SecurityEngineering/Newsletter/2017Q4
Overview
Last quarter marked the milestone release of Firefox Quantum, the new Firefox browser. While project Quantum was largely focused on performance, Firefox 57 included a number of key security improvements:
As of 57, all supported operating systems (Windows, Mac OS X, and Linux) have file system access restricted by the sandbox, a major milestone in bringing a sandbox implementation to Firefox.
Data URIs are now treated as unique opaque origins, rather than inheriting the origin of the settings object responsible for the navigation, which acts as an XSS mitigation.
Experimental support for anti-phishing FIDO U2F “Security Key” USB devices landed behind a preference in Firefox 57.
And we haven’t stopped there! Since 57, we’ve been busy continuing to make Firefox more secure than ever, including:
Added more formally verified crypto algorithms (ChaCha20, Poly1305) to Firefox 59
Firefox 59 now ships preloaded Strict Transport Security support for top-level domains
The media team completed the audio remoting work, allowing for tighter lockdown of our sandbox
Team Highlights
Security Engineering
Crypto Engineering
We’ve implemented a formally-verified ChaCha20 and a verified Poly1305 into Firefox 59, joining our formally-verified Curve25519 implementation from Firefox 57. [Real World Crypto talk] [Slides]
The certificate and key databases for NSS have moved to a modern SQLite format from the prior DBM format in Firefox 58.
Our implementation of TLS 1.3 is updated to draft -23, which is expected to have much improved behavior with legacy middlebox network equipment (it’s both in Firefox Nightly and at https://tls13.crypto.mozilla.org/).
Firefox 58 prints a warning to the browser console when encountering a Symantec-issued website certificate which will be subject to our distrust plan in Firefox 60. See the CA program's Additional Trust Changes page for details.
Firefox 59 supports add-ons signed using PKCS7 SHA-256 signatures, as well as a new COSE-based format (RFC 8152) with algorithm agility. Add-ons will move to the new COSE signature format over time.
Firefox 59 now ships preloaded Strict Transport Security support for top-level domains, via the hstspreload.org list.
Privacy and Content Security
We enabled always-on Tracking Protection in Firefox Quantum (Firefox 57)
To mitigate phishing attempts we started to block top-level data URI navigations within Firefox 58.
To help prevent third party data leakage while browsing privately, Firefox Private Browsing Mode will remove path information from referrers sent to third parties starting in Firefox 59.
Added a preference to allow users to disable FTP (network.ftp.enabled)
Added CSP improvements in Firefox 58
Support for worker-src directive landed in 58
Security policy violation events (previously behind a pref) were enabled in Nightly starting in 58
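To show what the worker-src directive above changes in practice, here is an added example (not code from the newsletter or from Firefox) that resolves which CSP directive governs a Worker load, including the CSP Level 3 fallback chain worker-src, then child-src, then script-src, then default-src; the source matching is a simplified subset, and the policies and URLs are constructed for illustration.

```javascript
// Added example, not code from the newsletter or from Firefox: resolving which
// CSP directive governs a Worker load. CSP Level 3 falls back
// worker-src -> child-src -> script-src -> default-src when the earlier
// directive is absent. Source matching is a simplified subset ('self',
// 'none', '*', exact origins or hosts, and *.host wildcards).

function parsePolicy(header) {
  const directives = new Map();
  for (const token of header.split(';')) {
    const [name, ...sources] = token.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    // Only the first occurrence of a directive name counts; later ones are ignored.
    if (!directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map(s => s.toLowerCase()));
    }
  }
  return directives;
}

// Returns [directiveName, sources] for the directive that governs workers,
// or null when nothing in the fallback chain is present (workers unrestricted).
function workerDirective(directives) {
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (directives.has(name)) return [name, directives.get(name)];
  }
  return null;
}

function sourceMatches(source, workerOrigin, documentOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return workerOrigin === documentOrigin;
  if (source === '*') return true;
  const host = new URL(workerOrigin).hostname;
  if (source.startsWith('*.')) return host.endsWith(source.slice(1)); // *.example.com
  return source === workerOrigin || source === host;
}

// Constructed inputs: a CSP header value, the worker script URL and the document URL.
function isWorkerAllowed(header, workerUrl, documentUrl) {
  const workerOrigin = new URL(workerUrl).origin;
  const documentOrigin = new URL(documentUrl).origin;
  const governing = workerDirective(parsePolicy(header));
  if (governing === null) return { allowed: true, directive: null };
  const [directive, sources] = governing;
  const allowed = sources.some(s => sourceMatches(s, workerOrigin, documentOrigin));
  return { allowed, directive };
}
```

The second constructed policy below illustrates the point of the new directive: a worker-src 'none' blocks workers even though default-src 'self' would otherwise have allowed a same-origin script.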
Continued our efforts to harden the web against attacks:
Moved to deprecate AppCache from insecure contexts
X-Frame-Options will now check that all frame ancestors are the same origin
Treating insecure Flash requests as mixed active content instead of mixed passive (behind a preference for now; will ship in a future version)
Removal of legacy pcast: and feed: protocols (previously a source of security issues)
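The X-Frame-Options change above is easiest to see side by side with the behaviour it replaces. The following is an added example (not code from the newsletter or from Firefox) that evaluates SAMEORIGIN either against the top-level document only, which this example assumes was the earlier behaviour, or against every ancestor in the frame chain; the origins in the scenario are constructed.

```javascript
// Added example, not code from the newsletter or from Firefox: evaluating an
// X-Frame-Options header when every frame ancestor is tested, versus the
// assumed earlier behaviour of comparing only the top-level document.
//
// ancestorOrigins lists the framed document's ancestors from its direct
// parent up to the top-level browsing context; all values are origins.

function parseXfo(headerValue) {
  // The value is a single token (DENY or SAMEORIGIN); anything else is
  // ignored, i.e. treated as if no header had been sent.
  const v = headerValue.trim().toUpperCase();
  return v === 'DENY' || v === 'SAMEORIGIN' ? v : null;
}

function framingAllowed(headerValue, frameOrigin, ancestorOrigins, { allAncestors = true } = {}) {
  if (ancestorOrigins.length === 0) return true;   // a top-level load is not framed
  const policy = parseXfo(headerValue);
  if (policy === null) return true;                // invalid or missing: no restriction
  if (policy === 'DENY') return false;
  // SAMEORIGIN: the top-level-only check looks at the last ancestor; the
  // hardened check requires every ancestor to share the frame's origin.
  const toCheck = allAncestors ? ancestorOrigins : ancestorOrigins.slice(-1);
  return toCheck.every(origin => origin === frameOrigin);
}

// Constructed scenario: victim.example embeds a third-party widget, and that
// widget in turn frames a victim.example page. The top-level origin matches,
// so a top-level-only check passes, while the all-ancestors check does not.
function demo() {
  const frame = 'https://victim.example';
  const chain = ['https://widget.third-party.example', 'https://victim.example'];
  return {
    topLevelOnly: framingAllowed('SAMEORIGIN', frame, chain, { allAncestors: false }),
    allAncestors: framingAllowed('SAMEORIGIN', frame, chain),
  };
}
```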
Hardening improvements
FORTIFY_SOURCE landed for Mac and Linux
Initial testing of Control Flow Guard deployment (bug 1235982)
Content Isolation
Audio library remoting work completed by the media team allowed the Content Isolation team to secure content process access to various audio services (OSX) and networking-related application programming interfaces (Linux).
A newly developed application programming interface (API) hooking framework is currently being tested in the 64-bit Flash sandbox. For Flash, the framework will handle better securing of networking-related API access and is planned to ship in 60.
The alternative-desktop feature on Windows has been held up from shipping due to various incompatibilities with third-party software running on the same device. A dependent project involving elimination of native windowing event dispatch in content processes is reaching completion. Completion should facilitate alternative desktop rolling out in Firefox 60.
Operations Security
With more of the Firefox continuous integration moving to Taskcluster, we looked into the security posture of the platform. A number of hardening projects were spun off that will continue throughout 2018.
Signature verification of release artifacts now covers all Windows builds. MacOS and MAR are next.
We reviewed the security of repositories hosted in GitHub. Next step is to finalize a security standard and write tools to check compliance.
In Austin, we ran a Capture The Flag challenge to teach web security to dozens of engineers. We used ZAP, OWASP Juice Shop and CTFd to great success.
Cross-Team Initiatives
Mozilla sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about current events related to domain validation for SSL certificates and to remind them of a number of upcoming deadlines.