Mozilla Rebuffed in Effort to Get Code Vulnerability Disclosed to it First

by Ostatic Staff - May. 18, 2016

All around the world, there continue to be many people who want to be able to use the web and messaging systems anonymously, despite the fact that some people want to end Internet anonymity altogether. Typically, the anonymous crowd turns to common tools that can keep their tracks private, and one of the most common tools of all is Tor, an open source tool used all around the world. Not everyone realizes that Tor shares code with Mozilla's Firefox.

That shared code is why Mozilla recently asked the U.S. District Court for the Western District of Washington, in the interest of Firefox users, to have any vulnerability found in Tor disclosed to Mozilla first, before any other party learns of it. I covered the request here. Now, a federal judge has rejected Mozilla's bid to have the government disclose any vulnerability related to its Firefox web browser. Here are the details.

According to Reuters, U.S. District Judge Robert Bryan in Tacoma, Washington, has rejected Mozilla's request to intervene in the case against Jay Michaud, a school administrator charged in a pornography investigation:

"Bryan had previously ordered prosecutors to disclose to Michaud's lawyers a flaw in a browser used to view websites including the child porn one on the anonymous Tor network that is partly based on the code for Mozilla's Firefox browser."

"Mozilla, seeking to fix the flaw, moved to intervene, asking Bryan to force the government to disclose to Mozilla the vulnerability before revealing it to Michaud."

The Reuters report adds: "After the Justice Department asked Bryan to reconsider, citing national security, he said on Thursday prosecutors did not need to make the disclosure to Michaud. Bryan on Monday said that made Mozilla's request moot, adding it 'appears that Mozilla's concerns should be addressed to the United States.'"

Denelle Dixon-Thayer, chief legal and business officer at Mozilla, had written in a blog post:

"User security is paramount. Vulnerabilities can weaken security and ultimately harm users. We want people who identify security vulnerabilities in our products to disclose them to us so we can fix them as soon as possible."

"Today, we filed a brief in an ongoing criminal case asking the court to ensure that, if our code is implicated in a security vulnerability, that the government must disclose the vulnerability to us before it is disclosed to any other party. We aren’t taking sides in the case, but we are on the side of the hundreds of millions of users who could benefit from timely disclosure."

"The relevant issue in this case relates to a vulnerability allegedly exploited by the government in the Tor Browser. The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base. The judge in this case ordered the government to disclose the vulnerability to the defense team but not to any of the entities that could actually fix the vulnerability. We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed."

Mozilla makes an important point here. A lot of people forget that open source code bases get replicated across different tools. For example, the Chrome browser is based on Chromium code, and Chrome OS is based on Linux code. Clearly, Mozilla is mindful of the fact that Firefox and Tor share code, so the request to hear first about any discovered vulnerability sounds reasonable.

"Court ordered disclosure of vulnerabilities should follow the best practice of advance disclosure that is standard in the security research community," stresses Mozilla. "In this instance, the judge should require the government to disclose the vulnerability to the affected technology companies first, so it can be patched quickly."