Firefox Security Newsletter/FSN-2020-Q2
Contents
Firefox Security & Privacy Newsletter 2020-Q2
The shareable link for this newsletter and the back issues is at https://wiki.mozilla.org/Firefox_Security_Newsletter
The various security and privacy teams at Mozilla work in different parts of the org on different projects, but with one goal in common: to improve every aspect of Firefox’ security and privacy and to keep our users safe. Since not all of these projects are directly visible to everyone, we’ve pulled the highlights from April, May, and June. And we also want to use this newsletter to acknowledge contributions of folks whose day job isn’t specifically privacy/security but have improved things in their areas and ratcheted our protections tighter.
To ease consumption of the many improvements listed within this newsletter, we have grouped them into the following categories:
- Product Security, showcasing new Security Products, Features and Services.
- Product Privacy, showcasing new Privacy Products, Features and Services.
- Core Security, outlining Security and Hardening efforts within the Firefox Platform.
- Cryptography, showcasing improvements to connection security.
- Fuzzing, providing updates for automated security testing and analysis.
- Web Security, highlighting the support of new web application security features.
- Policy & Bug Bounty, providing updates on security policy development.
Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. We derestrict fixed security bugs after a grace-period, until the majority of our user population have received their updates.
Product Security
Tab Modal Prompts. Firefox system prompts can be abused for DoS attacks by websites. They are not rate limited and can be spammed through web APIs. Since most of these prompts are window modal, they take exclusive focus, making the user unable to interact with the main browser window before closing the prompt. In severe cases this can lead to the browser freezing crashing and system memory exhaustion. This year, we eliminated this DoS attack vector by migrating window prompts to a new prompt type, tab level prompts, which is shown per tab, can not be spammed by websites and still allows the user to switch tabs or close the main browser window while it is open.
Certificate Viewer. Previously, it’s difficult to access certificate information. The only way was to view a specific certificate either from a website info page or from the about:preferences#privacy section. This year, we created a new certificate viewer. You can quickly access all of your certificate information by browsing the about:certificate page.
Firefox Password Manager. The Password Manager integrated a new machine learning model, powered by Fathom, which allows users to generate passwords on more webpages. We increased the number of generated passwords by 360% in Firefox 76 where more than 1.6 million passwords are generated per week. The login autocomplete popup also appears 30% faster due to a performance fix.
To bring Fenix to parity on login filling, a GeckoView login autocomplete API was implemented and also includes generated passwords. Work is in progress to use this API in Fenix.
Further, about:logins now warns users about vulnerable passwords. This new security feature locally checks for password re-use with saved breached logins (i.e. a saved password is the same as one for a breached login). Users are encouraged to change these passwords, hopefully using password generation to improve their password hygiene. A new option was added to the about:logins menu to export all logins to a CSV file, e.g. for backup or migration purposes.
In order to help people save passwords on all websites, the key icon now appears in the address bar whenever a password field is edited, rather than waiting until a form submission is detected. The option to delete a saved password also appears in the doorhanger to update a saved password in case a user no longer wants to save that password in Firefox.
Firefox Mobile. On Mobile, the Firefox Journey team helped to switch v25 of Firefox for iOS from Firefox Accounts client integration to the shared Application Services Rust component. Under the hood it replaces over 5,000 lines of difficult-to-maintain crypto-related code—including certificate signing and subtle key management logic, the ghosts of Persona past—with a light wrapper around some shared cross-platform Rust code.
Product Privacy
Protections Dashboard. Firefox has been providing a Protections Dashboard, which provides insights into how users are tracked online, since last year. To provide yet better insights for users and to protect their online lives we took the next step by rolling out new features to Protections Dashboard in Firefox 78. The new features allow you to:
- See if any of your saved passwords may have been exposed in a data breach.
- Track how many breaches you have resolved right from the dashboard.
Enhanced Tracking Protection. We have updated Enhanced Tracking Protection (ETP), one of our core features for protecting user privacy, to be fully compliant with the Fission architecture, bringing us one step closer to shipping it by default.
We took a further step on tracking protection. We developed the technology “Dynamic First Party Isolation (dFPI)” to eliminate cross-site tracking. dFPI can prevent tracking even better than ETP and break less websites than FPI. dFPI was enabled as the default cookie policy on Nightly now.
