Firefox Security Newsletter/FSN-2020-Q1
Firefox Security & Privacy Newsletter 2020-Q1
Here comes our second edition of the Firefox Security & Privacy Newsletter.
The shareable link for this newsletter and the back issues is at https://wiki.mozilla.org/Firefox_Security_Newsletter
Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. We de-restrict fixed security bugs after a grace period that lasts until the majority of our user population has received the update. If a link does not work for you, please accept this as a precaution for the safety of all of our users.
Preventing tracking and online surveillance
The Anti-Tracking team shipped fingerprinting protections as part of the Firefox 72 release. This follows a long period of evaluating and fixing website breakage, so it’s a big milestone for the team.
Erica landed our initial implementation of purging tracking cookies in Nightly. This will enable ETP to better protect against so-called bounce trackers that track users through first-party redirections.
The first pieces of dynamic first-party isolation (DFPI) landed in Nightly. DFPI is an experimental approach to isolating all third-party cookies and storage by the top-level site they are embedded in, similar to FPI (which is enabled by default in the Tor Browser and is also supported by Firefox). The most important difference between DFPI and FPI is that DFPI adheres to exceptions granted through the Storage Access API and thus ensures better web compatibility.
Se-Yeon implemented versioning for our Shavar blocklists that power Enhanced Tracking Protection (ETP), Fingerprinting and Cryptomining protections.
Securing/hardening the Firefox Platform
Freddy started enumerating flags and prefs that would dramatically reduce Firefox’s security if flipped. In bug 1602485 we’re collecting and removing them one by one, to kill exploit chains in which a single-byte overwrite of such a pref is all an attacker needs. The first patches have already landed; kudos to volunteer Masatoshi Kimura [:emk] for his excellent work!
We’ve also made some progress to hinder patch gapping. We know that attackers frequently watch the commit logs of popular open source software to find vulnerabilities that have been fixed but not yet shipped to end users. Minimizing this gap has long been part of our practices for fixing security bugs in Firefox. To avoid leaking data and metadata about security vulnerabilities, Tom has implemented a hook for hg.mozilla.org that disallows pushing patches for security bugs to Continuous Integration. Furthermore, Bugzilla has started hiding security bugs in dependency and regression fields if a user does not have access (bug 1591549), with more to come.
The Firefox site isolation project “Fission” is almost ready for testing in Firefox Nightly. There are some known issues with mixed content blocking, but you can enable fission by setting the prefs “fission.autostart” and “gfx.webrender.all” to true.
Bugs worth highlighting:
We removed a very, very old testing API called enablePrivilege, that gave normal web pages extra privileges beyond Web APIs. The API was used in exploit chains and made attacks easier than they should have been.
Firefox no longer uses ShellExecuteByExplorer when launching executable files from the download folder. This protects against attackers who plant malicious DLLs in the same folder in the hope that the launched executable will load them (DLL search-order hijacking).
Automated security testing, analysis and more
Christian Holler deployed ThreadSanitizer (TSan) in our CI with Mochitests and XPCShell Tests enabled. This will prevent new data races from being added to the code base. Existing races are handled by an extensive suppression list and will be gradually fixed. TSan has already found several security-related issues and otherwise hard to diagnose correctness problems.
For another sanitizer, UndefinedBehaviorSanitizer (UBSan), Tyson Smith has enabled the ‘enum’ check in CI, which detects e.g. loading a value that is not a valid enumerator of the enum type it is read as.
The fuzzing team has also started to centralize fuzzing documentation, stay tuned for more coming soon!
Security policy development and communicating security-related information to interested parties (not end-users).
Tom has updated our Security Severity Ratings page. Most notably, critical is reserved for bugs that pose immediate danger to our users. There is no longer a technical difference between critical and high bugs, and we’ll use critical to emphasize risk for our users.
Freddy and Tom have launched the new Attack and Defense Blog, a new outlet to talk about the technical details of our work to a new audience of bug bounty hunters, security researchers, engineers and technologists of all colors.
Mozilla joined the newly formed Privacy Community Group of the W3C (Privacy CG), along with other major browser vendors and industry representatives. In the CG we are discussing the standardization and advancement of technologies that ensure privacy on the web.
Kathleen has been working hard to help Apple actively make use of the Common CA Database (CCADB). The CCADB is a repository of information about Certificate Authorities (CAs) and their root and intermediate certificates. It is used by a number of root store operators; not only is this a resource that Mozilla can be proud of, it is also very important for the security of the Web PKI.
Our Mozilla CA program has a new lead! We’re saying good-bye to Wayne Thayer and are welcoming Ben Wilson to our group!
Features, products and services to help users be more secure on the web
DNS-Over-HTTPS was rolled out to all Firefox users in the US, with the initial set of trusted resolvers being Cloudflare and NextDNS. This is an incredible milestone for the private and encrypted web and credit to the tireless work of the team behind DoH in Firefox. In addition to this, the team also rolled out a DoH performance study to test the real-world latency of different resolvers.
The folks working on Lockwise, the Firefox password manager, shipped an incredible number of fixes and improvements in Q1, to name a few:
- Bianca added support for detecting password input fields using Fathom, a machine learning framework for meaningfully recognizing DOM elements on a page.
- Matthew made us support importing passwords and other profile data from the new Microsoft Edge.
- Jared enabled an additional prompt for OS account credentials before revealing passwords on about:logins. While this doesn’t change the general security considerations of storing passwords without a master password, it does provide an obstacle for local snoopers who don’t have the time or ability to craft a more targeted local attack.
- On mobile, we did a number of releases for the Android and iOS Apps for Lockwise, as well as better integration with the new upcoming Firefox Preview for Android.
The Crypto Engineering team shipped Intermediate Preloading, which mitigates some of the most common certificate errors by loading known intermediate CAs ahead of time.
J.C. Jones wrote a series of blog posts introducing CRLite, another exciting innovation from our Crypto Engineering team. CRLite provides a more efficient and private way to perform certificate revocation checks. It is currently being tested in Nightly.
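To make the mechanism concrete, here is a toy version of the filter cascade at the heart of CRLite. This is an added example, not Mozilla’s code: it keys certificates by a constructed "<issuer>:<serial>" string rather than CRLite’s issuer-SPKI-hash-plus-serial, sizes its Bloom filters naively, and uses a constructed set of revoked and unrevoked serials. What it demonstrates is why CRLite depends on knowing the complete set of unexpired certificates (from Certificate Transparency): the cascade gives exact answers only for certificates it was built over.

```python
import hashlib
import math

# Toy CRLite-style filter cascade (added illustration, not Mozilla's code).
# A certificate is keyed by a constructed "<issuer>:<serial>" string; real
# CRLite keys entries by issuer SPKI hash plus serial number.


class BloomFilter:
    """Fixed-size Bloom filter; `level` salts the hash so cascade levels are independent."""

    def __init__(self, n_items, fp_rate, level):
        n = max(1, n_items)
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, min(8, round(self.m / n * math.log(2))))
        self.level = level
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        digest = hashlib.sha256(bytes([self.level]) + item.encode()).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(item))


def build_cascade(revoked, not_revoked, fp_rate=0.5, max_levels=64):
    """Level 0 holds the revoked set; each further level holds the previous
    level's false positives from the *other* set, until there are none left."""
    include, exclude = set(revoked), set(not_revoked)
    if include & exclude:
        raise ValueError("a certificate cannot be both revoked and unrevoked")
    levels = []
    while include:
        if len(levels) >= max_levels:
            raise RuntimeError("cascade did not converge")
        bf = BloomFilter(len(include), fp_rate, len(levels))
        for item in include:
            bf.add(item)
        levels.append(bf)
        # Anything from the other set that this level wrongly accepts is
        # corrected by the next level, which is built over exactly those items.
        false_positives = {item for item in exclude if item in bf}
        include, exclude = false_positives, include
    return levels


def is_revoked(levels, cert):
    """Exact for every certificate the cascade was built over. For a certificate
    in neither input set the answer is meaningless, which is why CRLite needs
    the complete set of unexpired certificates from Certificate Transparency."""
    for depth, bf in enumerate(levels):
        if cert not in bf:
            # Rejected at an even depth: not in the revoked set at that depth.
            # Rejected at an odd depth: the previous (revoked) hit was genuine.
            return depth % 2 == 1
    # Accepted by every level, so it is a member of the last level's set.
    return len(levels) % 2 == 1


def cascade_bits(levels):
    return sum(bf.m for bf in levels)


# Constructed sample data: one issuer, a handful of revoked serials among many valid ones.
REVOKED = {f"ca1:{serial:04x}" for serial in range(0, 60, 4)}
NOT_REVOKED = {f"ca1:{serial:04x}" for serial in range(1000, 1400)}

if __name__ == "__main__":
    levels = build_cascade(REVOKED, NOT_REVOKED)
    print(f"{len(levels)} levels, {cascade_bits(levels)} bits for "
          f"{len(REVOKED) + len(NOT_REVOKED)} certificates")
    for cert in sorted(REVOKED | NOT_REVOKED)[:5]:
        print(cert, "revoked" if is_revoked(levels, cert) else "valid")
```

Each level only has to be accurate for the items the previous level got wrong, so the filters can be sized for a high false-positive rate (50% here) and the whole structure stays far smaller than a list of revoked serials, at the price of being useless for any certificate that was not in either input set.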
The Firefox 72 release shipped our restrictions against notification permission spam. You can read more about our initial experiments, the restrictions in detail and what this means for web developers.
Paul removed nsContentBlocker, an old mechanism that could block literally any type of content loaded through Firefox. The content blocker had to check permissions before any network request could happen, so it showed up in performance profiles, but Telemetry showed that it was virtually unused.
Outreachy intern Kendall completed her intern project that adds Firefox Sync support to the Multi-Account Containers add-on.
Dana made Firefox stop offering to import CA certificates when a user navigates to a certificate file. This functionality was kept around for a long time for legacy reasons, but has always been a considerable security risk: a few clicks in a prompt could add a new trust anchor to the profile. We’re happy to see it gone! To import custom root certificates, you can still use the certificate manager in about:preferences.
Dana also made it so that Firefox can use client certificates provided by the operating system on Windows and macOS, which will significantly benefit our enterprise users! Her blog post explains our approach and also gives tips on how to achieve the same thing on Linux.
Julian landed the first version of our experimental HTTPS-Only Mode in Nightly. It currently works mostly under the hood, preventing insecure connections from happening in Firefox, but additional improvements, such as UI integration are in the works.
Making websites more secure
It's the boot for TLS 1.0 and TLS 1.1: we’re committed to improving security for all of our users by disabling support for TLS 1.0 and TLS 1.1. However, we have temporarily re-enabled TLS 1.0 and 1.1 in Firefox 74 and Firefox 75 Beta, to keep sites that share critical and important information accessible during this time.
Firefox 74 shipped Feature Policy, which allows websites to prevent iframes from using advanced features (mostly those that are otherwise restricted by web permissions). As part of this we also shipped Permission Delegation, which enables sites to delegate their own permissions to embedded iframes through Feature Policy. This was originally proposed and implemented by the Chrome team and we agree that this approach makes it much easier to build a comprehensible permissions UI, so we’re happy to ship it in Gecko.
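The delegation rule is easier to see in code. The following added example (not Gecko code) decides whether a feature is enabled inside an iframe embedded directly in a top-level document, following the inherited-policy algorithm of the current Permissions Policy spec: the embedder’s Feature-Policy header is a ceiling on which origins may receive a feature, the iframe’s allow attribute is the explicit delegation, and otherwise the feature’s default allowlist applies. The DEFAULT_ALLOWLIST entries, the URLs, and the treatment of a header directive without an allowlist as 'none' are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Added illustration of Feature Policy / Permission Delegation decisions for an
# iframe embedded directly in a top-level document, following the spec's
# "inherited policy" algorithm. Not Gecko code; the defaults below are
# assumptions for the features listed.
DEFAULT_ALLOWLIST = {
    "geolocation": "'self'",
    "camera": "'self'",
    "microphone": "'self'",
    "fullscreen": "'self'",
}


def origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def parse_policy(text, empty_allowlist):
    """Parse "feature tok tok; feature tok" into {feature: [tokens]}.
    A directive without tokens gets `empty_allowlist`: 'src' for the iframe
    allow attribute (the spec's default) and, as an assumption here, 'none'
    for the header."""
    policy = {}
    for directive in text.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:] or [empty_allowlist]
    return policy


def allowlist_matches(allowlist, target, self_origin, src_origin=None):
    for token in allowlist:
        if token == "*":
            return True
        if token == "'self'" and target == self_origin:
            return True
        if token == "'src'" and target == src_origin:
            return True
        if token == target:  # an explicit origin such as https://maps.example
            return True
    return False  # covers 'none' and an empty allowlist


def feature_allowed_in_frame(feature, parent_url, parent_header, frame_url, frame_allow):
    """Is `feature` enabled inside <iframe src=frame_url allow=frame_allow>
    embedded by the top-level document at parent_url, which was served with
    the Feature-Policy header value parent_header?"""
    parent_origin, frame_origin = origin(parent_url), origin(frame_url)
    declared = parse_policy(parent_header, "'none'")
    container = parse_policy(frame_allow, "'src'")
    # 1. The embedder's header is a hard ceiling: a frame origin it does not
    #    list can never receive the feature, whatever the allow attribute says.
    if feature in declared and not allowlist_matches(declared[feature], frame_origin, parent_origin):
        return False
    # 2. The allow attribute is the embedder's explicit delegation decision.
    if feature in container:
        return allowlist_matches(container[feature], frame_origin, parent_origin,
                                 src_origin=frame_origin)
    # 3. Otherwise the feature's default allowlist applies: '*' for everyone,
    #    'self' only for same-origin frames.
    default = DEFAULT_ALLOWLIST.get(feature, "'self'")
    return default == "*" or (default == "'self'" and frame_origin == parent_origin)


if __name__ == "__main__":
    # Constructed scenario: a shop embeds a map provider and an ad network.
    parent = "https://shop.example/checkout"
    header = "geolocation 'self' https://maps.example; camera 'none'"
    for frame, allow in [("https://maps.example/embed", "geolocation"),
                         ("https://maps.example/embed", ""),
                         ("https://ads.example/slot", "geolocation camera")]:
        for feature in ("geolocation", "camera"):
            ok = feature_allowed_in_frame(feature, parent, header, frame, allow)
            print(f"{frame:28} allow={allow!r:22} {feature}: {ok}")
```

Two consequences are worth noting. A header entry alone does not grant a cross-origin frame anything: without allow="geolocation" the map frame falls back to the 'self' default and is denied. Conversely, camera 'none' in the header cannot be undone by an allow attribute, which is what makes the header a useful site-wide backstop against an embedded third party that later starts asking for more.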
Kevin and Ben have continued our efforts to include formally verified cryptographic primitives in NSS. Verification rules out, for these primitives, classes of common and at times subtle crypto bugs. Most recently, ChaCha20, Poly1305 and ChaCha20-Poly1305 for AVX2 have been integrated. Kevin has also updated our Delegated Credentials implementation to match the current Internet Engineering Task Force (IETF) draft. Interoperability testing with Cloudflare has gone well and the feature is now enabled in Nightly, where it will remain until the Delegated Credentials draft is finalized by the IETF.
Sebastian and Christoph fixed a bug in our implementation of the “X-Content-Type-Options: nosniff” header for page loads whose response does not provide a MIME type. Starting with Firefox 75, we respect 'nosniff' for such page loads.