Firefox Security & Privacy Newsletter 2020-Q1

Here comes our second edition of the Firefox Security & Privacy Newsletter.

The shareable link for this newsletter and the back issues is at
https://wiki.mozilla.org/Firefox_Security_Newsletter. This link also
promises readable and stable markup across transports ;-)

Note: Some of the bugs linked below might not be accessible to the general
public and are still restricted to specific work groups. We de-restrict
fixed security bugs after a grace-period
<https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html#keeping-private-information-private>,
until the majority of our user population have received their updates. If a
link does not work for you, please accept this as a precaution for the
safety of all of our users.

Privacy

Preventing tracking and online surveillance

The Anti-Tracking team shipped fingerprinting protections
<https://blog.mozilla.org/firefox/how-to-block-fingerprinting-with-firefox/>
as part of the Firefox 72 release. This is following a long period of
evaluating and fixing website breakage
<https://bugzilla.mozilla.org/show_bug.cgi?id=1527013>, so it’s a big
milestone for the team.

Erica landed our initial implementation of purging tracking cookies
<https://bugzilla.mozilla.org/show_bug.cgi?id=1599262> in Nightly. This
will enable ETP to better protect against so-called bounce trackers that
track users through first-party redirections.

The first pieces of dynamic first-party isolation
<https://bugzilla.mozilla.org/show_bug.cgi?id=1549587> (DFPI) landed in
Nightly. DFPI is an experimental approach to isolating all third party
cookies and storage, similar to FPI (which is enabled by default in the Tor
Browser and is also supported by Firefox). The most important difference
between DFPI and FPI is that DFPI will adhere to exceptions granted through
the storage access API and thus ensure better web compatibility.

Se-Yeon implemented versioning
<https://github.com/mozilla-services/shavar-prod-lists#list-versioning-and-release-process>
for our Shavar blocklists that power Enhanced Tracking Protection (ETP),
Fingerprinting and Cryptomining protections.

Core Security

Securing/hardening the Firefox Platform

Freddy started enumerating flags and prefs that would dramatically reduce
Firefox security. We’re collecting and removing them one by one to kill
exploit chains that require just a single-byte overwrite in bug 1602485
<https://bugzilla.mozilla.org/show_bug.cgi?id=1602485>. First patches have
already landed, kudos to volunteer Masatoshi Kimura [:emk] for his
excellent work!

This January, Security Researchers from Qihoo 360 ATA identified an active
attack against Firefox users. With their test case and great help from the
JavaScript team we could ship a security release as Firefox 72.0.1
<https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/> on the
next day. Kudos to our Engineers, Release Managers and Security staff for
jumping on this issue so quickly!

We’ve also made some progress to hinder patch gapping. We know that
attackers frequently watch commit logs of popular open source software to
find vulnerabilities that have been fixed but not yet shipped to our end
users. Minimizing this gap has long been part of our practices for
fixing security bugs in Firefox
<https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html>.
To help prevent leaking data and metadata about security vulnerabilities, Tom has
implemented a hook for hg.mozilla.org
<https://bugzilla.mozilla.org/show_bug.cgi?id=1420510> that disallows
pushing patches for security bugs to Continuous Integration. Furthermore,
Bugzilla has also started hiding security bugs in dependency and regression
fields if a user does not have access (bug 1591549
<https://bugzilla.mozilla.org/show_bug.cgi?id=1591549>), but more to come.

The Firefox site isolation project “Fission” is almost ready for testing in
Firefox Nightly. There are some known issues with mixed content blocking
<https://bugzilla.mozilla.org/show_bug.cgi?id=1584157>, but you can enable
fission <https://wiki.mozilla.org/Project_Fission#Enabling_Fission> by
setting the prefs “fission.autostart” and “gfx.webrender.all” to true.

Bugs worth highlighting:

We removed a very, very old testing API called enablePrivilege
<https://bugzilla.mozilla.org/show_bug.cgi?id=1602474>, that gave normal
web pages extra privileges beyond Web APIs. The API was used in exploit
chains and made attacks easier than they should have been.

Firefox is no longer going to use ShellExecuteByExplorer
<https://bugzilla.mozilla.org/show_bug.cgi?id=1605308> when launching
executable files in the download folder, which helps protect against
attackers placing malicious DLLs in the same folder.

Folks from the JS team have disabled JIT optimizations for JavaScript in
Proxy Auto Configuration (PAC)
<https://bugzilla.mozilla.org/show_bug.cgi?id=1607494> files as they are
currently run in the parent process.

Fuzzing

Automated security testing, analysis and more

Christian Holler deployed ThreadSanitizer (TSan)
<https://clang.llvm.org/docs/ThreadSanitizer.html> in our CI with
Mochitests and XPCShell Tests enabled
<https://bugzilla.mozilla.org/show_bug.cgi?id=1590162>. This will prevent
new data races from being added to the code base. Existing races are
handled by an extensive suppression list and will be gradually fixed. TSan
has already found several security-related issues and otherwise hard to
diagnose correctness problems.

For another sanitizer, UndefinedBehaviorSanitizer (UBSan), Tyson Smith has
enabled the ‘enum’ check in CI
<https://bugzilla.mozilla.org/show_bug.cgi?id=1404547> to detect e.g. loads
of invalid values for a certain enum type.

The JavaScript engine is receiving more and more parser upgrades as new
syntax is being added (e.g. nullish coalescing
<https://bugzilla.mozilla.org/show_bug.cgi?id=1566141>). In order to test
these changes more thoroughly, Christian has written an experimental
libFuzzer target for the JS parser, which has already found what looks like the
smallest security bug <https://bugzilla.mozilla.org/show_bug.cgi?id=1596706>
on file so far.

The fuzzing team has also started to centralize fuzzing documentation
<https://firefox-source-docs.mozilla.org/tools/fuzzing/>, stay tuned for
more coming soon!

Security Ecosystem

Security policy development and communicating security-related information
to interested parties (not end-users).

Tom has updated our Security Severity Ratings
<https://wiki.mozilla.org/Security_Severity_Ratings> page. Most notably,
critical is reserved for bugs that pose immediate danger to our users.
There is no longer a technical difference between critical and high bugs,
and we’ll use critical to emphasize risk for our users.

We have also separated ratings with clearer examples for our Web
<https://wiki.mozilla.org/Security_Severity_Ratings/Web> and Client
<https://wiki.mozilla.org/Security_Severity_Ratings/Client> products.

Freddy and Tom have launched the new Attack and Defense Blog
<https://blog.mozilla.org/attack-and-defense/>, a new outlet to talk about
the technical details of our work to a new audience of bug bounty hunters,
security researchers, engineers and technologists of all colors.

Mozilla joined the newly formed Privacy Community Group of the W3C
<https://privacycg.github.io/> (Privacy CG), along with other major browser
vendors and industry representatives. In the CG we are discussing the
standardization and advancement of technologies that ensure privacy on the
web.

Kathleen has been working hard to help Apple actively make use of the Common
CA Database (CCADB) <https://www.ccadb.org/>. The CCADB is a repository of
information about Certificate Authorities (CAs), and their root and
intermediate certificates. It is used by a number of root store operators -
not only is this a resource that Mozilla can be proud of but it's also very
important for the security of the Web PKI.

Our Mozilla CA program has a new lead! We’re saying good-bye to Wayne
Thayer and are welcoming Ben Wilson to our group!

Firefox Security

Features, products and services to help users be more secure on the web

DNS-Over-HTTPS
<https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/>
was rolled out to all Firefox users in the US
<https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/>,
with the initial set of trusted resolvers being Cloudflare and NextDNS.
This is an incredible milestone for the private and encrypted web and
credit to the tireless work of the team behind DoH in Firefox. In addition
to this, the team also rolled out a DoH performance study
<https://bugzilla.mozilla.org/show_bug.cgi?id=1613790> to test the
real-world latency of different resolvers.

The folks working on Lockwise, the Firefox password manager, shipped an
incredible number of fixes and improvements in Q1, to name a few:

- Bianca added support for detecting password input fields
  <https://bugzilla.mozilla.org/show_bug.cgi?id=1595244> using Fathom
  <https://github.com/mozilla/fathom>, a machine learning framework for
  meaningfully recognizing DOM elements on a page.

- Matthew made us support importing passwords
  <https://bugzilla.mozilla.org/show_bug.cgi?id=1608513> and other profile
  data from the new Microsoft Edge.

- Jared enabled an additional prompt for OS account credentials
  <https://bugzilla.mozilla.org/show_bug.cgi?id=1194529> before revealing
  passwords on about:logins. While this doesn’t change the general security
  considerations of storing passwords without a master password, it does
  provide an obstacle for local snoopers who don’t have the time or ability
  to craft a more targeted local attack.

- On mobile, we did a number of releases for the Android and iOS Apps for
  Lockwise, as well as better integration with the new upcoming Firefox
  Preview for Android.

The Crypto Engineering team shipped Intermediate Preloading
<https://groups.google.com/d/msg/mozilla.dev.platform/BHWxTOsmNeU/RVog7fSrAAAJ>,
which mitigates some of the most common certificate errors by loading known
intermediate CAs ahead of time.

J.C. Jones wrote a series of blog posts introducing CRLite
<https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/>,
another exciting innovation from our Crypto Engineering team. CRLite
provides a more efficient and private way to perform certificate revocation
checks. It is currently being tested in Nightly.

The Firefox 72 release shipped our restrictions against notification
permission spam
<https://blog.mozilla.org/firefox/block-notification-requests/>. You can
read more about our initial experiments
<https://blog.nightly.mozilla.org/2019/04/01/reducing-notification-permission-prompt-spam-in-firefox/>,
the restrictions in detail
<https://blog.nightly.mozilla.org/2019/04/01/reducing-notification-permission-prompt-spam-in-firefox/>
and what this means for web developers
<https://hacks.mozilla.org/2019/11/upcoming-notification-permission-changes-in-firefox-72/>.

The Firefox Monitor <https://monitor.firefox.com/> team added a new feature
to their service: Breach Resolutions
<https://blog.mozilla.org/firefox/resolve-data-breaches/>, which allow you
to mark the breaches that you’ve dealt with as resolved and get some peace
of mind.

Paul removed nsContentBlocker
<https://bugzilla.mozilla.org/show_bug.cgi?id=1357107>, an old mechanism
for blocking literally any type of content that could be loaded through
Firefox. The content blocker had to check permissions before any network
request could happen, so it would show up in performance profiles, but
Telemetry showed that it was virtually unused.

Outreachy intern Kendall completed her intern project that adds Firefox
Sync support to the Multi-Account Containers add-on
<https://blog.mozilla.org/security/2020/02/06/multi-account-containers-sync/>.

Dana made Firefox stop offering to import CA certificates when browsed to
<https://bugzilla.mozilla.org/show_bug.cgi?id=1024871>. This functionality
was kept around for a long time because of legacy reasons, but has always
been a considerable security risk. We’re happy to see it gone! To import
custom root certificates, you can still always use the certificate manager
in about:preferences.

Dana also made it so that Firefox can use client certificates provided by
the operating system on Windows and macOS, which will significantly benefit
our enterprise users! Her blog post
<https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/>
explains our approach and also gives tips on how to achieve the same thing
on Linux.

Julian landed the first version of our experimental HTTPS-Only Mode
<https://bugzilla.mozilla.org/show_bug.cgi?id=1613063> in Nightly. It
currently works mostly under the hood, preventing insecure connections from
happening in Firefox, but additional improvements, such as UI integration
are in the works.

Web Security

Making websites more secure

It's the Boot for TLS 1.0 and TLS 1.1
<https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/>:
We’re committed to improving security for all of our users by disabling
support for TLS 1.0 and TLS 1.1. However, we have re-enabled TLS 1.0 and 1.1
in Firefox 74 and 75 Beta to better enable access to sites sharing critical
and important information during this time.

Firefox 74 shipped Feature Policy
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy>,
which allows websites to prevent iframes from using advanced features
(mostly those that are otherwise restricted by web permissions). As part of
this we also shipped Permission Delegation, which enables sites to delegate
their own permissions to embedded iframes through Feature Policy. This was
originally proposed and implemented by the Chrome team
<https://docs.google.com/document/d/1x5QejvpyQ71LPWhMLsaM1lWCfSsBsSQ8Dap9kJ6uLv0/edit#heading=h.jvj3q1vhn2yo>
and we agree that this approach makes it much easier to build a
comprehensible permissions UI, so we’re happy to ship it in Gecko.

Kevin and Ben have been continuing our efforts to include verified
cryptographic primitives in NSS
<https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/>.
This work ensures that our cryptographic libraries are free of common, and
at times subtle, crypto bugs. Most recently, ChaCha20, Poly1305 and
ChaCha20-Poly1305 for AVX2 have been integrated
<https://bugzilla.mozilla.org/show_bug.cgi?id=1612493>. Kevin has also
updated our Delegated Credentials
<https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/>
implementation to match the most current Internet Engineering Task Force
(IETF) draft <https://tools.ietf.org/html/draft-ietf-tls-subcerts-07>.
Interoperability testing with Cloudflare has gone well and this feature is
now enabled in Nightly. It will remain there until the Delegated
Credentials draft gets ratified by the IETF.

Sebastian and Christoph fixed a bug in our implementation of the
“X-Content-Type-Options: nosniff” header for page loads that do not provide
a MIME type. Starting from Firefox 75, we will respect 'nosniff' for Page
Loads
<https://blog.mozilla.org/security/2020/04/07/firefox-75-will-respect-nosniff-for-page-loads/>.

Chris landed our implementation of Fetch Metadata Request Headers
<https://w3c.github.io/webappsec-fetch-metadata/> in Bug 1508292
<https://bugzilla.mozilla.org/show_bug.cgi?id=1508292>, which is a W3C
working draft that gives websites additional context to protect themselves
against cross-site attacks.
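The kind of server-side check that Fetch Metadata makes possible, as an added example that is not Firefox or Mozilla code: a small "resource isolation policy" in Python that reads Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest (the header names and values are those of the working draft) and rejects cross-site requests the site does not intend to serve. The request representation (method, path, header mapping), the allowlisted public paths and the sample requests are assumptions constructed for the example.

```python
# Added example, not Mozilla/Firefox code: a server-side resource isolation
# policy built on the Fetch Metadata request headers. Request shape, the
# allowlisted paths and the sample requests below are constructed for this
# example; the Sec-Fetch-* names and values come from the W3C working draft.
from typing import Mapping

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Hypothetical endpoints that are meant to be reachable cross-site.
CROSS_SITE_ALLOWLIST = ("/api/public/", "/.well-known/")


def is_request_allowed(method: str, path: str, headers: Mapping[str, str]) -> bool:
    """Return True if the request passes the isolation policy."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest")

    # Browsers without Fetch Metadata support send no Sec-Fetch-* headers.
    # Let them through: this policy is defence in depth on top of CSRF
    # tokens, SameSite cookies and CORS, not a replacement for them.
    if site is None:
        return True

    # Same-origin, same-site and user-initiated (typed URL, bookmark) requests.
    if site in ("same-origin", "same-site", "none"):
        return True

    # Cross-site top-level navigations with a safe method are ordinary links
    # into the site. Loads via <object>/<embed> also carry mode "navigate"
    # but behave like resource loads, so they are refused here.
    if (mode == "navigate" and method.upper() in SAFE_METHODS
            and dest not in ("object", "embed")):
        return True

    # Everything else (cross-site fetch()/XHR, <img>, <script>, form POSTs)
    # is blocked unless the endpoint is explicitly public.
    return any(path.startswith(prefix) for prefix in CROSS_SITE_ALLOWLIST)


def policy_status(method: str, path: str, headers: Mapping[str, str]) -> int:
    """HTTP status a middleware would emit for the request."""
    return 200 if is_request_allowed(method, path, headers) else 403


# Constructed sample requests (not captured traffic): name -> (method, path, headers).
SAMPLE_REQUESTS = {
    "same_origin_fetch": ("POST", "/api/transfer",
        {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    "cross_site_link": ("GET", "/account",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross_site_form_post": ("POST", "/api/transfer",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross_site_xhr": ("GET", "/api/transfer",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    "cross_site_script_include": ("GET", "/api/user.json",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "script"}),
    "cross_site_object_embed": ("GET", "/report.pdf",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"}),
    "public_api_cross_site": ("GET", "/api/public/status",
        {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    "legacy_browser": ("POST", "/api/transfer", {}),
}


def evaluate_samples() -> dict:
    """Run every sample request through the policy; name -> allowed?"""
    return {name: is_request_allowed(m, p, h) for name, (m, p, h) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:28s} {'allow' if allowed else 'block'}")
```

Running the block prints one allow/block verdict per sample: same-origin traffic, plain cross-site links and requests from browsers that send no Sec-Fetch-* headers pass, while cross-site form posts, XHR, script includes and object/embed loads to non-public paths are refused. The design point is that the decision is made from headers the browser sets and the page cannot forge, so it costs the server nothing to deploy, but the legacy pass-through in the first check is why existing CSRF defences stay in place.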
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform