BACKDOOR".

I see your point: the equivalence would be to installing from source, where I have some certainty that the source I'm using is the same as the source other people are using (and presumably auditing).

If ANYONE on the network is doing a good job monitoring the code for backdoors, then a hash verified binary copy is probably more secure than a copy compiled from source by an end user.

Yes, but it does still rely on this happening. Whether I compile from integrity-checked source, or use a binary that has been verifiably generated from a given source tree, I still have to rely on the assumption that someone else audited it, the libraries it relies on, and all previous versions of the compiler (since there's no way I'm doing that myself!).

It's a good initiative and reducing the requirement to trust a single organisation makes a lot of sense. If only I could apply the same technique to all of the other technologies I use regularly.

Reply Parent Score: 4