Mozilla is finally taking part in the fight against the FBI, asking that it be the first to receive any and all information about the Tor vulnerability, even before that information is provided to the defendant in the lawsuit.
“At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base,” Chief Legal and Business Officer for Mozilla, Denelle Dixon-Thayer, wrote in a blog post.
Mozilla had asked the U.S. District Court in Western Washington that it be supplied with any information about the Tor vulnerability before it is released to anyone else, in the interest of all Firefox users. Mozilla explained that it needs to be informed first so that it can fix the vulnerability before it is made public. Since the Tor browser is a version of Firefox with some alterations that provide extra privacy features, Mozilla’s request is legitimized even further.
The FBI used the NIT in 2015 to monitor, track and trace visitors of the largest Dark Net child porn site, named Playpen. The NIT the FBI used delivered malware through a Tor Flash exploit. Once one of the more than 150,000 members unknowingly infected their own computer with the FBI’s malware, the FBI was able to see that user’s real IP address.
The District Court of Western Washington State asked the government to show information related to this particular Tor security vulnerability. The defense is requesting this to see whether the government went beyond the limits of the warrants used in the investigation.
According to the filing on Wednesday, Mozilla has warned: “absent great care, the security of millions of individuals using Mozilla’s Firefox internet browser could be put at risk by a premature disclosure of this vulnerability.”
So far, the government refuses to produce any information related to the vulnerability. Mozilla has said in its filing that “we have reason to believe that the exploit used by the government is an active vulnerability in our Firefox code base that could be used to compromise users and systems running the browser.”
Mozilla also raises the question of whether or not the exploit went through the Vulnerabilities Equities Process (VEP), a government procedure for deciding whether or not to share information on security vulnerabilities. According to Mozilla’s filing, “If Mozilla is not allowed to intervene in the case to protect our interests, the court should certainly allow us to appear as a friend of the court or amicus curiae.”