We also implemented a feature Cookie Purging. It will periodically clear cookies and site data of known tracking domains without user interaction, primarily to protect against redirect/bounce tracking. Cookie Purging was shipped on Firefox 79.
The WebExtensions team landed v3 of the AddOns blocklist. This architectural improvement allows us to more efficiently block significantly larger numbers of add-ons than before. Further, the WebExtensions team migrated most permissions to optional permissions, allowing smoother add-on update processes and future user control over them.
Containers. We improved Multi-Account Containers Updates including new UX/UI and support to use Firefox Sync to synchronize Containers and also settings across Firefox installs.
Firefox Relay. We launched Firefox Relay Beta, a preliminary version of a new privacy service that lets you generate email aliases that forward to your real email inbox. It protects you by hiding your real email addresses and hence unwanted emails.
DNS over HTTPS has now been rolled out to 100% of our release-channel users in the US. We partnered with Comcast to enable their own DoH endpoint for users on their networks. Under the hood, the heuristics responsible for enabling/disabling DoH on different networks have been greatly improved to be more reliable and consistent.
Finally, a big thank you for the following contribution improving Product Privacy aspects of Firefox:
- Volunteer Tfobias added functionality for merging CSP headers from multiple extensions, which allows to use e.g. uMatrix and uBlockOrigin together.
Core Security
We launched the new Attack & Defense Blog providing insights into Security and Privacy efforts as well as the implementation details behind many of our features. By being yet more transparent of our work we allow researchers, security minded people and bug bounty hunters to verify and investigate our code.
In the months of April, May and June we have:
- Increased clarity for participation in our Bug Bounty Program, and announced higher payouts within the post Firefox’s Bug Bounty in 2019 and into the Future
- Provided technical insights into our Fuzzing efforts to eliminate security problems within our WebIDL bindings: Fuzzing Firefox with WebIDL (see also Fuzzing update for more details underneath).
- Published CodeQL databases, making it easier for anyone to perform CodeQL-based static analysis on Firefox releases: Firefox CodeQL Databases Available for Download
- Showcased technical insights how Firefox enforces Web Security Checks like the same-origin-policy: Understanding Web Security Checks in Firefox (Part 1)
- Announced sponsoring of a Real Time Streaming Parser Server (RTSP) Fuzzer, a protocol used in browsers, media players and media editors, aiming to make open source software more secure: Sponsoring an RTSP Server Fuzzer
Corresponding to the above mentioned new A&D Blog, we also launched an Attack & Defense Twitter account, which will provide updates and insights into Firefox related bugs, bite-sized security announcements and acts as a high-signal source of news about browser security in general.
We published an academic paper, titled Hardening Firefox against Injection Attacks (to appear at SecWeb – Designing Security for the Web), which describes techniques we have incorporated into Firefox to provide defense in depth against code injection attacks.
Mentioned and described in the academic publication, we restricted fetching non-UI resources in system privileged contexts. Even though we are currently in a grace period of still allowing some fetches, we are confident that our Telemetry numbers will allow us to strictly enforce that new defense in depth security mechanism in Q3.
We increased the infrastructure for our sandbox process, by upgrading to the latest Chromium sandbox code (from 74.0.3729.169 to 81.0.4044.129).
The new socket process is available on Nightly and going to be turned on for Beta soon. It is sandboxed on Windows, Mac, and Linux and at first it will be used for WebRTC traffic.
Finally, a big thank you for the following contributions improving Core Security aspects of Firefox:
- Emilio addressed a long-standing source of side channel attacks that detected :visited link status using redraw timing by always repainting links regardless of visited status.
- gcp landed best-effort memory layout randomization in non-content processes, making it harder to perform memory corruption across the IPC boundary.
- Volunteer Masatoshi got rid of forcePermissiveCOWs(), and Shane dropped usage of allow_unsafe_parent_loads from extension tests – bringing us closer to getting rid of the security.turn_off_all_security_so_that_viruses_can_take_over_this_computer preference. The major blocker here is the remaining tests that enable unsafe_parent_loads, two-thirds of which are in DevTools.
