Firefox Security Newsletter/FSN-2020-Q3
Firefox Security & Privacy Newsletter 2020 Q3
Hello fellow Mozillians,
The various security and privacy teams at Mozilla work in different parts of the org, and on different projects, but with one goal in common: to improve every aspect of Firefox’s security and privacy, and to keep our users safe. Since not all of these projects are directly visible to everyone, we’ve pulled together the highlights from July, August, and September. We also want to use this newsletter to acknowledge contributions of folks whose day job isn’t specifically privacy/security-related but have improved things in their areas and have made our protections tighter.
To ease consumption of the many improvements listed within this newsletter, we have grouped them into the following categories:
- Product Security & Privacy, showcasing new Security & Privacy Products, Features and Services.
- Core Security, outlining Security and Hardening efforts within the Firefox Platform.
- Cryptography, showcasing improvements to connection security.
- Fuzzing, providing updates for automated security testing and analysis.
- Web Security, highlighting the support of new web application security features.
- Policy & Bug Bounty, providing updates on security policy development.
Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. We derestrict fixed security bugs after a grace-period, until the majority of our user population have received their updates.
Contents
Product Security & Privacy
Firefox Password Manager: We have made a variety of small yet significant changes to our password manager.
- When a user types into a password field, a key icon will immediately appear in the address bar. The icon will help make the “save password” panel more discoverable, and this behavior also aligns with Chrome.
- The password manager will also now autofill logins and show the key icon on some pages where it previously didn’t work.
- Backups of logins.json (where saved logins are stored) are now created in the profile folder and automatically used to restore logins when logins.json is missing or corrupt. This feature addresses recurring, low-volume user complaints.
- The optional Master Password feature has been renamed to Primary Password to make it more inclusive and text has been added in preferences about the name change.
Tab-Modal Prompts: Firefox system prompts can be abused for DoS (Denial-of-Service) attacks by websites. They are not rate-limited and can be spammed through Web APIs. Tab-Modal Prompts is our technique to eliminate this DoS attack vector by migrating window prompts to a new prompt type, tab level prompts.
We’ve cut over our first two prompts to the new TabDialogBox: external protocol dialogs and dialogs for HTTP authentication.
DNS over HTTPS (DoH): Earlier this year, we rolled out DoH to 100% of our Release channel users in the US. We are now working on extending our capabilities to support international rollouts. Meanwhile, the DoH front-end has been converted from a system add-on into a JSM component. In case any of our support pages mention “add-on” or “extension,” it’s worth noting that the DoH front-end is now directly integrated with Firefox and is no longer an add-on.
Enhanced Tracking Protection (ETP): We introduced “redirect tracking protection” to ETP. Redirect tracking is an advanced tracking technique, also known as bounce tracking. We have rolled out ETP 2.0 to block redirect trackers by default since Firefox 79. Once every 24 hours ETP 2.0 will completely clear out any cookies and site data stored by known trackers. This prevents redirect trackers from being able to build a long-term profile of your activity.
Research & Academia: Steven Englehardt published two papers: The first titled No boundaries: data exfiltration by third parties embedded on web pages was presented at Privacy Enhancing Technologies Symposium 2020. The second titled Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors will be presented at the 42nd Symposium on Security and Privacy in 2021. One of the co-authors, Umar Iqbal, was a 2019 Security Research Intern in the Security and Privacy Engineering Team.
Core Security
Visibility: Aiming to increase transparency on Mozilla’s Security and Privacy efforts we have published articles highlighting technical insights of these efforts on the Attack & Defense Blog. In the months of July, August and September:
- We have provided technical details about our hardening efforts: Hardening Firefox against Injection Attacks – The Technical Details
- Published the second part of how Firefox enforces Web security checks like the same-origin-policy and other relevant security checks: Understanding Web Security Checks in Firefox (Part 2)
- We have added the Exploit Mitigation Bounty to our bug bounty program: Bug Bounty Program Updates: Adding (another) New Class of Bounties
- We provided insights regarding our Bug Bounty Program with a contributor’s view of a security bug through a Guest Blog Post: Rollback Attack
- We provided technical insights into our JavaScript engine and how it translates the high level language of the web into machine code: Inspecting Just-in-Time Compiled JavaScript
In addition to the above articles featured on our Blog, we have also published insights into Firefox-related bugs, news about browser security in general and further bite-sized security announcements on our Attack & Defense Twitter account.
