Firefox Security Newsletter - Q2 2020


Frederik Braun

Aug 6, 2020, 3:49:31 AM
to dev-platform, Firefox Dev
Hello fellow Mozillians,

Here comes our third edition of the Firefox Security & Privacy Newsletter.
The shareable link for this newsletter is
<https://wiki.mozilla.org/Firefox_Security_Newsletter/FSN-2020-Q2>
(References are in footnotes at the bottom, due to the text-only
mailing list. You can always read on the wiki instead).

The various security and privacy teams at Mozilla work in different
parts of the org on different projects, but with one goal in common: to
improve every aspect of Firefox’ security and privacy and to keep our
users safe. Since not all of these projects are directly visible to
everyone, we’ve pulled the highlights from April, May, and June. And we
also want to use this newsletter to acknowledge contributions of folks
whose day job isn’t specifically privacy/security but have improved
things in their areas and ratcheted our protections tighter.

To ease consumption of the many improvements listed within this
newsletter, we have grouped them into the following categories:

- PRODUCT SECURITY, showcasing new Security Products, Features and
Services.
- PRODUCT PRIVACY, showcasing new Privacy Products, Features and
Services.
- CORE SECURITY, outlining Security and Hardening efforts within the
Firefox Platform.
- CRYPTOGRAPHY, showcasing improvements to connection security.
- FUZZING, providing updates for automated security testing and
analysis.
- WEB SECURITY, highlighting the support of new web application
security features.
- POLICY & BUG BOUNTY, providing updates on security policy
development.

_Note: Some of the bugs linked below might not be accessible to the
general public and are still restricted to specific work groups._ [_We
derestrict fixed security bugs after a grace-period_][]_, until the
majority of our user population have received their updates._


Product Security

TAB MODAL PROMPTS. Firefox system prompts could be abused for DoS attacks
by websites. They were not rate limited and could be spammed through web
APIs. Since most of these prompts were window modal, they took exclusive
focus, making the user unable to interact with the main browser window
before closing the prompt. In severe cases this could lead to the browser
freezing, crashing, or exhausting system memory. This year, we eliminated
this DoS attack vector by migrating window prompts to a new prompt type,
[tab level prompts][], which is shown per tab, cannot be spammed by
websites, and still allows the user to switch tabs or close the main
browser window while a prompt is open.

CERTIFICATE VIEWER. Previously, it was difficult to access certificate
information: the only way was to view a specific certificate either from
a website's page info or from the about:preferences#privacy section. This
year, we created a new certificate viewer. You can quickly access all of
your certificate information by browsing to the about:certificate page.

FIREFOX PASSWORD MANAGER. The Password Manager integrated a new machine
learning model, powered by [Fathom][], which allows users to generate
passwords on more webpages. We increased the number of generated
passwords by 360% in Firefox 76 where more than 1.6 million passwords
are generated per week. The login autocomplete popup also appears 30%
faster due to [a performance fix][].

To bring Fenix to parity on login filling, [a GeckoView login
autocomplete API][] was implemented and also includes generated
passwords. Work is in progress to use this API in Fenix.

Further, about:logins now [warns users about vulnerable passwords][].
This new security feature locally checks for password re-use with saved
breached logins (i.e. a saved password is the same as one for a breached
login). Users are encouraged to change these passwords, hopefully using
password generation to improve their password hygiene. A new option was
added to the about:logins menu to export all logins to a CSV file, e.g.
for backup or migration purposes.

In order to help people save passwords on all websites, the key icon now
appears in the address bar whenever a password field is edited, rather
than waiting until a form submission is detected. The option to delete a
saved password also appears in the doorhanger to update a saved password
in case a user no longer wants to save that password in Firefox.

FIREFOX MOBILE. On Mobile, the Firefox Journey team helped to switch v25
of Firefox for iOS from Firefox Accounts client integration to the
shared [Application Services Rust component][]. Under the hood it
replaces over 5,000 lines of difficult-to-maintain [crypto-related
code][]—including certificate signing and subtle key management logic,
the ghosts of Persona past—with a light wrapper around some shared
cross-platform [Rust code][].


