A dangerous conflict of interest between Firefox and Google
Google's control over the browser is far more significant than many understand, writes Chris Soghoian. What happens when a browser feature threatens Google's business?
Update: This blog post was edited after receiving complaints from a number of Mozilla employees. For a list of the edits, go to to the bottom of the post.
The Firefox browser may not be as independent as previously thought. Mozilla essentially owns Firefox, and it proved so when it flexed its muscles last year in forcing Debian to rename its browser IceWeasel.
However, the open secret in the tech sector is that at the end of the day, Google calls the shots. As this blog post will explain, when a pro-user security feature in the browser threatens Google's business model, it is the feature that is made to compromise--not the search engine.
First, a few highlights of the Firefox-Google relationship.
Fact: $56 million of the $66 million that Mozilla made in 2006 came from Google. The vast majority of this was due to the fact that Google is the default search engine for queries entered into the Firefox search bar.
While Apple also gets a nice chunk of change from Google for the search bar in its Safari browser, Apple has enough other sources of revenue that it can easily walk away from Google's cash.
Fact: Users who enter keywords or misspelled URLs into the Firefox 2.0 location bar will essentially be running a Google "I'm Feeling Lucky" search. That is, they will be taken to the first result for a Google search query for those terms.
Fact: In addition to the Google cash flowing to Mozilla, a number of Google engineers spend significant amounts of time working on Firefox. This includes Ben Goodger, the former lead developer, and still a major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser.
Fact: Two key features of the Google Toolbar for Firefox were rolled into the Firefox 2.0 browser and are turned on by default: Google Browse By Name and Google Safe Browsing for Firefox (now the Phishing Protection feature in Firefox 2.0). These two features, while useful, are more than just the application of a useful patch. They result in millions of Firefox browsers regularly polling Google servers for core information.
Fact: The Google Anti-Phishing relationship will be expanded in Firefox 3.0. While Google currently is the default provider of a blacklist of known phishing sites to the browser, this will be enhanced to include a blacklist of sites that serve up malicious software.
Fact: Google pays AdSense publishers (Web site owners) $1 for each new user who installs Firefox + Google Toolbar as a result of a referral link from one of their pages.
The fact that Google wants to encourage a standards-compliant alternative to Internet Explorer is logical, and it makes good business sense for the company. The company's very ability to make money depends upon users being able to access its various Web-based applications. If Microsoft controlled 90 percent of the browser market, and it could "accidentally" break Google's Web sites with a software update, the search giant would be in serious trouble.
Of course, from the perspective of limiting the chance of government regulation, antitrust actions and any controversy over the company's acquisitions (such as with DoubleClick), there are some serious strategic advantages to being able to say Firefox is controlled by a bunch of open-source developers--and that is not taking its orders from the Googleplex.
The close relationship between Google and Mozilla leads to a number of serious conflicts of interest. The end result is that users' online privacy and security take a backseat to the protection of Google's revenue streams. I will now explore two particularly chilling examples of this conflict of interest.
Ad blocking
The AdBlock Plus Firefox extension is getting to be extremely popular. It has been featured in The New York Times, and it is regularly included in various "top 10" lists of Firefox extensions on major blogs and other popular Web sites. For those of you who have not yet tried it out, AdBlock Plus (and its essential sidekick, the Filterset G Updater) completely revolutionizes the Web-browsing experience. After surfing without ads for the last few years, having to use a public computer without AdBlock Plus is a frustrating, distracting, and unpleasant experience.
While AdBlock Plus is fantastic at getting rid of most banner ads, it doesn't do the best job of targeting Google's text-based advertisements. This is where another immensely useful extension, CustomizeGoogle, comes in handy.
In addition to blocking Google's text ads (on all Web sites, including Google Web properties such as Gmail and Google Calendar), the extension also protects user privacy. With CustomizeGoogle installed, the search engine's tracking "cookies" are not accepted. This means that users cannot be tracked across multiple sessions. They can deny the search engine knowledge of which links a user clicks on from the results page of a search.