Cryptography
We have enabled Client certificates provided by the operating system on Windows and macOS by default in Nightly. Rather than loading third-party libraries we have developed our own library which allows Firefox to interface with certificate storage provided by the operating system. In turn, this new library brings more statiblity to Firefox users.
The Common CA Database (CCADB), a repository of information about Certificate Authorities (CAs), is enabling academic researchers to study and evaluate CA audit histories. In summary, this database provides insights into how well CAs are meeting their obligations and therefore provides a meaningful security mechanism to help keep the Web safe.
Our formally-verified crypto implementations have been updated with wider support for hardware acceleration, which brings performance improvements in the area of Crypto to Firefox. In this blog post we describe the changes, improvements, and our roadmap.
As part of a browser-coordinated effort to move the TLS ecosystem forward, and to heed the advice of the IETF, we have disabled TLS 1.0 and TLS 1.1 by default in Firefox Release (Firefox 78). We expose an override button should it really be needed. Other browsers, including Chrome and Edge announced shipping similar changes in mid-July. Deprecation of TLS 1.0 and TLS 1.1 further allowed us to disable all DHE-based ciphersuites starting with Firefox 78.
Fuzzing
We have extended our general purpose browser fuzzing framework named Grizzly by a Replay-Mode which allows easy collection of logs, rr traces, bug verification and additionally allows for test case reduction.
We have developed Bugmon, a tool for automating the analysis of bugs filed against Firefox and Spidermonkey (Firefox’ Javascript engine). It is capable of automatically confirming open bugs, verifying closed bugs, and bisecting the introduction of the fix of a bug.
We have generated a fuzzer which allows automated testing of our WebIDL bindings. We have summarized insights and provide detailed information within the blogpost: Fuzzing with WebIDL (Moz Hacks)
We have assembled a tutorial for fuzzing using libfuzzer, where the fuzzer interface is glue code living in mozilla-central which eases fuzz-testing for security researchers to test C/C++ code.
Our ThreadSanitizer has settled in CI and we’ve started to fuzz Firefox with it. So far this sanitizer has revealed 44 new bugs – many of them being fixed already. The backlog of suppressed bugs is steadily shrinking and we managed to reduce that number by about 10% in Q2.
Web Security
We’ve updated all of our Content Security features (Content Security Policy, Mixed Content Blocker, x-frame-options, and more) to be fully compliant with the Fission architecture. Even though we’re not shipping Fission as a site isolation mechanism yet, this brings us closer to shipping Fission by default.
We’ve expanded support of X-Content-Type-Options: nosniff to page loads. While Firefox has provided support of the http nosniff header for subresources since Firefox 50, Firefox 75 and forward will extend support to mitigate mime confusion attacks to page loads as well.
We added fundamental support for the Sec-Fetch-* header family to Nightly. We are currently fixing corner cases and improving performance, but hope to bring that web application security feature to a Firefox release version before the end of the year.
We added permanent partitioning to nearly all network state in Nightly to support Dynamic First-Party Isolation. This partitioning mechanism provides a solid separation mechanism of permanent state and hence allows to eliminate cross site leaks of all kinds.
Policy & Bug Bounty
To show appreciation and to give credit where credit is due, we have re-structured and updated our Firefox Bug Bounty Hall of Fame. This Hall of Fame lists researchers and bug bounty hunters which have helped make Firefox and the open web a more secure place for all of us – Thank you all!
We have extended Security Advisories for our Products to also include Firefox for iOS. Those security advisories provide meaningful information about critical security fixes and are now part of the release process for iOS as well.
We have updated our Bug Bounty Policy, announcing higher payouts for client bug bounties, along with increased clarity for submissions and a retrospective on bounties paid out. See details in the post: Firefox’s Bug Bounty in 2019 and into the Future.
Going Forward
Thanks to everyone involved in making Firefox and the open web more secure and privacy respecting. Since we are already in Q3, please do not forget to add your items to the Q3 security privacy newsletter collection document so it will show up in the next iteration of the Security Privacy newsletter.
In the name of everyone improving Security and Privacy within Firefox, Mozilla and the open web,
Christoph, Ethan, Freddy, Tom