Firefox Security Roadmap
The core security guarantee of the web is that it’s safe to browse. You can run a web browser and connect to any web server on the planet, and whatever that server sends you, it won’t be able to harm you.
Delivering on this promise requires many layers of assurance:
- That the browser itself is safe to run -- that no malicious code has been introduced, and that we find and fix vulnerabilities before they can be exploited.
- That the browser is protecting web content as it’s delivered over the network.
- That web content is forced to play by our rules, including ensuring that privacy-sensitive actions web pages take are gated on the user's permission.
- That we’re providing a user experience that helps people understand the risks and how they can stay safe.
1. Secure Software
Protecting our build and release process
The vast majority of our users rely on Mozilla to build, package, and ship Firefox to them in binary form, as opposed to building it themselves. As Firefox moves to loading components on demand from Mozilla servers, our users are also trusting in the security of that ongoing process. An attacker who can compromise the systems we use to build and ship software can introduce malicious code that will automatically be delivered to millions of users. We need defense in depth at every layer of our infrastructure to reduce the risk of such a compromise, and we need to provide tools that let external parties verify that our infrastructure is producing the binaries it claims to.
- Release engineering security audit
- Binary transparency
- Reproducible builds
- Signed Privileged Content
Finding and fixing vulnerabilities
Like any piece of software, Firefox is going to have bugs that lead to unexpected behavior, and often, attackers can exploit these bugs to do bad things: gaining unauthorized access to private information, or even taking control of a user’s computer. To reduce our users’ exposure to these risks, it’s critical that we find security bugs through our own research and through collaboration with the broader community, then get them fixed as quickly as possible.
- Bug bounty program
Maintaining Integrity at Run-time
Even when there are vulnerabilities in Firefox, there are technologies that can be employed to limit the damage that an attacker can do -- but often the use of these technologies comes at a cost, e.g., by making things run more slowly. We need to make sure that we are using these tools to provide as much protection as we can while still delivering a good user experience.
- e10s (multi-process Firefox) / Sandboxing
- Study: CFI / ASan
2. Secure Networking
Protecting users’ communications from spying or tampering
Firefox relies on encryption to protect users’ communications as they flow over untrusted networks that may be home to spies, criminals, or just service providers with a different notion of privacy. We need to make sure that we make the best, most modern encryption technologies available to our users, and that we apply the best protection possible for every connection.
- NSS Enhancements: CI, new ciphers, TLS 1.3, etc.
- HSTS Priming
- Security state via Kinto
- Study: Built-in VPN capability (e.g. via Tor)
Preventing web site impersonation
Having a secure connection to a website isn’t very helpful if you’re connected to the wrong website. For example, if someone can impersonate your bank, they can probably steal your financial information, even if you have an encrypted connection. The Mozilla Root CA program is one of the world’s most widely-used and trusted systems for verifying the identity of a website. By maintaining this program, and ensuring that Firefox has the best available technology and policy to do identity checks, we protect users from attackers masquerading as real websites.
- Root CA program
- Intermediate certificate whitelist
- Enforcement of the CA/Browser Forum Baseline Requirements (CABF BRs)
- Use Windows root store
- Use/Validate Certificate Transparency SCTs
- Incentivize developers to use secure communications
3. Secure web content
Enforcing security policies for content
Interconnected information is what makes the Web work, but in order to prevent malicious websites from abusing that interconnection to steal information, we need to impose policies that limit what web content can do. We need to enforce a robust set of default policies across Gecko so that it’s safe to put sensitive information on the web, and enable web developers to tell Firefox how to create additional protections that are specific to their sites.
- Per-element referrer policies
- Default security checks
- CSP, SRI, Mixed Content Blocker, iframe sandbox
- Web developer security panel, security console updates
Giving users more control over privacy and anonymity
In addition to giving web developers the ability to protect information on their sites, we also need to enable users to control the information they present to the web, and in particular web sites' ability to profile and track them. In addition to Private Browsing Mode, the Containers project lets users create separate browsing contexts, each with its own cookies and site data, so that what happens in one context is separate from all the others. The Tor project has invested a lot of effort into adding privacy features to Tor Browser (their Firefox-based browser), and we're working on bringing those features into Firefox itself to give all Firefox users more opportunities to browse the web privately and anonymously.
- Integrate Tor patches into mozilla-central
- First-party isolation using OriginAttributes
- Tracking Protection and Do Not Track (DNT)
- User Cookie controls
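To make the partitioning idea behind Containers and first-party isolation concrete, here is an added example, written for this page and not taken from Gecko, that models site storage keyed by origin plus origin attributes. The attribute names (userContextId, firstPartyDomain) are the ones Firefox uses; the key format, the cookie store and the public suffix list are constructed for the example.

```javascript
// Added example: a model of how origin attributes partition site storage.
// Not Gecko code. It mirrors the idea that Firefox keys cookies and other site
// data by origin plus attributes such as userContextId (Containers) and, when
// first-party isolation is on, firstPartyDomain (the eTLD+1 of the top-level
// page). The suffix list is a constructed subset of the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'org', 'co.uk']);

// eTLD+1 of a hostname, e.g. news.example.co.uk -> example.co.uk.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null; // unknown suffix: not handled in this model
}

// Storage key: origin plus an attribute suffix shaped like the one Firefox
// appends, e.g. "https://tracker.net^userContextId=2&firstPartyDomain=example.com".
// Default attribute values (no container, no first party) add nothing.
function storageKey(origin, attrs) {
  const parts = [];
  if (attrs.userContextId) parts.push(`userContextId=${attrs.userContextId}`);
  if (attrs.firstPartyDomain) parts.push(`firstPartyDomain=${attrs.firstPartyDomain}`);
  return parts.length ? `${origin}^${parts.join('&')}` : origin;
}

class CookieStore {
  constructor({ firstPartyIsolate = false } = {}) {
    this.firstPartyIsolate = firstPartyIsolate;
    this.jars = new Map(); // storage key -> Map(cookie name -> value)
  }
  // Attributes for a request from `origin` made by a top-level page on
  // `topLevelHost` in container `userContextId` (0 = default, no container).
  attrs(topLevelHost, userContextId) {
    const a = { userContextId };
    if (this.firstPartyIsolate) a.firstPartyDomain = registrableDomain(topLevelHost);
    return a;
  }
  set(origin, topLevelHost, userContextId, name, value) {
    const key = storageKey(origin, this.attrs(topLevelHost, userContextId));
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  get(origin, topLevelHost, userContextId, name) {
    const key = storageKey(origin, this.attrs(topLevelHost, userContextId));
    return this.jars.has(key) ? this.jars.get(key).get(name) : undefined;
  }
}

// A third-party tracker embedded on two unrelated sites sets an id on the
// first and tries to read it back on the second. Returns true if it can.
function trackerCanLinkVisits({ firstPartyIsolate }) {
  const store = new CookieStore({ firstPartyIsolate });
  const tracker = 'https://tracker.net';
  store.set(tracker, 'news.example.co.uk', 0, 'uid', 'abc123');
  return store.get(tracker, 'shop.example.com', 0, 'uid') === 'abc123';
}

// The same site visited in two different containers gets two cookie jars,
// so two accounts can stay logged in side by side without sharing state.
function containersSeparateLogins() {
  const store = new CookieStore();
  const site = 'https://mail.example.com';
  store.set(site, 'mail.example.com', 1, 'session', 'work');
  store.set(site, 'mail.example.com', 2, 'session', 'personal');
  return [store.get(site, 'mail.example.com', 1, 'session'),
          store.get(site, 'mail.example.com', 2, 'session')];
}
```

Without first-party isolation the tracker's jar is keyed only by its own origin, so the id set under one site is readable under every other site that embeds it; with isolation the key also carries the top-level site, and the same tracker origin gets a fresh jar per first party.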
Protecting users from malicious content
One of the most effective ways to protect users from malicious content is to keep Firefox from loading it at all. Firefox uses the Google Safe Browsing service to check URLs and downloaded files against lists of known malicious sites and binaries before a page is loaded or a download is handed over to the user.
- Safe Browsing v4
- Download protection
4. Secure User Experience
Helping users understand privacy and security
As all the above text illustrates, the complexity of the web creates a lot of different possibilities for how attackers might try to harm users. In order for users to safely navigate the web, we must provide a safe and usable set of default restrictions, as well as giving them sensible tools to increase and decrease their risk exposure, in ways that are both understandable and actionable.
- Improve site permissions
- Insecure Password UI (warn when a login form is served over HTTP)
- Modernize security UI
- Create tools that allow users to take control of their security and privacy settings
- Offer security coaching to users who seek it
Securing the login experience
Almost all logins on the web are based on passwords, and we know that passwords are horrible. Hundreds of millions of passwords have been compromised, giving attackers unprecedented access to private information across many sites on the web. We need to bolster the security of the password system to make it as secure as it can be, while also investing in new technologies that can remove the danger of password breaches.
- WebAuthn / FIDO
- Password Manager Improvements
- Phishing Protection via Safe Browsing API