info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Firefox Security Newsletter - Q4 2017
38 views
Skip to first unread message
Paul Theriault
Feb 28, 2018, 12:10:54 AM2/28/18
to dev-se...@lists.mozilla.org
(Text-format below, see online version at
https://wiki.mozilla.org/SecurityEngineering/Newsletter)
Overview
========
Last quarter marked the milestone release of Firefox Quantum, the new
Firefox browser. While project Quantum was largely focused on performance,
Firefox 57 included a number of key security improvements:
- As of 57, all supported operating systems (Windows, Mac OS X, and Linux)
have file system access restricted by the sandbox which is a major
milestone in bringing a sandbox implementation to Firefox.
- Data URIs are now treated as unique opaque, rather than inheriting the
origin of the settings object responsible for the navigation - which acts
as an XSS mitigation.
- Experimental support for anti-phishing FIDO U2F “Security Key” USB
devices landed behind a preference in Firefox 57.
And we haven’t stopped there! Since 57, we’ve been busy continuing to make
Firefox more secure than ever, including:
- Added more formally verified crypto algorithms (ChaCha20, Poly1305) to
Firefox 59
- Firefox 59 has preloaded Strict Transport Security support for top-level
domains now
- Media team completed the audio remoting work, allowing for tighter
lockdown of our sandbox
Team Highlights
===============
Security Engineering
--------------------
### Crypto Engineering
- We’ve implemented a formally-verified ChaCha20 and a verified Poly1305
into Firefox 59, joining our formally-verified Curve25519 implementation
from Firefox 57. (see also Real World Crypto talk:
https://www.youtube.com/watch?v=xrZTVRICpSs and Slides:
https://rwc.iacr.org/2018/Slides/Beurdouche.pdf)
- The certificate and key databases for NSS have moved to a modern SQLite
format from the prior DBM format in Firefox 58.
- Our implementation of TLS 1.3 is updated to draft -23, which is expected
to have much improved behavior with legacy middlebox network equipment
(it’s both in Firefox Nightly and at https://tls13.crypto.mozilla.org).
- Firefox 58 prints a warning to the browser console when encountering a
Symantec-issued website certificate which will be subject to our distrust
plan in Firefox 60. See the CA program's Additional Trust Changes
(https://wiki.mozilla.org/CA/Additional_Trust_Changes) page for details.
- Firefox 59 supports add-ons to be signed using PKCS7 SHA-256 signatures,
as well as a new COSE-based format (RFC 8152) with algorithm agility.
Add-ons will move to the new COSE signature format over time.
- Firefox 59 has preloaded Strict Transport Security support for top-level
domains now, via the hstspreload.org list.
### Privacy and Content Security
- To mitigate phishing attempts we started to block top-level data URI
navigations*
- To help prevent third party data leakage while browsing privately,
Firefox Private Browsing Mode will remove path information from referrers
sent to third parties starting in Firefox 59
- Added a preference to allow users disable FTP (network.ftp.enabled)
- Added CSP improvements in Firefox 58
- Support for worker-src directive landed in 58
- security policy violation events (previously behind a pref) were enabled
in Nightly starting in 58
- Continued our efforts to harden the web against attacks:
- Moved to deprecate AppCache from insecure contexts
- X-Frame-Options will now check all frame ancestors are the same origin
- Treating insecure flash requests as mixed active instead of mixed passive
behind a preference for now, will ship in future version
- Removal of legacy pcast: and feed: protocols (previously a source of
security issues). https://bugzilla.mozilla.org/show_bug.cgi?id=1420622
- Hardening improvements
- FORTIFY\_SOURCE landed for Mac and Linux
- Initial testing of Control Flow Guard deployment
### Content Isolation
- Audio library remoting work completed by the (media team) allowed the
Content Isolation team to secure content process access to various audio
services (OSX) and networking related application programming interfaces
(Linux).
- A newly developed application programming interface (API) hooking
framework is currently being tested in the 64-bit Flash sandbox. For Flash,
the framework will handle better securing of networking related API access
and is planned to ship in 60.
- The alternative-desktop feature on Windows has been held up from shipping
due to various incompatibilities with 3rd party software running on the
same device. A dependent project involving elimination of native windowing
event dispatch in content processes is reaching completion. Completion
should facilitate alternative desktop rolling out in Firefox 60.
Operations Security
-------------------
- With more of the Firefox continuous integration moving to [*Taskcluster*](
https://github.com/taskcluster), we looked into the security posture of the
platform. A number of hardening projects were spun off that will continue
throughout 2018.
- Signature verification of release artifacts now covers all Windows
builds. MacOS and MAR are next.
- We reviewed the security of repositories hosted in GitHub. Next step is
to finalize a security standard and write tools to check compliance.
- In Austin, we ran a Capture The Flag challenge to teach web security to
dozens of engineers. We used ZAP(http://www.zaproxy.org/), OWASP Juice Shop(
https://github.com/bkimminich/juice-shop) and CTFd(
https://github.com/CTFd/CTFd) to great success.