Given the cavalier attitude that the company has to user privacy (tracking users via cookies, unless the user leaves a two-year gap between visits to a Google Web property), CustomizeGoogle is one of the few ways that users can take proactive steps to protect their own privacy online.
This begs the question: why doesn't Firefox adopt the features of AdBlock Plus and CustomizeGoogle? While the terms of Google's contract with Mozilla are not public, even if Mozilla were contractually free to include anti-Google-tracking features, it would not be a wise move, business-wise. After all, it is not too smart to anger the company that provides more than 85 percent of your financing.
This is all conjecture, of course, but why else would the Firefox team not roll in the features of two extensions that are widely popular and that do so much to protect users from annoying advertisements and creepy privacy intrusions online?
Phishing Toolbars
There is a normal cycle when a new phishing site is created. It works something like this:
- A new phishing site is created and is e-mailed about to thousands of people.
- Someone tips off Google, which adds it to the phishing blacklist.
- Millions of Firefox browsers download the latest blacklist from Google.
- Users who click on e-mails, taking them to the phishing site, receive a clear warning from Firefox, telling them that the site is malicious.
However, what happens when the phishing site is hosted by Google?
This very issue was discussed by noted Web application security expert Robert "RSnake" Hansen in August. RSnake discovered a cross-site scripting (XSS) flaw in Google's gmodules.com Web site. The security flaw, which has yet to be fixed, was dismissed by the Google security team, which claimed that it was, in fact, an intended design feature.
RSnake described the significance of the vulnerability, stating that the exploit would allow someone "to take over other people's Web sites when they embedded the erroneous third-party code. Kinda nasty. Unlikely, but nasty. More likely, it would simply be in phishing sites that didn't want their sites taken down, but wanted Google's to be taken down instead."
This brings us to a really interesting dilemma. Google has a well-known flaw in one of its Web sites that can be (ab)used by phishers and malicious hackers. Google refuses to fix the flaw, as it believes that it is not a problem. Google also operates the Firefox phishing blacklist. Will Google add one of its own domains to the phishing blacklist? Of course not!
RSnake, who worked in the antiphishing blacklist area for some time, makes several claims. On his blog, he wrote that "the browser companies have to maintain a list of sites that aren't phishing sites but often get flagged as phishing sites. Google happens to host a lot of those.
In reality, Google is being used to phish consumers or redirect to them to phishing sites, but Google doesn't really fix this problem. Instead, it tells the browser companies to whitelist its sites, regardless of the fact that consumers are losing their identities as a direct result of Google's actions in two ways: 1) because it has not ended the vulnerability and 2) because of its insistence in being marked as a 'good' site."
Essentially, what he claims is that with Google's rather menacing legal department, no other competing antiphishing company will dare to include a Google-owned domain on a blacklist. In addition, Google's domains get included on a whitelist shipped with antiphishing software, which is a list of domains that will never cause warnings.
RSnake further claims that in addition to intimidating the other firms in the market, Google refuses to include its own Web properties in the Firefox phishing blacklist, which it maintains.
While RSnake does nothing to hide his lack of love for the big G, his reputation in the Web application security arena is top-notch. Furthermore, in the two months since RSnake first made his concerns public, no one from Google has publicly disputed anything he has said.With Google providing the blacklists for the new antimalware features in Firefox 3.0, we should all be asking: Can we trust Google? To paraphrase the old phrase, who will blacklist the blacklisters? With control of hundreds of millions of Firefox browsers, what incentive does Google have to keep its own Web properties free of phishing sites?
A number of edits were made to this blog post on the evening of November 1 2007, to reflect feedback received from Mozilla Corp employees.
The following edits were made:
Original: "This includes Ben Goodger, the lead developer for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many resources at the browser."
Now: "This includes Ben Goodger, the former lead developer, and still major contributor for the browser. Yes, other companies pay developers to work on Firefox, but none throw as many overall corporate resources at the browser."
The following text was removed from the introductory paragraph: "When the Big G wants some technology in Firefox, a patch gets applied." - Several Google developed features (including Safe Browsing/Phishing Protection) are now in the mainstream browser, however, this sentence could be read in many ways, and so it seemed best to remove it.
This paragraph was removed "Fact: While Mozilla's