Judge says FBI can Keep Firefox Bug a Secret

John Lister's picture

A judge has refused Mozilla's request that the FBI be forced to hand over details of a potential security bug in its Firefox browser. Mozilla argued there was a risk of the bug becoming public, which would then put anyone using its browser(s) at risk of an online attack.

The request follows a separate criminal case involving a website engaged in indecent content depicting children. The site isn't available through ordinary web browsers such as Firefox, but instead runs through the Tor network.

The Tor network works using the world wide web, but data is sent on a different channel (so to speak). The idea behind the Tor network is to make it extremely difficult to trace the origin of somebody visiting a site. In this case, however, the FBI was able to track down the alleged offenders through a security bug in the Tor network software.

Tor Bug May Affect Firefox

The problem is that some of the code used to operate the Tor network was taken from the same open source library as Mozilla's Firefox web browser. That means there's a very good chance the security bug used by the FBI could also be present in Firefox, in turn compromising privacy and security for Firefox users.

Originally, the court agreed that the accused man's defense lawyers had the right to know the details of the bug in order to make their case and question the validity of the resulting evidence.

Mozilla then stepped in and argued that it should be allowed to see the bug details first, so that it could issue any necessary patches before the lawyers got their hands on the information and it effectively entered the public domain.

Judge Says Issue No Longer Relevant

However, the judge has now ruled that for national security reasons, the FBI doesn't have to hand over the details of the bug to the lawyers. As a result, the judge says Mozilla's demand is now irrelevant as the details will remain known only to the FBI. (Source: ibtimes.co.uk)

Mozilla disagrees and says it will now lobby the government directly to argue that no matter how securely it intends to keep the details of the bug, the responsible thing to do is let Mozilla know so that it can work on a fix if necessary. (Source: reuters.com)

What's Your Opinion?

Should the court have forced the FBI to tell Mozilla the details of the bug? If not, do you think the FBI should do so voluntarily? Does the benefit to society of investigators being able to exploit secret bugs to track suspects outweigh the risks of the bug going public before the software is patched?

Rate this article: 
Average: 5 (7 votes)


Dennis Faas's picture

This is a fine line between national security (as it's been suggested), and the need-to-know in order to do the responsible thing. I am however siding with Mozilla on this issue. If a serious bug was to be discovered that could put all Firefox browsers at risk, then I believe Mozilla has the right to fix their own software before it becomes exploited and potentially infects hundreds of thousands of people with malware, for example.

Navy vet's picture

The government can't keep anything secure. The details of the bug will be public soon enough.

Doccus's picture

Ah yes Dennis.. but you're thinking like a geek, not like a spook ;-) The FBI is thinking "we want to use it to catch more of those online baddies.. and not worrying about a bit o' that old "spilt milk" consequenses.
However, you're thinking "but hey.. it's THEIR software, (Moziilla's) not the FBIs..
Since the cat's now out of the bag, however, the tally appears to be Geeks =1 , Spooks=0 since they're not going to catch anybody now.. as they baddies are on guard against it..
Just my 2 cents, anyways....

Time's picture

Who doesn't think now that everyone knows there is a bug that the hackers are not going to look for it, raise your hand!

Boots66's picture

Time for Moxilla to do it's own homework - they more then likely can determine what code parts are similar in TOR and then determine what of their code is at fault - They should be open and ready for this anytime - The fact that they are crying out is that they have not done said homework as they should have and it has been publically pointed out!

tmcd's picture

I think the FBI should share the details of the bug with Mozilla. You know darn well if the bug were in a piece of software that made the FBI operations vulnerable they'd want it fixed.