Firefox Security & Privacy Newsletter 2021 Q1

Hello fellow Mozillians,

Having so many passionate people improve every aspect of Firefox’s Privacy and Security, it’s always hard to keep track of all the things happening simultaneously. To keep you up to date, we’ve pulled together the highlights from the first quarter in 2021. To ease consumption within this newsletter, we have grouped them into the following categories:

• Product Security & Privacy, showcasing new Security & Privacy Products, Features and Services.
• Core Security, outlining Security and Hardening efforts within the Firefox Platform.
• Cryptography, showcasing improvements to connection security.
• Fuzzing, providing updates for automated security testing and analysis.
• Web Security, highlighting the support of new web application security features.
• Policy & Bug Bounty, providing updates on security policy development.

Firefox Product Security

Insights into HTTPS-Only Mode: Firefox supports an HTTPS-Only Mode since Firefox 83. In February 2021, we presented implementation details as well as the success rate of HTTPS-Only in an academic publication titled HTTPS-Only: Upgrading all connections to https in Web Browsers at MadWeb - Measurements, Attacks, and Defenses for the Web. The publication was ultimately voted Best Paper Award. A lightweight summary of the presented results is available as a blogpost on the Attack and Defense Blog: Insights into HTTPS-Only Mode.

Managing usernames and passwords: The Firefox Password Manager securely stores the usernames and passwords you use to access websites and then automatically fills them in for you the next time you visit a website. Starting with Firefox 85 the Password Manager comes with improved usability which allows you to easily remember, delete and also edit logins and passwords.

Firefox Product Privacy

Supercookie Protections: Starting with Firefox 85 we are partitioning network connections and caches by the website you are visiting by default. Isolating caches and network connections to the website they were created on renders efforts of trackers to rely on them for cross-site tracking useless. Read details in our blogpost: Firefox 85 Cracks Down on Supercookies.

Total Cookie Protection in Enhanced Tracking Protection’s Strict Mode: Starting in Firefox 86, Firefox users browsing the web in ETP’s Strict-Mode can benefit from a privacy feature named Total Cookie Protection. Using Total Cookie Protection, every website gets its own ‘cookie jar’, which ultimately prevents cookies from being used to track you from site to site.

Introducing SmartBlock: Using SmartBlock, end users will encounter less website breakage since it provides stand-in scripts which allows websites to load properly while still preventing tracking abuse. Starting in Firefox 87, this new intelligent tracker blocking mechanism has been enabled by default for Private Browsing and Strict-Mode.

Trimming HTTP Referrers by default: Also starting with Firefox 87, our new default HTTP Referrer Policy will trim path and query string information from referrer headers to prevent sites from accidentally leaking sensitive user data and make it harder for trackers to collect user information from e.g., search parameters.

Core Security

Ending support for Flash: Firefox 84 was the final version to support Flash. Firefox version 85, released in January 2021 shipped without Flash support and also does not provide any setting to re-enable Flash support. Ultimately this change eliminates long-standing security vulnerabilities within browsers for good.

Mitigating the Stack Clash Attack: Starting with Firefox 86, we have shipped new protections against the Stack Clash Attack in Firefox Desktop for Linux and Firefox for Android. The new protections defeat this attack which tries to exploit large stack allocation by splitting large allocation in chunks of the maximum allowed size. Ultimately chunking up the stack into smaller pieces allows us to rely on the kernel’s provided stack guard.

Improved Crash Reporting: We have begun to intercept crash reports that previously only were sent to Windows Error Reporting. This will improve our visibility into stability issues as well as let us see crashes that were caused by Windows security features. Presently parent-process only, but soon expanding to child processes. With this enhanced visibility, we will be able to see the impact of security features we would like to enable such as Control Flow Integrity (see next item for details).

Intel Control Flow Integrity Support: While CET support is only available on a small selection of processors, adding backwards edge control flow protection complements our existing forward-edge CFI provided by Control Flow Guard on Windows. We’ve added the ability to enable the protection for several of our processes; and are testing enabling it by default where possible. Current architecture of our JIT Engine precludes it being enabled on the content-process or parent-process. However, once the improved crash reporting has landed we’ll be able to enable this by default for other process types.

Media Decoding: We’ve continued our efforts to move more media decoders out of the content process and into a dedicated, more locked-down utility process (presently we call it ‘RDD’ for Remote Data Decoder, but in the future it will be renamed ‘Utility’ as a more generic process.) Right now, depending on platform, the RDD process hosts Theora, AV1, VP8/VP9,WMF, Opus, Vorbis, MP3, FLAC, and WAV.

Cryptography

Root Store Updates: We added the root certificates for[1]Fábrica Nacional de Moneda y Timbre (FNMT) and[2]GlobalSign nv-sa CAs, removed the[3]GeoTrust Primary Certification Authority - G2 and VeriSign Universal Root Certification Authority root certificates and turned off the websites (TLS) trust bit for the[4]Staat der Nederlanden Root CA - G3 root certificate as requested by the owners of these certificates.

CCADB: We added links to the CCADB Resources page for developers who need to use a curated list of root certificates for particular use cases, because we became aware that some organizations have incorrectly been using Mozilla's root store without checking that the trust bits aligned with their use case. We enabled multiple root store operators to use the same root inclusion requests within the CCADB, so CAs will be able to apply once to multiple root stores, the root store operators will be able to share the workload of validating the data, yet each root store operator will continue to independently make their own decisions about which root certificates to include in their programs and which trust bits to enable for them. Added API and improved[5]documentation so CAs can automate their updates to the CCADB.

Fuzzing

Eliminating Data Races using ThreadSanitizer: In our blog post titled Eliminating Data Races in Firefox – A Technical Report we describe in detail how we have successfully deployed ThreadSanitizer in the Firefox project to eliminate data races in our remaining C/C++ components. This post is not only relevant to Firefox enthusiasts, but targets all multithreaded C/C++ projects because it describes in detail how to adopt the ThreadSanitizer tool which ultimately allows to increase the code quality of every project.

Fuzzing: In the first three months of 2021 we published two blog posts on Fuzzing which provide logical entry points into Firefox. The first post titled Effectively Fuzzing the IPC Layer in Firefox targets specifically the inter process communication layer in Firefox. The second post titled Browser fuzzing at Mozilla targets a wider audience and provides details on a lot of underlying components which we use internally to fuzz Firefox which ultimately allows identifying quality and security issues.

Web Security

WebRTC: From Firefox 86 onward, DTLS 1.0 is no longer supported for establishing WebRTC PeerConnections. All WebRTC services need to support DTLS 1.2 from now on as the minimum version.

Going Forward

Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in Q2, please do not forget to add your items to the 2021 Q2 security privacy newsletter collection document so that they will show up in the next iteration of the Firefox Security & Privacy newsletter.

In the name of everyone improving Security and Privacy within Firefox, Mozilla and the Open Web,

Christoph, Freddy, Tom