Product Privacy

PROTECTIONS DASHBOARD. Firefox has been providing a [Protections
Dashboard][], which provides insights into how users are tracked online,
since last year. To provide yet better insights for users and to protect
their online lives we took the next step by rolling out new features to
[Protections Dashboard][1] in [Firefox 78][]. The new features allow you
to:

- See if any of your saved passwords may have been exposed in a data
breach.
- Track how many breaches you have resolved right from the dashboard.

ENHANCED TRACKING PROTECTION. We have updated [Enhanced Tracking
Protection][] (ETP), one of our core features for protecting user
privacy, to be fully compliant with the [Fission][] architecture,
bringing us one step closer to shipping it by default.

We took a further step on tracking protection by developing
“[Dynamic First Party Isolation (dFPI)][]” to eliminate cross-site
tracking. dFPI prevents tracking even better than ETP and breaks fewer
websites than FPI. [dFPI][] is now enabled as the default cookie policy
on Nightly.

We also implemented [Cookie Purging][], which periodically clears the
cookies and site data of known tracking domains without user
interaction, primarily to protect against redirect/bounce tracking.
Cookie Purging shipped in Firefox 79.

The WebExtensions team landed v3 of the AddOns blocklist. This
architectural improvement allows us to more efficiently block
significantly larger numbers of add-ons than before. Further, the
WebExtensions team migrated most permissions to optional permissions,
allowing smoother add-on update processes and future user control over
them.

CONTAINERS. We improved [Multi-Account Containers][] with updates that
include a new UX/UI and support for using Firefox Sync to synchronize
containers and their settings across Firefox installs.

FIREFOX RELAY. We launched [Firefox Relay][] Beta, a preliminary version
of a new privacy service that lets you generate email aliases that
forward to your real email inbox. It protects you by hiding your real
email address and hence reduces unwanted emails.

[DNS OVER HTTPS][] has now been [rolled out][] to 100% of our
release-channel users in the US. We [partnered][] with [Comcast][] to
enable their own DoH endpoint for users on their networks. Under the
hood, the heuristics responsible for enabling/disabling DoH on different
networks have been greatly improved to be more reliable and consistent.

Finally, a big thank you for the following contribution improving
Product Privacy aspects of Firefox:

- Volunteer Tfobias added functionality for [merging CSP headers from
multiple extensions][], which allows using, e.g., uMatrix and
uBlock Origin together.


Core Security

We launched the new [Attack & Defense Blog][], providing insights into
our Security and Privacy efforts as well as the implementation details
behind many of our features. By being more transparent about our work,
we allow researchers, security-minded people and bug bounty hunters to
verify and investigate our code.

In the months of April, May and June we have:

- Increased clarity for participation in our Bug Bounty Program, and
announced higher payouts within the post [Firefox’s Bug Bounty in
2019 and into the Future][]
- Provided technical insights into our Fuzzing efforts to eliminate
security problems within our WebIDL bindings: [Fuzzing Firefox with
WebIDL][] (see also the Fuzzing update below for more details).
- Published CodeQL databases, making it easier for anyone to perform
CodeQL-based static analysis on Firefox releases: [Firefox CodeQL
Databases Available for Download][]
- Showcased technical insights into how Firefox enforces Web Security
Checks like the same-origin policy: [Understanding Web Security
Checks in Firefox (Part 1)][]
- Announced sponsoring of a fuzzer for a Real Time Streaming Protocol
(RTSP) server; RTSP is used in browsers, media players and media
editors, and the effort aims to make open source software more secure:
[Sponsoring an RTSP Server Fuzzer][]

Corresponding to the above mentioned new A&D Blog, we also launched an
[Attack & Defense Twitter account][], which will provide updates and
insights into Firefox related bugs, bite-sized security announcements
and acts as a high-signal source of news about browser security in
general.

