November 1, 2007 7:01 AM PDT

A dangerous conflict of interest between Firefox and Google

by Chris Soghoian

Update: This blog post was edited after receiving complaints from a number of Mozilla employees. For a list of the edits, go to the bottom of the post.

The Firefox browser may not be as independent as previously thought. Mozilla essentially owns Firefox, and it proved so when it flexed its muscles last year in forcing Debian to rename its browser IceWeasel.

However, the open secret in the tech sector is that at the end of the day, Google calls the shots. As this blog post will explain, when a pro-user security feature in the browser threatens Google's business model, it is the feature that is made to compromise--not the search engine.

Embrace Google Freedom (TM)

(Credit: Sgrah / flickr)

First, a few highlights of the Firefox-Google relationship.

Fact: $56 million of the $66 million that Mozilla made in 2006 came from Google. The vast majority of this was due to the fact that Google is the default search engine for queries entered into the Firefox search bar.

While Apple also gets a nice chunk of change from Google for the search bar in its Safari browser, Apple has enough other sources of revenue that it can easily walk away from Google's cash.

Fact: Users who enter keywords or misspelled URLs into the Firefox 2.0 location bar will essentially be running a Google "I'm Feeling Lucky" search. That is, they will be taken to the first result for a Google search query for those terms.

Fact: In addition to the Google cash flowing to Mozilla, a number of Google engineers spend significant amounts of time working on Firefox. This includes Ben Goodger, the former lead developer, and still a major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser.

Fact: Two key features of the Google Toolbar for Firefox were rolled into the Firefox 2.0 browser and are turned on by default: Google Browse By Name and Google Safe Browsing for Firefox (now the Phishing Protection feature in Firefox 2.0). These two features, while useful, are more than just the application of a useful patch. They result in millions of Firefox browsers regularly polling Google servers for core information.

Fact: The Google Anti-Phishing relationship will be expanded in Firefox 3.0. While Google currently is the default provider of a blacklist of known phishing sites to the browser, this will be enhanced to include a blacklist of sites that serve up malicious software.

Fact: Google pays AdSense publishers (Web site owners) $1 for each new user who installs Firefox + Google Toolbar as a result of a referral link from one of their pages.




The fact that Google wants to encourage a standards-compliant alternative to Internet Explorer is logical, and it makes good business sense for the company. The company's very ability to make money depends upon users being able to access its various Web-based applications. If Microsoft controlled 90 percent of the browser market, and it could "accidentally" break Google's Web sites with a software update, the search giant would be in serious trouble.

Dear Mozilla - remember your priorities.

(Credit: lautreamax / flickr)

Of course, from the perspective of limiting the chance of government regulation, antitrust actions and any controversy over the company's acquisitions (such as with DoubleClick), there are some serious strategic advantages to being able to say Firefox is controlled by a bunch of open-source developers--and that it is not taking its orders from the Googleplex.

The close relationship between Google and Mozilla leads to a number of serious conflicts of interest. The end result is that users' online privacy and security take a backseat to the protection of Google's revenue streams. I will now explore two particularly chilling examples of this conflict of interest.

Ad blocking

The AdBlock Plus Firefox extension is getting to be extremely popular. It has been featured in The New York Times, and it is regularly included in various "top 10" lists of Firefox extensions on major blogs and other popular Web sites. For those of you who have not yet tried it out, AdBlock Plus (and its essential sidekick, the Filterset G Updater) completely revolutionizes the Web-browsing experience. After surfing without ads for the last few years, having to use a public computer without AdBlock Plus is a frustrating, distracting, and unpleasant experience.

While AdBlock Plus is fantastic at getting rid of most banner ads, it doesn't do the best job of targeting Google's text-based advertisements. This is where another immensely useful extension, CustomizeGoogle, comes in handy.

In addition to blocking Google's text ads (on all Web sites, including Google Web properties such as Gmail and Google Calendar), the extension also protects user privacy. With CustomizeGoogle installed, the search engine's tracking "cookies" are not accepted. This means that users cannot be tracked across multiple sessions. They can deny the search engine knowledge of which links a user clicks on from the results page of a search.

Given the cavalier attitude that the company has to user privacy (tracking users via cookies, unless the user leaves a two-year gap between visits to a Google Web property), CustomizeGoogle is one of the few ways that users can take proactive steps to protect their own privacy online.

This begs the question: why doesn't Firefox adopt the features of AdBlock Plus and CustomizeGoogle? While the terms of Google's contract with Mozilla are not public, even if Mozilla were contractually free to include anti-Google-tracking features, it would not be a wise move, business-wise. After all, it is not too smart to anger the company that provides more than 85 percent of your financing.

This is all conjecture, of course, but why else would the Firefox team not roll in the features of two extensions that are widely popular and that do so much to protect users from annoying advertisements and creepy privacy intrusions online?

Firefox Phishing Protection

(Credit: Firefox/Mozilla)

Phishing Toolbars

There is a normal cycle when a new phishing site is created. It works something like this:

  • A new phishing site is created and is e-mailed about to thousands of people.
  • Someone tips off Google, which adds it to the phishing blacklist.
  • Millions of Firefox browsers download the latest blacklist from Google.
  • Users who click on e-mails, taking them to the phishing site, receive a clear warning from Firefox, telling them that the site is malicious.

However, what happens when the phishing site is hosted by Google?

This very issue was discussed by noted Web application security expert Robert "RSnake" Hansen in August. RSnake discovered a cross-site scripting (XSS) flaw in Google's gmodules.com Web site. The security flaw, which has yet to be fixed, was dismissed by the Google security team, which claimed that it was, in fact, an intended design feature.

RSnake described the significance of the vulnerability, stating that the exploit would allow someone "to take over other people's Web sites when they embedded the erroneous third-party code. Kinda nasty. Unlikely, but nasty. More likely, it would simply be in phishing sites that didn't want their sites taken down, but wanted Google's to be taken down instead."

This brings us to a really interesting dilemma. Google has a well-known flaw in one of its Web sites that can be (ab)used by phishers and malicious hackers. Google refuses to fix the flaw, as it believes that it is not a problem. Google also operates the Firefox phishing blacklist. Will Google add one of its own domains to the phishing blacklist? Of course not!

RSnake, who worked in the antiphishing blacklist area for some time, makes several claims. On his blog, he wrote that "the browser companies have to maintain a list of sites that aren't phishing sites but often get flagged as phishing sites. Google happens to host a lot of those.

In reality, Google is being used to phish consumers or redirect them to phishing sites, but Google doesn't really fix this problem. Instead, it tells the browser companies to whitelist its sites, regardless of the fact that consumers are losing their identities as a direct result of Google's actions in two ways: 1) because it has not ended the vulnerability and 2) because of its insistence in being marked as a 'good' site."

Essentially, what he claims is that with Google's rather menacing legal department, no other competing antiphishing company will dare to include a Google-owned domain on a blacklist. In addition, Google's domains get included on a whitelist shipped with antiphishing software, which is a list of domains that will never cause warnings.

RSnake further claims that in addition to intimidating the other firms in the market, Google refuses to include its own Web properties in the Firefox phishing blacklist, which it maintains.
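
The precedence problem described above, as an added example (not from the original post, and not Firefox's or Google's code): a simplified model of a client that consults a never-warn whitelist before its blacklist, plus an audit that lists the blacklist entries the whitelist makes unreachable. The list format, the function names and the `.example` hostnames are assumptions constructed for illustration.

```javascript
// Simplified model of list-based phishing protection with a "never warn"
// whitelist. Illustrative only: this is not Firefox's or Google's code, and
// every hostname and list entry below is constructed sample data.

// True when `host` is `domain` itself or one of its subdomains.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Lower-case the host and drop a trailing dot so "Host.Example." compares
// equal to "host.example".
function normalizedHost(url) {
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// Classify one URL. The whitelist is consulted first, so a whitelisted host
// never produces a warning, even when a blacklist entry also matches it.
function checkUrl(rawUrl, lists) {
  const url = new URL(rawUrl);
  const host = normalizedHost(url);
  const allowedBy = lists.whitelist.find((d) => hostMatches(host, d));
  const blocked = lists.blacklist.some(
    (e) => hostMatches(host, e.host) && url.pathname.startsWith(e.pathPrefix)
  );
  if (allowedBy !== undefined) {
    return { verdict: "allow", reason: "whitelisted:" + allowedBy, suppressed: blocked };
  }
  if (blocked) {
    return { verdict: "warn", reason: "blacklisted", suppressed: false };
  }
  return { verdict: "allow", reason: "unlisted", suppressed: false };
}

// Audit helper: blacklist entries that can never trigger a warning because
// the whitelist already covers their host.
function shadowedEntries(lists) {
  return lists.blacklist.filter((e) =>
    lists.whitelist.some((d) => hostMatches(e.host, d))
  );
}

// Constructed sample lists: one whitelisted provider, two reported pages,
// one of which is hosted under the whitelisted provider's domain.
const SAMPLE_LISTS = {
  whitelist: ["bigprovider.example"],
  blacklist: [
    { host: "login-update.example", pathPrefix: "/" },
    { host: "gadgets.bigprovider.example", pathPrefix: "/ig/fake-login" },
  ],
};

// Constructed sample URLs a user might click on.
const SAMPLE_URLS = [
  "http://login-update.example/signin",
  "http://gadgets.bigprovider.example/ig/fake-login?x=1",
  "http://GADGETS.BigProvider.example./ig/fake-login",
  "http://notbigprovider.example/",
];

// Classify every sample URL and return the results for inspection.
function runSample() {
  return SAMPLE_URLS.map((u) => ({ url: u, ...checkUrl(u, SAMPLE_LISTS) }));
}

for (const r of runSample()) {
  console.log(r.verdict.padEnd(5), r.reason.padEnd(32), r.suppressed ? "SUPPRESSED" : "", r.url);
}
console.log("shadowed entries:", shadowedEntries(SAMPLE_LISTS).map((e) => e.host));
```

Running the audit whenever either list changes shows which reported pages users will never be warned about.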

While RSnake does nothing to hide his lack of love for the big G, his reputation in the Web application security arena is top-notch. Furthermore, in the two months since RSnake first made his concerns public, no one from Google has publicly disputed anything he has said.

With Google providing the blacklists for the new antimalware features in Firefox 3.0, we should all be asking: Can we trust Google? To paraphrase the old phrase, who will blacklist the blacklisters? With control of hundreds of millions of Firefox browsers, what incentive does Google have to keep its own Web properties free of phishing sites?




A number of edits were made to this blog post on the evening of November 1, 2007, to reflect feedback received from Mozilla Corp employees.

The following edits were made:

Original: "This includes Ben Goodger, the lead developer for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many resources at the browser."

Now: "This includes Ben Goodger, the former lead developer, and still major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser."

The following text was removed from the introductory paragraph: "When the Big G wants some technology in Firefox, a patch gets applied." - Several Google developed features (including Safe Browsing/Phishing Protection) are now in the mainstream browser, however, this sentence could be read in many ways, and so it seemed best to remove it.

This paragraph was removed: "Fact: While Mozilla's contract with Google ends next year, it is highly unlikely that Mozilla will shift to another search engine, even if paid more. The simple reason for this is that lots of users like the Google search experience. If Firefox switched, say, for example, to MSN Live Search, many users would be up in arms. Thus, while Mozilla can keep taking Google's money, it can't realistically switch the default search engine to any other Web site." - I erred in placing this in the "Fact" section, when in fact it should have been noted as a conjecture. In any case, it has been removed completely.

Originally posted at Surveillance State
Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
Google calls the shots?
by albill November 1, 2007 11:55 AM PDT
You say:

"However, the open secret in the tech sector is that at the end of the day, Google calls the shots. When the Big G wants some technology in Firefox, a patch gets applied."

Please give a specific example (heck, more than one would be even better) where this has happened. When did "Big G" desire a technology in Firefox and get a patch through? Since Bugzilla (bugzilla.mozilla.org) is an open database of bugs outside of currently open security issues, you should be able to point to the actual bug linked to the check-in, right?

Also, your linked article about Google people being paid to work on Firefox is from January, 2005. This is in the Firefox 1.0 timeframe. Firefox 1.5 and 2.0 have shipped since then and 3.0 is going into beta soon. Can you point to a current article or information that shows that anyone from Google is currently being paid to work on Firefox or has in, oh, the last year or two?

The fact checking seems a bit weak here.
Editing without telling people?
by albill November 1, 2007 1:59 PM PDT
I see that the content of this post is changing and you aren't mentioning that you're editing your post. I received your email (from a null return address) mentioning that you were going to do this as well.

Normal blogging etiquette is to note at the bottom of a post with an "Update:" plus the details of your update when you go back and edit a post. Otherwise, it looks like you are trying to go back in time and change your words after people have commented on them. It damages credibility not to note the changes.

Your NEW edits state:

"Fact: In addition to the Google cash flowing to Mozilla, a number of Google engineers spend significant amounts of time working on Firefox. This includes Ben Goodger, the lead developer for the browser. "

Ben Goodger is not the lead developer for Firefox. He isn't even the module owner for the Mozilla module. If you look at http://www.mozilla.org/owners.html, he isn't listed anywhere. Looking at the history link at the bottom of the page, it looks like his name was removed on September 6, 2006, more than a year ago.
Typo in my comment
by albill November 1, 2007 2:03 PM PDT
I mistyped the module and I guess my edit got lost. I meant to say "Ben is not the owner for ANY Mozilla module."
Edits noted
by csoghoian November 1, 2007 4:53 PM PDT
The full text of all edits made have been listed at the end of the blog post.....
Thank you for noting the changes
by albill November 1, 2007 6:57 PM PDT
Thanks for noting the changes. My last disagreements still stand (and a general disagreement with this post) but this helps.
I like a lot of what Google does but,
by multicaster November 1, 2007 7:28 PM PDT
it makes you question the decision to cut Thunderbird loose, doesn't it?
Cut Loose by creating a funded home?
by albill November 1, 2007 8:50 PM PDT
Does creating a new corporation dedicated to Thunderbird and seeding it with a
few million dollars qualify as "cutting loose"? If so, I can use someone cutting me
loose as well. :-)
Ben seems to still be doing Firefox stuff
by csoghoian November 1, 2007 7:30 PM PDT
Ben's wikipedia page says he is the project lead - which, after reading it in 3 articles, was the last place I verified the info.

His personal site (http://www.bengoodger.com/about/ben.shtml) says that "In the Firefox 2.x cycle, I worked with a team of engineers at Google to prototype an ambitious new Bookmarks and History system which was ultimately delayed until Firefox 3. I also implemented the user interface for Firefox 2's feed handling feature. At Google, I wrote the Suggest Extension for Firefox, which has made its way into Firefox proper for Firefox 2."

This would seem to suggest my statement that a number of Google engineers are working on Firefox projects, some of which have already made their way into the browser, and others which will be in soon.

Also - from a 2006 interview with Darin Fisher, another Firefox developer turned Google Employee ->
http://mozillamemory.org/details.php?id=946&p=1

"I work on Firefox primarily. I work on other things related to Firefox and I help other teams who are trying to work with Firefox. There's various things that Google's done to extend Firefox. We've published about five extensions I believe from the Google toolbar to an anti-phishing extension to various other things that are meant to sort of make Firefox more attractive to users so with my experience having worked on Mozilla, I try to help other folks here who are trying to build extensions to Firefox, in addition to just contributing directly to Firefox."
Well, unfortunately you're still wrong.
by albill November 1, 2007 8:46 PM PDT
As far as I can tell asking around and in my experience working at MoCo,
neither Ben nor Darin have really been involved in a year or more. In day to
day life, I have never encountered a Google employee whose job it is to work
on Firefox. The only people that I know who have actual jobs working on
Firefox for pay are employees of MoCo.

The people doing much of the work of the Places feature that you mention
are MoCo employees. I know this since I'm one of the two primary MoCo QA
people who own the testing of Places for Firefox 3. I have a pretty good idea
of who I work with every day.

You can cite all of the pages about Ben you want but he is not in charge of
anything to do with Mozilla and hasn't been for quite a while. Your time
might be better spent by e-mailing him and discussing it with him (and
asking him to get those pages updated) rather than defending mistakes by
saying "But I read it on a web page."

I find your post, in general, to be so ridden with errors and FUD that I wonder
what your motivation was in creating it.
The Community
by albill November 1, 2007 8:48 PM PDT
All of this also distracts from the real strengths of Firefox and Thunderbird,
which is the huge community around each that downloads builds, tests them,
writes up bugs, and codes fixes for them. It is a cooperative effort, not a Google
one, as much as they are a partner of the Mozilla Corporation.
This is absolute nonsense
by mvent2 November 1, 2007 10:51 PM PDT
I can rebut these "arguments" in my sleep. They don't incorporate the Adblock Plus extension because it is just that: an extension. If Mozilla really was subject to a mommy Google, they would blacklist Adblock Plus from being installed entirely. Yet they host the extension on their own website. It is treated like any other extension. This is just sensationalism of a Microsoft competitor, something that I am seeing all too often on CNet nowadays. Maybe CNet is the one subject to an overlord? Microsoft?

And your second point is rubbish. If one of CNet's features "could possibly be abused by phishers" despite the legitimate use of the feature being staggeringly overwhelming, would you think it was fair if your site was blacklisted? Of course not. Don't forget that other phishing sites can easily contact Mozilla or write an extension to provide their own service as an option for this feature. But I forgot, this is CNet, it must do all it can to make Lord Ballmer look good and his competitors look evil. Jesus Christ...
A correction from what I said
by albill November 2, 2007 12:26 AM PDT
Some fellow Mozilla people have told me that I made an error when I said,
"The only people that I know who have actual jobs working on Firefox for pay
are employees of MoCo."

Well, it isn't an error in that I, personally, don't know people outside of MoCo
working on Firefox as part of their jobs but it was pointed out to me that
there are a number, such as the people at IBM working on SVG.

I wanted to correct that since my implications there are not correct. Since I'm
relatively new to Mozilla, I should probably not be surprised at all that I am
ignorant of everyone involved.
Why Adblock Plus is not built-in
by Wladimir Palant November 2, 2007 2:44 AM PDT
> This begs the question: why doesn't Firefox adopt the
> features of AdBlock Plus

This question is easy to answer - because this requires lots of time that I don't have at the moment. Adblock Plus is not designed as a built-in feature but as an addition. The requirements on built-in features are very different - in terms of performance, UI complexity and usability. This would require a major rewrite that I cannot do right now. Mozilla offered me to write down some specs so that some intern might try to work on this - but so far I didn't manage to do this either.

As to CustomizeGoogle: any extension targeting a single site (even if it is a large site) is not a candidate to become a built-in feature. Also, such a feature would require an update every time Google's sites change - probably acceptable for a (not very common) extension but definitely not for Firefox.

Btw, Adblock Plus can take care of all Google's ads just fine. But for that you have to get rid of the relict that is Filterset.G Updater (http://adblockplus.org/en/faq_project#filterset.g) and use subscriptions like EasyElement+EasyList (http://adblockplus.org/en/subscriptions).
My opinion on firefox
by duraniejen November 3, 2007 9:09 AM PDT
I started using Firefox about a year ago, because I was having too many
problems with Internet Explorer. I ended up with viruses, spyware, adware, you
name it. Not counting pop-ups that kept coming no matter how many
blockers I had. Well now I no longer have these problems. And I will continue
to use it. As far as Google, it would not surprise me what they do; after all they
are a big corporation and most corporations only care about making money.
But they must someday realize these practices will drive customers away. And
once a consumer distrusts a company they will always remember what the
company did and they will stop using their products, and word of mouth will
hurt a company more than anything. So Google will get their justs sooner or
later.
Answer to the question
by netsharc November 6, 2007 6:35 AM PST
> why doesn't Firefox adopt the features of
> AdBlock Plus and CustomizeGoogle?
Because those features are not core features of the browser and would just distract the developers from doing their main jobs. If you start adding in all the extensions people deem popular you'd end up with a program that is too cluttered, bloated, slow, and no one wants to use (old ICQ versions come to mind (well current messenger versions come to mind), ICQ even admitted their product (which even included a lite web server at one stage) was too bloated when they released ICQ-Lite).

Firefox came from Mozilla which emulated Netscape Navigator and wanted to do browser, mail, html editor and calendar all in one. They've abandoned that approach, so I don't think they want to return to it by piling in the extensions.

Plainly, you were just trying to find an argument to support your theory that Google is influencing Microsoft. Too bad that one is not one of the valid ones...
"Firefox" not "Microsoft"
by netsharc November 6, 2007 6:36 AM PST
Argh, that last paragraph should've read:

Plainly, you were just trying to find an argument to support your theory that Google is influencing Firefox. Too bad that one is not one of the valid ones...
Why not block Ads and have fun
by wibiki November 18, 2007 2:42 PM PST
You don't need Firefox to block ads. Just join wibiki.com and it will block ads if you want and you can microblog in the adspace as well.
by bengance March 11, 2008 4:43 PM PDT
Hey, I thought it was an interesting article, thanks for writing.

For any executive, when one company provides that high level of funding, it's going to be on their mind. That's why when companies get a financial statement audit they often have to disclose relationships of such magnitude.
by Pete2345 July 8, 2008 4:49 AM PDT
This article reads like 9/11 conspiracy theory. It strings together a bunch of loosely related half facts. So basically what this guy is saying is...

1. He likes the ad blocker extension
2. He read about his favorite extension on a blog and in the New York Times
3. Because he has read about the extension, and likes it, it must be popular
4. Google probably doesn't like the extension because it blocks ads (though he contradicts himself on this supposition because he mentions that it does a poor job of blocking Google's text ads)
5. Therefore Mozilla must be in Google's back pocket because they don't include this extension by default as part of Firefox.

Real weak sauce. This author should be embarrassed by the low quality of this article and his lack of journalistic integrity.
by mvario September 24, 2008 6:06 AM PDT
Good article, thanks. One that you forgot was the <a ping> tag which Darin Fisher (Google employee and now one of the leads on the Chrome browser) pushed through which makes link tracking more transparent.