Interview: François Marier, Mozilla

Hi François, would you mind introducing yourself for those readers who don’t know you?

Sure, I’m from Québec and I currently live in New Zealand. I’ve been interested in and contributing to free software for a few years. I find it’s an incredibly welcoming and rewarding community so I’m probably going to be involved for a few more years :) My day job consists of improving the security and privacy protection in Firefox. I also volunteer as a Debian developer and as part of the licensing team for the Free Software Foundation.

Mozilla has recently announced [1] that it would no longer develop features for sites using the HTTP protocol and instead would make these features only available to HTTPS sites. Can you clarify this matter for the webmasters who might be wondering why this is happening?

Our goal is to work with our community to come up with a plan that will speed up the migration towards HTTPS. Despite the Snowden leaks, there is still far too much content within the reach of surveillance states and companies. We need to do better than this. Now, it’s important to point out that we have yet to define the criteria for deciding whether a new feature will be covered by this policy. The Web Application Security working group at the W3C is currently drafting a document [4] that will help. Restricting features to HTTPS will aim to protect users’ privacy (in the case of features like geolocation which disclose personal information to sites) but also to give sites incentives to migrate to HTTPS if they want to take advantage of the latest features. We’re also working to simplify the configuration and management of certificates by webmasters [2] and are exploring mechanisms [5] to ease HTTP to HTTPS migrations. This is the start of a long process.

The state of the certificate authority system is far from ideal from a security point of view: a number of major players have been involved in significant incidents.
However, Mozilla is betting on this system to improve the confidentiality and integrity of websites. One of these initiatives is the creation of a new CA called "Let’s Encrypt" [2]. Can you give us an update on this project?

I’m only involved in Let’s Encrypt as a Debian packager so I don’t have a lot of visibility on the rest of the project. What I can say though is that the Apache and nginx clients are coming along quite well. Anybody interested can keep an eye on the project by following it on GitHub [6]. Another project to keep an eye on is Google’s Certificate Transparency [14] which we are thinking about joining.

Others prefer betting on "pinning" [3]. Is Firefox interested in this alternative as well?

We already have the infrastructure in place [7] for pinning and use it with a pre-configured list. We don’t yet support pinning with the HTTP header, but we are planning on doing it soon.

You are part of the Firefox development team. Can you talk about the topics you are currently working on that you are passionate about?

I’m currently working on two very exciting things. The first one is an anti-tracking feature [8]. It’s easy to enable [9] and also has some pretty dramatic effects on performance [10]. The other feature [11] targets web developers. It’s about making sure that external resources loaded from a third-party server won’t change. It’s a response to the very common practice of loading jQuery directly from code.jquery.com. With this feature, if an attacker adds their own malicious code on the code.jquery.com server, that code will be blocked since it will be different from what the developer expects.

The Mozilla Foundation has been around for 12 years and has become an international organisation with several hundred employees with a lot of projects on the go. Given such growth, how does Mozilla manage to stay flexible?

Obviously when we got to a thousand employees, the company started hiring a few more managers :) On the other hand, the basic governance structure [12] is still the one that the free software project is based on. Every module has an owner and many peers, and teams are generally organized around a group of such modules. Developers are somewhat mobile and collaborate through newsgroups and Bugzilla. Also, every Monday, there is a project meeting that everyone can attend [13].

In your opinion, what are the greatest challenges facing Mozilla but also the free software world in the age of mobile, cloud computing, big data and IoT?

I am personally terrified of the Internet of Things. After all, it seems that all you need to do to sell an "appliance" is to take the software you’re already selling and then install it on a 5-year-old Linux box (without any security updates obviously). The only thing that could be worse would be to connect all kinds of sensors and actual appliances to the whole thing. What an exciting future! The biggest challenge in my opinion will be to bring security awareness to the embedded developers who live in a world of disposable software. If we want to avoid giving free software a bad name, we’ll need to develop an update infrastructure that these proprietary software vendors will be able to piggy-back on. In other words, what we need is a Debian for these new ways of developing software :)

You’ve been a Debian developer for more than 10 years, were born in Québec, now live in New Zealand working for an Internet giant. Given your background, have you noticed that free software is now an important part of life as a computer science student everywhere in the world, or does it depend a lot on the country? Has the battle for free software in computing education been won or not at all?

Despite the fact that most of the students I meet know what free software is, there are still very few contributors amongst them.
It might be that it is intimidating for those who are just getting started in computing; after all, the technical excellence found within many free software projects can easily make some of the largest companies jealous. But it’s unfortunate that so many students miss out on a great opportunity to get involved in a community that could teach them as much as 3 or 4 years of university. I think that free software hackers still have a lot of work to ensure a sustainable future for our community.

Thanks a lot for this interview, François. Please come see his talk on Tuesday 7 July at 10:00 :-)

My pleasure.