Linked by davidiwharper on Tue 14th Jan 2014 09:03 UTC
Mozilla & Gecko clones

Mozilla plans to establish an automated process which would verify that binaries contain only the code found in the official source repositories, and not spyware secretly added during the build process at the behest of government intelligence agencies. In a blog post entitled Trust but Verify, CTO Brendan Eich and R&D VP Andreas Gal note that governments "may force service operators [such as Mozilla] to enable surveillance (something that seems to have happened in the Lavabit case)" and pledge to develop systems which will make Firefox resistant to this form of tampering.

Comment by Coxy
by Coxy on Tue 14th Jan 2014 14:38 UTC

But how do you know nothing has happened to Mozilla's tool?

Reply Score: 3

RE: Comment by Coxy
by Alfman on Tue 14th Jan 2014 16:28 in reply to "Comment by Coxy"

Coxy,

I'd also like more details, but from the sounds of it the intention is to preemptively reveal the existence of bugs planted at the source (i.e. Mozilla) and kept secret via court-mandated gag orders. It's not intended (as far as I can tell) to protect users whose systems have already been compromised.

So for example, they might have 1000 volunteers who independently compile binaries from public sources and publish the SHA1 hashes. A simple utility like sha1sum can then be used to verify the authenticity of the binaries. I suspect it will become incorporated directly into the downloader, perhaps even with automatic reporting that a "covert" modification was detected.

Note that this would not necessarily protect individual users from being targeted downstream. However, it does protect Mozilla from being forced to incorporate backdoors at the source and then being legally gagged from talking about it. The idea is that a backdoor in Mozilla's official binaries would quickly get caught by a hash mismatch between the corrupted official binaries and the binaries compiled by the volunteers from the public source.

Reply Parent Score: 5
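The scheme Alfman sketches, as an added example that is not part of the thread and not Mozilla's own tooling: volunteers publish the SHA-1 of the binary they built from the public source, and a downloader compares its copy against that list. Everything below is constructed for illustration: the file names, the hash-list format (`<sha1>  <volunteer-id>` per line), the "volunteer" entries and the tiny stand-in "binaries" are assumptions, not real Firefox builds or a real Mozilla format.

```shell
#!/bin/sh
# Added example: verify a downloaded binary against hashes published by
# independent volunteer builders. Constructed data throughout; nothing here
# is Mozilla's code or format.

sha1_of() {
  # sha1sum is what the comment names; fall back to shasum on BSD/macOS.
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# verify_binary BINARY HASHLIST
# HASHLIST lines look like "<sha1>  <volunteer-id>" (assumed format).
# Returns 0 only if the list is non-empty and every volunteer hash matches;
# any disagreement is reported on stderr, since a single mismatch is the
# signal the scheme exists to surface.
verify_binary() {
  bin="$1"; list="$2"
  actual=$(sha1_of "$bin")
  total=0; agree=0; disagree=0
  while read -r h who; do
    [ -z "$h" ] && continue
    total=$((total + 1))
    if [ "$h" = "$actual" ]; then
      agree=$((agree + 1))
    else
      disagree=$((disagree + 1))
      echo "MISMATCH: $who published $h, downloaded file is $actual" >&2
    fi
  done < "$list"
  echo "$bin: $agree/$total volunteer builds match"
  if [ "$disagree" -eq 0 ] && [ "$total" -gt 0 ]; then
    return 0
  else
    return 1
  fi
}

# make_demo DIR: constructs a stand-in "official" binary, a tampered copy
# with extra bytes appended, and a hash list from three volunteers whose
# builds all reproduced the untampered bytes (constructed data).
make_demo() {
  d="$1"
  mkdir -p "$d"
  printf 'firefox-bits-v1\n' > "$d/firefox-official"
  printf 'firefox-bits-v1\n' > "$d/firefox-tampered"
  printf 'covert-modification\n' >> "$d/firefox-tampered"
  good=$(sha1_of "$d/firefox-official")
  : > "$d/volunteer-hashes.txt"
  for v in volunteer-A volunteer-B volunteer-C; do
    printf '%s  %s\n' "$good" "$v" >> "$d/volunteer-hashes.txt"
  done
}

# Stand-alone run: the clean copy passes, the tampered copy is rejected.
demo_dir=$(mktemp -d)
make_demo "$demo_dir"
verify_binary "$demo_dir/firefox-official" "$demo_dir/volunteer-hashes.txt"
if ! verify_binary "$demo_dir/firefox-tampered" "$demo_dir/volunteer-hashes.txt"; then
  echo "tampered binary rejected"
fi
rm -rf "$demo_dir"
```

The check only has value if the volunteer hashes are fetched over a channel the official download server does not control, and if the volunteers' builds are reproducible enough to agree with each other in the first place; SHA-1 is kept here because the comment names it, but a practitioner setting this up today would publish SHA-256.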

RE[2]: Comment by Coxy
by acobar on Tue 14th Jan 2014 18:14 in reply to "RE: Comment by Coxy"

The problem with software is that you must trust/certify the whole stack to be reasonably sure there is no backdoor in it.

If you take Firefox from any Linux distribution, for example, it uses many system libraries to do its sub-duties, and if a critical sub-layer is compromised, so to the dump goes your security. The same can be said about other platforms.

For people really worried about security, take a look at the links below.

http://istruecryptauditedyet.com/
https://madiba.encs.concordia.ca/~x_decarn/truecrypt-binaries-analys...

The last link means that binary auditing can be done; it is hard work, and we may need a better/specific tool set to be able to do it right even on open systems. I don't think it is possible on closed ones. For them, network packet auditing seems to be the only way. Of course, not from the computer you are using.

Once out of the box there is no way to put the trust back. Paranoid we became.

Reply Parent Score: 3