Mozilla bets its Rust language will make your internet safer
JavaScript, a smash hit among programmers, made the web powerful. Now Mozilla's Rust could protect the web from hack attacks.
- Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
Mozilla's Rust programming language is designed to be more secure.
Twenty-two years ago, Mozilla co-founder Brendan Eich whipped up JavaScript in 10 days of manic activity in 1995. It's since become the world's most popular programming language.
Now Mozilla hopes lightning will strike twice with a sequel called Rust. If successful, the new programming language could be as important as JavaScript to Mozilla's mission of making the internet better for us all -- and it could be just as helpful to the nonprofit organization's reputation, too. JavaScript let web developers make websites interactive, triggering an explosion of innovation like online photo editing, scrolling and zooming maps, and word processing with Google Docs. Rust is a lower-level tool, though, that could make Mozilla's Firefox web browser faster and more secure.
And if its enthusiastic reception in programming circles continues, Rust could help protect a lot of other software from attacks that today are the bane of online existence. Attackers who have learned to exploit vulnerabilities in internet-linked software are responsible for stolen identities, drained bank accounts, leaked confidential documents and political persecution.
Rust, the "most loved" language in a 2017 survey by programming advice site Stack Overflow, won allies like online storage service Dropbox. Programmers have contributed tens of thousands of packages of pre-written code to help others get their projects moving faster, too. Need to decode a web address, check the time, or handle some video? Somebody's probably already written the basics for you.
In a sign of growing interest, programmers are steadily increasing the number of pre-written Rust packages. That makes it faster to get started with a Rust software project.
"Rust is growing," says Redmonk analyst Stephen O'Grady, who tracks language popularity. "It made a substantial jump and is now solidly in second-tier language territory -- which is good company to be in."
It's really hard to create a major language like C, C++ or Java used by millions of programmers. Mozilla succeeded with JavaScript, with countless others helping to refine it over the years.
Looking good in programmers' eyes improves Mozilla's reputation as an innovator, not a laggard to be left behind. "The language is exciting," says Jonathan "Duke" Leto, the founder of programming firm Leto Labs. Restoring that reputation is important for Mozilla's attempt to ignite enthusiasm for its Firefox browser and use it for goals like protecting your privacy or making sure Google's websites don't require you to use Google's browser.
The biggest reason to like Rust is that it can wipe out a huge class of software security holes -- a major problem with browsers that today handle everything from our most personal communications to our biggest financial transactions. Even if you're not a programmer, you'll like a more secure internet.
"Every big piece of Rust code we get in there decreases the attack surface for security holes in the browser," says Dave Herman, former director of strategy and research at Mozilla.
Rust's safety lets Mozilla free up Firefox memory, too, a key computing resource these days as we keep so many browser tabs open. Rust is also designed to better handle the thorny computing challenge of doing many tasks in parallel -- that's key to unlocking the power of modern chips that have many processing engines.
Sean White, Mozilla's vice president of technology strategy
Even if nobody outside Mozilla ever touches Rust, it will directly help Firefox. Mozilla moves Rust-written components into Firefox through a project fittingly called Oxidation. Indeed, Rust and Oxidation are key to a project called Quantum to speed up Firefox with the release of Firefox 57 this November.
"You can try a lot of different experiments," says Sean White, Mozilla's senior vice president leading the emerging technologies. "We have ways we can very quickly try and fail on things without touching the hundreds of millions of people using Firefox."
The source for these Rust components is new core browser software called Servo, a Mozilla research project that's written mostly in Rust.
Going whole hog and building a new browser entirely on Servo would be risky, though. Instead, Mozilla is cherry-picking the best parts and adding them to Firefox's core, called Gecko. "The future is intelligently managing the combination of the two," says David Bryant, Mozilla's vice president of platform engineering.
In the longer run, Mozilla wants Servo to be useful on its own. It struggles today even with basic web documents like Wikipedia. Mozilla's goal of getting it to work with the much more complicated Google Docs site is actually very ambitious. If successful, though, it would signal a major step forward in overall practical readiness.
David Bryant, Mozilla's VP of platform engineering
And Mozilla is considering making a version of Servo that can be embedded into smaller computing devices, White says. One possible example: a VR headset that displays virtual reality worlds constructed with the WebVR technology Mozilla helped create. Servo is designed to take advantage of modern computer chips that can run lots of tasks in parallel, and success there could make Servo very efficient on inexpensive hardware.
Robert O'Callahan, a former Mozilla programmer now working on developer tools at his startup, Pernosco, also lauds Rust. Most languages either give programmers low-level control or protection against memory-induced security problems, but not both. "Rust is the first mainstream language to escape that tradeoff," O'Callahan says.
Even if you don't care much about programmers toiling over their keyboards, you should care about that Rust advantage. With governments and identity thieves paying top dollar for computer attack software, everyone on the internet can be a potential victim.
Correction, 1:56 p.m.: This story earlier misstated the programming language that Pernosco works with. It's working on developer tools initially targeted at programmers using the C and C++ languages.
Correction, Aug. 8 at 11:49 a.m.: A chart in this story misstated the number of Rust packages available to programmers. It was just short of 10,000 at the beginning of June 2017.
Intolerance on the Internet: Online abuse is as old as the internet and it's only getting worse. It exacts a very real toll.
It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.