Mozilla wants to know how the FBI broke into its browser, and is using an ongoing court case to try to force the government to tell it. The case revolves around the Tor Browser, a Firefox-based browser that allows individuals to browse the web anonymously and deter surveillance.
FBI agents somehow broke into the browser of Jay Michaud in an effort to catch him in the alleged act of downloading child pornography. While Mozilla is obviously not taking Michaud’s side in the case, the organization felt it important to know how exactly agents got into Tor in the first place.
“At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,” Mozilla’s chief legal and business officer Denelle Dixon-Thayer said in a Wednesday blog post.
What makes this case interesting is the judge’s ruling on disclosure of how the hack was done. U.S. District Court Judge Robert Bryan ordered the FBI to disclose the nature of the vulnerability to Michaud’s defense team, but also forbade them from passing the vulnerability on to either Tor or Mozilla, whose browsers may be somehow vulnerable.
“We don’t believe that this makes sense because it doesn’t allow the vulnerability to be fixed before it is more widely disclosed,” Dixon-Thayer argued.
Judge Bryan’s decision is curious, and could show a lack of understanding of how security flaws are disclosed. While the courts have a valid reason for protecting the right of the FBI to perform its investigation the best way it sees fit, innocent Tor and Firefox users might be at risk. The security community has long followed the practice of alerting the software makers themselves to any discovered flaw first.
The thinking is that if the developers learn of the vulnerability first, any harm from malicious use can be minimized. Here, Mozilla has no idea what is wrong with its browser, so there is no way to fix it.
“We are on the side of the hundreds of millions of users who could benefit from timely disclosure,” Dixon-Thayer said. A full copy of Mozilla’s amicus curiae brief is available from the organization’s website.