SecurityEngineering/Newsletter: Difference between revisions

q1 update (for real this time)
(Undo revision 1168635 by Ptheriault (talk))
(q1 update (for real this time))
Line 1: Line 1:
=Q4 2016 Summary=
= Firefox Security Team Newsletter =


Q4’16 was a period of significant change for the security engineering org at Mozilla. Further consolidating the team additions from Q2, security engineering is now united under Selena Deckelmann and reporting into the Firefox team. While our focus continues to cover both front-end and platform, the shift in org is helping to improve ties with the Firefox team and is already bringing results increased collaboration.
It was another busy quarter for the teams working tirelessly to keep Firefox users safe online, and Firefox is now safer than ever. New improvements that landed over the last quarter include:


Q4 was largely heads down making progress on multi-quarter projects but there are some important milestones to point out:
* Firefox now [https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ warns users] when their passwords are being sent over HTTP
* Firefox explicitly distrusts the use of SHA-1 signatures in TLS certificates
* Firefox Containers, an experimental privacy tool, is available to all users [https://testpilot.firefox.com/experiments/containers/ via test-pilot]
* We reached another milestone in the [https://wiki.mozilla.org/Security/Sandbox Security Sandbox] project, enabling content process sandboxing on release OS X in Firefox 52. (Windows was previously enabled in Firefox 50 and Linux is enabled in Firefox 54, which is targeted for a June release)
* In addition to support for Tor [https://bugzilla.mozilla.org/show_bug.cgi?id=1299996 first-party isolation] shipping in 52, we [https://bugzilla.mozilla.org/show_bug.cgi?id=1337647 began prototyping] for a project to bring Tor support to Firefox for Android


* Shipped SHA-1 deprecation options in FF51  
And that’s just the highlights, read on to find out what’s new in Firefox security.
* Shipped CSP ‘strict-dynamic’ in FF 52, a significant update to content security policy designed to improve CSP adoption
* Modernized the NSS build environment and enabled fuzzing of TLS stack


=Team Highlights=
=Team Highlights=


==Crypto Engineering==
==Security Engineering==


* Modernizing NSS
* New [https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ warnings] are shipping in Firefox to alarm users when passwords are sent over HTTP
** Moved builds to Gyp, bringing clean build time from >3m to <20s, and it’s maintainable!
* Continued our [https://blog.torproject.org/blog/tor-heart-firefox support for the TOR project]:
** Started continuous integration testing in-house for the first time since ~2003.
** Shipped First Party Isolation in Firefox ESR 52 (hidden behind the pref “<nowiki>privacy.firstparty.is</nowiki>olate”), which prevents third parties from tracking users across multiple websites
** (Politically) announced end-of-life for NSS on targets that predate C++, making way to add C++ code in 2017.
** Attended the Tor meeting in Amsterdam to discuss the collaboration between Mozilla and Tor in the future
** Making the TLS stack fuzzable!
** Started a new mobile project "Fennec + Tor", which aims at bringing Orfox-like features into Fennec
** Removed mounds of crufty code that neither Firefox or RedHat use.
** Worked on efforts to port TOR anti-fingerprinting features to Firefox
* TLS 1.3
* Put the finishing touches on a [https://blog.mozilla.org/security/2016/11/10/enforcing-content-security-by-default-within-firefox/ ‘Security By Default’] project; this multi-year effort centralised the network security logic that was previously scattered through the Gecko codebase in a single maintainable place
** Latest version of the transport-layer security spec!
* We implemented a preference to change the origin inheritance behavior for data: URIs in support of an[https://github.com/whatwg/html/issues/1753  important spec change].
** Lower latency on connections, so it goes faster!
* Support for the Content Security Policy &lt;code&gt;strict-dynamic&lt;/code&gt; directive [https://bugzilla.mozilla.org/show_bug.cgi?id=1299483 landed in Firefox 52]
** Whole classes of attacks on earlier TLS/SSL are impossible now. For example: session negotiation is now integrity-checked and encrypted, too!
* The next phase of the [https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers Containers] project continues with the feature [https://hacks.mozilla.org/2017/03/containers-come-to-test-pilot launched in a Firefox Test Pilot experiment].  
* PSM
* This quarter saw several new features added to Firefox Web Extensions in support of privacy add-ons:
** Shipped our SHA-1 deprecation preference, for use in Q1.
** We help the Web Extension team ship [https://bugzilla.mozilla.org/show_bug.cgi?id=1312802 privacy AP]I which can be used to make Privacy add-ons (Firefox 54)
** Windows users can flip a pref to use enterprise CA roots stored in the Windows store. (Also: Windows 8/10 Child Mode fixes!)
** We also added the [https://bugzilla.mozilla.org/show_bug.cgi?id=1302697 ‘cookieStoreId’ to WebExtension APIs ]so that Web Extension authors can leverage Containers feature in their own add-ons (Firefox 52)
* Web Authentication / U2F
* Sandbox hardening project continues, mainly focusing on hardening our IPC layer in support of the upcoming lockdown of file system access (targeted for Firefox 55)
** It… continues! Experimental WebAuthn WD-02 code is in nightly and will get hooked to hardware in Q1.
** Code auditing continues to find IPC bugs so we are experimenting with[https://bugzilla.mozilla.org/show_bug.cgi?id=1325647  IPDL helper classes ]to avoid common IPDL bugs
** Landed a [https://bugzilla.mozilla.org/show_bug.cgi?id=777600 fuzzer] for Message Manager messages
** Completed two handwritten IPC fuzzers (PHttpChannel/PCameras) as a case study for future IPC fuzzer hardening
* The [https://testpilot.firefox.com/experiments/tracking-protection Tracking Protection experiment graduated from Firefox Test Pilot]
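Review bot: In the new Security Engineering list, the First Party Isolation item closes the nowiki tag in the middle of the pref name (<nowiki>privacy.firstparty.is</nowiki>olate); wrap the whole name, privacy.firstparty.isolate, so it reads as one identifier. The same list has link-markup slips worth fixing before this goes out: the privacy API item closes the link one character early ("privacy AP]I"), and the data: URI and IPDL helper items run the preceding word straight into the opening bracket ("an[https://..." and "with[https://...").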


==Content Security==
===Crypto Engineering===


* Security By Default (AsyncOpen2)
==The end of SHA-1 certificates: Following a phased deprecation of SHA-1 in Firefox 51, Firefox 52 explicitly distrusts the use of SHA-1 signatures in certificates used for HTTPS.==
** Q4 goal was to convert docshell to use AsyncOpen2(). R+d but testing reveals issues.
==We’ve begun fuzzing the TLS client and server side of the NSS library, raising our confidence in the network-facing code used by all Firefoxes==
** Still targeting Q1 2017 switch to AsyncOpen, but at risk due to docshell delays.
==Mozilla now runs the tier 1 continuous integration tests for the NSS library internally, without external reliance on RedHat. We’ve also moved our ARM builds and testing off of local machines and into more stable cloud-hosted hardware.==
* Containers
** Design sprint, user research study leading to improved UX design
** Implementation of this design as a new ‘hybrid’ [https://github.com/mozilla/testpilot-containers add-on]
* Content Security Policy
** “strict-dynamic” implemented in Firefox 52, new feature in CSP to aid developers in adoption and creation of effective policies
** "require-sri-for" directive, to enforce Subresource Integrity (SRI) through CSP
* Sandbox Hardening
** Initial audit of Message Manager and IPDL protocols, work continuing in Q1
** Drafted strategy for [https://wiki.mozilla.org/Security/Sandbox/Hardening sandbox hardening]
* Tor
** Implemented First Party Isolation (also called “double keying”) which prevents third parties from tracking you across multiple sites. &nbsp;This feature will ship in Firefox 52 (though hidden behind a pref)
** The collaboration between Mozilla and Tor in 2016 was summarized and published by the blog post: [https://blog.torproject.org/blog/tor-heart-firefox https://blog.torproject.org/blog/tor-heart-firefox]
* Safebrowsing
** Landed support for Safebrowsing V4 (pref’d off) in FF53
** On target for switching to V4 support by default in 2017
* Cookies
** Collaborated with the networking team to land support for the "Strict Secure Cookies" spec ({{bug|976073}}). Will ship in Firefox 52.
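Review bot: Under "===Crypto Engineering===" the three new items (SHA-1 distrust in Firefox 52, fuzzing of the NSS TLS client and server, in-house tier 1 CI for NSS) are wrapped in "==...==", so each full sentence renders as a level-2 heading instead of a list entry; they should be "*" bullets like the items in the other sections. The subsection heading itself is level 3 while "==Security Engineering==" and "==Operations Security ==" are level 2, which nests Crypto Engineering under Security Engineering; use "==Crypto Engineering==" if it is meant to be a sibling section.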


==Fuzzing==
==Operations Security ==


* Improvements to various fuzzers and frameworks
* <nowiki>Addons.mozilla.org</nowiki> and Firefox Accounts have been brought to compliance with [https://wiki.mozilla.org/Security/FoxSec Operation Security’s security checklist]. These services now have strong CSP, HSTS, HPKP and various other security improvements.
** DOMFuzz clean up and refactoring work,
* Simon Bennetts released [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0 version 2.6.0] of the ZAP web security scanner, with a long list of enhancements and bug fixes from the OWASP community. Noteworthy is the addition of an [https://github.com/zaproxy/zap-extensions/pull/765 OpenAPI/Swagger extension] to automate the discovery and scanning of REST APIs. We plan on using it to scan Firefox backend APIs.
** Skia fuzzing
* Firefox Screenshots (formerly Pageshot) completed a [https://github.com/mozilla-services/screenshots/issues?utf8=✓&q=is:issue label:secreview  security review ]as part of its graduation from the TestPilot program
** LibFuzzer build integration into Mozilla Central
* TLS Observatory now has the ability to count end-entity certificates associated with a root or intermediate, and a [https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=1820980 lightweight web ui ]to visualize certs and their paths. We also started loading certificates from Google’s Aviator CT log, bringing the [https://tls-observatory.services.mozilla.com/api/v1/__stats__?format=text count of certs ]over 12 million.
* Sandboxing fuzzing
* Will Kahn-Greene released [http://bluesock.org/~willkg/blog/dev/bleach_2_0.html Bleach v2.0], a major new release of this popular Python library used to sanitize HTML in web applications.
** Message Manager fuzzer ([https://bugzilla.mozilla.org/show_bug.cgi?id=777600 Bug 777600])
** Improvements to IPDL fuzzer
* FuzzManger improvements and performance increases
* New member joined the team: Jason Kratzer


==Cross-Team Initiatives==
==Cross-Team Initiatives==


* Buildsec
* Shipped pwn2own dot-release in less than 24 hours, great work with really dedicated engineers and release team
** New team established in q4 to focus on end-to-end build security
* Shipped a [https://github.com/mozilla-services/third-party-library-alert hook] into build machinery to alert when a third party library is out of date
* CA Program
* OneCRL now[https://crt.sh/revoked-intermediates  has entries] for about 250 revoked intermediate certs
** Over 2600[https://wiki.mozilla.org/CA:SubordinateCAcerts  intermediate certificates] disclosed in the [https://wiki.mozilla.org/CA:CommonCADatabase Common CA Database]; over 230 [https://wiki.mozilla.org/CA:RevokedSubCAcerts revoked intermediate certificates] added to [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL]
* Deployed [https://wiki.mozilla.org/CA:CommonCADatabase mechanism] for CAs to directly provide their annual updates to the Common CA Database, and have those updates become available to all member root store operators
* Modernized the [https://tlscanary.mozilla.org/ TLS Canary tool] for performance and maintainability improvements including 2-3x perf improvement, better coverage for sites using redirects and support for OneCRL
 
=Security Blog Posts & Presentations=
 
In case you missed them, here are some of the blog posts and speaker presentations we gave over the last quarter:
 
* [https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ New warnings shipping in Firefox to alarm users when passwords are sent over HTTP]
* Tanvi Vyas, Andrea Marchesini and Christoph Kerschbaumer co-authored an [http://www.scitepress.org/DigitalLibrary/PublicationsDetail.aspx?ID=UoE90ECay/Q=&t=1 academic paper ]about Origin Attributes, the framework within Firefox that enables First Party Isolation of cookies ([https://blog.torproject.org/blog/tor-heart-firefox an important TOR feature]) as well as a number of upcoming Firefox security features
* Announced the [https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/ deprecation of SHA-1 on the Public Web]
* Francois Marier lectured on [https://speakerdeck.com/fmarier/getting-browsers-to-improve-the-security-of-your-webapp how to adopt new browser security features at] ConFoo
* Discussed the [https://blog.mozilla.org/security/2017/01/29/mozilla-security-bytes-episode-1-csp/ history and future of CSP] in the [https://github.com/mozilla/security-bytes-podcast Security Bytes podcast]
* Released version [https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/ 2.4 of Mozilla’s CA Certificate Policy]
 
----
'''Previous Editions'''
* [[SecurityEngineering/Newsletter/2016Q4|2016 4th Quarter]]