Cross-Team Initiatives
----------------------
Mozilla sent a CA Communication() to inform [*Certificate Authorities
(CAs)* who have root certificates included in Mozilla’s program about
current events related to domain validation for SSL certificates and to
remind them of a number of upcoming deadlines.
https://blog.mozilla.org/security/2018/01/29/january-2018-ca-communication
Security Blog Posts & Presentations
===================================
https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57
https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers
https://blog.mozilla.org/blog/2018/01/23/latest-firefox-quantum-release-now-available-with-new-features
https://wiki.mozilla.org/SecurityEngineering/Newsletter)
Overview
========
Last quarter marked the milestone release of Firefox Quantum, the new
Firefox browser. While project Quantum was largely focused on performance,
Firefox 57 included a number of key security improvements:
- As of 57, all supported operating systems (Windows, Mac OS X, and Linux)
have file system access restricted by the sandbox which is a major
milestone in bringing a sandbox implementation to Firefox.
- Data URIs are now treated as unique opaque, rather than inheriting the
origin of the settings object responsible for the navigation - which acts
as an XSS mitigation.
- Experimental support for anti-phishing FIDO U2F “Security Key” USB
devices landed behind a preference in Firefox 57.
And we haven’t stopped there! Since 57, we’ve been busy continuing to make
Firefox more secure than ever, including:
- Added more formally verified crypto algorithms (ChaCha20, Poly1305) to
Firefox 59
- Firefox 59 has preloaded Strict Transport Security support for top-level
domains now
- Media team completed the audio remoting work, allowing for tighter
lockdown of our sandbox
Team Highlights
===============
Security Engineering
--------------------
### Crypto Engineering
- We’ve implemented a formally-verified ChaCha20 and a verified Poly1305
into Firefox 59, joining our formally-verified Curve25519 implementation
from Firefox 57. (see also Real World Crypto talk:
https://www.youtube.com/watch?v=xrZTVRICpSs and Slides:
https://rwc.iacr.org/2018/Slides/Beurdouche.pdf)
- The certificate and key databases for NSS have moved to a modern SQLite
format from the prior DBM format in Firefox 58.
- Our implementation of TLS 1.3 is updated to draft -23, which is expected
to have much improved behavior with legacy middlebox network equipment
(it’s both in Firefox Nightly and at https://tls13.crypto.mozilla.org).
- Firefox 58 prints a warning to the browser console when encountering a
Symantec-issued website certificate which will be subject to our distrust
plan in Firefox 60. See the CA program's Additional Trust Changes
(https://wiki.mozilla.org/CA/Additional_Trust_Changes) page for details.
- Firefox 59 supports add-ons to be signed using PKCS7 SHA-256 signatures,
as well as a new COSE-based format (RFC 8152) with algorithm agility.
Add-ons will move to the new COSE signature format over time.
- Firefox 59 has preloaded Strict Transport Security support for top-level
domains now, via the hstspreload.org list.
### Privacy and Content Security
- To mitigate phishing attempts we started to block top-level data URI
navigations*
- To help prevent third party data leakage while browsing privately,
Firefox Private Browsing Mode will remove path information from referrers
sent to third parties starting in Firefox 59
- Added a preference to allow users disable FTP (network.ftp.enabled)
- Added CSP improvements in Firefox 58
- Support for worker-src directive landed in 58
- security policy violation events (previously behind a pref) were enabled
in Nightly starting in 58
- Continued our efforts to harden the web against attacks:
- Moved to deprecate AppCache from insecure contexts
- X-Frame-Options will now check all frame ancestors are the same origin
- Treating insecure flash requests as mixed active instead of mixed passive
behind a preference for now, will ship in future version
- Removal of legacy pcast: and feed: protocols (previously a source of
security issues). https://bugzilla.mozilla.org/show_bug.cgi?id=1420622
- Hardening improvements
- FORTIFY\_SOURCE landed for Mac and Linux
- Initial testing of Control Flow Guard deployment
### Content Isolation
- Audio library remoting work completed by the (media team) allowed the
Content Isolation team to secure content process access to various audio
services (OSX) and networking related application programming interfaces
(Linux).
- A newly developed application programming interface (API) hooking
framework is currently being tested in the 64-bit Flash sandbox. For Flash,
the framework will handle better securing of networking related API access
and is planned to ship in 60.
- The alternative-desktop feature on Windows has been held up from shipping
due to various incompatibilities with 3rd party software running on the
same device. A dependent project involving elimination of native windowing
event dispatch in content processes is reaching completion. Completion
should facilitate alternative desktop rolling out in Firefox 60.
Operations Security
-------------------
- With more of the Firefox continuous integration moving to [*Taskcluster*](
https://github.com/taskcluster), we looked into the security posture of the
platform. A number of hardening projects were spun off that will continue
throughout 2018.
- Signature verification of release artifacts now covers all Windows
builds. MacOS and MAR are next.
- We reviewed the security of repositories hosted in GitHub. Next step is
to finalize a security standard and write tools to check compliance.
- In Austin, we ran a Capture The Flag challenge to teach web security to
dozens of engineers. We used ZAP(http://www.zaproxy.org/), OWASP Juice Shop(
https://github.com/bkimminich/juice-shop) and CTFd(
https://github.com/CTFd/CTFd) to great success.
Cross-Team Initiatives
----------------------
Mozilla sent a CA Communication() to inform [*Certificate Authorities
(CAs)* who have root certificates included in Mozilla’s program about
current events related to domain validation for SSL certificates and to
remind them of a number of upcoming deadlines.
https://blog.mozilla.org/security/2018/01/29/january-2018-ca-communication
Security Blog Posts & Presentations
===================================
https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57
https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers
https://blog.mozilla.org/blog/2018/01/23/latest-firefox-quantum-release-now-available-with-new-features
0 new messages