Brendan Eich is the chief technology officer of the Mozilla Foundation, the non-profit behind the Firefox web browser.
Among many other things, he oversees the Firefox security team — the software engineers who work to steel the browser against online attacks from hackers, phishers, and other miscreants — and that team is about to get bigger. Much, much bigger.
In a recent blog post, Eich calls for security researchers across the globe to regularly audit the Firefox source code and create automated systems that can ensure the same code is used to update 18 million machines that run the browser. That’s not an option for other browsers, but it is for Firefox. The code behind the browser is completely open source, meaning anyone can look at it, at any time.
Because Firefox is open source, outsiders can not only audit the code, they can also patch holes in the software and distribute such changes independently of Mozilla. In other words, if there’s a problem with Mozilla or Firefox, someone else can fix it and publish a new version online. “Through international collaboration of independent entities, we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users’ privacy expectations,” Eich explains.
That isn’t necessarily the case with Firefox’s competitors. Microsoft’s Internet Explorer isn’t open source at all, and although Apple Safari, Google Chrome and Opera are based on open source software, all contain at least some proprietary code. Pure open source implementations of Chrome exist — such as Chromium and Iron — but Firefox is the only major browser that is completely open source.
Security audits have long played a major role with open source software. In 2010, allegations that a developer working for the FBI had placed backdoors in OpenBSD, an open source operating system, led to a full code audit, which revealed no issues. Today, an independent team is working to audit TrueCrypt, an open source encryption system.