We published an academic paper, titled [Hardening Firefox against
Injection Attacks][] (to appear at [SecWeb – Designing Security for the
Web][]), which describes techniques we have incorporated into Firefox to
provide defense in depth against code injection attacks.

As described in that paper, we restricted fetching non-UI resources in
system-privileged contexts. Even though we are currently in a grace
period in which some fetches are still allowed, we are confident that
our Telemetry numbers will allow us to strictly enforce this new
defense-in-depth security mechanism in Q3.

We updated the infrastructure for our sandbox processes by upgrading to
the latest [Chromium sandbox code][] (from 74.0.3729.169 to
81.0.4044.129).

The new socket process is available on Nightly and going to be turned on
for Beta soon. It is sandboxed on Windows, Mac, and Linux and at first
it will be used for WebRTC traffic.

Finally, a big thank you for the following contributions improving Core
Security aspects of Firefox:

- Emilio addressed a long-standing source of side channel attacks that
detected :visited link status using redraw timing by [always
repainting links regardless of visited status][].
- gcp landed best-effort [memory layout randomization][] in
non-content processes, making it harder to perform memory corruption
across the IPC boundary.
- Volunteer Masatoshi [got rid of forcePermissiveCOWs()][], and Shane
[dropped usage of allow_unsafe_parent_loads from extension tests][]
– bringing us closer to getting rid of the
security.turn_off_all_security_so_that_viruses_can_take_over_this_computer
preference. The major blocker here is the [remaining tests][] that
enable unsafe_parent_loads, two-thirds of which are in DevTools.


Cryptography

We have enabled [Client certificates provided by the operating system][]
on Windows and macOS by default in Nightly. Rather than loading
third-party libraries, we have developed our own library which allows
Firefox to interface with the certificate storage provided by the
operating system. In turn, this new library brings more stability to
Firefox users.

The [Common CA Database (CCADB)][], a repository of information about
Certificate Authorities (CAs), is enabling academic researchers to study
and evaluate CA audit histories. In summary, this database provides
insights into how well CAs are meeting their obligations and therefore
provides a meaningful security mechanism to help keep the Web safe.

Our formally-verified crypto implementations have been updated with
wider support for hardware acceleration, which brings performance
improvements in the area of Crypto to Firefox. In this [blog post][] we
describe the changes, improvements, and our roadmap.

As part of a browser-coordinated effort to move the TLS ecosystem
forward, and to heed the [advice of the IETF][], we have [disabled TLS
1.0 and TLS 1.1][] by default in Firefox Release (Firefox 78). We expose
an override button should it really be needed. Other browsers, including
[Chrome][] and [Edge][] announced shipping similar changes in mid-July.
Deprecation of TLS 1.0 and TLS 1.1 further allowed us to disable all
[DHE-based ciphersuites][] starting with Firefox 78.


Fuzzing

We have extended our general purpose browser fuzzing framework named
[Grizzly][] by a Replay-Mode which allows easy collection of logs, rr
traces, bug verification and additionally allows for test case
reduction.

We have developed [Bugmon][], a tool for automating the analysis of bugs
filed against Firefox and SpiderMonkey (Firefox’ JavaScript engine). It
is capable of automatically confirming open bugs, verifying closed bugs,
and bisecting the introduction or the fix of a bug.

We have built a fuzzer which allows automated testing of our WebIDL
bindings. We have summarized our insights and provide detailed
information in the blog post: [Fuzzing with WebIDL (Moz Hacks)][]

We have assembled a tutorial for [fuzzing using libfuzzer][]. The
fuzzing interface is glue code living in mozilla-central that makes it
easier for security researchers to fuzz-test C/C++ code.

Our [ThreadSanitizer][] build has settled in CI and we’ve started to
fuzz Firefox with it. So far this sanitizer has revealed 44 new bugs,
many of which have already been fixed. The backlog of suppressed bugs is
steadily shrinking, and we managed to reduce that number by about 10% in
Q2.


