Firefox Security Newsletter/FSN-2021-Q2


Firefox Security & Privacy Newsletter 2021 Q2

The security and privacy of our users are cornerstones of Mozilla’s manifesto, and they influence everything we do, regardless of team membership or community involvement. Here are the highlights from Q2 of 2021, grouped into the following categories:

  • Product Privacy & Security, showcasing new Security & Privacy Products, Features and Services.
  • Core Security, outlining Security and Hardening efforts within the Firefox Platform.
  • Cryptography, showcasing improvements to connection security.
  • Fuzzing, providing updates for automated security testing and analysis.
  • Policy & Bug Bounty, providing updates on security policy development.

Firefox Product Privacy

Combating window.name privacy abuse: Historically, the window.name property allowed stored data to persist even across navigations. Regrettably, trackers successfully turned this data storage into a side channel to follow people around on the web. Starting with version 88, Firefox introduced a new protection mechanism against such privacy leaks and clears the window.name property when performing a navigation between websites.


Enabling Total Cookie Protection by default in Private Browsing: Starting with Firefox 89, we have enabled a new, extra strong protection against cross-site tracking cookies by default in Private Browsing. Previously, third-party cookies were shared between websites; now every website gets its own cookie jar, so that cookies cannot be used to share data between them.
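The per-website cookie jar described above can be modelled in a few lines. This is an added illustration, not Firefox code: `CookieStore`, `makeTracker`, `idsSeenAcrossSites` and the `.example` sites are hypothetical names, and sites are plain strings rather than values derived from URLs.

```javascript
// Simplified model of shared vs. per-website cookie jars (added example,
// not Firefox's implementation). Sites are plain strings here.
class CookieStore {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.jars = new Map(); // jar key -> Map(cookie name -> value)
  }

  // Shared mode keys a jar by the cookie's own site only. Partitioned
  // mode also includes the top-level site the user is visiting.
  jarKey(topLevelSite, cookieSite) {
    return this.partitioned ? `${topLevelSite}|${cookieSite}` : cookieSite;
  }

  jar(topLevelSite, cookieSite) {
    const key = this.jarKey(topLevelSite, cookieSite);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    return this.jars.get(key);
  }

  get(topLevelSite, cookieSite, name) {
    return this.jar(topLevelSite, cookieSite).get(name);
  }

  set(topLevelSite, cookieSite, name, value) {
    this.jar(topLevelSite, cookieSite).set(name, value);
  }
}

// Constructed third-party script: reuses its "uid" cookie when it can
// read one, otherwise mints a fresh identifier.
function makeTracker(site) {
  let counter = 0;
  return function onEmbed(store, topLevelSite) {
    let id = store.get(topLevelSite, site, "uid");
    if (id === undefined) {
      id = `visitor-${++counter}`;
      store.set(topLevelSite, site, "uid", id);
    }
    return id;
  };
}

// Returns the identifier the tracker observes on each visited site.
function idsSeenAcrossSites(partitioned, visits) {
  const store = new CookieStore(partitioned);
  const tracker = makeTracker("tracker.example");
  return visits.map((topSite) => tracker(store, topSite));
}

const visits = ["news.example", "shop.example", "news.example"]; // constructed
console.log("shared jar:     ", idsSeenAcrossSites(false, visits));
console.log("partitioned jar:", idsSeenAcrossSites(true, visits));
```

With the shared jar the embedded script sees one identifier on every site; with partitioning it sees a different identifier per top-level site, while a return visit to the same site still finds its earlier cookie.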


Introducing SmartBlock 2.0 in Private Browsing: Starting with Firefox 90, we are shipping an improved version of SmartBlock, our advanced tracker-blocking mechanism built into Private Browsing and Strict Mode. This new version still builds upon strong privacy protections while ensuring smooth interactions with third-party logins, combining a great web browsing experience with robust privacy protections.


Removed legacy Device Sensor APIs: We removed our implementations of DeviceProximityEvent, UserProximityEvent, DeviceLightEvent and their event handlers. Removing those legacy Device Sensor APIs helps avoid privacy leaks and achieves better interoperability and web compatibility.

Firefox Product Security

Upstreaming Breach Alerts into mainstream Firefox: Mozilla initially launched Firefox Monitor in 2018, a service which instantly notifies users if their data was involved in a data breach. In May 2021, we updated our Breach Alert Policy and expanded the scope for protecting our users across the world by integrating alerts from Firefox Monitor into mainstream Firefox. This new awareness system shows Firefox users an alert for websites where passwords were exposed in a breach, and hence provides a solid warning system to counter data breaches.

Core Security

Identifying problems caused by third-party software: Sometimes, third-party modules try to interact with, or inject themselves into, the Firefox process to get insights into the browser. It’s not uncommon for such modules to have very specific expectations about Firefox’s internal behavior, even though that behavior can change with every minor release, which has caused stability issues. To help end-users better understand how third-party modules may affect Firefox stability, we are now providing an overview in the “about:third-party” page on Windows.


Examining JavaScript Inter-Process Communication (IPC) in Firefox: We have published insights that explain core security aspects of Site Isolation and how our internal JavaScript code communicates between processes. The explanation comes with hands-on advice on how to inspect, debug and invoke custom IPC messages for further security testing. We are thrilled that security YouTuber LiveOverflow covered the blog post in his video “What is a Browser Security Sandbox”.

Cryptography

Root Store Updates: We added root certificates for e-commerce monitoring GmbH, Autoridad de Certificación (ANF AC), and Asseco Data Systems S.A. (previously Unizeto Certum). We removed the Trustis FPS Root CA root certificate that the CA is retiring, and we removed expired root certificates for QuoVadis and Telia Company (previously TeliaSonera).


Proper Use of a Root Store: We published a security blog post explaining misuse and proper use of root stores, and provided links to data usage terms and root certificate lists that are curated for specific use cases on our Common CA Database (CCADB) website https://www.ccadb.org/resources.


Root Store Policy: Version 2.7.1 of Mozilla’s Root Store Policy went live on April 14th with an effective date of May 1st, and we posted a security blog, “Upgrading Mozilla’s Root Store Policy to Version 2.7.1” highlighting the policy updates. One of the updates requires CAs to verify the domain names and IP addresses for TLS certificates within 398 days prior to certificate issuance. This aligns with the validity period of TLS certificates being required to be 398 days or less, such that before annually renewing TLS certificates, the CA will need to reconfirm that the certificate requestor still controls the domain and IP addresses to be included in the certificate. The CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates has also been updated with this requirement.


CA Communication and Survey: We sent an email and survey to all CAs in Mozilla’s root store to raise awareness about the updates to Mozilla’s Root Store Policy and collect feedback on creating a plan to replace old root certificates. All CAs in our root store responded and indicated their intent to comply with the updated requirements by the specified dates. Discussion and creation of a plan to replace old root certificates will continue in Mozilla’s Dev Security Policy (MDSP) email group.


Common CA Database (CCADB): We moved the CCADB roadmap and enhancement requests into Bugzilla and created a CCADB Dashboard wiki page. Our current project is redesigning Cases and enabling CAs to more easily and frequently provide updates for their CA and root certificates.


Government MiTM CAs: Mozilla responded in a joint submission with Google to the Mauritian Government’s public consultation and blogged about it. Additionally, we continue to add the Kazakhstan Government’s MiTM root certificates to OneCRL as they continue creating them.

Fuzzing

Browser Fuzzing at Mozilla: We have published an article that gives a broad overview of all fuzzing efforts at Mozilla. This article allows contributors to learn more about our infrastructure and the fuzzing software we use. The blog post further covers the various fuzzing targets and how to reduce and report the identified crashes in a meaningful and effective way. Last but not least, we stress how intentionally designed interactions between developers and security engineers make this a successful feedback mechanism in our software development process.


Eliminating Data Races in Firefox: We have adopted ThreadSanitizer and summarized technical insights in a blog post titled “Eliminating Data Races in Firefox – A Technical Report”.

In summary, the post focuses on how to integrate such a tool into our software development life cycle, how to classify benign and malicious data races, and how to deal with false positives.


Extended Windows Fuzzing: While most of our code, and therefore most of our fuzzing efforts, are platform agnostic, we have extended fuzzing jobs to Windows. Previously we had been fuzzing almost exclusively on Linux. Expanding our fuzzing efforts to Windows allows us to cover even more of the code that Firefox interacts with, which in turn allows us to uncover potential problems and ultimately improve the stability of Firefox.


Integrating Fuzzilli in our Fuzzing Suite: Fuzzilli, the coverage-guided fuzzer for dynamic language interpreters, has proven valuable at finding serious bugs. After many great bug reports and useful interactions with the developers and maintainers before and after it was released as open source, we have decided to also run it ourselves. Testing our own JavaScript engine SpiderMonkey with Fuzzilli is now integrated into our existing processes.


Going Forward

Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in Q3, please do not forget to add your items to the 2021 Q3 security privacy newsletter collection document so that they will show up in the next iteration of the Firefox Security & Privacy newsletter.


In the name of everyone improving Security and Privacy within Firefox, Mozilla and the Open Web,

Christoph, Freddy, Tom