Today I came across a report in Trisquel GNU/Linux’s issue tracker describing a new bug in Mozilla Firefox which, Trisquel developer Rubén Rodríguez Pérez says “allows Mozilla to install any binary into the browser, through a dedicated system of updates”.
This situation is a clear indication of how Free Software underscores one’s security and how nonfree (or proprietary) software undermines one’s security.
Trisquel is a fully-free GNU/Linux operating system. The software in this system is entirely free for users to run, share, and modify at any time for any reason. Mozilla Firefox is a web browser developed by the Mozilla organization, a proponent of the Open Source development methodology which distributes Firefox as Free Software. The Free Software Foundation is a non-profit organization dedicated to informing computer users about software freedom (the freedom to use, study, copy, modify, and redistribute computer programs).
One week after the International Day Against DRM, Mozilla announced a partnership with proprietary software company Adobe to implement support for Web-based Digital Restrictions Management (DRM) in its Firefox browser. Mozilla changed Firefox so Firefox would prompt the user to install a proprietary program to decode a certain kind of video, the kind of video some video distributors such as Netflix, wish to use. Firefox will do this by looking at a list of repositories from which Firefox can download the program, download a program to do this job, and then run the program from the user’s system.
Firefox’s current implementation
We now know that this alleged “feature” is implemented in such a way that it could allow Mozilla to get the user to run any program Mozilla wants to publish (as Pérez describes). This is troubling because if the repository ever comes under the control of someone untrustworthy, the repository could be used as a distribution point for malware.
Mozilla could have chosen not to implement this at all; they could have chosen to point out the unethical underpinnings of nonfree software. The Free Software Foundation condemned Mozilla’s decision partly on this basis. But because of Mozilla’s allegiance to the Open Source development methodology which aims to not bring a user’s software freedoms or the ethics of software freedom to anyone’s attention and because of a fear of losing popularity with users for which there is no evidence, Mozilla instead praised their relationship with Adobe, a known enemy of software freedom.
But couldn’t any browser do the same? Why is Firefox uniquely worthy of mention here?
Any browser could implement the same mechanism in the same way (and for all we know other nonfree browsers already do this). But since Firefox is Free Software users have the freedom to:
- modify the browser to not load the externally-provided binaries in the first place thus avoiding the entire issue,
- distribute the improved freedom-respecting variant to others to help one’s community avoid the nonfree software,
- run the improved browser whenever they want and make it a part of a wholly Free Software operating system as Trisquel is doing. The power of a better example is compelling.
These freedoms allow programmers to deliver derivatives of Firefox such as “Abrowser” which respect a user’s software freedom by effectively disabling the malware-loading code and changing the browser so it won’t introduce users to nonfree add-ons by default.
Fortunately Firefox is not the only Free Software browser out there and users of other Free Software browsers have the same freedoms. Users of nonfree browsers don’t have these freedoms and are thus at the mercy of whatever the browser developers want to allow (and whatever the programs those browsers install allow).
So the big deal is freedom of choice, right?
No. Software freedom is not freedom of choice because freedom of choice is easily turned against the user. Imagine if all the browsers a user had to choose from were nonfree. That user would have to choose amongst a variety of browsers where none of the choices were safe from this malware distribution mechanism. If a user didn’t want malware they’d have no freedom to prevent malware from being distributed to them, posing as a program purporting to offer some benefit, and running that malware without having any opportunity to vet the software or reject it.
But I’m not a programmer! I can’t vet any software. Whether the browser is Free Software or not doesn’t matter to me, right?
Software freedom should matter to all computer users because we all need to make sure our computers are safe for us to use. There’s too much Free Software out there to vet all of it ourselves, we have to rely on someone to do some vetting for us. But if we don’t support software freedom for its own sake we can’t trust anyone to review software with our interests in mind. This leaves us at the mercy of those who will do us harm by getting our computers to run malware.
How bad can this get?
In 2008 Argentinian security researcher Francisco Amato notified Apple of a remotely-exploitable hole in iTunes. Apple iTunes users had no way to know that a bogus update wasn’t coming from Apple but was instead “FinFisher”, a trojan horse program designed “to permit surreptitious PC and mobile phone surveillance” according to Brian Krebs. Apple took over 3 years to distribute a patch fixing the security update mechanism.
We can’t know what other problems await iTunes users because iTunes was and is nonfree software. Users aren’t allowed to inspect, share, or modify the program. So even if users find another problem with iTunes they can’t legally prepare and distribute an improved version of iTunes that doesn’t have the flaw. The same problem applies to all nonfree programs.
What can Mozilla do instead?
Mozilla can’t and shouldn’t control which websites one visits. But Mozilla can control what Firefox presents to the user as a reasonable addition to enable some desired functionality. And this situation gives Mozilla an opportunity to educate users about the problems with DRM and the tough choice they face in delivering a browser that respects user’s software freedom even when those freedoms mean doing without Netflix. Mozilla should not make it easier for users to run nonfree software.