Firefox Security Newsletter - Q1 2017


Paul Theriault

Apr 28, 2017, 5:38:12 AM
to dev-se...@lists.mozilla.org
Hey all, it's time for another quarterly newsletter from the Firefox
Security team - now including updates from our security operations team as
well. Read on below, or check out the version on the wiki at
https://wiki.mozilla.org/SecurityEngineering/Newsletter.
Firefox Security Team Newsletter

It was another busy quarter for the teams working tirelessly to keep
Firefox users safe online, and Firefox is now safer than ever. New
improvements that landed over the last quarter include:

- Firefox now warns users
<https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
when their passwords are being sent over HTTP
- Firefox explicitly distrusts the use of SHA-1
<https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/>
signatures in TLS certificates
- Firefox Containers, an experimental privacy tool, is available to all
users via test-pilot
<https://testpilot.firefox.com/experiments/containers/>
- We reached another milestone in the Security Sandbox
<https://wiki.mozilla.org/Security/Sandbox> project, enabling content
process sandboxing on release OS X in Firefox 52. (Windows was previously
enabled in Firefox 50 and Linux is enabled in Firefox 54, which is targeted
for a June release)
- In addition to support for Tor first-party isolation
<https://bugzilla.mozilla.org/show_bug.cgi?id=1299996> shipping in 52,
we began prototyping
<https://bugzilla.mozilla.org/show_bug.cgi?id=1337647> for a project to
bring Tor support to Firefox for Android

And that’s just the highlights; read on to find out what’s new in Firefox
security.
Team Highlights

Security Engineering

- New warnings
<https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
are shipping in Firefox to alarm users when passwords are sent over HTTP
- Continued our support for the TOR project
<https://blog.torproject.org/blog/tor-heart-firefox>:
  - Shipped First Party Isolation in Firefox ESR 52 (behind the pref
    “privacy.firstparty.isolate”), which prevents third parties from
    tracking users across multiple websites
  - Attended the Tor meeting in Amsterdam to discuss the collaboration
    between Mozilla and Tor in the future
  - Started a new mobile project "Fennec + Tor", which aims at bringing
    Orfox-like features into Fennec
  - Worked on efforts to port TOR anti-fingerprinting features to
    Firefox
- Put the finishing touches on a ‘Security By Default’
<https://blog.mozilla.org/security/2016/11/10/enforcing-content-security-by-default-within-firefox/>
project; this multi-year effort centralised the network security logic that
was previously scattered through the Gecko codebase in a single
maintainable place
- We implemented a preference to change the origin inheritance behavior
for data: URIs in support of an important spec change
<https://github.com/whatwg/html/issues/1753>.
- Support for the Content Security Policy “strict-dynamic” directive
landed in Firefox 52
<https://bugzilla.mozilla.org/show_bug.cgi?id=1299483>
- The next phase of the Containers
<https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers>
project continues with the feature launched in a Firefox Test Pilot
experiment
<https://hacks.mozilla.org/2017/03/containers-come-to-test-pilot>.
- This quarter saw several new features added to Firefox Web Extensions
in support of privacy add-ons:
  - We helped the Web Extension team ship a privacy API
    <https://bugzilla.mozilla.org/show_bug.cgi?id=1312802> which can be
    used to make privacy add-ons (Firefox 54)
  - We also added the ‘cookieStoreId’ to WebExtension APIs
    <https://bugzilla.mozilla.org/show_bug.cgi?id=1302697> so that Web
    Extension authors can leverage the Containers feature in their own
    add-ons (Firefox 52)
- The sandbox hardening project continues, mainly focusing on hardening
our IPC layer in support of the upcoming lockdown of file system access
(targeted for Firefox 55)
  - Code auditing continues to find IPC bugs, so we are experimenting
    with IPDL helper classes
    <https://bugzilla.mozilla.org/show_bug.cgi?id=1325647> to avoid
    common IPDL bugs
  - Landed a fuzzer
    <https://bugzilla.mozilla.org/show_bug.cgi?id=777600> for Message
    Manager messages
  - Completed two handwritten IPC fuzzers (PHttpChannel/PCameras) as a
    case study for future IPC fuzzer hardening
- The Tracking Protection experiment graduated from Firefox Test Pilot
<https://testpilot.firefox.com/experiments/tracking-protection>

Crypto Engineering

- The end of SHA-1 certificates: Following a phased deprecation of SHA-1
in Firefox 51, Firefox 52 explicitly distrusts the use of SHA-1 signatures
in certificates used for HTTPS.
- We’ve begun fuzzing the TLS client and server side of the NSS library,
raising our confidence in the network-facing code used by all Firefoxes
- Mozilla now runs the tier 1 continuous integration tests for the NSS
library internally, without external reliance on RedHat. We’ve also moved
our ARM builds and testing off of local machines and into more stable
cloud-hosted hardware.

