Hello,
Here comes our Q3 edition of the Firefox Security & Privacy Newsletter.
The shareable link for this newsletter is
<
https://wiki.mozilla.org/Firefox_Security_Newsletter/FSN-2020-Q3>
(References are in footnotes at the bottom, due to the text-only
mailing list. You can always read on the wiki instead).
The various security and privacy teams at Mozilla work in different
parts of the org, and on different projects, but with one goal in
common: to improve every aspect of Firefox’s security and privacy, and
to keep our users safe. Since not all of these projects are directly
visible to everyone, we’ve pulled together the highlights from July,
August, and September. We also want to use this newsletter to
acknowledge contributions of folks whose day job isn’t specifically
privacy/security-related but have improved things in their areas and
have made our protections tighter.
To ease consumption of the many improvements listed within this
newsletter, we have grouped them into the following categories:
- Product Security & Privacy, showcasing new Security & Privacy
Products, Features and Services.
- Core Security, outlining Security and Hardening efforts within the
Firefox Platform.
- Cryptography, showcasing improvements to connection security.
- Fuzzing, providing updates for automated security testing and
analysis.
- Web Security, highlighting the support of new web application
security features.
- Policy & Bug Bounty, providing updates on security policy
development.
Note: Some of the bugs linked below might not be accessible to the
general public and are still restricted to specific work groups. [We
derestrict fixed security bugs after a grace-period][], until the
majority of our user population have received their updates.
[We derestrict fixed security bugs after a grace-period]:
https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html#keeping-private-information-private
Product Security & Privacy
Firefox Password Manager: We have made a variety of small yet
significant changes to our password manager.
- When a user types into a password field, a key icon will immediately
appear in the address bar. The icon will help make the “save
password” panel more discoverable, and this behavior also aligns
with Chrome.
- The password manager will also now [autofill logins][] and [show the
key icon][] on some pages where it previously didn’t work.
- Backups of logins.json (where saved logins are stored) are now
created in the profile folder and [automatically used to restore
logins when logins.json is missing or corrupt][]. This feature
addresses recurring, low-volume user complaints.
- The optional [Master Password feature has been renamed to Primary
Password][] to make it more inclusive and [text has been added in
preferences about the name change][].
*Tab-Modal Prompts: *Firefox system prompts can be abused for DoS
(Denial-of-Service) attacks by websites. They are not rate-limited and
can be spammed through Web APIs. Tab-Modal Prompts is our technique to
eliminate this DoS attack vector by migrating window prompts to a new
prompt type, tab level prompts.
We’ve cut over our first two prompts to the new [TabDialogBox][]:
[external protocol dialog][]s and[ dialogs for HTTP
authentication][].
DNS over HTTPS (DoH): Earlier this year, we rolled out [DoH][] to 100%
of our Release channel users in the US. We are now working on extending
our capabilities to support international rollouts. Meanwhile, the DoH
front-end has been converted from a system add-on into a [JSM][]
component. In case any of our support pages mention “add-on” or
“extension,” it’s worth noting that the DoH front-end is now directly
integrated with Firefox and is no longer an add-on.
*Enhanced Tracking Protection (ETP): *We introduced “redirect
tracking protection” to ETP. [Redirect tracking][] is an advanced
tracking technique, also known as bounce tracking. We have rolled out
[ETP 2.0][] to [block redirect trackers by default][] since Firefox 79.
Once every 24 hours ETP 2.0 will completely clear out any cookies and
site data stored by known trackers. This prevents redirect trackers from
being able to build a long-term profile of your activity.
*Research & Academia: *Steven Englehardt published two papers: The
first titled [No boundaries: data exfiltration by third parties
embedded on web pages ][]was presented at [Privacy Enhancing
Technologies Symposium 2020][]. The second titled [Fingerprinting the
Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors][]
will be presented at the [42nd Symposium on Security and Privacy in
2021][]. One of the co-authors, Umar Iqbal, was a 2019 Security Research
Intern in the Security and Privacy Engineering Team.
