Q4 2016 Summary

Q4’16 was a period of significant change for the security engineering org at Mozilla. Further consolidating the team additions from Q2, security engineering is now united under Selena Deckelmann and reporting into the Firefox team. While our focus continues to cover both front-end and platform, the shift in org is helping to improve ties with the Firefox team and is already bringing results increased collaboration.

Q4 was largely heads down making progress on multi-quarter projects but there are some important milestones to point out:

• Shipped SHA-1 deprecation options in FF51  
• Shipped CSP ‘strict-dynamic’ in FF 52, a significant update to content security policy designed to improve CSP adoption
• Modernized the NSS build environment and enabled fuzzing of TLS stack

Team Highlights

Crypto Engineering

• Modernizing NSS
  • Moved builds to Gyp, bringing clean build time from >3m to <20s, and it’s maintainable!
  • Started continuous integration testing in-house for the first time since ~2003.
  • (Politically) announced end-of-life for NSS on targets that predate C++, making way to add C++ code in 2017.
  • Making the TLS stack fuzzable!
  • Removed mounds of crufty code that neither Firefox or RedHat use.
• TLS 1.3
  • Latest version of the transport-layer security spec!
  • Lower latency on connections, so it goes faster!
  • Whole classes of attacks on earlier TLS/SSL are impossible now. For example: session negotiation is now integrity-checked and encrypted, too!
• PSM
  • Shipped our SHA-1 deprecation preference, for use in Q1.
  • Windows users can flip a pref to use enterprise CA roots stored in the Windows store. (Also: Windows 8/10 Child Mode fixes!)
• Web Authentication / U2F
  • It… continues! Experimental WebAuthn WD-02 code is in nightly and will get hooked to hardware in Q1.

Content Security

• Security By Default (AsyncOpen2)
  • Q4 goal was to convert docshell to use AsyncOpen2(). R+d but testing reveals issues.
  • Still targeting Q1 2017 switch to AsyncOpen, but at risk due to docshell delays.
• Containers
  • Design sprint, user research study leading to improved UX design
  • Implementation of this design as a new ‘hybrid’ add-on
• Content Security Policy
  • “strict-dynamic” implemented in Firefox 52, new feature in CSP to aid developers in adoption and creation of effective policies
  • "require-sri-for" directive, to enforce Subresource Integrity (SRI) through CSP
• Sandbox Hardening
  • Initial audit of Message Manager and IPDL protocols, work continuing in Q1
  • Drafted strategy for sandbox hardening
• Tor
  • Implemented First Party Isolation (also called “double keying”) which prevents third parties from tracking you across multiple sites.  This feature will ship in Firefox 52 (though hidden behind a pref)
  • The collaboration between Mozilla and Tor in 2016 was summarized and published by the blog post: https://blog.torproject.org/blog/tor-heart-firefox
• Safebrowsing
  • Landed support for Safebrowsing V4 (pref’d off) in FF53
  • On target for switching to V4 support by default in 2017
• Cookies
  • Collaborated with the networking team to land support for the "Strict Secure Cookies" spec (bug 976073). Will ship in Firefox 52.

Fuzzing

• Improvements to various fuzzers and frameworks
  • DOMFuzz clean up and refactoring work,
  • Skia fuzzing
  • LibFuzzer build integration into Mozilla Central
• Sandboxing fuzzing
  • Message Manager fuzzer (Bug 777600)
  • Improvements to IPDL fuzzer
• FuzzManger improvements and performance increases
• New member joined the team: Jason Kratzer

Cross-Team Initiatives

• Buildsec
  • New team established in q4 to focus on end-to-end build security
• CA Program
  • Over 2600intermediate certificates disclosed in the Common CA Database; over 230 revoked intermediate certificates added to OneCRL