Hardening Firefox: We have locked down security checks within our Security Manager by only allowing packaged user interface resources to load if explicitly allow-listed. To accomplish this hardening effort we had to repackage lots of our CSS resources to load using the internal chrome: protocol. In addition to increasing security, this effort led to performance improvements for parts in DevTools and Activity Stream.
Research & Academia: Christoph Kerschbaumer gave a talk at SecWeb 2020 presenting techniques which allow to protect Firefox, and Web Applications in general, against code injection attacks. In addition to the presented hardening techniques he was further invited to serve on the Panel discussing the topic: Designing Security for the Web.
Cryptography
Crypto Improvements: Our P384 and P521 elliptic curve code has been replaced with constant-time, formally-verified, and more performant implementations from Fiat-Crypto and[1]ECCKiila. We published a blog post on these and similar efforts. Separately, we improved SHA1 and SHA256 performance on ARM by 3x, Curve25519 performance on 64-bit Windows by 5x, and Big Integer arithmetic on MacOS by 2x.
CA Program: Effective September 1, the allowed certificate lifetime of TLS server certificates is 398 days, which is a result of the CA/Browser Forum’s Browser Alignment Ballot. Also in Q3, the CA Program alerted the EU Commission to concerns about Qualified Website Authentication Certificates (QWACs). We also prepared a set of proposed revisions to the Root Store Policy, for which public discussion will take place during Q4. Root Certificate Authorities in NSS are also updated in Fx82.
Research & Academia: Thyla van der Merwe published a paper titled Designing Reverse Firewalls for the Real World which was presented at the 25th European Symposium On Research In Computer Security 2020. Further, Benjamin Beurdouche published a paper titled HACLxN: Verified Generic SIMD Crypto which was presented at the Conference on Computer and Communications Security (CCS) 2020.
Fuzzing
LibFuzzer: We have upgraded our in-tree libfuzzer to the latest version which provides our fuzzing targets with various improvements such as the recent entropic functionality.
ThreadSanitizer: We also continued to push the ThreadSanitizer (TSan) project forward, eliminated more data races (both from backlog and new test suites) and made TSan ready for fuzzing. In the future, we plan to run even more CI on TSan to further improve the overall stability and security of our products. If you want to work with this and other sanitizers, make sure to also check out our new sanitizer documentation.
Research & Academia: Christian Holler gave a talk about the human component in bug finding at FuzzCon EU 2020. This talk is particularly interesting for people who want to deploy fuzzing in larger projects or companies and focuses on related non-technical issues.
Web Security
Content Security & FIssion: We have finalized and eliminated corner cases for making all of our Content Security features (e.g. Mixed Content Blocker, Content Security Policy, and more) compliant with the Fission architecture. This brings us yet a little closer to shipping our Site Isolation mechanism by default.
Sanitizer API: We started to implement a prototype for a Sanitizer API which allows us to convert strings containing HTML to return a safe version of that string, making sure that no JavaScript can execute in an unexpected way. This effectively helps to prevent XSS in web applications.
Policy & Bug Bounty
Security Advisories: We have published Security Advisories for our products which provide meaningful information about critical security fixes.
Bug Bounty Update: In addition to recent efforts where we have increased bounty payouts and also included a Static Analysis component in our bounty program, we have now extended our Bug Bounty Policy to also include a Exploit Mitigation Bug bounty. This will hopefully attract even more bug bounty hunters to our program.
Bug Bounty Hall of Fame: To show appreciation and to give credit where credit is due, we have updated our Firefox Bug Bounty Hall of Fame. This Hall of Fame lists researchers and bug bounty hunters which have helped make Firefox and the open web a more secure place for all of us - Thank you all!
Going Forward
Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in Q4, please do not forget to add your items to the Q4 security privacy newsletter collection document so that they will show up in the next iteration of the Security Privacy newsletter.
In the name of everyone improving Security and Privacy within Firefox, Mozilla and the Open Web,
Christoph, Ethan, Freddy, Tom