[autofill logins]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1653138
[show the key icon]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1638587
[automatically used to restore logins when logins.json is missing or corrupt]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1593467
[Master Password feature has been renamed to Primary Password]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1644807
[text has been added in preferences about the name change]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1653798
[TabDialogBox]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1650795
[external protocol dialog]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1661030
[ dialogs for HTTP authentication]:
https://bugzilla.mozilla.org/show_bug.cgi?id=613785
[DoH]:
https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/
[JSM]:
https://developer.mozilla.org/en-US/docs/Mozilla/JavaScript_code_modules
[Redirect tracking]:
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Redirect_Tracking_Protection#Redirect_tracking_defined
[ETP 2.0]:
https://blog.mozilla.org/blog/2020/08/04/latest-firefox-rolls-out-enhanced-tracking-protection-2-0-blocking-redirect-trackers-by-default/
[block redirect trackers by default]:
https://blog.mozilla.org/security/2020/08/04/firefox-79-includes-protections-against-redirect-tracking/
[No boundaries: data exfiltration by third parties embedded on web pages ]:
https://petsymposium.org/2020/files/papers/issue4/popets-2020-0068.pdf
[Privacy Enhancing Technologies Symposium 2020]:
https://petsymposium.org/2020/program.php
[Fingerprinting the Fingerprinters: Learning to Detect Browser
Fingerprinting Behaviors]:
https://arxiv.org/abs/2008.04480
[42nd Symposium on Security and Privacy in 2021]:
https://www.ieee-security.org/TC/SP2021/
Core Security
*Visibility: *Aiming to increase transparency on Mozilla’s Security
and Privacy efforts we have published articles highlighting technical
insights of these efforts on the [Attack & Defense Blog][]. In the
months of July, August and September:
- We have provided technical details about our hardening efforts:
[Hardening Firefox against Injection Attacks – The Technical
Details][]
- Published the second part of how Firefox enforces Web security
checks like the same-origin-policy and other relevant security
checks: [Understanding Web Security Checks in Firefox (Part 2)][]
- We have added the Exploit Mitigation Bounty to our bug bounty
program: [Bug Bounty Program Updates: Adding (another) New Class of
Bounties][]
- We provided insights regarding our Bug Bounty Program with a
contributor’s view of a security bug through a [Guest Blog Post:
Rollback Attack][]
- We provided technical insights into our JavaScript engine and how it
translates the high level language of the web into machine code:
[Inspecting Just-in-Time Compiled JavaScript][]
In addition to the above articles featured on our Blog, we have also
published insights into Firefox-related bugs, news about browser
security in general and further bite-sized security announcements on our
[Attack & Defense Twitter account][].
*Hardening Firefox: *We have [locked down security checks within our
Security Manager][] by only allowing packaged user interface resources
to load if explicitly allow-listed. To accomplish this hardening effort
we had to repackage lots of our CSS resources to load using the internal
chrome: protocol. In addition to increasing security, this effort led to
performance improvements for parts in DevTools and Activity Stream.
*Research & Academia: *Christoph Kerschbaumer gave a talk at [SecWeb
2020][] presenting techniques which allow to protect Firefox, and Web
Applications in general, against code injection attacks. In addition to
the presented hardening techniques he was further invited to serve on
the Panel discussing the topic: Designing Security for the Web.
[Attack & Defense Blog]:
https://blog.mozilla.org/attack-and-defense/
[Hardening Firefox against Injection Attacks – The Technical Details]:
https://blog.mozilla.org/attack-and-defense/2020/07/07/hardening-firefox-against-injection-attacks-the-technical-details/
[Understanding Web Security Checks in Firefox (Part 2)]:
https://blog.mozilla.org/attack-and-defense/2020/08/05/understanding-web-security-checks-in-firefox-part-2/
[Bug Bounty Program Updates: Adding (another) New Class of Bounties]:
https://blog.mozilla.org/attack-and-defense/2020/08/18/exploit-mitigation-bounty/
[Guest Blog Post: Rollback Attack]:
https://blog.mozilla.org/attack-and-defense/2020/10/12/guest-blog-post-rollback-attack/
[Inspecting Just-in-Time Compiled JavaScript]:
https://blog.mozilla.org/attack-and-defense/2020/09/15/inspecting-just-in-time-compiled-javascript/
[Attack & Defense Twitter account]:
https://twitter.com/attackndefense
[locked down security checks within our Security Manager]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1145314
[SecWeb 2020]:
https://secweb.work/
Cryptography
Crypto Improvements: Our P384 and P521 elliptic curve code has been
replaced with constant-time, formally-verified, and more performant
implementations from [Fiat-Crypto][] and[][1][ECCKiila][1]. We published
a [blog post][] on these and similar efforts. Separately, we improved
[SHA1][] and [SHA256][] performance on ARM by 3x, [Curve25519][]
performance on 64-bit Windows by 5x, and [Big Integer arithmetic][] on
MacOS by 2x.
CA Program: Effective September 1, the [allowed certificate lifetime of
TLS server certificates is 398 days,][] which is a result of the
CA/Browser Forum’s Browser Alignment Ballot. Also in Q3, the CA Program
alerted the EU Commission to concerns about Qualified Website
Authentication Certificates (QWACs). We also prepared a set of proposed
revisions to the Root Store Policy, for which public discussion will
take place during Q4. Root Certificate Authorities in NSS are also
[updated][] in Fx82.
