
This reasoning just doesn't apply at all to open source software like Firefox.

I think the reason OP points this out is because the old Sync system that Firefox had was much more secure (but unusable by the general public). We know this because we could see how it worked!




> This reasoning just doesn't apply at all to open source software like Firefox.

If you're using the automatic updating functionality (which the majority of people are) then it absolutely applies. Firefox's source code is available, but if you aren't verifying the source upon each update then that fact is largely irrelevant.

The whole point of OSS is to allow YOU to verify the software, and only then to build it when you're comfortable. If you are skipping the verify step and definitely if you're skipping the build step then the fact that it is OSS adds little to nothing security-wise (since the vendor can splice in anything they want).

So even with OSS you often either trust the vendor or you do not.

> I think the reason OP points this out is because the old Sync system that Firefox had was much more secure (but unusable by the general public). We know this because we could see how it worked!

I suspect we're having this discussion simply because people don't equate the automatic updater with JavaScript in their own mind. The reality is that if you trust Mozilla to provide software updates then you can trust them to provide JavaScript; after all, the software brought down by the updater has far greater system access and can do far greater damage than JS.


> If you're using the automatic updating functionality (which the majority of people are) then it absolutely applies.

Which is why I don't get my updates via an automatic Mozilla updater, but rather via my distribution.

> The reality is that if you trust Mozilla to provide software updates then you can trust them to provide JavaScript

As I indicate above, I don't trust them that much. You're right that the update problem and the JavaScript problem are identical.

Allowing pushed updates makes individual targeting far too easy for an adversary.


I think Mozilla is trustable (not being biased since I worked briefly there).

But to be fair:

> This reasoning just doesn't apply at all to open source software like Firefox.

This is not true. You can't tell what is actually running on the server side, so the protocol must be able to handle the encryption on the client side, with the server never able to read the plaintext in the first place, and this is actually problematic for many products out there claiming "oh our code is open source so you can trust us."


For the record, note that Firefox itself -- code shipped by Mozilla -- still saw your Sync credentials in Sync 1.1. There's no way for it to not do so!

In theory we could ship a hotfix that steals those, and still could; we wouldn't need to do it via the FxA content JS, which would only get to see them during account creation.

There is no such thing as perfect security.



