Mozilla has one critical advantage over all other browser vendors.
Our products are truly open source . . . As Anthony Jones from our New Zealand office pointed out the other month, security researchers can use this fact to verify the executable bits contained in the browsers Mozilla is distributing, by building Firefox from source and comparing the built bits with our official distribution . . .
To ensure that no one can inject undetected surveillance code into Firefox, security researchers and organizations should:
regularly audit Mozilla source and verified builds by all effective means;
establish automated systems to verify official Mozilla builds from source;
raise an alert if the verified bits differ from official bits.
In the best case, we will establish such a verification system at a global scale, with participants from many different geographic regions and political and strategic interests and affiliations.
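The "build, compare, alert" loop described above is easy to state and easy to get subtly wrong: a verifier that only hashes the files it happens to find will never notice an extra binary that the official package ships and the source build does not. The script below is an added illustration, not Mozilla's own tooling. It assumes an official checksum manifest in the two-space "<sha256 hex>  <relative path>" layout of a SHA256SUMS file, hashes the corresponding files in a local build directory, and reports every entry as a match, a mismatch, or missing; only a clean match across the whole manifest counts as verified. All file contents and the manifest in `demo()` are constructed inline so it runs offline.

```python
"""Compare locally built artifacts against an official checksum manifest.

Added illustration of the verification loop (build from source, compare
with official bits, alert on any difference). Not Mozilla's code; the
manifest format is assumed to be SHA256SUMS-style "<hex>  <path>" lines,
and every sample file and digest below is constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<hex>  <relative path>' lines; blank lines and '#' comments are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel_path = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest in manifest line: {line!r}")
        expected[rel_path.strip()] = digest
    return expected


def verify_build(build_dir, manifest_text):
    """Return {relative path: 'match' | 'mismatch' | 'missing'} for every manifest entry.

    'missing' (the official manifest lists a file the local build never
    produced) is reported rather than skipped: a verifier that only compares
    files it already has would never see an added binary.
    """
    results = {}
    for rel_path, official_digest in parse_manifest(manifest_text).items():
        local_path = os.path.join(build_dir, rel_path)
        if not os.path.isfile(local_path):
            results[rel_path] = "missing"
        elif sha256_of_file(local_path) == official_digest:
            results[rel_path] = "match"
        else:
            results[rel_path] = "mismatch"
    return results


def alerts(results):
    """Paths that should raise an alert: anything that is not a clean match."""
    return sorted(p for p, status in results.items() if status != "match")


def demo():
    """Constructed scenario: one matching file, one altered file, one absent file."""
    with tempfile.TemporaryDirectory() as build_dir:
        good = b"constructed-firefox-binary-contents\n"
        with open(os.path.join(build_dir, "firefox-bin"), "wb") as f:
            f.write(good)
        with open(os.path.join(build_dir, "libxul.so"), "wb") as f:
            f.write(good + b"extra-bytes-not-in-official-build\n")
        # Constructed manifest: the "official" digest of both files is that of
        # `good`; "omni.ja" is listed officially but never produced locally.
        manifest = "\n".join([
            "# constructed SHA256SUMS excerpt",
            f"{hashlib.sha256(good).hexdigest()}  firefox-bin",
            f"{hashlib.sha256(good).hexdigest()}  libxul.so",
            "0" * 64 + "  omni.ja",
        ])
        results = verify_build(build_dir, manifest)
        return results, alerts(results)


if __name__ == "__main__":
    res, alert_list = demo()
    for path, status in sorted(res.items()):
        print(f"{status:9s} {path}")
    print("ALERT:" if alert_list else "OK:", alert_list)
```

In a real deployment the manifest would come from the official distribution channel and the build directory from a reproducible build of the matching source tag; independent verifiers in different regions running this same comparison is what turns "the bits differ" into a public, hard-to-suppress signal.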
Security is never “done” — it is a process, not a final rest-state. No silver bullets. All methods have limits. However, open-source auditability cleanly beats the lack of ability to audit source vs. binary.
Through international collaboration of independent entities we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users’ privacy expectations.