Last Updated: 7 Sept 2017

Mission: Use modern cryptography to improve the security and privacy of Firefox

Protect Firefox users on the Internet through up-to-date cryptographic protocols

• Maintain the cryptography and transport security library that powers Firefox, NSS
• Enforce the technical policies of the Mozilla CA Certificate Program
• Lead the adoption of cryptographic technologies to improve security throughout Firefox

Crypto Engineering Projects

Our team's major projects are broken down by module:

NSS

NSS is the cryptography and transport security library that powers Firefox.

• 2017 Q2: [MWOS] Add new NSS demonstration code to show how to use NSS in a modern way.
• 2017 Q2: [MWOS] Implement Argon2 to provide a basis to modernize the Master Password in Firefox.
• 2017 Q2: Implement hardware crypto accelerations on OSX and ARM
• 2017 Q3: Integrate BoGo's integration tests into NSS builds.
  • The automated tests for NSS are mostly unit tests. Integration testing was historically assumed to happen at Firefox, but that's limited. BoGo is a rich set of integration tests that can diagnose protocol issues during automated testing.
• 2017 Q4: Post-Quantum Research and Development.
  • Mozilla is intending to join the efforts in developing cryptography that will remain secure once quantum computers come online. This is expected to be a long-duration R&D effort.

PSM

PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination. E.g., whether to show a connection as secure.

• 2016 Q4 / 2017 Q1: Re-architect PSM/NSS interaction to eliminate shutdown crashes.
  • The interaction between PSM and NSS is extremely old, and doesn't follow the modern methods Gecko uses to initialize and shutdown modules. As such, NSS sometimes crashes when shutting down; this is a leading crash on Android. Fixing this is a substantial architectural change.
  • Details here: Platform Use of NSS
• 2017 Q2: Speed up TLS handshakes
• 2017 Q2: Continue work on our Certificate Transparency implementation and test infrastructure
• 2017 Q3: Move error-string formatting for our error pages into the front-end JavaScript
• 2017 Q3: Retool the "See more" sections of error pages using JavaScript to provide more help

Web Authentication

Password authentication is known to be a security liability on the Web. The W3C Web Authentication Working Group is developing a specification for using Scoped Credentials to supplement or replace passwords. Mozilla intends to implement Web Authentication (WebAuthn) specification.

• 2016 Q2: FIDO U2F v1.1 JS API landed, hidden behind preferences.
  • You can test a "Soft Token" using any recent version of Firefox using the instructions at https://u2f.bin.coffee/
• 2017 Jan: Draft WebAuthn JS API available, hidden behind a pref, using the Soft Token from U2F.
  • Intent to Implement Announcement
  • Ready For Experiment Announcement
• 2017 Q2: Support USB HID U2F devices on Linux, Mac OS X, and Windows. rust u2f-hid-rs library
• 2017 Q2-3: Integrate USB HID U2F hardware support into Firefox.
  • Done in Firefox 57.
• 2017 Q2-3: Update to Working Draft 5 of the WebAuthn JS API.
  • Done in Firefox 56
• 2017 Q3: Integrate hardware support with the FIDO U2F v1.1 JS API
  • Done in Firefox 57.
• 2017 September: Interoperability testing for WebAuthn.
  • Done.
• 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
  • Bug 1384776
• 2018: Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
  • u2f-hid-rs Issue #33
• 2018: Support U2F hardware for Firefox for Android.
  • u2f-hid-rs Issue #42

All of the above dates are for landing in Firefox Nightly.

Goal: permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57 (Done in Firefox 57), and Web Authentication (on by default) in Firefox 59 or 60. (See RapidRelease/Calendar)

Using U2F / WebAuthn

Enable the preferences in about:config:

• security.webauth.u2f
• security.webauth.webauthn

Enabling debugging (example for OSX):

  MOZ_LOG="webauthnmanager:5, webauth_u2f:5, webauth_u2f:5, u2fkeymanager:5, u2fhidtoken:5, u2fmanager:5" ~/Desktop/NightlyDebug.app/Contents/MacOS/firefox

Useful testing sites

U2F:

• https://u2fdemo.appspot.com/
• https://github.com/
• https://u2f.bin.coffee/
• https://demo.yubico.com/u2f

Web Authentication:

• https://webauthn.bin.coffee/
• https://webauthn.io/

It does not work on Facebook or Google Accounts; there are issues beyond browser detection that haven't been analyzed yet.

WD-07 Updates

20 Total; 0 Open (0%); 20 Resolved (100%); 0 Verified (0%);

All WebAuthn Tracked Bugs

No results.

0 Total; 0 Open (0%); 0 Resolved (0%); 0 Verified (0%);

DOM Security

• 2017 Q2: Enable HSTS Priming in Firefox Beta
• 2017 Q2: Update our Mixed Content Blocking implementation to the W3C Candidate Recommendation
• 2017 Q3: Release paper on HSTS Priming approach