Security/CryptoEngineering

From MozillaWiki
Jump to: navigation, search

Last Updated: 7 Sept 2017

Mission: Use modern cryptography to improve the security and privacy of Firefox

Protect Firefox users on the Internet through up-to-date cryptographic protocols

  • Maintain the cryptography and transport security library that powers Firefox, NSS
  • Enforce the technical policies of the Mozilla CA Certificate Program
  • Lead the adoption of cryptographic technologies to improve security throughout Firefox

Crypto Engineering Projects

Our team's major projects are broken down by module:

NSS

NSS is the cryptography and transport security library that powers Firefox.

  • 2018 Q1: Rework TLS session caching to permit better privacy controls
  • 2018 Q1: Improve confidence in network-facing ASN.1 parsing

PSM

PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure.

  • 2018 Q1: Move error-string formatting for our error pages into the front-end JavaScript
  • 2018 Q2: Retool the "See more" sections of error pages using JavaScript to provide more help
  • 2018 Q3: Continue work on our Certificate Transparency implementation and test infrastructure

Web Authentication

Password authentication is known to be a security liability on the Web. The W3C Web Authentication Working Group is developing a specification for using Scoped Credentials to supplement or replace passwords. Mozilla intends to implement Web Authentication (WebAuthn) specification.

  • 2016 Q2: FIDO U2F v1.1 JS API landed, hidden behind preferences.
    • You can test a "Soft Token" using any recent version of Firefox using the instructions at https://u2f.bin.coffee/
  • 2017 Jan: Draft WebAuthn JS API available, hidden behind a pref, using the Soft Token from U2F.
  • 2017 Q2: Support USB HID U2F devices on Linux, Mac OS X, and Windows. rust u2f-hid-rs library
  • 2017 Q2-3: Integrate USB HID U2F hardware support into Firefox.
    • Done in Firefox 57.
  • 2017 Q2-3: Update to Working Draft 5 of the WebAuthn JS API.
    • Done in Firefox 56
  • 2017 Q3: Integrate hardware support with the FIDO U2F v1.1 JS API
    • Done in Firefox 57.
  • 2017 September: Interoperability testing for WebAuthn.
    • Done.
  • 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
  • 2018: Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
  • 2018: Support U2F hardware for Firefox for Android.

All of the above dates are for landing in Firefox Nightly.

Goal: permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57 (Done in Firefox 57), and Web Authentication (on by default) in Firefox 59 or 60. (See RapidRelease/Calendar)

Using U2F / WebAuthn

Enable the preferences in about:config:

  • security.webauth.u2f
  • security.webauth.webauthn

Enabling debugging (example for OSX):

  MOZ_LOG="webauthnmanager:5, webauth_u2f:5, webauth_u2f:5, u2fkeymanager:5, u2fhidtoken:5, u2fmanager:5" ~/Desktop/NightlyDebug.app/Contents/MacOS/firefox

Useful testing sites

U2F:

Web Authentication:

It does not work on Facebook or Google Accounts; there are issues beyond browser detection that haven't been analyzed yet.

