In an effort to ensure the security of its Firefox browser, Mozilla has filed a brief with a US district court in Washington to request that the government reveal details about a vulnerability the FBI discovered in the Tor browser.
Back in 2015, the the agency launched ‘Operation Pacifier’ to track down pedophiles frequenting Playpen, an infamous destination on the Dark Web for images of child sexual abuse.
Ever been to a tech festival?
TNW Conference won best European Event 2016 for our festival vibe. See what's in store for 2017.
Instead of shutting Playpen down completely when it seized control of the site, the FBI chose to move it to their own servers and continue running it clandestinely in order to identify and pursue legal action against potential predators.
However, there were other complications with the agency’s plans. Since Playpen was hosted on the Dark Web, it could only be accessed through the Tor browser that readily makes the identity of its users anonymous (or, at least, a lot more secure).
To bypass Tor’s enhanced security measures, the FBI exploited a vulnerability in the browser and developed its own hack that allowed agents to infect computers with malware and collect unique IP and MAC addresses that could help accurately identify predators.
While the aforementioned vulnerability was found in Tor, Mozilla’s Danielle Dixon-Thayer explained in a blog post it is paramount that the government discloses the security flaw as millions of Firefox users might be susceptible to the vulnerability too.
The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base.
The judge in the Playpen case previously ordered the government to disclose the vulnerability to the defense team, but not to any other entities or third-parties that actually have the capacity to resolve the security issue.
Given that the vulnerability puts the privacy of more than 10 percent of all Internet users in danger, it’s easy to side with Mozilla on this one.