SecurityEngineering/Newsletter/2017Q2
Firefox Security Team Newsletter Q2 17
Firefox 55 is out the door, so there’s time now to put together our quarterly newsletter. In addition to the security changes which hit release last week, a number of important security improvements have landed over the last quarter:
- We’ve made significant improvements to our security sandbox, with file system restrictions shipping for Windows and macOS on beta (Firefox 56) and Linux on nightly (Firefox 57).
- Firefox 56 has a significant speedup for the most common cryptographic algorithm used in secure websites, AES-GCM (an official Mozilla blog post still to come).
- We have continued the Tor Uplift work and entered the second phase to implement browser fingerprinting resistance starting from Firefox 55.
Read on for more highlights of the important work the Firefox security team is doing to keep our users safe online.
Team Highlights
Security Engineering
Crypto Engineering
- Firefox 56 has a significant speedup for the most common cryptographic algorithm used in secure websites, AES-GCM (an official Mozilla blog post still to come).
- A regression from e10s where CORS error messages weren’t logged properly in the console is fixed in Firefox 56.
Privacy and Content Security
- We have continued the Tor Uplift work and entered the second phase to implement browser fingerprinting resistance starting from Firefox 55.
- Landed 18 bugs for anti-fingerprinting in Firefox 55 and 56.
- Converted hundreds of test cases to obey the origin inheritance behavior for data: URIs in support of an important spec change. Intent to ship in Firefox 57.
- Made significant performance improvements to security components in support of the Quantum Flow project.
Content Isolation
- Shipping file system user token restriction for Windows content in 56
- Shipping 3rd party legacy extension blocking for Windows content in 56
- Shipping file system read access restrictions for OSX content in 56
- Linux content sandboxing (“level 2”: write restrictions, some syscalls, probably escapable) released in 54. Work to enable read restrictions (enabled at time of writing in Nightly 56 targeting 57 rollout) also completed.
Operations Security
- The security audit of Firefox Accounts performed by Cure53 last year was publicly released.
- We completed the implementation of API Scanning with ZAP, to automate vulnerability scanning of our services by leveraging OpenAPI definitions.
- The signing of add-ons has been ported to the Autograph service, where support for SHA-256 PKCS7 signatures will be added.
- TLS Observatory accelerated the loading of CT logs, with currently ~70M certificates recorded. It should reach 200M in Q3.
Security Assurance
- New team created to focus on Firefox security assurance
- Working on adding security checks to our build tools to help our developers avoid landing security bugs. The first outcome of this project was landing an ESLint plugin to prevent the unsafe usage of eval, innerHTML etc. in Firefox.
Cross-Team Initiatives
- The TLS Canary project has shipped feature release 3.1. The NSS team is working on Treeherder integration.
- Common CA Database (CCADB) access has been granted to the rest of the CAs in Microsoft’s root store (those that are also in Mozilla’s root store already had CA Community licenses/access).
Security Blog Posts & Presentations
- https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/ (Kathleen)
- https://blog.mozilla.org/security/2017/05/11/relaunching-web-bug-bounty-program/ (April from Enterprise Infosec)
- https://blog.mozilla.org/security/2017/06/28/analysis-alexa-top-1m-sites/ (April from Enterprise Infosec)
- https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox-accounts/ (Greg from Services Security)
- Francois Marier gave a talk on security and privacy settings for Firefox power users at LinuxFest Northwest.