*Research & Academia: *Thyla van der Merwe published a paper titled
[Designing Reverse Firewalls for the Real World][] which was presented
at the [25th European Symposium On Research In Computer Security
2020.][] Further, Benjamin Beurdouche published a paper titled [HACLxN:
Verified Generic SIMD Crypto][] which was presented at the [Conference
on Computer and Communications Security (CCS) 2020.][]
[Fiat-Crypto]:
https://github.com/mit-plv/fiat-crypto
[1]:
https://gitlab.com/nisec/ecckiila/
[blog post]:
https://blog.mozilla.org/security/2020/07/06/performance-improvements-via-formally-verified-cryptography-in-firefox/
[SHA1]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1650702
[SHA256]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1528113
[Curve25519]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1642802
[Big Integer arithmetic]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1656981
[allowed certificate lifetime of TLS server certificates is 398 days,]:
https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
[updated]:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes#Certificate_Authority_Changes
[Designing Reverse Firewalls for the Real World]:
https://link.springer.com/chapter/10.1007/978-3-030-58951-6_10
[25th European Symposium On Research In Computer Security 2020.]:
https://www.surrey.ac.uk/esorics-2020
[HACLxN: Verified Generic SIMD Crypto]:
https://eprint.iacr.org/2020/572.pdf
[Conference on Computer and Communications Security (CCS) 2020.]:
https://www.sigsac.org/ccs/CCS2020/accepted-papers.html
Fuzzing
*LibFuzzer: *We have upgraded our [in-tree libfuzzer][] to the
latest version which provides our fuzzing targets with various
improvements such as the recent [entropic][] functionality.
ThreadSanitizer: We also continued to push the ThreadSanitizer (TSan)
project forward, eliminated more data races (both from backlog and new
test suites) and made TSan ready for fuzzing. In the future, we plan to
run even more CI on TSan to further improve the overall stability and
security of our products. If you want to work with this and other
sanitizers, make sure to also check out our [new sanitizer
documentation][].
Research & Academia: Christian Holler gave [a talk][] about the human
component in bug finding at FuzzCon EU 2020. This talk is particularly
interesting for people who want to deploy fuzzing in larger projects or
companies and focuses on related non-technical issues.
[in-tree libfuzzer]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1656463
[entropic]:
https://reviews.llvm.org/D73776
[new sanitizer documentation]:
https://firefox-source-docs.mozilla.org/tools/sanitizer/index.html
[a talk]:
https://www.youtube.com/watch?v=ifc2C5fLIWU
Web Security
*Content Security & FIssion: *We have finalized and eliminated
corner cases for making all of our Content Security features (e.g. Mixed
Content Blocker, Content Security Policy, and more) compliant with the
[Fission architecture][]. This brings us yet a little closer to shipping
our Site Isolation mechanism by default.
*Sanitizer API: *We started to implement a prototype for a
[Sanitizer API][] which allows us to convert strings containing HTML to
return a safe version of that string, making sure that no JavaScript can
execute in an unexpected way. This effectively helps to prevent XSS in
web applications.
[Fission architecture]:
https://wiki.mozilla.org/Project_Fission
[Sanitizer API]:
https://bugzilla.mozilla.org/show_bug.cgi?id=1650370
Policy & Bug Bounty
*Security Advisories: *We have published [Security Advisories][] for
our products which provide meaningful information about critical
security fixes.
*Bug Bounty Update: *In addition to recent efforts where we have
[increased bounty payouts][] and also included [a Static Analysis
component ][]in our bounty program, we have now extended our Bug
Bounty Policy to also include a [Exploit Mitigation Bug bounty][]. This
will hopefully attract even more bug bounty hunters to our program.
*Bug Bounty Hall of Fame: *To show appreciation and to give credit
where credit is due, we have updated our [Firefox Bug Bounty Hall of
Fame][]. This Hall of Fame lists researchers and bug bounty hunters
which have helped make Firefox and the open web a more secure place for
all of us - Thank you all!
[Security Advisories]:
https://www.mozilla.org/en-US/security/advisories/
[increased bounty payouts]:
https://blog.mozilla.org/attack-and-defense/2020/04/23/bug-bounty-2019-and-future/
[a Static Analysis component ]:
https://blog.mozilla.org/attack-and-defense/2019/11/14/adding-codeql-and-clang-to-our-bug-bounty-program/
[Exploit Mitigation Bug bounty]:
https://blog.mozilla.org/attack-and-defense/2020/08/18/exploit-mitigation-bounty/
[Firefox Bug Bounty Hall of Fame]:
https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/
Going Forward
Thanks to everyone involved in making Firefox and the Open Web more
secure and privacy-respecting. Since we are already in Q4, please do not
forget to add your items to the [Q4 security privacy newsletter
collection document][] so that they will show up in the next iteration
of the Security Privacy newsletter.
In the name of everyone improving Security and Privacy within Firefox,
Mozilla and the Open Web,
Christoph, Ethan, Freddy, Tom
[Q4 security privacy newsletter collection document]:
https://docs.google.com/document/d/1WQxittEUHwtkOXoWfTZInolO53pMMTyw7O9a6ECv9oM/edit