Hello,

Here comes our Q3 edition of the Firefox Security & Privacy Newsletter. The shareable link for this newsletter is <https://wiki.mozilla.org/Firefox_Security_Newsletter/FSN-2020-Q3>

(References are in footnotes at the end of each section, because this is a text-only mailing list. You can always read on the wiki instead.)

The various security and privacy teams at Mozilla work in different parts of the org and on different projects, but with one goal in common: to improve every aspect of Firefox's security and privacy, and to keep our users safe. Since not all of these projects are directly visible to everyone, we've pulled together the highlights from July, August, and September. We also want to use this newsletter to acknowledge contributions from folks whose day job isn't specifically privacy- or security-related, but who have improved things in their areas and made our protections tighter.

To ease consumption of the many improvements listed within this newsletter, we have grouped them into the following categories:

- Product Security & Privacy, showcasing new security and privacy products, features and services.
- Core Security, outlining security and hardening efforts within the Firefox platform.
- Cryptography, showcasing improvements to connection security.
- Fuzzing, providing updates on automated security testing and analysis.
- Web Security, highlighting support for new web application security features.
- Policy & Bug Bounty, providing updates on security policy development.

Note: Some of the bugs linked below might not be accessible to the general public and are still restricted to specific work groups. [We derestrict fixed security bugs after a grace period][], once the majority of our user population has received the update that fixes them.

[We derestrict fixed security bugs after a grace period]: https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html#keeping-private-information-private

Product Security & Privacy

*Firefox Password Manager:* We have made a variety of small yet significant changes to our password manager.

- When a user types into a password field, a key icon now immediately appears in the address bar.
  The icon makes the "save password" panel more discoverable, and this behavior also aligns with Chrome.
- The password manager now [autofills logins][] and [shows the key icon][] on some pages where it previously didn't.
- Backups of logins.json (where saved logins are stored) are now created in the profile folder and [automatically used to restore logins when logins.json is missing or corrupt][]. This addresses a recurring, low-volume class of user complaints about lost logins.
- The optional [Master Password feature has been renamed to Primary Password][] to make it more inclusive, and [text has been added in preferences about the name change][].

*Tab-Modal Prompts:* Firefox system prompts can be abused by websites for DoS (denial-of-service) attacks: they are not rate-limited and can be spammed through Web APIs. Tab-modal prompts are our technique to eliminate this attack vector by migrating window-level prompts to a new prompt type that is scoped to the tab, so a misbehaving page can only block its own tab rather than the whole browser window. We've cut over our first two prompts to the new [TabDialogBox][]: [external protocol dialog][]s and [dialogs for HTTP authentication][].

*DNS over HTTPS (DoH):* Earlier this year, we rolled out [DoH][] to 100% of our Release channel users in the US. We are now working on extending our capabilities to support international rollouts. Meanwhile, the DoH front-end has been converted from a system add-on into a [JSM][] component. In case any of our support pages still mention an "add-on" or "extension", it's worth noting that the DoH front-end is now directly integrated with Firefox and is no longer an add-on.

*Enhanced Tracking Protection (ETP):* We introduced "redirect tracking protection" to ETP. [Redirect tracking][], also known as bounce tracking, is an advanced tracking technique in which a tracker momentarily redirects the user through its own domain so that it becomes a first party and can use first-party storage that third-party cookie blocking would otherwise deny it. We have rolled out [ETP 2.0][] to [block redirect trackers by default][] since Firefox 79. Once every 24 hours, ETP 2.0 clears out all cookies and site data stored by known trackers, unless the user has interacted with that site as a first party within the last 45 days. This prevents redirect trackers from building a long-term profile of your activity.

*Research & Academia:* Steven Englehardt published two papers. The first, [No boundaries: data exfiltration by third parties embedded on web pages][], was presented at the [Privacy Enhancing Technologies Symposium 2020][]. The second, [Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors][], will be presented at the [42nd Symposium on Security and Privacy in 2021][]. One of the co-authors, Umar Iqbal, was a 2019 Security Research Intern in the Security and Privacy Engineering Team.

[autofills logins]: https://bugzilla.mozilla.org/show_bug.cgi?id=1653138
[shows the key icon]: https://bugzilla.mozilla.org/show_bug.cgi?id=1638587
[automatically used to restore logins when logins.json is missing or corrupt]: https://bugzilla.mozilla.org/show_bug.cgi?id=1593467
[Master Password feature has been renamed to Primary Password]: https://bugzilla.mozilla.org/show_bug.cgi?id=1644807
[text has been added in preferences about the name change]: https://bugzilla.mozilla.org/show_bug.cgi?id=1653798
[TabDialogBox]: https://bugzilla.mozilla.org/show_bug.cgi?id=1650795
[external protocol dialog]: https://bugzilla.mozilla.org/show_bug.cgi?id=1661030
[dialogs for HTTP authentication]: https://bugzilla.mozilla.org/show_bug.cgi?id=613785
[DoH]: https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/
[JSM]: https://developer.mozilla.org/en-US/docs/Mozilla/JavaScript_code_modules
[Redirect tracking]: https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Redirect_Tracking_Protection#Redirect_tracking_defined
[ETP 2.0]: https://blog.mozilla.org/blog/2020/08/04/latest-firefox-rolls-out-enhanced-tracking-protection-2-0-blocking-redirect-trackers-by-default/
[block redirect trackers by default]: https://blog.mozilla.org/security/2020/08/04/firefox-79-includes-protections-against-redirect-tracking/
[No boundaries: data exfiltration by third parties embedded on web pages]: https://petsymposium.org/2020/files/papers/issue4/popets-2020-0068.pdf
[Privacy Enhancing Technologies Symposium 2020]: https://petsymposium.org/2020/program.php
[Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors]: https://arxiv.org/abs/2008.04480
[42nd Symposium on Security and Privacy in 2021]: https://www.ieee-security.org/TC/SP2021/

Core Security

*Visibility:* Aiming to increase transparency about Mozilla's security and privacy efforts, we have published articles with technical insights into these efforts on the [Attack & Defense Blog][]. In July, August and September:

- We provided technical details about our hardening efforts: [Hardening Firefox against Injection Attacks – The Technical Details][]
- We published the second part of how Firefox enforces web security checks like the same-origin policy: [Understanding Web Security Checks in Firefox (Part 2)][]
- We added the Exploit Mitigation Bounty to our bug bounty program: [Bug Bounty Program Updates: Adding (another) New Class of Bounties][]
- We provided insight into our bug bounty program with a contributor's view of a security bug in a [Guest Blog Post: Rollback Attack][]
- We provided technical insight into our JavaScript engine and how it translates the high-level language of the web into machine code: [Inspecting Just-in-Time Compiled JavaScript][]

In addition to the above articles, we have also published insights into Firefox-related bugs, news about browser security in general and further bite-sized security announcements on our [Attack & Defense Twitter account][].

*Hardening Firefox:* We have [locked down security checks within our Security Manager][] so that packaged user interface resources are only allowed to load if they are explicitly allow-listed. To accomplish this hardening effort we had to repackage many of our CSS resources to load via the internal chrome: protocol. Besides increasing security, this effort led to performance improvements in parts of DevTools and Activity Stream.

*Research & Academia:* Christoph Kerschbaumer gave a talk at [SecWeb 2020][] presenting techniques for protecting Firefox, and web applications in general, against code injection attacks. In addition to presenting these hardening techniques, he was invited to serve on the panel discussing the topic "Designing Security for the Web".

[Attack & Defense Blog]: https://blog.mozilla.org/attack-and-defense/
[Hardening Firefox against Injection Attacks – The Technical Details]: https://blog.mozilla.org/attack-and-defense/2020/07/07/hardening-firefox-against-injection-attacks-the-technical-details/
[Understanding Web Security Checks in Firefox (Part 2)]: https://blog.mozilla.org/attack-and-defense/2020/08/05/understanding-web-security-checks-in-firefox-part-2/
[Bug Bounty Program Updates: Adding (another) New Class of Bounties]: https://blog.mozilla.org/attack-and-defense/2020/08/18/exploit-mitigation-bounty/
[Guest Blog Post: Rollback Attack]: https://blog.mozilla.org/attack-and-defense/2020/10/12/guest-blog-post-rollback-attack/
[Inspecting Just-in-Time Compiled JavaScript]: https://blog.mozilla.org/attack-and-defense/2020/09/15/inspecting-just-in-time-compiled-javascript/
[Attack & Defense Twitter account]: https://twitter.com/attackndefense
[locked down security checks within our Security Manager]: https://bugzilla.mozilla.org/show_bug.cgi?id=1145314
[SecWeb 2020]: https://secweb.work/

Cryptography

*Crypto Improvements:* Our P384 and P521 elliptic curve code has been replaced with constant-time, formally verified, and more performant implementations from [Fiat-Crypto][] and [ECCKiila][1]. We published a [blog post][] on these and similar efforts.
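The CA Program item further down reports that TLS server certificates may now be valid for at most 398 days. As an added example for operators who want to audit their own certificate inventory against that cap (this is illustration code written for this newsletter, not Mozilla code or part of the CA Program), the following Python script consumes the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates -in cert.pem` prints. Two things are assumptions of the example rather than statements from the newsletter: that the cap applies to certificates whose notBefore is on or after 2020-09-01 UTC, with earlier certificates still judged against the previous 825-day limit, and that "lifetime" is measured as notAfter minus notBefore. The sample outputs at the bottom are constructed, not taken from real certificates.

```python
"""Check TLS server-certificate validity periods against the 398-day cap.

Added example, not Mozilla code. Input is the text printed by
``openssl x509 -noout -dates -in cert.pem``; constructed samples below let it
run offline. Assumptions (not from the newsletter): the cap applies to
certificates with notBefore on or after 2020-09-01 UTC, earlier ones fall
under the previous 825-day limit, and lifetime = notAfter - notBefore.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=398)       # cap from the Browser Alignment ballot
LEGACY_LIFETIME = timedelta(days=825)    # limit that applied before 2020-09-01
EFFECTIVE_DATE = datetime(2020, 9, 1, tzinfo=timezone.utc)  # assumed cutover


def parse_openssl_date(text: str) -> datetime:
    """Parse e.g. 'Sep  1 00:00:00 2020 GMT'. openssl pads single-digit days
    with two spaces; strptime treats whitespace in the format as \\s+."""
    naive = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def parse_dates_output(output: str) -> tuple[datetime, datetime]:
    """Extract (notBefore, notAfter) from `openssl x509 -dates` output."""
    found: dict[str, datetime] = {}
    for line in output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            found[key.strip()] = parse_openssl_date(value)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def check_lifetime(output: str) -> tuple[str, int]:
    """Return (verdict, lifetime in whole days).

    'ok'              issued on/after the cutover and within 398 days
    'too-long'        issued on/after the cutover but longer than 398 days
    'legacy'          issued before the cutover and within the old 825 days
    'legacy-too-long' issued before the cutover but longer than 825 days
    'invalid'         notAfter is not after notBefore (empty/negative window)
    """
    not_before, not_after = parse_dates_output(output)
    lifetime = not_after - not_before
    days = lifetime.days
    if lifetime <= timedelta(0):
        return "invalid", days
    if not_before < EFFECTIVE_DATE:
        return ("legacy" if lifetime <= LEGACY_LIFETIME else "legacy-too-long"), days
    return ("ok" if lifetime <= MAX_LIFETIME else "too-long"), days


# Constructed sample outputs (not real certificates).
SAMPLES = {
    "exactly-398": "notBefore=Sep  1 00:00:00 2020 GMT\nnotAfter=Oct  4 00:00:00 2021 GMT\n",
    "one-day-over": "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Oct  6 00:00:00 2021 GMT\n",
    "issued-before-cutover": "notBefore=Aug 31 00:00:00 2020 GMT\nnotAfter=Dec  4 00:00:00 2022 GMT\n",
    "swapped": "notBefore=Jan  2 00:00:00 2021 GMT\nnotAfter=Jan  1 00:00:00 2021 GMT\n",
}


def check_samples() -> dict[str, tuple[str, int]]:
    """Run every constructed sample through check_lifetime."""
    return {name: check_lifetime(out) for name, out in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, days) in check_samples().items():
        print(f"{name:>22}: {verdict:16} ({days} days)")
```

To audit a live server, pipe the chain into the script's parser, e.g. `openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null | openssl x509 -noout -dates`, and feed the two lines to `check_lifetime`. The "legacy" verdict exists because a certificate issued before the cutover with an 825-day lifetime is still accepted until it expires; flagging it as a violation would be a false positive.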
Separately, we improved [SHA1][] and [SHA256][] performance on ARM by 3x, [Curve25519][] performance on 64-bit Windows by 5x, and [Big Integer arithmetic][] on macOS by 2x.

*CA Program:* Effective September 1, 2020, the [allowed certificate lifetime of TLS server certificates is 398 days][], down from the previous 825 days, as a result of the CA/Browser Forum's Browser Alignment Ballot; the cap applies to certificates issued on or after that date. Also in Q3, the CA Program alerted the EU Commission to concerns about Qualified Website Authentication Certificates (QWACs). We also prepared a set of proposed revisions to the Root Store Policy, for which public discussion will take place during Q4. The root certificate authorities shipped in NSS were also [updated][] in NSS 3.57, which ships in Firefox 82.

*Research & Academia:* Thyla van der Merwe published a paper titled [Designing Reverse Firewalls for the Real World][], which was presented at the [25th European Symposium On Research In Computer Security 2020][] (ESORICS). Further, Benjamin Beurdouche published a paper titled [HACLxN: Verified Generic SIMD Crypto][], which was presented at the [Conference on Computer and Communications Security (CCS) 2020][].

[Fiat-Crypto]: https://github.com/mit-plv/fiat-crypto
[1]: https://gitlab.com/nisec/ecckiila/
[blog post]: https://blog.mozilla.org/security/2020/07/06/performance-improvements-via-formally-verified-cryptography-in-firefox/
[SHA1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1650702
[SHA256]: https://bugzilla.mozilla.org/show_bug.cgi?id=1528113
[Curve25519]: https://bugzilla.mozilla.org/show_bug.cgi?id=1642802
[Big Integer arithmetic]: https://bugzilla.mozilla.org/show_bug.cgi?id=1656981
[allowed certificate lifetime of TLS server certificates is 398 days]: https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
[updated]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes#Certificate_Authority_Changes
[Designing Reverse Firewalls for the Real World]: https://link.springer.com/chapter/10.1007/978-3-030-58951-6_10
[25th European Symposium On Research In Computer Security 2020]: https://www.surrey.ac.uk/esorics-2020
[HACLxN: Verified Generic SIMD Crypto]: https://eprint.iacr.org/2020/572.pdf
[Conference on Computer and Communications Security (CCS) 2020]: https://www.sigsac.org/ccs/CCS2020/accepted-papers.html

Fuzzing

*LibFuzzer:* We have upgraded our [in-tree libFuzzer][] to the latest version, which provides our fuzzing targets with various improvements such as the recent [entropic][] power schedule.

*ThreadSanitizer:* We also continued to push the ThreadSanitizer (TSan) project forward, eliminated more data races (both from the backlog and from newly enabled test suites) and made TSan ready for fuzzing. In the future, we plan to run even more CI on TSan to further improve the overall stability and security of our products. If you want to work with this and other sanitizers, make sure to also check out our [new sanitizer documentation][].

*Research & Academia:* Christian Holler gave [a talk][] about the human component in bug finding at FuzzCon EU 2020. This talk is particularly interesting for people who want to deploy fuzzing in larger projects or companies, and it focuses on the related non-technical issues.

[in-tree libFuzzer]: https://bugzilla.mozilla.org/show_bug.cgi?id=1656463
[entropic]: https://reviews.llvm.org/D73776
[new sanitizer documentation]: https://firefox-source-docs.mozilla.org/tools/sanitizer/index.html
[a talk]: https://www.youtube.com/watch?v=ifc2C5fLIWU

Web Security

*Content Security & Fission:* We have finalized and eliminated corner cases for making all of our content security features (e.g. Mixed Content Blocker, Content Security Policy, and more) compliant with the [Fission architecture][]. This brings us yet a little closer to shipping our Site Isolation mechanism by default.
*Sanitizer API:* We started to implement a prototype of the [Sanitizer API][], which takes a string containing untrusted HTML and returns a sanitized version of it, with script elements, event-handler attributes, javascript: URLs and other executable content removed, so that no JavaScript can execute in an unexpected way when the result is inserted into a document. This helps web applications prevent XSS.

[Fission architecture]: https://wiki.mozilla.org/Project_Fission
[Sanitizer API]: https://bugzilla.mozilla.org/show_bug.cgi?id=1650370

Policy & Bug Bounty

*Security Advisories:* We have published [Security Advisories][] for our products, which provide meaningful information about critical security fixes.

*Bug Bounty Update:* In addition to recent efforts where we [increased bounty payouts][] and included [a Static Analysis component][] in our bounty program, we have now extended our Bug Bounty Policy to also include an [Exploit Mitigation Bug bounty][]. This will hopefully attract even more bug bounty hunters to our program.

*Bug Bounty Hall of Fame:* To show appreciation and to give credit where credit is due, we have updated our [Firefox Bug Bounty Hall of Fame][]. This Hall of Fame lists researchers and bug bounty hunters who have helped make Firefox and the open web a more secure place for all of us. Thank you all!

[Security Advisories]: https://www.mozilla.org/en-US/security/advisories/
[increased bounty payouts]: https://blog.mozilla.org/attack-and-defense/2020/04/23/bug-bounty-2019-and-future/
[a Static Analysis component]: https://blog.mozilla.org/attack-and-defense/2019/11/14/adding-codeql-and-clang-to-our-bug-bounty-program/
[Exploit Mitigation Bug bounty]: https://blog.mozilla.org/attack-and-defense/2020/08/18/exploit-mitigation-bounty/
[Firefox Bug Bounty Hall of Fame]: https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/

Going Forward

Thanks to everyone involved in making Firefox and the Open Web more secure and privacy-respecting. Since we are already in Q4, please do not forget to add your items to the [Q4 security privacy newsletter collection document][] so that they will show up in the next iteration of the Security & Privacy newsletter.

In the name of everyone improving security and privacy within Firefox, Mozilla and the Open Web,

Christoph, Ethan, Freddy, Tom

[Q4 security privacy newsletter collection document]: https://docs.google.com/document/d/1WQxittEUHwtkOXoWfTZInolO53pMMTyw7O9a6ECv9oM/edit

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform