Firefox Security Newsletter/FSN-2022-Q3

From MozillaWiki

Hello fellow Mozillians,

Security and Privacy are cornerstones of Mozilla’s manifesto, and they shape how we operate and how we build our products. Below are the highlights of our work from July, August and September 2022, grouped into the following categories:

  • Firefox Product Security & Privacy, showcasing new Security & Privacy Features and Integrations in Firefox.
  • Core Security, outlining Security and Hardening efforts within the Firefox Platform.
  • Fuzzing, providing updates for automated security testing and analysis.
  • Cryptography & CA Program, showcasing improvements to connection security.
  • Web Security, allowing websites to better protect themselves against online threats.

Preface

Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. We de-restrict fixed security bugs only after a grace period, once the majority of our user population has received the update that fixes them. If a link does not work for you, please accept this as a precaution for the safety of all of our users.

Firefox Product Security & Privacy

Total Cookie Protection now supports partitioned Service Workers: We are further advancing our implementation of Total Cookie Protection (TCP). Starting with version 105, Firefox supports partitioned Service Workers in third-party contexts. The technical mechanism that powers TCP is known as dynamic state partitioning; it now also allows a service worker to be registered from a third-party iframe, with the registration partitioned under the top-level site the user is visiting. The same third party embedded under two different top-level sites therefore gets two separate registrations and cannot share state between them.
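The following is an added example, not Firefox code: a small Node.js model of how dynamic state partitioning keys storage, including service worker registrations, by (scheme, registrable domain) of the top-level site when the embedding context is third-party. The siteOf() helper is a deliberate simplification (it takes the last two host labels and ignores the Public Suffix List), the partition key format only mimics the look of Firefox’s origin-attribute suffix, and all URLs are constructed for the demo.

```javascript
// Added illustration of Total Cookie Protection's partitioning semantics.
// This is a model written for this newsletter, not Firefox's implementation.

// Simplified "site" extraction: scheme plus registrable domain.
// Assumption: no multi-label public suffixes (co.uk etc.) in the sample input;
// a real browser consults the Public Suffix List here.
function siteOf(url) {
  const { protocol, hostname } = new URL(url);
  const labels = hostname.split(".");
  return { scheme: protocol.replace(":", ""), domain: labels.slice(-2).join(".") };
}

// Storage key for a frame at frameUrl loaded inside a top-level page at topLevelUrl.
// First-party context: the frame's own site. Third-party context: the frame's site
// partitioned under the top-level site, so state is keyed by the pair.
function partitionKey(topLevelUrl, frameUrl) {
  const top = siteOf(topLevelUrl);
  const frame = siteOf(frameUrl);
  const frameSite = `${frame.scheme}://${frame.domain}`;
  if (top.scheme === frame.scheme && top.domain === frame.domain) return frameSite;
  return `${frameSite}^partitionKey=(${top.scheme},${top.domain})`; // mimics Firefox's suffix style
}

// A registry that stores service worker registrations under the partition key,
// the way cookies, localStorage and IndexedDB are partitioned as well.
class ServiceWorkerRegistry {
  constructor() { this.registrations = new Map(); }

  register(topLevelUrl, frameUrl, scriptUrl) {
    const key = partitionKey(topLevelUrl, frameUrl);
    const list = this.registrations.get(key) || [];
    list.push(scriptUrl);
    this.registrations.set(key, list);
    return key;
  }

  // What a frame sees when it later enumerates its registrations.
  list(topLevelUrl, frameUrl) {
    return this.registrations.get(partitionKey(topLevelUrl, frameUrl)) || [];
  }
}

// Constructed scenario: one third-party embed registers a worker under two
// different top-level sites and once as a first party.
function demo() {
  const reg = new ServiceWorkerRegistry();
  const embed = "https://cdn.tracker.example/embed.html";
  const sw = "https://cdn.tracker.example/sw.js";

  reg.register("https://news.example/article", embed, sw);
  reg.register("https://shop.example/cart", embed, sw);
  reg.register("https://tracker.example/", embed, sw);

  return {
    underNews: reg.list("https://news.example/other-page", embed),
    underShop: reg.list("https://shop.example/", embed),
    firstParty: reg.list("https://www.tracker.example/", embed),
    keys: [...reg.registrations.keys()],
  };
}

console.log(demo());
```

Each top-level site ends up with its own registration, and an http:// top-level page is partitioned separately from its https:// counterpart because the scheme is part of the site.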

Core Security

In order to increase our readiness to ship features that drive HTTPS adoption even further (such as HTTPS-Only and HTTPS-First mode), we now require all new test cases to run under HTTPS by default.

Fuzzing

As usual, we develop new fuzzers or extend their capabilities based on upcoming features or newly introduced parsers. In Q3 we added support for COLRv1 fonts and the Origin Private File System API. In addition, we are improving our IPC fuzzing, which continues to find and eliminate numerous potential sandbox escapes.

Cryptography & CA Program

While SHA-1 is insecure and support for SHA-1 signed certificates has mostly been gone since 2017, we had kept an opt-in setting that re-allowed SHA-1 certificates. This setting may have helped users faced with an outdated certificate. Given the time that has passed, we have now removed all configuration options for re-allowing SHA-1 certificates.

Web Security

To help websites achieve cross-origin isolation and prevent cross-site leaks (XS-Leaks) more easily, our DOM team has implemented the Cross-Origin-Embedder-Policy value “credentialless”. Unlike “require-corp”, it does not require every cross-origin resource to opt in via Cross-Origin-Resource-Policy; instead, cross-origin no-CORS requests are sent without credentials, so the response cannot carry user-specific data in the first place.
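The following is an added example, not Firefox code: a Node.js model of the cross-origin isolation decision and of how each COEP value treats a cross-origin subresource, written from the COOP/COEP/CORP rules rather than taken from the DOM implementation. The embedded-resource inventory (a page at https://app.example with an analytics script, a CDN image, an avatar and a CORS API) is constructed for the demo, and the CORS handling is reduced to the Access-Control-Allow-Origin and -Allow-Credentials checks.

```javascript
// Added illustration of COEP "credentialless" versus "require-corp".
// Model written for this newsletter, not Firefox's implementation.

// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return String(v).trim();
  }
  return "";
}

// A document is cross-origin isolated (self.crossOriginIsolated === true,
// SharedArrayBuffer available) only with COOP same-origin AND a COEP value
// that constrains embedded cross-origin content.
function isCrossOriginIsolated(responseHeaders) {
  const coop = header(responseHeaders, "Cross-Origin-Opener-Policy");
  const coep = header(responseHeaders, "Cross-Origin-Embedder-Policy");
  return coop === "same-origin" && (coep === "require-corp" || coep === "credentialless");
}

// Does the resource's Cross-Origin-Resource-Policy permit a load from another origin?
// corp === undefined means the header was absent.
function corpAllows(corp, sameSite) {
  if (corp === undefined) return true;   // absent: CORP itself imposes nothing
  if (corp === "cross-origin") return true;
  if (corp === "same-site") return sameSite;
  return false;                          // same-origin: the embedder is a different origin
}

// Fate of one cross-origin subresource load from a document with the given COEP.
//   request:  { mode: "no-cors" | "cors", origin, credentials: "omit" | "include" }
//   response: { corp, acao, acac }  (CORP, Access-Control-Allow-Origin, -Allow-Credentials)
// Returns { allowed, credentialsSent }.
function evaluateLoad(coep, request, response, sameSite = false) {
  const corpOk = corpAllows(response.corp, sameSite);

  if (request.mode === "cors") {
    // CORS requests behave the same under every COEP value: the CORS check
    // decides, and credentials follow the request's own credentials mode.
    const withCreds = request.credentials === "include";
    const corsOk = withCreds
      ? response.acao === request.origin && response.acac === "true"
      : response.acao === "*" || response.acao === request.origin;
    return { allowed: corpOk && corsOk, credentialsSent: withCreds };
  }

  switch (coep) {
    case "require-corp":
      // no-cors loads carry cookies, so the resource must opt in via CORP.
      return { allowed: response.corp !== undefined && corpOk, credentialsSent: true };
    case "credentialless":
      // no-cors loads go out WITHOUT cookies/auth, so the response cannot be
      // user-specific and no CORP opt-in is needed. An explicit CORP
      // same-origin/same-site still blocks the load.
      return { allowed: corpOk, credentialsSent: false };
    default: // unsafe-none: no embedder restriction beyond CORP itself
      return { allowed: corpOk, credentialsSent: true };
  }
}

// Constructed inventory of what a page at https://app.example embeds.
const EMBEDS = [
  { name: "third-party analytics script", mode: "no-cors", response: {} },
  { name: "CDN image with CORP", mode: "no-cors", response: { corp: "cross-origin" } },
  { name: "user avatar from another origin", mode: "no-cors", response: { corp: "same-origin" } },
  { name: "JSON API via CORS", mode: "cors", credentials: "omit",
    response: { acao: "https://app.example" } },
];

// For one COEP value, report which embeds still load and whether cookies were sent.
function migrationReport(coep) {
  const report = {};
  for (const e of EMBEDS) {
    const req = { mode: e.mode, origin: "https://app.example", credentials: e.credentials || "omit" };
    report[e.name] = evaluateLoad(coep, req, e.response);
  }
  return report;
}

for (const coep of ["require-corp", "credentialless"]) {
  console.log(`COEP: ${coep}`, migrationReport(coep));
}
```

The report shows the trade-off: under require-corp the analytics script is blocked until its operator adds a CORP header, whereas under credentialless it loads, but without the user’s cookies. A resource that explicitly sets CORP same-origin stays blocked under both, and a resource that genuinely needs the user’s credentials still has to be fetched through CORS.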

Going Forward

Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in the fourth quarter of the year 2022, please do not forget to add your items to the 2022 Q4 Security & Privacy Newsletter (Collection Document) so that they will show up in the next iteration of the Firefox Security & Privacy newsletter.

In the name of everyone improving Security and Privacy within Firefox, Mozilla and the Open Web,

Christoph, Freddy, Tom