SecurityEngineering/Newsletter: Difference between revisions

= Firefox Security Team Newsletter (older revision, Q1 17) =

It was another busy quarter for the teams working tirelessly to keep Firefox users safe online, and Firefox is now safer than ever. New improvements that landed over the last quarter include:

* Firefox now [https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ warns users] when their passwords are being sent over HTTP
* Firefox [https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/ explicitly distrusts the use of SHA-1] signatures in TLS certificates
* Firefox Containers, an experimental privacy tool, is available to all users [https://testpilot.firefox.com/experiments/containers/ via Test Pilot]
* We reached another milestone in the [https://wiki.mozilla.org/Security/Sandbox Security Sandbox] project, enabling content process sandboxing on release for OS X in Firefox 52 (Windows was previously enabled in Firefox 50, and Linux is enabled in Firefox 54, which is targeted for a June release)
* In addition to support for Tor [https://bugzilla.mozilla.org/show_bug.cgi?id=1299996 first-party isolation] shipping in 52, we [https://bugzilla.mozilla.org/show_bug.cgi?id=1337647 began prototyping] a project to bring Tor support to Firefox for Android

And that’s just the highlights; read on to find out what’s new in Firefox security.

=Team Highlights=

==Security Engineering==
* New [https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ warnings] are shipping in Firefox to alert users when passwords are sent over HTTP
* Continued our [https://blog.torproject.org/blog/tor-heart-firefox support for the Tor project]:
** Shipped First Party Isolation in Firefox ESR 52 (behind the pref “privacy.firstparty.isolate”), which prevents third parties from tracking users across multiple websites
** Attended the Tor meeting in Amsterdam to discuss future collaboration between Mozilla and Tor
** Started a new mobile project, "Fennec + Tor", which aims to bring Orfox-like features into Fennec
** Worked on porting Tor anti-fingerprinting features to Firefox
* Put the finishing touches on the [https://blog.mozilla.org/security/2016/11/10/enforcing-content-security-by-default-within-firefox/ ‘Security By Default’] project; this multi-year effort centralised the network security logic that was previously scattered through the Gecko codebase in a single maintainable place
* Implemented a preference to change the origin inheritance behavior for data: URIs in support of an [https://github.com/whatwg/html/issues/1753 important spec change].
* Support for the Content Security Policy <code>strict-dynamic</code> directive [https://bugzilla.mozilla.org/show_bug.cgi?id=1299483 landed in Firefox 52]
* The next phase of the [https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers Containers] project continues, with the feature [https://hacks.mozilla.org/2017/03/containers-come-to-test-pilot launched in a Firefox Test Pilot experiment].
* This quarter saw several new features added to Firefox WebExtensions in support of privacy add-ons:
** We helped the WebExtensions team ship the [https://bugzilla.mozilla.org/show_bug.cgi?id=1312802 privacy API], which can be used to build privacy add-ons (Firefox 54)
** We also added [https://bugzilla.mozilla.org/show_bug.cgi?id=1302697 ‘cookieStoreId’ to the WebExtension APIs] so that add-on authors can leverage the Containers feature in their own add-ons (Firefox 52)
* The sandbox hardening project continues, mainly focusing on hardening our IPC layer in support of the upcoming lockdown of file system access (targeted for Firefox 55)
** Code auditing continues to find IPC bugs, so we are experimenting with [https://bugzilla.mozilla.org/show_bug.cgi?id=1325647 IPDL helper classes] to avoid common IPDL bugs
** Landed a [https://bugzilla.mozilla.org/show_bug.cgi?id=777600 fuzzer] for Message Manager messages
** Completed two handwritten IPC fuzzers (PHttpChannel/PCameras) as a case study for future IPC fuzzer hardening
* The [https://testpilot.firefox.com/experiments/tracking-protection Tracking Protection experiment graduated from Firefox Test Pilot]

===Crypto Engineering===
* The end of SHA-1 certificates: following a phased deprecation of SHA-1 in Firefox 51, Firefox 52 explicitly distrusts the use of SHA-1 signatures in certificates used for HTTPS.
* We’ve begun fuzzing the TLS client and server side of the NSS library, raising our confidence in the network-facing code used by all Firefoxes
* Mozilla now runs the tier 1 continuous integration tests for the NSS library internally, without external reliance on Red Hat. We’ve also moved our ARM builds and testing off of local machines and onto more stable cloud-hosted hardware.

==Operations Security==
* <nowiki>Addons.mozilla.org</nowiki> and Firefox Accounts have been brought into compliance with [https://wiki.mozilla.org/Security/FoxSec Operations Security’s security checklist]. These services now have a strong CSP, HSTS, HPKP and various other security improvements.
* Simon Bennetts released [https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0 version 2.6.0] of the ZAP web security scanner, with a long list of enhancements and bug fixes from the OWASP community. Noteworthy is the addition of an [https://github.com/zaproxy/zap-extensions/pull/765 OpenAPI/Swagger extension] to automate the discovery and scanning of REST APIs. We plan to use it to scan Firefox backend APIs.
* [http://ccadb.org/ Common CA Database (CCADB)] access has been granted to the rest of the CAs in Microsoft’s root store (those that are also in Mozilla’s root store already had CA Community licenses/access).
* TLS Observatory now has the ability to count end-entity certificates associated with a root or intermediate, and a [https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=1820980 lightweight web UI] to visualize certs and their paths. We also started loading certificates from Google’s Aviator CT log, bringing the [https://tls-observatory.services.mozilla.com/api/v1/__stats__?format=text count of certs] over 12 million.
* Will Kahn-Greene released [http://bluesock.org/~willkg/blog/dev/bleach_2_0.html Bleach v2.0], a major new release of this popular Python library used to sanitize HTML in web applications.

==Cross-Team Initiatives==
* Shipped the Pwn2Own dot-release in less than 24 hours; great work by really dedicated engineers and the release team
* Shipped a [https://github.com/mozilla-services/third-party-library-alert hook] into the build machinery to alert when a third-party library is out of date
* OneCRL now [https://crt.sh/revoked-intermediates has entries] for about 250 revoked intermediate certs
* Deployed a [https://wiki.mozilla.org/CA:CommonCADatabase mechanism] for CAs to directly provide their annual updates to the Common CA Database, and have those updates become available to all member root store operators
* Modernized the [https://tlscanary.mozilla.org/ TLS Canary tool] for performance and maintainability, including a 2-3x perf improvement, better coverage for sites using redirects and support for OneCRL

=Security Blog Posts & Presentations=
In case you missed them, here are some of the blog posts and speaker presentations we gave over the last quarter:
* [https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/ New warnings shipping in Firefox to alert users when passwords are sent over HTTP]
* Tanvi Vyas, Andrea Marchesini and Christoph Kerschbaumer co-authored an [http://www.scitepress.org/DigitalLibrary/PublicationsDetail.aspx?ID=UoE90ECay/Q=&t=1 academic paper] about Origin Attributes, the framework within Firefox that enables First Party Isolation of cookies ([https://blog.torproject.org/blog/tor-heart-firefox an important Tor feature]) as well as a number of upcoming Firefox security features
* Announced the [https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/ deprecation of SHA-1 on the Public Web]
* Francois Marier lectured on [https://speakerdeck.com/fmarier/getting-browsers-to-improve-the-security-of-your-webapp how to adopt new browser security features] at ConFoo
* Julien Vehent presented [https://www.youtube.com/watch?v=e2axToBYD68 Test Driven Security in Continuous Integration] at Enigma, a technique [https://blog.mozilla.org/security/2017/01/25/setting-a-baseline-for-web-security-controls/ we developed internally] to increase the security of our websites and services.
* Discussed the [https://blog.mozilla.org/security/2017/01/29/mozilla-security-bytes-episode-1-csp/ history and future of CSP] in the [https://github.com/mozilla/security-bytes-podcast Security Bytes podcast]
* Released version [https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/ 2.4 of Mozilla’s CA Certificate Policy]


= Firefox Security Team Newsletter Q2 17 (newer revision) =
Firefox 55 is out the door, so there’s time now to put together our quarterly newsletter. In addition to the [https://developer.mozilla.org/en-US/Firefox/Releases/55#Security security changes] which hit release last week, a number of important security improvements landed over the last quarter:
* We’ve made significant improvements to our security sandbox, with file system restrictions shipping for Windows and macOS on beta (Firefox 56) and Linux on nightly (Firefox 57)
* Firefox 56 has a significant speedup for the most common cryptographic algorithm used by secure websites, [https://www.franziskuskiefer.de/web/improving-aes-gcm-performance-in-nss/ AES-GCM] (an official Mozilla blog post is still to come).
* We have continued the Tor Uplift work and entered the second phase, implementing [[Security/Fingerprinting|browser fingerprinting resistance]] starting from Firefox 55.
Read on for more highlights of the important work the Firefox security team is doing to keep our users safe online.

= Team Highlights =

== Security Engineering ==

=== Crypto Engineering ===
* Firefox 56 has a significant speedup for the most common cryptographic algorithm used by secure websites, [https://www.franziskuskiefer.de/web/improving-aes-gcm-performance-in-nss/ AES-GCM] (an official Mozilla blog post is still to come).
* A regression from e10s where CORS error messages weren’t logged properly in the console is fixed in Firefox 56.

=== Privacy and Content Security ===
* We have continued the Tor Uplift work and entered the second phase, implementing browser fingerprinting resistance starting from Firefox 55.
** Landed [[Security/Fingerprinting|18 bugs]] for anti-fingerprinting in Firefox 55 and 56.
* Converted hundreds of test cases to obey the origin inheritance behavior for data: URIs in support of an [https://github.com/whatwg/html/issues/1753 important spec change]. Intent to ship in Firefox 57.
* Made significant performance improvements to security components in support of the Quantum Flow project.

=== Content Isolation ===
* Shipping file system user token restrictions for Windows content processes in 56
* Shipping third-party legacy extension blocking for Windows content processes in 56
* Shipping file system read access restrictions for macOS content processes in 56
* Linux content sandboxing (“level 2”: write restrictions and some syscall filtering, probably escapable) released in 54. Work to enable read restrictions (enabled in Nightly 56 at the time of writing, targeting a 57 rollout) is also complete.

== Operations Security ==
* The security audit of Firefox Accounts performed by Cure53 last year was [https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox-accounts/ publicly released].
* We completed the implementation of [https://zaproxy.blogspot.co.uk/2017/06/scanning-apis-with-zap.html API scanning with ZAP], to automate vulnerability scanning of our services by leveraging OpenAPI definitions.
* The signing of add-ons has been ported to the [https://github.com/mozilla-services/autograph Autograph] service, where support for SHA-256 PKCS#7 signatures will be added.
* TLS Observatory accelerated the loading of CT logs, with ~70M certificates currently recorded. It should reach 200M in Q3.

== Security Assurance ==
* A new team was created to focus on Firefox security assurance
* Working on adding security checks to our build tools to help our developers avoid landing security bugs. The first outcome of this project was landing an [https://github.com/mozilla/eslint-plugin-no-unsanitized ESLint plugin] to prevent the unsafe usage of eval, innerHTML etc. in Firefox.

== Cross-Team Initiatives ==
* The TLS Canary project has seen feature [https://github.com/mozilla/tls-canary/releases/tag/v3.1.0 release 3.1]. The NSS team is working on Treeherder integration.
* Firefox Screenshots (formerly Pageshot) completed a [https://github.com/mozilla-services/screenshots/issues?utf8=✓&q=is:issue%20label:secreview security review] as part of its graduation from the Test Pilot program

= Security Blog Posts & Presentations =
* https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/ (Kathleen)
* https://blog.mozilla.org/security/2017/05/11/relaunching-web-bug-bounty-program/ (April from Enterprise Infosec)
* https://blog.mozilla.org/security/2017/06/28/analysis-alexa-top-1m-sites/ (April from Enterprise Infosec)
* https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox-accounts/ (Greg from Services Security)
* Francois Marier gave a talk on [https://www.linuxfestnorthwest.org/2017/sessions/security-and-privacy-settings-firefox-power-users security and privacy settings] for Firefox power users at LinuxFest Northwest.
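The First Party Isolation item (the <code>privacy.firstparty.isolate</code> pref), the Containers work (<code>cookieStoreId</code> in the WebExtension APIs) and the Origin Attributes paper listed above all rest on one mechanism: site data is keyed not only by host but by a set of origin attributes, so the same host gets a separate cookie jar per first party and per container. The toy model below is an added example, not Gecko code, showing why a third-party tracker's cookie stops following the user once the first-party domain is part of the key, and why two containers never share a cookie even on the same site. The <code>CookieJar</code> class, the <code>registrableDomain</code> helper and the host names are assumptions made for the example; Gecko derives the first-party domain from the Public Suffix List and partitions far more than cookies.

```javascript
// Added example: a toy model of the origin-attributes partitioning that First
// Party Isolation and Containers build on. Not Gecko code; the class, helper
// and host names are invented for the example.

// Assumed simplification: the registrable domain is the last two labels.
// Gecko derives it from the Public Suffix List (eTLD+1) instead.
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

class CookieJar {
  constructor({ firstPartyIsolate = false } = {}) {
    this.firstPartyIsolate = firstPartyIsolate; // models privacy.firstparty.isolate
    this.store = new Map(); // partition key -> Map(cookie name -> value)
  }

  // Origin attributes that partition the jar. userContextId models Containers
  // (exposed to WebExtensions as cookieStoreId); firstPartyDomain is set only
  // when First Party Isolation is on.
  originAttributes({ topLevelHost, userContextId = 0 }) {
    return {
      userContextId,
      firstPartyDomain: this.firstPartyIsolate ? registrableDomain(topLevelHost) : "",
    };
  }

  partitionKey(host, ctx) {
    const oa = this.originAttributes(ctx);
    return `${oa.userContextId}|${oa.firstPartyDomain}|${host}`;
  }

  setCookie(host, name, value, ctx) {
    const key = this.partitionKey(host, ctx);
    if (!this.store.has(key)) this.store.set(key, new Map());
    this.store.get(key).set(name, value);
  }

  getCookies(host, ctx) {
    return Object.fromEntries(this.store.get(this.partitionKey(host, ctx)) || []);
  }
}

// tracker.example embedded as a third party on two unrelated sites: does the
// cookie it set under news.example come back under shop.example?
function trackerFollowsUser(jar) {
  jar.setCookie("tracker.example", "uid", "42", { topLevelHost: "www.news.example" });
  const seen = jar.getCookies("tracker.example", { topLevelHost: "www.shop.example" });
  return seen.uid === "42";
}

// A first-party cookie read back in the same first-party context: FPI must
// not break ordinary site cookies.
function firstPartyCookieWorks(jar) {
  jar.setCookie("shop.example", "cart", "3", { topLevelHost: "shop.example" });
  return jar.getCookies("shop.example", { topLevelHost: "shop.example" }).cart === "3";
}

// The same site opened in two containers: does the session leak across them?
function sessionLeaksAcrossContainers(jar) {
  jar.setCookie("shop.example", "session", "abc", { topLevelHost: "shop.example", userContextId: 1 });
  const seen = jar.getCookies("shop.example", { topLevelHost: "shop.example", userContextId: 2 });
  return seen.session === "abc";
}

function demo() {
  return {
    trackerFollowsWithoutFPI: trackerFollowsUser(new CookieJar({ firstPartyIsolate: false })),
    trackerFollowsWithFPI: trackerFollowsUser(new CookieJar({ firstPartyIsolate: true })),
    firstPartyCookieWorksWithFPI: firstPartyCookieWorks(new CookieJar({ firstPartyIsolate: true })),
    sessionLeaksAcrossContainers: sessionLeaksAcrossContainers(new CookieJar()),
  };
}

console.log(demo());
```

The point of keying on the registrable domain rather than the full top-level host is that <code>www.shop.example</code> and <code>checkout.shop.example</code> stay in one partition, so a site's own subdomains keep working while unrelated sites do not share the tracker's jar.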
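For the <code>strict-dynamic</code> item: the directive changes how a <code>script-src</code> list is evaluated, and that difference is what makes it useful against XSS. The evaluator below is an added example, not Gecko's CSP implementation; it applies the CSP Level 3 rules to a few constructed script-load scenarios. With <code>'strict-dynamic'</code>, host and scheme sources, <code>'self'</code> and <code>'unsafe-inline'</code> are ignored; a script loads only if it carries a matching nonce or was inserted by already-trusted script through a non-parser API such as <code>createElement</code> plus <code>appendChild</code>, while parser-inserted markup (<code>innerHTML</code>, <code>document.write</code>, or an injected payload) is blocked. The policy strings, URLs and the <code>parserInserted</code> flag are assumptions; hashes, wildcards, ports and paths are not modelled.

```javascript
// Added example: a minimal CSP Level 3 script-src evaluator written to show the
// 'strict-dynamic' semantics. Not Gecko code; hashes, wildcards, ports and
// paths are deliberately left out.

function parseScriptSrc(policy) {
  const directive = policy
    .split(";")
    .map(d => d.trim())
    .find(d => /^script-src\s/.test(d));
  if (!directive) throw new Error("policy has no script-src directive");
  const sources = directive.split(/\s+/).slice(1);
  return {
    nonces: sources.filter(s => s.startsWith("'nonce-")).map(s => s.slice(7, -1)),
    strictDynamic: sources.includes("'strict-dynamic'"),
    unsafeInline: sources.includes("'unsafe-inline'"),
    self: sources.includes("'self'"),
    hosts: sources.filter(s => !s.startsWith("'")), // e.g. https: or https://cdn.example
  };
}

// Scheme source ("https:") or exact origin ("https://cdn.example"), nothing more.
function hostSourceMatches(source, url) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.toLowerCase().startsWith(source.toLowerCase() + "//");
  }
  return url === source || url.startsWith(source + "/");
}

// script: { src?: string, inline?: boolean, nonce?: string, parserInserted: boolean }
// A missing parserInserted flag is treated as parser-inserted (fail closed).
function scriptAllowed(policy, script, pageOrigin) {
  const p = parseScriptSrc(policy);
  if (script.nonce && p.nonces.includes(script.nonce)) return true;
  if (p.strictDynamic) {
    // Host/scheme sources, 'self' and 'unsafe-inline' are ignored. Trust
    // propagates only to scripts created by script through non-parser APIs.
    return script.parserInserted === false;
  }
  if (script.inline) return p.unsafeInline;
  if (p.self && hostSourceMatches(pageOrigin, script.src)) return true;
  return p.hosts.some(h => hostSourceMatches(h, script.src));
}

// Constructed scenarios for one page served from https://app.example.
const PAGE_ORIGIN = "https://app.example";
// 'unsafe-inline' and https: are the usual fallbacks for browsers without
// strict-dynamic support; a CSP3 browser ignores them.
const STRICT_POLICY = "script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'";
const ALLOWLIST_POLICY = "script-src 'self' https:; object-src 'none'";

const SCENARIOS = {
  noncedLoader:      { src: "https://cdn.example/loader.js", nonce: "r4nd0m", parserInserted: true },
  pluginFromLoader:  { src: "https://cdn.example/plugin.js", parserInserted: false }, // createElement + appendChild by loader.js
  xssInjectedSrc:    { src: "https://evil.example/x.js", parserInserted: true },      // arrived via innerHTML / reflected XSS
  xssInjectedInline: { inline: true, parserInserted: true },                          // <script>alert(1)</script> injected
  documentWrite:     { src: "https://cdn.example/legacy.js", parserInserted: true },  // document.write, no nonce
};

function evaluate(policy) {
  const out = {};
  for (const [name, script] of Object.entries(SCENARIOS)) {
    out[name] = scriptAllowed(policy, script, PAGE_ORIGIN);
  }
  return out;
}

console.log("strict-dynamic:", evaluate(STRICT_POLICY));
console.log("allowlist:", evaluate(ALLOWLIST_POLICY));
```

Under the allowlist policy the injected <code>https://evil.example/x.js</code> loads because <code>https:</code> matches it; under the strict-dynamic policy it is blocked even though the same <code>https:</code> source is present, and the legitimately nonced loader can still pull in its own dependencies without every one of them being listed.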
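The Operations Security checklist item above (AMO and Firefox Accounts now shipping a strong CSP, HSTS and HPKP) and Julien Vehent's Test Driven Security talk describe the same practice: the security baseline is written down as tests that run in CI against the deployed service, so a regression in a header fails the pipeline. The checker below is an added example of that idea, not Mozilla's own test suite; the header sets are constructed, and the thresholds (a six-month minimum HSTS <code>max-age</code>, no <code>'unsafe-inline'</code> in <code>script-src</code> unless a nonce, hash or <code>'strict-dynamic'</code> accompanies it, <code>object-src 'none'</code>, <code>nosniff</code>) are assumptions chosen for the example. HPKP is left out because browsers have since dropped it (Firefox removed support in Firefox 72). A real run would fetch the headers with an HTTP client and fail on any finding.

```javascript
// Added example: a security-baseline check of the kind run as a CI test.
// Not Mozilla's test suite; thresholds and sample headers are constructed here.

const SIX_MONTHS = 15768000; // seconds; assumed minimum HSTS max-age for the example

// Case-insensitive header lookup, since clients and proxies differ in casing.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns a list of findings; an empty list means the response meets the baseline.
function checkBaseline(headers) {
  const findings = [];

  const hsts = header(headers, "Strict-Transport-Security");
  if (!hsts) {
    findings.push("HSTS: header missing");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < SIX_MONTHS) findings.push("HSTS: max-age below six months");
    if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS: includeSubDomains missing");
  }

  const csp = header(headers, "Content-Security-Policy");
  if (!csp) {
    findings.push("CSP: header missing");
  } else {
    const scriptSrc = csp.split(";").map(d => d.trim()).find(d => /^script-src\s/.test(d)) || "";
    if (!scriptSrc) findings.push("CSP: no script-src directive");
    // 'unsafe-inline' is only acceptable as a fallback next to a nonce, hash or strict-dynamic.
    if (/'unsafe-inline'/.test(scriptSrc) && !/'nonce-|'sha\d+-|'strict-dynamic'/.test(scriptSrc)) {
      findings.push("CSP: script-src allows unsafe-inline");
    }
    if (!/object-src\s+'none'/.test(csp)) findings.push("CSP: object-src not 'none'");
  }

  if ((header(headers, "X-Content-Type-Options") || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options: nosniff missing");
  }

  return findings;
}

// Constructed responses: a weak service and one brought up to the baseline.
const WEAK_HEADERS = {
  "Strict-Transport-Security": "max-age=3600",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
const HARDENED_HEADERS = {
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "content-security-policy": "default-src 'none'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  "x-content-type-options": "nosniff",
};

console.log(checkBaseline(WEAK_HEADERS));     // five findings
console.log(checkBaseline(HARDENED_HEADERS)); // []
```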
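For the Security Assurance item on the ESLint plugin: eslint-plugin-no-unsanitized reports assignments of untrusted strings to <code>innerHTML</code> and <code>outerHTML</code> and calls such as <code>insertAdjacentHTML</code>, <code>document.write</code> and <code>eval</code>, while letting plain string literals and values passed through a configured sanitizer through. The scanner below is an added example, a regex-based toy rather than the plugin's AST-based implementation and not Firefox code; it runs the same kind of check over constructed source lines so the flagged and accepted patterns are visible side by side. The sink list, the sanitizer allowlist (including the <code>DOMPurify.sanitize</code> entry) and the rule names used as labels are assumptions for the example; check the plugin's README for its actual configuration.

```javascript
// Added example: a toy, regex-based imitation of the check that
// eslint-plugin-no-unsanitized performs on a real AST. Not the plugin's code;
// the sink list, sanitizer allowlist and rule labels are assumptions.

const PROPERTY_SINKS = ["innerHTML", "outerHTML"];                     // assignments to these
const METHOD_SINKS = ["insertAdjacentHTML", "document.write", "eval"]; // calls to these
const SANITIZERS = ["DOMPurify.sanitize", "escapeHtml"];               // assumed allowlist

// A single plain string literal: no concatenation, no template expressions.
function isLiteral(expr) {
  return /^"[^"]*"$|^'[^']*'$|^`[^`$]*`$/.test(expr.trim());
}

function isSanitized(expr) {
  return SANITIZERS.some(s => expr.trim().startsWith(s + "("));
}

function scanLine(line, lineNo) {
  const findings = [];
  for (const prop of PROPERTY_SINKS) {
    const m = new RegExp(`\\.${prop}\\s*(\\+?=)\\s*(.+?);?\\s*$`).exec(line);
    if (!m) continue;
    const [, op, rhs] = m;
    // A plain assignment of a literal is fine; += is flagged regardless.
    if ((op === "=" && isLiteral(rhs)) || isSanitized(rhs)) continue;
    findings.push({ line: lineNo, rule: "no-unsanitized/property", sink: prop });
  }
  for (const meth of METHOD_SINKS) {
    const m = new RegExp(`\\b${meth.replace(".", "\\.")}\\((.*)\\)`).exec(line);
    if (!m) continue;
    const args = m[1].split(",").map(a => a.trim()).filter(Boolean); // toy: no nested commas
    if (args.every(a => isLiteral(a) || isSanitized(a))) continue;
    findings.push({ line: lineNo, rule: "no-unsanitized/method", sink: meth });
  }
  return findings;
}

function scan(sourceLines) {
  return sourceLines.flatMap((line, i) => scanLine(line, i + 1));
}

// Constructed source lines; lines 2, 3, 5 and 6 are what the plugin would report.
const SAMPLE = [
  'el.innerHTML = "<p>static</p>";',                 // literal markup: fine
  'el.innerHTML = "<p>" + userInput + "</p>";',      // concatenation of untrusted input
  'el.innerHTML += userInput;',                      // appending untrusted input
  'el.innerHTML = DOMPurify.sanitize(userInput);',   // passed through a sanitizer: fine
  'el.insertAdjacentHTML("beforeend", userInput);',  // untrusted argument to a markup sink
  'eval(code);',                                     // code-execution sink
  'el.textContent = userInput;',                     // not a markup sink: fine
];

console.log(scan(SAMPLE));
```

The useful lesson is in the accepted lines: the fix for a reported line is almost always to switch to <code>textContent</code> or DOM construction, and a sanitizer call is only accepted when it is the outermost expression, so wrapping one operand of a concatenation does not silence the rule.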

