SecurityEngineering/Newsletter/2017Q4

From MozillaWiki

Overview

Last quarter marked the milestone release of Firefox Quantum, the new Firefox browser. While project Quantum was largely focused on performance, Firefox 57 included a number of key security improvements:

  • As of 57, all supported operating systems (Windows, Mac OS X, and Linux) have file system access from content processes restricted by the sandbox, a major milestone in bringing a sandbox implementation to Firefox.

  • data: URIs are now given a unique opaque origin rather than inheriting the origin of the settings object responsible for the navigation, so script in a navigated-to data: document no longer runs with the navigating page's origin. This closes off one XSS vector.

  • Experimental support for FIDO U2F “Security Key” USB devices, a phishing-resistant second factor, landed behind a preference in Firefox 57.

And we haven’t stopped there! Since 57, we’ve been busy continuing to make Firefox more secure than ever, including:

  • Added more formally verified crypto primitives (ChaCha20 and Poly1305) to Firefox 59

  • Firefox 59 now supports preloaded HTTP Strict Transport Security entries for entire top-level domains

  • The media team completed the audio remoting work, allowing for a tighter lockdown of our sandbox

Team Highlights

Security Engineering

Crypto Engineering

  • We’ve shipped a formally verified ChaCha20 and a formally verified Poly1305 in Firefox 59, joining our formally verified Curve25519 implementation from Firefox 57. [Real World Crypto talk] [Slides]

  • In Firefox 58, the NSS certificate and key databases (cert9.db and key4.db) moved from the legacy DBM format (cert8.db and key3.db) to a modern SQLite-based format.

  • Our TLS 1.3 implementation has been updated to draft-23, which is expected to behave much better with legacy middlebox network equipment (from draft-22 on, the handshake carries a legacy session ID and a dummy ChangeCipherSpec so that it looks like a TLS 1.2 resumption on the wire). It is available both in Firefox Nightly and at https://tls13.crypto.mozilla.org/.

  • Firefox 58 prints a warning to the browser console when it encounters a Symantec-issued website certificate that will be subject to our distrust plan in Firefox 60. See the CA program's Additional Trust Changes page for details.

  • Firefox 59 accepts add-ons signed with PKCS#7 SHA-256 signatures, as well as with a new COSE-based format (RFC 8152) that provides algorithm agility. Add-on signing will move to the COSE format over time.

  • Firefox 59 now supports preloaded HTTP Strict Transport Security entries for entire top-level domains, sourced from the hstspreload.org list.
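The two primitives named in the first bullet above, as an added example that is not Mozilla or NSS code: a plain-Python ChaCha20 block function and Poly1305 one-time authenticator, written directly from the pseudocode in RFC 8439 and checked against that RFC's test vectors. It shows what the formally verified implementations compute; it is not constant-time and is not meant for production use.

```python
# Added example (not Mozilla/NSS code): ChaCha20 block function and
# Poly1305 authenticator as specified in RFC 8439. The test vectors
# below are the ones from that RFC; nothing here is constant-time.
import struct

MASK32 = 0xFFFFFFFF


def rotl32(v, c):
    """Rotate a 32-bit word left by c bits."""
    return ((v << c) | (v >> (32 - c))) & MASK32


def quarter_round(s, a, b, c, d):
    """ARX quarter round (RFC 8439 section 2.1) on state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """Return the 64-byte keystream block for (key, counter, nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]  # "expand 32-byte k"
    state += struct.unpack("<8L", key)
    state += [counter & MASK32]
    state += struct.unpack("<3L", nonce)
    working = list(state)
    for _ in range(10):  # 20 rounds = 10 double rounds: columns, then diagonals
        quarter_round(working, 0, 4, 8, 12)
        quarter_round(working, 1, 5, 9, 13)
        quarter_round(working, 2, 6, 10, 14)
        quarter_round(working, 3, 7, 11, 15)
        quarter_round(working, 0, 5, 10, 15)
        quarter_round(working, 1, 6, 11, 12)
        quarter_round(working, 2, 7, 8, 13)
        quarter_round(working, 3, 4, 9, 14)
    # Feed-forward: add the initial state so the rounds cannot be inverted.
    return struct.pack("<16L", *((w + s) & MASK32 for w, s in zip(working, state)))


def chacha20_xor(key, counter, nonce, data):
    """Encrypt or decrypt (the same operation) by XORing with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


P1305 = (1 << 130) - 5


def poly1305_mac(key, msg):
    """RFC 8439 section 2.5: evaluate the message polynomial at the clamped
    point r modulo 2^130-5, then add the one-time pad s modulo 2^128."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        chunk = msg[i:i + 16]
        # Each 16-byte (or shorter final) chunk gets a 1 bit appended above it.
        n = int.from_bytes(chunk, "little") | (1 << (8 * len(chunk)))
        acc = ((acc + n) * r) % P1305
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


if __name__ == "__main__":
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    print(chacha20_block(key, 1, nonce).hex())  # RFC 8439 section 2.3.2 block
```

The two functions are deliberately separate: in the AEAD construction of RFC 8439 the Poly1305 key is itself the first 32 bytes of ChaCha20 keystream at block counter 0, and the tag covers the ciphertext, so an implementation that gets either primitive subtly wrong fails these vectors before anything is composed.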
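The preload lookup behind the last bullet above, as an added example that is not Firefox code: a small model of how a browser consults an HSTS preload list, including an entry for a whole top-level domain. The entries are constructed here under the reserved "example" and "test" TLDs and are not the real hstspreload.org data; the walk itself (exact host first, then each parent domain that asserts includeSubDomains) follows RFC 6797 section 8.3.

```python
# Added example (not Firefox code): HSTS preload lookup with a TLD entry.
# PRELOAD is constructed for this example; the real list is compiled into
# Firefox from hstspreload.org.
from urllib.parse import urlsplit, urlunsplit
import ipaddress

# host -> includeSubDomains flag (constructed entries)
PRELOAD = {
    "example": True,          # a whole TLD: every name under it is covered
    "preloaded.test": False,  # only this exact host
    "wide.test": True,        # this host and all of its subdomains
}


def is_ip_literal(host):
    """HSTS applies to DNS names only (RFC 6797 section 8.1), never to IP literals."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def hsts_preloaded(host):
    """Return the name of the preload entry that covers host, or None.

    Exact match wins; otherwise each parent domain is tried in turn, and a
    parent only matches if it asserts includeSubDomains. A parent entry
    without the flag is skipped, not treated as a stop, because a further
    superdomain (here, a TLD) may still cover the host."""
    host = (host or "").rstrip(".").lower()
    if not host or is_ip_literal(host):
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PRELOAD and (i == 0 or PRELOAD[candidate]):
            return candidate
    return None


def upgrade_if_preloaded(url):
    """Rewrite an http:// URL to https:// when its host is preloaded.

    Port 80 is dropped (https default is 443); any other explicit port is
    kept, since HSTS covers the host, not a particular port."""
    parts = urlsplit(url)
    if parts.scheme != "http" or hsts_preloaded(parts.hostname) is None:
        return url
    netloc = parts.hostname
    if parts.port is not None and parts.port != 80:
        netloc += ":%d" % parts.port
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("http://shop.example/cart?x=1", "http://www.preloaded.test/",
              "http://preloaded.test:8080/", "http://192.0.2.1/"):
        print(u, "->", upgrade_if_preloaded(u))
```

The TLD case is what makes the walk worthwhile: "shop.example" is upgraded although no entry names it, purely because the "example" entry asserts includeSubDomains. Note the asymmetry on "www.preloaded.test": the exact-host entry without the flag does not protect subdomains, which is the usual reason a site's own subdomains stay reachable over plain HTTP after the apex is preloaded.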

Privacy and Content Security

Content Isolation

  • The audio library remoting work completed by the media team allowed the Content Isolation team to lock down content-process access to various audio services (OS X) and networking-related application programming interfaces (Linux).

  • A newly developed application programming interface (API) hooking framework is currently being tested in the 64-bit Flash sandbox. For Flash, the framework will restrict the plugin process's access to networking-related APIs; it is planned to ship in Firefox 60.

  • The alternate-desktop feature on Windows has been held back from shipping by various incompatibilities with third-party software running on the same device. A prerequisite project, eliminating native windowing event dispatch in content processes, is nearing completion and should allow the alternate desktop to roll out in Firefox 60.

Operations Security

  • With more of the Firefox continuous integration moving to Taskcluster, we reviewed the security posture of the platform. A number of hardening projects were spun off and will continue throughout 2018.

  • Signature verification of release artifacts now covers all Windows builds. macOS builds and MAR update archives are next.

  • We reviewed the security of repositories hosted on GitHub. The next step is to finalize a security standard and write tools to check compliance against it.

  • In Austin, we ran a Capture The Flag challenge to teach web security to dozens of engineers. We used ZAP, OWASP Juice Shop and CTFd to great success.

Cross-Team Initiatives

Security Blog Posts & Presentations