SecurityEngineering/Newsletter/2017Q1
From MozillaWiki
Contents
Firefox Security Team Newsletter
It was another busy quarter for the teams working tirelessly to keep Firefox users safe online, and Firefox is now safer than ever. New improvements that landed over the last quarter include:
- Firefox now warns users when their passwords are being sent over HTTP
- Firefox explicitly distrusts the use of SHA-1 signatures in TLS certificates
- Firefox Containers, an experimental privacy tool, is available to all users via test-pilot
- We reached another milestone in the Security Sandbox project, enabling content process sandboxing on release OS X in Firefox 52. (Windows was previously enabled in Firefox 50 and Linux is enabled in Firefox 54, which is targeted for a June release)
- In addition to support for Tor first-party isolation shipping in 52, we began prototyping for a project to bring Tor support to Firefox for Android
And that’s just the highlights, read on to find out what’s new in Firefox security.
Team Highlights
Security Engineering
- New warnings are shipping in Firefox to alarm users when passwords are sent over HTTP
- Continued our support for the TOR project:
- Shipped First Party Isolation in Firefox ESR 52 (behind the pref “privacy.firstparty.isolate”), which prevents third parties from tracking users across multiple websites
- Attended the Tor meeting in Amsterdam to discuss the collaboration between Mozilla and Tor in the future
- Started a new mobile project "Fennec + Tor", which aims at bringing Orfox-like features into Fennec
- Worked on efforts to port TOR anti-fingerprinting features to Firefox
- Put the finishing touches on a ‘Security By Default’ project; this multi-year effort centralised the network security logic that was previously scattered through the Gecko codebase in a single maintainable place
- We implemented a preference to change the origin inheritance behavior for data: URIs in support of animportant spec change.
- Support for the Content Security Policy <code>strict-dynamic</code> directive landed in Firefox 52
- The next phase of the Containers project continues with the feature launched in a Firefox Test Pilot experiment.
- This quarter saw several new features added to Firefox Web Extensions in support of privacy add-ons:
- We help the Web Extension team ship privacy API which can be used to make Privacy add-ons (Firefox 54)
- We also added the ‘cookieStoreId’ to WebExtension APIs so that Web Extension authors can leverage Containers feature in their own add-ons (Firefox 52)
- Sandbox hardening project continues, mainly focusing on hardening our IPC layer in support of the upcoming lockdown of file system access (targeted for Firefox 55)
- Code auditing continues to find IPC bugs so we are experimenting withIPDL helper classes to avoid common IPDL bugs
- Landed a fuzzer for Message Manager messages
- Completed two handwritten IPC fuzzers (PHttpChannel/PCameras) as a case study for future IPC fuzzer hardening
- The Tracking Protection experiment graduated from Firefox Test Pilot
Crypto Engineering
- The end of SHA-1 certificates: Following a phased deprecation of SHA-1 in Firefox 51, Firefox 52 explicitly distrusts the use of SHA-1 signatures in certificates used for HTTPS.
- We’ve begun fuzzing the TLS client and server side of the NSS library, raising our confidence in the network-facing code used by all Firefoxes
- Mozilla now runs the tier 1 continuous integration tests for the NSS library internally, without external reliance on RedHat. We’ve also moved our ARM builds and testing off of local machines and into more stable cloud-hosted hardware.
Operations Security
- Addons.mozilla.org and Firefox Accounts have been brought to compliance with Operation Security’s security checklist. These services now have strong CSP, HSTS, HPKP and various other security improvements.
- Simon Bennetts released version 2.6.0 of the ZAP web security scanner, with a long list of enhancements and bug fixes from the OWASP community. Noteworthy is the addition of an OpenAPI/Swagger extension to automate the discovery and scanning of REST APIs. We plan on using it to scan Firefox backend APIs.
- Firefox Screenshots (formerly Pageshot) completed a security review as part of its graduation from the TestPilot program
- TLS Observatory now has the ability to count end-entity certificates associated with a root or intermediate, and a lightweight web ui to visualize certs and their paths. We also started loading certificates from Google’s Aviator CT log, bringing the count of certs over 12 million.
- Will Kahn-Greene released Bleach v2.0, a major new release of this popular Python library used to sanitize HTML in web applications.
Cross-Team Initiatives
- Shipped pwn2own dot-release in less than 24 hours, great work with really dedicated engineers and release team
- Shipped a hook into build machinery to alert when a third party library is out of date
- OneCRL nowhas entries for about 250 revoked intermediate certs
- Deployed mechanism for CAs to directly provide their annual updates to the Common CA Database, and have those updates become available to all member root store operators
- Modernized the TLS Canary tool for performance and maintainability improvements including 2-3x perf improvement, better coverage for sites using redirects and support for OneCRL
Security Blog Posts & Presentations
In case you missed them, here are some of the blog posts and speaker presentations we gave over the last quarter:
- New warnings shipping in Firefox to alarm users when passwords are sent over HTTP
- Tanvi Vyas, Andrea Marchesini and Christoph Kerschbaumer co-authored an academic paper about Origin Attributes, the framework within Firefox that enables First Party Isolation of cookies (an important TOR feature) as well as a number of upcoming Firefox security features
- Announced the deprecation of SHA-1 on the Public Web
- Francois Marier lectured on how to adopt new browser security features at ConFoo
- Julien Vehent presented Test Driven Security in Continuous Integration at Enigma, a technique we developed internally to increase the security of our websites and services.
- Discussed the history and future of CSP in the Security Bytes podcast
- Released version 2.4 of Mozilla’s CA Certificate Policy
Previous Editions