Web Security

We’ve updated all of our Content Security features (Content Security
Policy, Mixed Content Blocker, x-frame-options, and more) to be fully
compliant with the [Fission architecture][Fission]. Even though we’re
not shipping Fission as a site isolation mechanism yet, this brings us
closer to shipping Fission by default.

We’ve expanded support of _X-Content-Type-Options: nosniff_ to page
loads. While Firefox has supported the HTTP nosniff header for
subresources since [Firefox 50][], Firefox 75 and later extend that
support to [page loads][] as well, mitigating MIME confusion attacks.

We added fundamental support for the [Sec-Fetch-*][] header family to
Nightly. We are currently fixing corner cases and improving performance,
but hope to bring that web application security feature to a Firefox
release version before the end of the year.

We added permanent partitioning to nearly all network state in Nightly
to support Dynamic First-Party Isolation. This partitioning mechanism
provides a solid separation of permanent state and hence allows us to
eliminate cross-site leaks of all kinds.


Policy & Bug Bounty

To show appreciation and to give credit where credit is due, we have
re-structured and updated our [Firefox Bug Bounty Hall of Fame][]. This
Hall of Fame lists researchers and bug bounty hunters who have helped
make Firefox and the open web a more secure place for all of us – Thank
you all!

We have extended [Security Advisories][] for our Products to also
include Firefox for iOS. Those security advisories provide meaningful
information about critical security fixes and are now part of the
release process for iOS as well.

We have updated our Bug Bounty Policy, announcing higher payouts for
client bug bounties, along with increased clarity for submissions and a
retrospective on bounties paid out. See details in the post: [Firefox’s
Bug Bounty in 2019 and into the Future][].


Going Forward

Thanks to everyone involved in making Firefox and the open web more
secure and privacy respecting. Since we are already in Q3, please do not
forget to add your items to the [Q3 security privacy newsletter
collection document][] so it will show up in the next iteration of the
Security Privacy newsletter.



In the name of everyone improving Security and Privacy within Firefox,
Mozilla and the open web,

