In this interview, Mozilla's technology strategist Mike Shaver responds to and rejects recent claims that Firefox and Google are getting a bit too close for comfort. Mozilla is independent, he says, with or without Google's $56 million.
I received a fair bit of criticism for a blog post that I wrote last week describing what I believe is the extremely close relationship between Google and Mozilla. Mozilla's PR people complained, Firefox developers left critical comments in the blog post itself, and I received a number of e-mails from upset individuals. All had concerns with the claims and the general tone of my blog post. In order to try and clear things up, I had a chat with Mike Shaver, the technology strategist for Mozilla (the for-profit company holding the rights and purse strings for Firefox).
In my blog post last week, I stated that "in addition to the Google cash flowing to Mozilla, a number of Google engineers spend significant amounts of time working on Firefox. This includes Ben Goodger, the former lead developer, and still a major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser."
Mike disagreed, stating that "absent a surprising error on my part, there are no Google employees paid to work on Firefox at this time." Clarifying further, he said that "we don't see significant code contributions at this time from Google." He did, however, acknowledge that Google engineers had contributed significant contribution to the browser in the past, stating that "there was a time when a large number of Google developers were working on Firefox." As examples of this, he cited the built-in spell-check system, the crash reporting system, and database code.
Another Mozilla employee and Firefox developer, Stephen Donner, further clarified the situation in an e-mail by stating, "the only Google employees who currently work on anything related to Firefox would be Tony Chang, an employee on their security application team, who works on the anti-phishing stuff, but mostly in the form of reviewing our employees' code."
On the issue of Google developers and the Firefox code base, I stand corrected.
"Making a perfectly secure browser is trivial," Mike joked. This could be done, he said, by "stopping [the browser] from showing anything on the Web." The difficulty, he argued, was in creating a browser that is both usable and secure. "If [the browser] is not usable, and users have to sacrifice productivity, they won't use it at all." Finding the balance between something that millions of people will use, yet which is secure, is a constant struggle, he said.
In my recent article, I cited complaints by security researcher Robert Hansen into Google's unwillingness to fix its own vulnerabilities, and the interesting situation this created, given that Google also creates, maintains, and distributes the antiphishing blacklists used by Firefox.
Speaking on the subject of the phishing blacklist, Mike stressed that "the quality of that list is of paramount importance." He also said that it was vital, both for users and for the strategic health of Firefox, that the source of the blacklist could be easily changed. On this subject, he said that "it is important that people can switch the provider. We (Mozilla) maintain the flexibility to switch if we discover that there are problems with a blacklist. We evaluate this all the time." He was careful to add that "none of the financial ties (between Google and Firefox) relate to the "antiphishing blacklist" or Mozilla's choice in the provider of the blacklist data.
On the subject of the browser using multiple blacklists at once (in order to stop any one company having too much power), Mike said that "we would be open to the idea." He was careful to note, however, that "blacklists are expensive" and that most high-quality sources of phishing data cost money, due to the manpower required to keep them updated. One of the key factors in Mozilla's decision to use Google's blacklist, he said, was the fact that Google is not charging for it.
Mike also revealed that unlike the phishing blacklist, which Google maintains and updates, the new antimalware blacklist that the upcoming Firefox 3.0 will be using will come from stopbadware.org, a project lead by Harvard University and Oxford University. Google will still provide the infrastructure for distributing this list to the 120 million-plus Firefox users, but the company will not have editorial control over this blacklist.
Update: Mike later informed me that he was wrong, and that the anti-malware list will come from Google. The search giant will maintain editorial control over the list, just as it currently does for the anti-phishing blacklist. For more on this, see recent blogposts by Mike, and one by the folks at stopbadware.org.
Regarding the specifics of Robert Hansen's claims, Mike drew a careful line between hosted phishing Web sites and "legitimate" Web sites that were vulnerable to Cross Site Scripting (XSS) attacks. "We do not expect to put XSS sites in the phishing database," he stated. The main reason for this, he argued, was the risk of confusion to users attempting to initiate a legitimate session to vulnerable Web sites, as compared with users following a XSS link to the same site. "False positives lead to user loss of trust in the feature," he was careful to say. Once users lose trust in the antiphishing blacklist, they either start ignoring the warnings, or turn off the features. At least for now, Mike said, it is "premature to block XSS domains, regardless of where the content is hosted."
Firefox is currently vulnerable to a number of history sniffing attacks, which can allow an attacker to learn which Web sites a user has visited in the past. This can be used by criminals to build phishing sites tailored to the bank that a victim uses. An example of this attack can be seen by viewing the Browser Recon project, created by my colleagues at Indiana University. The vulnerability that these attacks take advantage of has been known to the Firefox developers for some time. A bug report and accompanying lengthy conversation between developers and security researchers in the Mozilla bug database goes back to 2002. A partial fix to some of these attacks has been available in the form of two Firefox extensions, made by Stanford University security researchers in 2005.
Speaking on the subject of history sniffing attacks, and the need for a fix, Mike said that "it is certainly something that we want to remedy." He cited the difficulty of finding a fix that closed off all methods of attack, yet while providing users with the ability to utilize key features of browser history tracking. The main reason the attacks were still possible, he said, was that there were simply higher priority attacks that developers had to spend their time on.
On the subject of Firefox extensions, Mike had good news on the security front for the upcoming 3.0 version of the browser. In June of this year, I announced a vulnerability in the upgrade process used by many big name (Google, Yahoo, Facebook) browser extensions. Starting in Firefox 3.0, the browser will refuse to install extensions that are not served via a secure upgrade path. This can either be via a secure Web server (https://), or using digital signatures. This only really affects commercial extension authors, as the vast majority of open-source extensions are hosted by Mozilla, and have been secure out-of-the-box for quite some time.
Finally, Mike spoke on the subject of the widely popular AdBlock Plus extension, and the reason it had not been merged into the mainline Firefox browser. "Rolling something into the mainstream trunk means that it needs to be suitable for all of our users." Citing past experiences, he said that "When we have integrated extensions in the past, it has taken a lot of work to get it to the point where it was appropriate for the kind of people who do not install extensions." One of the key factors for AdBlock plus, he said, was the extension's heavy use of resources. The oft-repeated claim of " 'too much memory use' is a big concern for us, and so we are hesitant to pull in a huge piece of functionality. Especially for 120 million users."
He was also careful to contrast between AdBlock Plus and the pop-up blocker already included with the browser. The pop-up blocker is content neutral, in that it neutralizes all pop-ups, be they from commercial entities, or an individual home page. He is very wary, he said, of any technology that targets the specific content of Web sites (such as commercial images), as opposed to merely an annoying delivery mechanism. He summed up Mozilla's position on the issue by stating, "neutrality and being agnostic to the field of use are tenets of open-source values. It is Important, as we (Firefox) have a tremendously powerful position. We take that very seriously, to protect integrity of the user experience and of the Web."