WD-07 Updates

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1381190 Web Authentication - Change to COSE Algorithm Identifier types RESOLVED J.C. Jones [:jcj] [webauthn][webauthn-wd07] 2017-10-18T09:53:22Z
1382893 WebAuthn RP-IDs should enforce HTTPS and be permissive for alternative TCP ports RESOLVED J.C. Jones [:jcj] [webauthn][webauthn-wd07] 2018-01-08T23:20:32Z
1406456 Update WebAuthn WebIDL to the WD-07 draft RESOLVED J.C. Jones [:jcj] [webauthn][webauthn-wd07] 2017-10-12T10:45:57Z
1406458 WebAuthn: Add extension types RESOLVED Tim Taubert [:ttaubert] [webauthn][webauthn-wd07] 2018-02-07T22:10:27Z
1406459 Web Authentication - Add token binding types RESOLVED [webauthn][webauthn-wd07] 2017-11-08T21:04:37Z
1406462 Web Authentication - Add authenticator selection criteria and attachment types RESOLVED Tim Taubert [:ttaubert] [webauthn][webauthn-wd07] 2017-11-29T22:49:59Z
1406466 Web Authentication - WD-07 Updates to Create Credential RESOLVED [webauthn][webauthn-wd07] 2017-11-20T10:37:32Z
1406467 Web Authentication - WD-07 Updates to Make Assertion RESOLVED Tim Taubert [:ttaubert] [webauthn][webauthn-wd07] 2018-01-25T16:04:24Z
1406468 Web Authentication - Implement isUserVerifyingPlatformAuthenticatorAvailable() method RESOLVED Tim Taubert [:ttaubert] [webauthn][webauthn-wd07] 2017-11-14T20:57:03Z
1406469 Web Authentication - Update Authenticator Data generation for User Verified bit RESOLVED J.C. Jones [:jcj] [webauthn][webauthn-wd07] 2017-10-12T10:46:00Z
1406471 Web Authentication - Implement FIDO AppID Extension RESOLVED Tim Taubert [:ttaubert] [webauthn][webauthn-wd07] 2018-04-27T16:07:24Z
1407093 Web Authentication - Correctly plumb User Handle RESOLVED Tim Taubert [:ttaubert] [webauthn][webauthn-wd07] 2017-12-13T22:04:19Z
1407789 Web Authentication - Prohibit cross-site iframes RESOLVED J.C. Jones [:jcj] [webauthn][webauthn-wd07] 2018-01-16T20:44:09Z
1407829 Web Authentication - Implement CredMan's Store method RESOLVED J.C. Jones [:jcj] [webauthn][webauthn-wd07] 2017-10-17T22:15:30Z
1409202 Web Authentication - Restrict to active documents RESOLVED Tim Taubert [:ttaubert] [webauthn][webauthn-wd07] 2018-04-04T13:29:32Z
1415675 Web Authentication - Support AbortSignal types RESOLVED Tim Taubert [:ttaubert] [webauthn][webauthn-wd07] 2017-11-22T06:28:24Z
1420760 webauthn: out-of-order keys in CBOR map. RESOLVED Adam Langley [webauthn][webauthn-wd07] 2018-01-03T21:45:43Z
1420763 webauthn: credential public key not a COSE_Key RESOLVED Adam Langley [webauthn][webauthn-wd07] 2018-01-06T09:59:34Z
1428916 Web Authentication - Support Attestation Conveyance RESOLVED J.C. Jones [:jcj] [webauthn][webauthn-wd07] 2018-02-07T12:45:44Z
1428918 Web Authentication - Enable in Nightly RESOLVED J.C. Jones [:jcj] [webauthn][webauthn-wd07] 2018-05-09T15:15:11Z

20 Total; 0 Open (0%); 20 Resolved (100%); 0 Verified (0%);


All WebAuthn Tracked Bugs

Full Query
ID Summary Status Assigned to Whiteboard Last change time
1294514 [meta] Implement the W3C WebAuthn API NEW J.C. Jones [:jcj] [webauthn] 2018-05-22T20:20:39Z
1381578 Use a Rust CBOR library for WebAuthn NEW [webauthn] [webauthn-ctap] 2017-08-14T00:35:14Z
1384776 [meta] Update WebAuthn JS API to the WD-07 working draft NEW J.C. Jones [:jcj] [webauthn] [webauthn-interop] 2018-03-07T17:01:29Z
1391438 Support U2F Tokens for WebAuthn on Android NEW [webauthn] 2018-05-07T12:22:10Z
1395293 u2f-hid-rs should be moved out-of-tree and into crates.io NEW [webauthn] [webauthn-cleanup] 2017-12-16T06:04:00Z
1395294 Provide dlopen improvements to libudev-sys back to maintainer NEW [webauthn] [webauthn-cleanup] 2017-12-16T06:04:37Z
1409220 Move mPubKeyCredParams processing to U2FTokenManager NEW [webauthn] [webauthn-cleanup] 2018-03-07T17:01:29Z
1409532 u2f.register fails with registeredKeys array NEW [webauthn] [webauthn-interop][u2f] 2018-02-19T11:46:33Z
1431137 Our CredentialRequestOptions doesn't look much like the spec's ASSIGNED J.C. Jones [:jcj] [webauthn] [webauthn-interop][credman] 2018-01-17T17:07:35Z
1434277 Web Authentication, U2F - Document Dependencies for Common Linux Distributions ASSIGNED Tim Taubert [:ttaubert] [webauthn] [u2f] 2018-05-02T14:55:07Z
1436085 Web Authentication - Remove hard-coded support for U2F Google Accounts NEW [webauthn][u2f] 2018-05-22T06:50:18Z
1436471 Web Authentication - Web Platform Test Correctness Cleanups NEW [webauthn][webauthn-interop] 2018-02-07T18:49:19Z
1448408 Web Authentication - SoftU2F unusable due to context switch aborts NEW [webauthn][webauthn-ux] 2018-04-19T09:14:15Z
1460986 Web Authentication - Enable Cross-Origin iframes via Feature-Policy NEW [webauthn] 2018-05-14T07:51:43Z
1463170 Web Authentication - Set AuthenticatorAssertionResponse.userHandle to null ASSIGNED J.C. Jones [:jcj] [webauthn] [webauthn-interop] 2018-05-22T09:16:04Z

15 Total; 15 Open (100%); 0 Resolved (0%); 0 Verified (0%);


DOM Security