Hello fellow Mozillians,

Security and Privacy are cornerstones of Mozilla’s manifesto
<https://www.mozilla.org/en-US/about/manifesto/>, and they influence how we
operate and build our products. Here are the highlights representing our
work from October, November, December 2021, grouped into the following
categories:

   - Firefox Security & Privacy, showcasing new Security & Privacy Features
     and Integrations in Firefox.
   - Core Security, outlining Security and Hardening efforts within the
     Firefox Platform.
   - Cryptography, showcasing improvements to connection security.
   - Web Security, allowing websites to better protect themselves against
     online threats.
   - Fuzzing, providing updates for automated security testing and analysis.

Firefox Product Security & Privacy

Introducing a New Site Isolation Security Architecture: You are probably
aware that Project ‘Fission’ shipped in Firefox 94 - when visiting sites
using this new security architecture
<https://hacks.mozilla.org/2021/05/introducing-firefox-new-site-isolation-security-architecture/>
Firefox ensures separated memory for different sites and as a result
provides advanced security guarantees.

Protecting against insecure downloads: To better protect you from the
dangers of insecure HTTP downloads, Firefox will now block insecure HTTP
downloads
<https://blog.mozilla.org/security/2021/10/05/firefox-93-protects-against-insecure-downloads/>
from HTTPS pages.

Improving SmartBlock and new Referrer Tracking Protections: Firefox 93
ships with a more comprehensive version of SmartBlock
<https://blog.mozilla.org/security/2021/10/05/firefox-93-features-an-improved-smartblock-and-new-referrer-tracking-protections/>.
Additionally, our new and enhanced referrer tracking protection
<https://blog.mozilla.org/security/2021/10/05/firefox-93-features-an-improved-smartblock-and-new-referrer-tracking-protections/>
prevents sites from sharing sensitive user data via HTTP referrers. To
further protect against navigational tracking, we have also enabled URL
Query Stripping <https://bugzilla.mozilla.org/show_bug.cgi?id=1706602>,
which removes known tracking parameters from the URL.
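To make the query-stripping item concrete, here is an added example (not Firefox code) of the operation such a feature performs: parse the URL, drop every parameter whose name is on a denylist, and keep the path, the remaining parameters and the fragment intact. The parameter names in the denylist are a constructed illustration, not the list Firefox ships.

```javascript
// Added example (not Firefox's own code): strip known tracking parameters
// from a URL before navigation, which is what a query-stripping feature does.
// The parameter names below are a constructed illustrative denylist, not the
// list Firefox actually ships.
const TRACKING_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "fbclid", "gclid", "mc_eid",
]);

// Returns { url, stripped }: the cleaned URL string and the names removed.
// Non-absolute or unparsable input is returned untouched.
function stripTrackingParams(input, denylist = TRACKING_PARAMS) {
  let url;
  try {
    url = new URL(input);
  } catch (_) {
    return { url: input, stripped: [] };
  }
  const stripped = [];
  // Snapshot the distinct keys first; deleting while iterating would skip entries.
  for (const name of new Set(url.searchParams.keys())) {
    if (denylist.has(name.toLowerCase())) {
      url.searchParams.delete(name); // removes every occurrence of the key
      stripped.push(name);
    }
  }
  // Avoid leaving a dangling "?" when nothing survives.
  if (!url.searchParams.toString()) url.search = "";
  // Path, non-tracking parameters and the fragment are preserved.
  return { url: url.toString(), stripped };
}
```

Matching is case-insensitive on the parameter name, and the function reports which names it removed so the caller can log or count them.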

Adding EDNS Padding Support: DNS over HTTPS in Firefox provides greater
confidentiality for queries made by the end-user; so traffic analysis
mitigations like padding become more relevant. EDNS Padding support
<https://bugzilla.mozilla.org/show_bug.cgi?id=1543811> landed in Firefox 95.

Core Security

RLBox: In Firefox 95 we shipped a lightweight intra-process sandboxing
technology to isolate sub-components by compiling them to WebAssembly.
While RLBox had been shipping in some capacity before, this release marks a
milestone where it ships on all platforms (Desktop and Mobile) isolating
five different modules in Firefox 95 and subsequently 96: Graphite
<https://scripts.sil.org/cms/scripts/page.php?site_id=projects&item_id=graphite_home>,
Hunspell <http://hunspell.github.io/>, Ogg <https://xiph.org/ogg/>, Expat
<https://libexpat.github.io/> and Woff2 <https://github.com/google/woff2>.
You can read more about this on the Mozilla Hacks blog
<https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/>.

API Hardening: After discovering some integer truncation issues in
nsCString APIs, some benign and others not-so-benign
<https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43537>,
we hardened the APIs <https://bugzilla.mozilla.org/show_bug.cgi?id=1739219>
exposed <https://bugzilla.mozilla.org/show_bug.cgi?id=1741665> so that
these types of issues cannot recur.

Enabling FORTIFY_SOURCE on Android: FORTIFY_SOURCE
<https://bugzilla.mozilla.org/show_bug.cgi?id=1415595> is a lightweight
macro that allows detecting buffer overflows. We have now enabled
FORTIFY_SOURCE on Android, bringing it to parity with our Desktop.

Cryptography

Securing Connections by disabling 3DES: Our continuous work to ensure that
Firefox provides secure and private network connections causes us to
disable configurations or even entire protocols when they’re old and
infrequently used. 3DES (“triple DES”) was a popular encryption algorithm
for many years
<https://blog.mozilla.org/security/2021/10/05/securing-connections-disabling-3des-in-firefox-93/>
but has fallen out of use and we disabled it by default in Firefox 93.

Advancing our implementation of Encrypted Client Hello: In early 2021 we
announced that we are working on Encrypted Client Hello
<https://blog.mozilla.org/security/2021/01/07/encrypted-client-hello-the-future-of-esni-in-firefox/>,
which allows us to provide better privacy for TLS 1.3 connections. In Q4 of
2021 we updated our implementation to the latest IETF draft specification
(Draft 14 <https://datatracker.ietf.org/doc/draft-ietf-tls-esni/14/>) and
tested interoperability with other major implementations.

Improving the Quality of Publicly Trusted Intermediate CA Certificates:
Keeping our commitment to the security and privacy of individuals on the
internet, we continued to increase our oversight and add automation to our
compliance-checking of publicly trusted intermediate CA
<https://blog.mozilla.org/security/2021/12/09/improved-quality-of-intermediate-certificates-with-enhanced-oversight-and-automation/>
certificates. These include improvements that allow us to automatically
process CA audit reports using Audit Letter Validation (ALV), advise CAs on
the status of their intermediate certificates, and provide CAs and root
store operators with lists of tasks relevant to intermediate certificates
listed in the CCADB.

Web Security

SHA-256 support for HTTP Auth: The SHA-256 algorithm
<https://bugzilla.mozilla.org/show_bug.cgi?id=472823> is now supported for
digest-based HTTP Authentication
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication> in
Firefox 93. This allows much more secure authentication than previously
available using the MD5 algorithm.

crypto.randomUUID() support: The crypto.randomUUID()
<https://developer.mozilla.org/en-US/docs/Web/API/Crypto/randomUUID>
function is now supported
<https://bugzilla.mozilla.org/show_bug.cgi?id=1723674>. This returns a
cryptographically strong, fixed-length 36-character UUID.

Support onsecuritypolicyviolation on global: In Firefox 93, the
onsecuritypolicyviolation
<https://developer.mozilla.org/en-US/docs/Web/API/GlobalEventHandlers/onsecuritypolicyviolation>
event handler property is now supported
<https://bugzilla.mozilla.org/show_bug.cgi?id=1727302>: This can be used to
assign a global handler for processing securitypolicyviolation
<https://developer.mozilla.org/en-US/docs/Web/API/Element/securitypolicyviolation_event>
events fired when there is a Content Security Policy
<https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP> violation.
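An added example (not Firefox code) of a global handler of the kind the new property enables: it reduces each securitypolicyviolation event to the fields worth logging, aggregates repeats of the same directive/URI pair, and installs itself on window only when one exists. The property names are those of SecurityPolicyViolationEvent; the events used to exercise it are constructed plain objects with the same properties.

```javascript
// Added example (not Firefox code): a global securitypolicyviolation handler
// that reduces each event to a loggable record and aggregates repeats. Field
// names follow SecurityPolicyViolationEvent; sample events are constructed.

function summarizeViolation(e) {
  return {
    directive: e.effectiveDirective || e.violatedDirective,
    blockedURI: e.blockedURI || "(none)",        // a URL, or "inline" / "eval"
    documentURI: e.documentURI,
    source: e.sourceFile ? `${e.sourceFile}:${e.lineNumber}:${e.columnNumber}` : null,
    disposition: e.disposition,                  // "enforce" or "report"
    policy: e.originalPolicy,
  };
}

// Count violations per (directive, blockedURI) so one noisy script is not
// reported hundreds of times.
function aggregate(events) {
  const counts = new Map();
  for (const e of events) {
    const s = summarizeViolation(e);
    const key = `${s.directive} ${s.blockedURI}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Register as the global handler; returns false when there is no window
// object (for example under Node), so the module is safe to import anywhere.
function installGlobalHandler(sink) {
  if (typeof globalThis.window === "undefined") return false;
  globalThis.window.onsecuritypolicyviolation = (e) => sink(summarizeViolation(e));
  return true;
}
```

In a page you would call installGlobalHandler with a sink that batches the summaries to your reporting endpoint; effectiveDirective is preferred over violatedDirective because it names the directive that actually applied after CSP3 fallback.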

Fuzzing

Adding additional UBSan Checks: Our Fuzzing Team has been reducing our
undefined behavior by testing additional UBSan checks like function
<https://bugzilla.mozilla.org/show_bug.cgi?id=1748880> and
float-cast-overflow <https://bugzilla.mozilla.org/show_bug.cgi?id=1749864>
and filing and correcting issues. Nightly can already launch without
triggering any issues, though a few fixes remain for tests failing in CI.

Fuzzing WebGPU’s JavaScript API in Domino: The Fuzzing Team expanded
<https://bugzilla.mozilla.org/show_bug.cgi?id=1753982> our fuzzing coverage
to WebGPU by implementing a fuzzing target for its JavaScript API in
Domino. Domino is our primary fuzzer for Web APIs in full-browser testing
<https://blog.mozilla.org/attack-and-defense/2021/05/20/browser-fuzzing-at-mozilla/>.
In addition, we are also investigating further testing methods for the
WebGPU feature before release.

Going Forward

Thanks to everyone involved in making Firefox and the Open Web more secure
and privacy-respecting. Since we are already in the first quarter of the
year 2022, please do not forget to add your items to the 2022 Q1 Security &
Privacy Newsletter (Collection Document)
<https://docs.google.com/document/d/146CKzGZeMHFNW9i1zxB7z1aIutA8fyUTr1vAdQuH7SI/edit#heading=h.e41zam76yx7w>
so that they will show up in the next iteration of the Firefox Security &
Privacy newsletter.

In the name of everyone improving Security and Privacy within Firefox,
Mozilla and the Open Web,

  Christoph, Freddy, Tom
P.S. This quarter's edition as well as all previous issues are also
archived on the Mozilla Wiki:
https://wiki.mozilla.org/Firefox_Security_Newsletter.
