Hacker News
by bagacrap 2479 days ago
Your browser sends and receives tons of packets to addresses owned by the browser vendor and third-party sites. After all, that's its main function. Your open source browser is millions of lines of code. You think it would not be possible to exfiltrate passwords without your notice? It seems a much more practical approach to assume your browser vendor is a "good guy", as the alternative model is that you choose to do all your most sensitive computing via an adversary.

I think the premise is we would know if it already did that, and incremental code changes can be inspected to see it isn't added. So yeah, it's pretty safe to say open source makes it trustable.
That's pretty reasonable, but if I were a malicious actor looking to do something like this, I'd try to introduce different bugs at different times that combine to leak passwords. That would give plausible deniability, too. Not saying it's an easy scheme to engineer.
People inspect Chrome diffs for weird changes too. Closed source software does not prevent people from noticing malware, especially in some of the most heavily scrutinized software in the world.