"It is becoming increasingly difficult to trust the privacy properties of software and services we rely on to use the Internet," starts Brendan Eich, CTO at Mozilla, in his most recent blog post.
The problem Eich, and indeed most other privacy-conscious citizens, have is that the National Security Agency is snooping on web traffic through very common and popular services and software.
Snowden's initial revelations may not have been so surprising: what else did people think a spying agency did? But the extent of the infiltration the NSA has carried out is so vast and unprecedented that the open web will never be the same again.
"Every major browser today is distributed by an organization within reach of surveillance laws," writes Eich.
In Eich we trust?
The truth is, the US Government is in a position where it can request that browser vendors insert surveillance code into the browsers they distribute, and the public would never find out, because of gag orders.
This leads to one conclusion, says Eich.
"Software vendors - including browser vendors - must not be blindly trusted."
So why is Mozilla, with its Firefox browser, any different?
Well, for starters, Mozilla has one advantage over other traditional browser vendors. Firefox is an open-source product, through and through.
"Our products are truly open source. Internet Explorer is fully closed-source, and while the rendering engines WebKit and Blink (chromium) are open-source, the Safari and Chrome browsers that use them are not fully open-source. Both contain significant fractions of closed-source code."
Eich is calling for action. He is rallying the open-source troops into taking the responsibility, and, dare I say it, the right, of web privacy into their own hands.
Security researchers and organisations should, according to Eich, regularly audit Mozilla source and verified builds by "all effective means", establish automated systems to verify official Mozilla builds from source, and issue an alert if "the verified bits differ from official bits".
"In the best case, we will establish such a verification system at a global scale, with participants from many different geographic regions and political and strategic interests and affiliations."
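To make the verification scheme Eich sketches concrete, here is an added toy model (not Mozilla's code and not taken from his post): several hypothetical independent builders, standing in for participants in different regions, rebuild a release from source, and their output is compared byte-for-byte against the bits the vendor publishes. All artifacts are constructed byte strings, not real Firefox builds, and the builder labels are assumptions. The majority digest among builders tells the alert which side is the odd one out, so a single dishonest or broken auditor does not by itself indict the vendor, and a vendor artifact that nobody can reproduce does not hide behind one lone "match".

```python
"""Toy reproducible-build verification: independent rebuilds versus official bits.
Added example; artifacts below are constructed, not real releases."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample artifacts standing in for a release binary.
OFFICIAL_BITS = b"firefox-release-stub\n" + bytes(range(64))
TAMPERED_BITS = OFFICIAL_BITS[:-1] + b"\xff"   # vendor artifact altered after the build
ROGUE_BITS = OFFICIAL_BITS + b"\x00"           # one builder that produced different output


def sha256_hex(data: bytes) -> str:
    """Digest used to compare artifacts without shipping the bytes around."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class VerificationReport:
    verdict: str                 # "clean", "official-suspect" or "builder-suspect"
    official_digest: str
    consensus_digest: str        # digest most builders agreed on
    outlier_builders: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.verdict != "clean"


def verify_release(official_bits: bytes, independent_builds: dict) -> VerificationReport:
    """Compare independent rebuilds of a release against the vendor's artifact.

    independent_builds maps a builder label (a hypothetical participant such as a
    region or organisation) to the bytes it produced from source. A reproducible
    build should be bit-identical everywhere, so any mismatch raises an alert; the
    majority digest among builders then says whether the vendor's bits or a
    minority of builders are the odd ones out."""
    if not independent_builds:
        raise ValueError("at least one independent build is required")
    official = sha256_hex(official_bits)
    digests = {name: sha256_hex(bits) for name, bits in independent_builds.items()}
    consensus, votes = Counter(digests.values()).most_common(1)[0]

    if consensus == official and votes == len(digests):
        return VerificationReport("clean", official, consensus)

    if consensus != official and votes * 2 > len(digests):
        # A majority of builders agree with each other but not with the vendor:
        # the published bits are what cannot be reproduced.
        outliers = [n for n, d in digests.items() if d != consensus]
        return VerificationReport("official-suspect", official, consensus, outliers)

    # Otherwise the vendor's bits match (or tie with) the majority; the builders
    # that disagree with them are the ones that deserve scrutiny.
    dissenters = [n for n, d in digests.items() if d != official]
    return VerificationReport("builder-suspect", official, consensus, dissenters)


def format_alert(report: VerificationReport) -> str:
    """Human-readable line for the alerting system Eich describes."""
    if not report.alert:
        return f"OK: all builders reproduced official digest {report.official_digest[:16]}..."
    return (f"ALERT [{report.verdict}]: official {report.official_digest[:16]}... "
            f"consensus {report.consensus_digest[:16]}... outliers={report.outlier_builders}")


if __name__ == "__main__":
    honest = {"eu-builder": OFFICIAL_BITS, "asia-builder": OFFICIAL_BITS, "us-builder": OFFICIAL_BITS}
    print(format_alert(verify_release(OFFICIAL_BITS, honest)))
    print(format_alert(verify_release(TAMPERED_BITS, honest)))
    with_rogue = {"eu-builder": OFFICIAL_BITS, "asia-builder": OFFICIAL_BITS, "rogue": ROGUE_BITS}
    print(format_alert(verify_release(OFFICIAL_BITS, with_rogue)))
```

The three calls in the demo cover the cases the post implies: every builder reproduces the official bits, the official bits differ from what everyone else builds, and one builder alone disagrees. A real deployment would compare artifacts fetched from the vendor's distribution channel against builds done from the tagged source on machines the vendor does not control, and would sign and publish each builder's digest so that the builders can also be audited.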
This rather romantic and idealistic call to arms reflects Eich's belief that "security is never done". It's true: setting stationary goals cultivates complacency. The goal of privacy via security should always be a moving goalpost, and it's easy to see how an international union of open-source soldiers.
"Through international collaboration of independent entities we can give users the confidence that Firefox cannot be subverted without the world noticing, and offer a browser that verifiably meets users' privacy expectations."
What's so encouraging about Eich's blog post is that we have a major US technology firm actively seeking crowd participation in defending itself from a power it sees as unethical: the US government. If a company is not openly doing this, not openly allowing verification to confirm its products are not already compromised, then we can deduce that said company is already compromised.
One concern, however, is whether the public can even trust 'independent' auditors. They could be there simply to install backdoors into software. It's a game of trust, and the only sure way of solving the problem is to remove the root offenders; seeing as that isn't an option, Mozilla has certainly taken the first step in a very right direction.