Operations Security

- Addons.mozilla.org and Firefox Accounts have been brought into
compliance with Operations Security’s security checklist
<https://wiki.mozilla.org/Security/FoxSec>. These services now have
strong CSP, HSTS, HPKP and various other security improvements.
- Simon Bennetts released version 2.6.0
<https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0> of the
ZAP web security scanner, with a long list of enhancements and bug fixes
from the OWASP community. Noteworthy is the addition of an OpenAPI/Swagger
extension <https://github.com/zaproxy/zap-extensions/pull/765> to
automate the discovery and scanning of REST APIs. We plan on using it to
scan Firefox backend APIs.
- Firefox Screenshots (formerly Pageshot) completed a security review
<https://github.com/mozilla-services/screenshots/issues?utf8=%E2%9C%93&q=is:issue%20label:secreview>
as part of its graduation from the TestPilot program
- TLS Observatory now has the ability to count end-entity certificates
associated with a root or intermediate, and a lightweight web UI
<https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=1820980>
to visualize certs and their paths. We also started loading certificates
from Google’s Aviator CT log, bringing the count of certs
<https://tls-observatory.services.mozilla.com/api/v1/__stats__?format=text>
over 12 million.
- Will Kahn-Greene released Bleach v2.0
<http://bluesock.org/%7Ewillkg/blog/dev/bleach_2_0.html>, a major new
release of this popular Python library used to sanitize HTML in web
applications.

Cross-Team Initiatives

- Shipped pwn2own dot-release in less than 24 hours, great work with
really dedicated engineers and release team
- Shipped a hook
<https://github.com/mozilla-services/third-party-library-alert> into
build machinery to alert when a third party library is out of date
- OneCRL now has entries <https://crt.sh/revoked-intermediates> for about
250 revoked intermediate certs
- Deployed mechanism <https://wiki.mozilla.org/CA:CommonCADatabase> for
CAs to directly provide their annual updates to the Common CA Database, and
have those updates become available to all member root store operators
- Modernized the TLS Canary tool <https://tlscanary.mozilla.org/> for
performance and maintainability improvements including 2-3x perf
improvement, better coverage for sites using redirects and support for
OneCRL

Security Blog Posts & Presentations

In case you missed them, here are some of the blog posts and speaker
presentations we gave over the last quarter:

- New warnings shipping in Firefox to alarm users when passwords are
sent over HTTP
<https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
- Tanvi Vyas, Andrea Marchesini and Christoph Kerschbaumer co-authored
an academic paper
<http://www.scitepress.org/DigitalLibrary/PublicationsDetail.aspx?ID=UoE90ECay/Q=&t=1>
about Origin Attributes, the framework within Firefox that enables First
Party Isolation of cookies (an important TOR feature
<https://blog.torproject.org/blog/tor-heart-firefox>) as well as a
number of upcoming Firefox security features
- Announced the deprecation of SHA-1 on the Public Web
<https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/>
- Francois Marier lectured on how to adopt new browser security features
at ConFoo
<https://speakerdeck.com/fmarier/getting-browsers-to-improve-the-security-of-your-webapp>
- Julien Vehent presented Test Driven Security in Continuous Integration
<https://www.youtube.com/watch?v=e2axToBYD68> at Enigma, a technique we
developed internally
<https://blog.mozilla.org/security/2017/01/25/setting-a-baseline-for-web-security-controls/>
to increase the security of our websites and services.
- Discussed the history and future of CSP
<https://blog.mozilla.org/security/2017/01/29/mozilla-security-bytes-episode-1-csp/>
in the Security Bytes podcast
<https://github.com/mozilla/security-bytes-podcast>
- Released version 2.4 of Mozilla’s CA Certificate Policy
<https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/>

pther...@mozilla.com

May 1, 2017, 4:58:47 PM
to mozilla-de...@lists.mozilla.org
For reasons that escape me right now, this email was plaintext only, which makes this pretty unreadable. For an easier to read version (and archives of previous newsletters), see our wiki: https://wiki.mozilla.org/SecurityEngineering/Newsletter

Regards,
Paul
