Firefox Security & Privacy Newsletter 2021 Q3

Security and Privacy build cornerstones of Mozilla’s manifesto, and they influence how we build our products. Here are the highlights representing our work from July, August, and September of 2021, grouped into the following categories:

• Firefox Security & Privacy, showcasing new Security & Privacy Features and Integrations in Firefox.
• Core Security, outlining Security and Hardening efforts within the Firefox Platform.
• Mozilla Product Security, providing insights into security efforts of Mozilla Products.
• Cryptography, showcasing improvements to connection security.
• Web Security, allowing websites to better protect themselves against online threats.
• Fuzzing, providing updates for automated security testing and analysis.
• Policy & Bug Bounty, providing updates on security policy development.

Firefox Product Security & Privacy

Defaulting to HTTPS in Private Browsing Mode: Starting with Firefox 91, Private Browsing Windows will favor secure connections to the web by default. For every website you visit, Firefox will automatically establish a secure, encrypted connection over HTTPS whenever possible.

Managing Exceptions for HTTPS-Only Mode: Exceptions to HTTPS-Only mode can be managed in about:preferences#privacy starting with Firefox 90.

Updating Firefox in the background on Windows: Keeping Firefox up to date is the most fundamental facet of users’ security; and Firefox version 90 introduces background updates on Windows. This will automatically check for updates, download, and install them in the background.

Stopping FTP support in Firefox 90: While FTP (File Transfer Protocol) has been a workhorse of the internet almost since its inception, today it represents a barely used feature, limited support for authentication and confidentiality, and unnecessary attack surface for the majority of our users. In version 90, we have removed FTP support.

Troubleshooting third-party modules: Firefox 90 on Windows now offers a new page, about:third-party, to list modules loaded into the browser by third-party applications. These modules can cause crashes, performance loss, or compatibility issues, and can also help you identify components that you were not aware of and prefer to remove.

Enhanced Cookie Clearing: Starting with Firefox 91, we released a new major privacy enhancement to Firefox’s cookie handling that lets you erase your browser history for any website. This new version of Firefox’ Strict Mode lets you easily delete all cookies and supercookies that were stored on your computer by a website or by any trackers embedded in it.

Core Security

Fixing a Security Bug by Changing a Function Signature: We have published a blog post providing insights into how we fixed a segmentation fault due to a heap buffer overflow in the library that parses files using the Mozilla ARchive (MAR) format. The point of the blog post is not only to demonstrate how we fixed that specific bug, but to allow everyone to get a deeper understanding of systems programming.

Supporting runtime bounds checks for Array: Instead of only relying on assertions to ensure the right `out-of-bounds` checks, we converted those assertions into runtime bounds checks for the Arrays (see Bug 1624717).

Mozilla Product Security

Mozilla VPN Security Audit: Our VPN, Virtual Private Network, can help you create a secure, private connection to the internet. To provide transparency into our ongoing efforts to protect your privacy and security on the Internet, we released a security audit of Mozilla VPN.

Cryptography

Making Client Certificates Available By Default in Firefox 90: Starting with version 90, Firefox will automatically find and offer to use client authentication certificates provided by the operating system on macOS and Windows. This security and usability improvement has been available in Firefox since version 75, but previously end users had to manually enable it.

Redesigning Certificate error pages for a better user experience: Starting with Firefox 92, certificate error pages have been redesigned for a better user experience.

September 2021 Root Additions: A root certificate was added for a new CA operator, the Agence Nationale de Certification Electronique of Tunisia (Tuntrust). Additionally, four root CA certificates were added for the Hellenic Academic & Research Institutions Certification Authority (HARICA) See Bug #1717716.

Web Security

Supporting Fetch Metadata Request Headers: Firefox 90 supports Fetch Metadata Request Headers which allows web applications to protect themselves and their users against various cross-origin threats like (a) cross-site request forgery (CSRF), (b) cross-site leaks (XS-Leaks), and (c) speculative cross-site execution side channel (Spectre) attacks.

Fuzzing

Taking WebAssembly fuzzing to the next level: The wasm-smith fuzzer is a public high-logic WebAssembly module generator that we integrated into our engine for additional WebAssembly coverage (see Bug 1720866).

Experimental fuzzing for the IPC Layer: Earlier this year we described how to effectively fuzz the IPC Layer in Firefox. Now, we have received and successfully evaluated a research prototype for fuzzing the IPC Layer. We continue to explore avenues to expand fuzzing on that layer, because ultimately IPC provides a cornerstone in Firefox’ multi-process Security Architecture.

Bug Bounty

Unified Client and Web Bug Bounty Hall of Fame Updates: Our Client and Web Halls of Fame are updated quarterly; or at least they will be more regularly now that we’ve revamped the update script to be more comprehensive and take into account the Web Bug Bounty participants. While improving the scripts, we identified a few inclusions that slipped through the cracks -- in turn this automation of Bounty Publishing allows us to ensure that participating Bug Bounty Hunters get the credit they deserve for helping to advance our mission.

Going Forward

Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in the last quarter of the year 2021, please do not forget to add your items to the 2021 Q4 security privacy newsletter collection document so that they will show up in the next iteration of the Firefox Security & Privacy newsletter.

In the name of everyone improving Security and Privacy within Firefox, Mozilla and the Open Web,

Christoph, Freddy, Tom