Security/CryptoEngineering: Difference between revisions
Edit summaries: (→PSM: updates); (→Web Authentication: update dates)

This diff (wikitext lines 45 and 56) touches two places. In the Web Authentication roadmap the two 2019 items ("Support USB HID CTAP devices on desktop platforms" and "Support U2F hardware for Firefox for Android", tracked in u2f-hid-rs issues #33 and #42) were updated. In the "Using U2F / WebAuthn" section the introductory note that WebAuthn is enabled by default, and the instructions for enabling the soft token (security.webauth.webauthn_enable_softtoken) together with the caveat that it blocks USB tokens, were added. The revised text appears in full below.
Revision as of 13:56, 15 January 2019
Last Updated: 7 Sept 2017
Mission: Use modern cryptography to improve the security and privacy of Firefox
Protect Firefox users on the Internet through up-to-date cryptographic protocols
- Maintain the cryptography and transport security library that powers Firefox, NSS
- Enforce the technical policies of the Mozilla CA Certificate Program
- Lead the adoption of cryptographic technologies to improve security throughout Firefox
Crypto Engineering Projects
Our team's major projects are broken down by module:
NSS
NSS is the cryptography and transport security library that powers Firefox.
- 2018 Q1: Rework TLS session caching to permit better privacy controls
- 2018 Q1: Improve confidence in network-facing ASN.1 parsing
PSM
PSM performs the business logic of deciding whether a given secure network connection is actually trustworthy. It applies logic from the user's choices, the Mozilla Root Program, and the platform in order to make a trust determination, e.g., whether to show a connection as secure.
- 2018 Q1: Move error-string formatting for our error pages into the front-end JavaScript
- 2018 Q2: Retool the "See more" sections of error pages using JavaScript to provide more help
- 2018 Q3: Continue work on our Certificate Transparency implementation and test infrastructure
Web Authentication
Password authentication is known to be a security liability on the Web. The W3C Web Authentication Working Group is developing a specification for using Scoped Credentials to supplement or replace passwords. Mozilla intends to implement the Web Authentication (WebAuthn) specification.
- 2016 Q2: FIDO U2F v1.1 JS API landed, hidden behind preferences.
- You can test a "Soft Token" in any recent version of Firefox by following the instructions at https://u2f.bin.coffee/
- 2017 Jan: Draft WebAuthn JS API available, hidden behind a pref, using the Soft Token from U2F.
- 2017 Q2: Support USB HID U2F devices on Linux, Mac OS X, and Windows. rust u2f-hid-rs library
- 2017 Q2-3: Integrate USB HID U2F hardware support into Firefox.
- Done in Firefox 57.
- 2017 Q2-3: Update to Working Draft 5 of the WebAuthn JS API.
- Done in Firefox 56
- 2017 Q3: Integrate hardware support with the FIDO U2F v1.1 JS API
- Done in Firefox 57.
- 2017 September: Interoperability testing for WebAuthn.
- Done.
- 2017 (late): Update to the Candidate Recommendation of the WebAuthn JS API.
- 2019: Support USB HID CTAP devices on desktop platforms. (Exact version TBD)
- 2019: Support U2F hardware for Firefox for Android.
All of the above dates are for landing in Firefox Nightly.
Goal: permit use of U2F tokens via a user-controllable preference (not on by default) in Firefox 56 or 57 (Done in Firefox 57), and Web Authentication (on by default) in Firefox 59 or 60. (See RapidRelease/Calendar)
Using U2F / WebAuthn
WebAuthn is enabled by default. To enable U2F as well, enable this preference in about:config:
- security.webauth.u2f
Enabling debugging (example for OSX):
MOZ_LOG="webauthnmanager:5, webauth_u2f:5, u2fkeymanager:5, u2fhidtoken:5, u2fmanager:5" ~/Desktop/NightlyDebug.app/Contents/MacOS/firefox
Enabling the soft token:
In about:config enable:
- security.webauth.webauthn_enable_softtoken
This currently stops the use of USB tokens, as the soft token always answers first. To see its code, check https://searchfox.org/mozilla-central/source/dom/webauthn/U2FSoftTokenManager.cpp#151.
Useful testing sites
U2F:
- https://u2fdemo.appspot.com/
- https://github.com/
- https://u2f.bin.coffee/
- https://demo.yubico.com/u2f
Web Authentication:
It does not work on Facebook or Google Accounts; there are issues beyond browser detection that haven't been analyzed yet.
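The test sites above only tell you that a ceremony completed. To see what the token actually returned, here is an added example (not code from this page or from Firefox) of the checks a relying party performs on a WebAuthn response: that clientDataJSON carries the right type, the challenge this RP issued and the expected origin, and that authenticatorData has the RP ID hash, the user-present / user-verified flags and the signature counter you expect. The two parsers are pure and run under Node; runWebAuthnSmokeTest() needs a browser and is meant to be pasted into the Firefox web console on one of the test sites. The rpId, origin and sample bytes are assumed values constructed for the example.

```javascript
// Added example, not Mozilla's or Firefox's code. Relying-party-side checks
// for a WebAuthn response; sample data below is constructed, not captured.

const textDecoder = new TextDecoder();
const textEncoder = new TextEncoder();

// base64url without padding, the encoding of "challenge" in clientDataJSON.
function base64url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  const b64 = typeof btoa === "function"
    ? btoa(bin)
    : Buffer.from(bin, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Check the client data the authenticator signed over. A wrong challenge is
// a replay; a wrong origin is a response minted for another site. The browser
// enforces the RP ID rules, but the RP must still check the origin it gets.
function checkClientData(clientDataJSON, expected) {
  const cd = JSON.parse(textDecoder.decode(clientDataJSON));
  const problems = [];
  if (cd.type !== expected.type) problems.push(`type ${cd.type} != ${expected.type}`);
  if (cd.challenge !== base64url(expected.challenge)) problems.push("challenge mismatch");
  if (cd.origin !== expected.origin) problems.push(`origin ${cd.origin} != ${expected.origin}`);
  return { ok: problems.length === 0, problems, clientData: cd };
}

// authenticatorData: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
// Flag bits: 0x01 user present, 0x04 user verified, 0x40 attested credential
// data present, 0x80 extension data present.
function parseAuthenticatorData(buf) {
  const bytes = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
  if (bytes.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: toHex(bytes.subarray(0, 32)),
    flags: {
      userPresent: (flags & 0x01) !== 0,
      userVerified: (flags & 0x04) !== 0,
      attestedCredentialData: (flags & 0x40) !== 0,
      extensionData: (flags & 0x80) !== 0,
    },
    signCount: view.getUint32(33, false),
  };
}

// Constructed sample (assumed values): rpIdHash of 32 x 0x11, flags UP|UV,
// signCount 42, and a clientDataJSON for a "get" ceremony.
const SAMPLE_CHALLENGE = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]); // base64url "AQIDBAUGBwg"
function sampleAuthenticatorData() {
  const out = new Uint8Array(37);
  out.fill(0x11, 0, 32);
  out[32] = 0x01 | 0x04;
  out.set([0, 0, 0, 42], 33);
  return out;
}
function sampleClientDataJSON() {
  return textEncoder.encode(JSON.stringify({
    type: "webauthn.get", challenge: "AQIDBAUGBwg", origin: "https://u2f.bin.coffee",
  }));
}

// Browser only: register, then assert with the new credential, and report
// whether challenge, origin, RP ID hash and flags check out. A U2F-only
// token (the soft token included) cannot set user verified, so expect it false.
async function runWebAuthnSmokeTest(rpId = location.hostname) {
  const origin = location.origin;
  const regChallenge = crypto.getRandomValues(new Uint8Array(32));
  const cred = await navigator.credentials.create({ publicKey: {
    challenge: regChallenge,
    rp: { id: rpId, name: "smoke test" },
    user: { id: crypto.getRandomValues(new Uint8Array(16)), name: "tester", displayName: "tester" },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256 as a COSE identifier
    timeout: 60000,
  } });
  const regCheck = checkClientData(cred.response.clientDataJSON,
    { type: "webauthn.create", challenge: regChallenge, origin });
  const getChallenge = crypto.getRandomValues(new Uint8Array(32));
  const assertion = await navigator.credentials.get({ publicKey: {
    challenge: getChallenge, rpId, timeout: 60000,
    allowCredentials: [{ type: "public-key", id: cred.rawId }],
  } });
  const getCheck = checkClientData(assertion.response.clientDataJSON,
    { type: "webauthn.get", challenge: getChallenge, origin });
  const authData = parseAuthenticatorData(assertion.response.authenticatorData);
  const expectedHash = toHex(new Uint8Array(
    await crypto.subtle.digest("SHA-256", textEncoder.encode(rpId))));
  return { regCheck, getCheck, authData, rpIdHashMatches: authData.rpIdHash === expectedHash };
}
```

In the console, `await runWebAuthnSmokeTest()` on a test site drives the registration and assertion prompts and returns the parsed result; with the soft token enabled it answers before any USB device, which is a quick way to tell which authenticator actually responded. Run with the MOZ_LOG setting above to correlate the returned flags with the webauthnmanager / u2fhidtoken log lines.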
WD-07 Updates
ID | Summary | Status | Assigned to | Whiteboard | Last change time |
---|---|---|---|---|---|
1381190 | Web Authentication - Change to COSE Algorithm Identifier types | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2017-10-18T09:53:22Z |
1382893 | WebAuthn RP-IDs should enforce HTTPS and be permissive for alternative TCP ports | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2018-01-08T23:20:32Z |
1406456 | Update WebAuthn WebIDL to the WD-07 draft | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2017-10-12T10:45:57Z |
1406458 | WebAuthn: Add extension types | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2018-02-07T22:10:27Z |
1406459 | Web Authentication - Add token binding types | RESOLVED | | [webauthn][webauthn-wd07] | 2017-11-08T21:04:37Z |
1406462 | Web Authentication - Add authenticator selection criteria and attachment types | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2017-11-29T22:49:59Z |
1406466 | Web Authentication - WD-07 Updates to Create Credential | RESOLVED | | [webauthn][webauthn-wd07] | 2017-11-20T10:37:32Z |
1406467 | Web Authentication - WD-07 Updates to Make Assertion | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2018-01-25T16:04:24Z |
1406468 | Web Authentication - Implement isUserVerifyingPlatformAuthenticatorAvailable() method | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2019-03-20T20:41:26Z |
1406469 | Web Authentication - Update Authenticator Data generation for User Verified bit | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2017-10-12T10:46:00Z |
1406471 | Web Authentication - Implement FIDO AppID Extension | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2018-04-27T16:07:24Z |
1407093 | Web Authentication - Correctly plumb User Handle | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2017-12-13T22:04:19Z |
1407789 | Web Authentication - Prohibit cross-site iframes | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2018-01-16T20:44:09Z |
1407829 | Web Authentication - Implement CredMan's Store method | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2017-10-17T22:15:30Z |
1409202 | Web Authentication - Restrict to active documents | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2018-04-04T13:29:32Z |
1415675 | Web Authentication - Support AbortSignal types | RESOLVED | Tim Taubert [:ttaubert] (inactive) | [webauthn][webauthn-wd07] | 2017-11-22T06:28:24Z |
1420760 | webauthn: out-of-order keys in CBOR map. | RESOLVED | Adam Langley | [webauthn][webauthn-wd07] | 2018-01-03T21:45:43Z |
1420763 | webauthn: credential public key not a COSE_Key | RESOLVED | Adam Langley | [webauthn][webauthn-wd07] | 2018-01-06T09:59:34Z |
1428916 | Web Authentication - Support Attestation Conveyance | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2018-02-07T12:45:44Z |
1428918 | Web Authentication - Enable in Nightly | RESOLVED | J.C. Jones [:jcj] (he/they) | [webauthn][webauthn-wd07] | 2018-05-09T15:15:11Z |
20 Total; 0 Open (0%); 20 Resolved (100%); 0 Verified (0%);
DOM Security
- 2017 Q2: Enable HSTS Priming in Firefox Beta
- 2017 Q2: Update our Mixed Content Blocking implementation to the W3C Candidate Recommendation
- 2017 Q3: Release paper on HSTS Priming approach