Christoph, Ethan, Freddy, Tom

[_We derestrict fixed security bugs after a grace-period_]:
https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html#keeping-private-information-private
[tab level prompts]: https://bugzilla.mozilla.org/show_bug.cgi?id=1629808
[Fathom]: https://mozilla.github.io/fathom/intro.html
[a performance fix]: https://bugzilla.mozilla.org/show_bug.cgi?id=1630681
[a GeckoView login autocomplete API]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1618058
[warns users about vulnerable passwords]:
https://blog.mozilla.org/firefox/trust-firefox-with-your-passwords/
[Application Services Rust component]:
https://mozilla.github.io/application-services/docs/accounts/fxa-client-ios.html
[crypto-related code]: https://github.com/mozilla-mobile/firefox-ios/pull/6388
[Rust code]: https://github.com/mozilla-mobile/firefox-ios/pull/6328
[Protections Dashboard]:
https://blog.mozilla.org/blog/2019/10/22/latest-firefox-brings-privacy-protections-front-and-center-letting-you-track-the-trackers/
[1]: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop#w_protections-dashboard
[Firefox 78]: https://www.mozilla.org/en-US/firefox/78.0/releasenotes/
[Enhanced Tracking Protection]:
https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
[Fission]: https://wiki.mozilla.org/Project_Fission
[Dynamic First Party Isolation (dFPI)]:
https://docs.google.com/document/d/1-guhUloq_O_H7B7o_sdpKjAjgiil9IzC5qdnXrR_ui4/edit?usp=sharing
[dFPI]: https://bugzilla.mozilla.org/show_bug.cgi?id=1549587
[Cookie Purging]:
https://docs.google.com/document/d/11bH7K2U-7Qku1oTjdlMiyjlBthMlFlH1BIVIIv1cuow/edit?usp=sharing
[Multi-Account Containers]:
https://addons.mozilla.org/firefox/addon/multi-account-containers/
[Firefox Relay]: https://relay.firefox.com/
[DNS OVER HTTPS]: https://support.mozilla.org/en-US/kb/firefox-dns-over-https
[rolled out]:
https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/
[partnered]: https://blog.mozilla.org/blog/2020/06/25/comcasts-xfinity-internet-service-joins-firefoxs-trusted-recursive-resolver-program/
[Comcast]: https://blog.mozilla.org/blog/2020/06/26/more-details-on-comcast-as-a-trusted-recursive-resolver/
[merging CSP headers from multiple extensions]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1462989
[Attack & Defense Blog]: https://blog.mozilla.org/attack-and-defense/
[Firefox’s Bug Bounty in 2019 and into the Future]:
https://blog.mozilla.org/attack-and-defense/2020/04/23/bug-bounty-2019-and-future/
[Fuzzing Firefox with WebIDL]:
https://blog.mozilla.org/attack-and-defense/2020/05/12/fuzzing-firefox-with-webidl/
[Firefox CodeQL Databases Available for Download]:
https://blog.mozilla.org/attack-and-defense/2020/05/25/firefox-codeql-databases-available-for-download/
[Understanding Web Security Checks in Firefox (Part 1)]:
https://blog.mozilla.org/attack-and-defense/2020/06/10/understanding-web-security-checks-in-firefox-part-1/
[Sponsoring an RTSP Server Fuzzer]:
https://blog.mozilla.org/attack-and-defense/2020/06/15/sponsoring-an-rtsp-server-fuzzer/
[Attack & Defense Twitter account]: https://twitter.com/attackndefense
[Hardening Firefox against Injection Attacks]:
https://research.mozilla.org/files/2020/05/hardening_firefox_against_injection_attacks.pdf
[SecWeb – Designing Security for the Web]: https://secweb.work/
[Chromium sandbox code]: https://bugzilla.mozilla.org/show_bug.cgi?id=1639030
[always repainting links regardless of visited status]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1632765
[memory layout randomization]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1553717
[got rid of forcePermissiveCOWs()]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1481640
[dropped usage of allow_unsafe_parent_loads from extension tests]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1644287
[remaining tests]:
https://searchfox.org/mozilla-central/search?q=allow_unsafe_parent_loads
[Client certificates provided by the operating system]:
https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/
[Common CA Database (CCADB)]: https://www.ccadb.org/
[blog post]: https://blog.mozilla.org/security/2020/07/06/performance-improvements-via-formally-verified-cryptography-in-firefox/
[advice of the IETF]:
https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-06
[disabled TLS 1.0 and TLS 1.1]:
https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/
[Chrome]: https://blog.chromium.org/2019/10/chrome-ui-for-deprecating-legacy-tls.html
[Edge]: https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/
[DHE-based ciphersuites]: https://bugzilla.mozilla.org/show_bug.cgi?id=1496639
[Grizzly]: https://github.com/MozillaSecurity/grizzly
[Bugmon]: https://github.com/MozillaSecurity/bugmon
[Fuzzing with WebIDL (Moz Hacks)]:
https://hacks.mozilla.org/2020/04/fuzzing-with-webidl/
[fuzzing using libfuzzer]:
https://firefox-source-docs.mozilla.org/tools/fuzzing/fuzzing_interface.html
[ThreadSanitizer]: https://bugzilla.mozilla.org/show_bug.cgi?id=929478
[Firefox 50]:
https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/
[page loads]:
https://blog.mozilla.org/security/2020/04/07/firefox-75-will-respect-nosniff-for-page-loads/
[Sec-Fetch-*]: https://bugzilla.mozilla.org/show_bug.cgi?id=1508292
[Firefox Bug Bounty Hall of Fame]:
https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/
[Security Advisories]: https://www.mozilla.org/en-US/security/advisories/
[Q3 security privacy newsletter collection document]:
https://docs.google.com/document/d/1-nJvnHetOHip8ptTlFCtj6zlZoYruUndD1fjUTLb4DA/edit#