Open-source organization Mozilla wants the FBI to reveal details about software flaws that might impact its Firefox Web browser. Denelle Dixon-Thayer, Mozilla’s chief legal and business officer, is optimistic that a legal challenge will be successful and help Mozilla protect its own users.
Security experts contacted by eWEEK, however, had mixed opinions on Mozilla’s legal efforts.
At issue is the FBI’s alleged use of an undisclosed vulnerability in the Tor Web browser to help take over a criminal child pornography Website. The alleged operator of the Website, Jay Michaud, is currently on trial, and as part of the case the FBI has been asked to reveal the vulnerability it used to hack Tor. The Tor Web browser is built on top of Firefox, providing built-in extensions to access the Tor onion router network that aims to provide users with a degree of anonymity and privacy. On May 11, Mozilla filed a legal motion to get access to whatever disclosure the FBI makes about the software vulnerability.
“Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor browser,” Dixon-Thayer told eWEEK. “At this point, no one—including us—outside the government knows what vulnerability was exploited and whether it resides in any of our code base.”
Dixon-Thayer is optimistic that the government will disclose the vulnerability to Mozilla. The government cannot use the evidence collected through the exploit in the proceeding without turning the exploit over to the defense, and then the exploit has less value to the government, she said.
“The diminished utility of the exploit means that the argument for not disclosing it to us becomes weaker,” Dixon-Thayer said. “Even if this court does not order disclosure, we will keep pressing the point that the safest thing to do for user security is to disclose the vulnerability and allow us to fix it.”
The real issue for Mozilla is responsible disclosure of vulnerabilities, which could have broad impact. The basic promise of responsible disclosure is that flaws are reported to impacted vendors so they can be fixed before they are actively exploited. Dixon-Thayer said Mozilla will continue to encourage the government to support the security of hundreds of millions of Internet users and to disclose vulnerabilities responsibly.
“We want people who identify security vulnerabilities in our products to disclose them to us, and we believe the default position for any government agency should be that vulnerabilities will be disclosed to the entity that can fix the vulnerability,” she said.
While Mozilla is optimistic about its chances of getting information on the alleged vulnerabilities, others are not so sure.
“It’s surprising that anyone would think that the FBI would disclose this vulnerability to anyone—much less to a third party unrelated to the criminal case at hand,” John Bambenek, threat intelligence analyst at Fidelis Cybersecurity, told eWEEK. “Mozilla suspects that this flaw may affect them, and perhaps they should be aware of it before it is made public to the world. But it’s academic, as the FBI has said they would likely drop the case if forced to disclose.”
When having to choose between a broad public interest such as safer software and a useful intelligence tool—a zero-day vulnerability, for example—almost every government would choose the latter, Bambenek said.
JP Bourget, CEO of Syncurity, said it would be surprising if the government agreed with Mozilla’s motion. Requiring disclosure to the source code author is the right thing to do, but the FBI will want to keep the vulnerability in its pocket for its own use.
“I can understand the argument that this makes sense to the FBI because it helps catch criminals, but we need to note the potential collateral damages to other users who could become compromised by this,” Bourget told eWEEK.
The FBI and Mozilla have very different concerns and objectives. Mozilla’s concern is privacy, and the FBI and other government agencies are concerned with protecting the United States and its citizens’ lives, according to Marcus Carey, founder and CTO of vThreat.
“Law enforcement and intelligence agencies shouldn’t have to divulge intelligence sources and exploit techniques unless it’s an issue of public safety,” Carey told eWEEK. “‘Are American lives at stake if the sources aren’t released?’ is the bar.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.