SecurityEngineering/Newsletter: Difference between revisions

m (Word order typo "treats now data URLs" -> "now treats data URLs")
Line 1: Line 1:
=Firefox Security Team Newsletter Q3 17=
= Security Newsletter Q4 2017 =


Firefox Quantum is almost here, and contains several important security improvements. Improved sandboxing, web platform hardening, crypto performance improvements and much more. Read on to find out all the security goodness coming through the Firefox pipeline.
Last quarter marked the milestone release of Firefox Quantum, the new Firefox browser. While project Quantum was largely focused on performance, Firefox 57 included a number of key security improvements:


<ul>
<ul>
<li><p>Sandbox work is seeing great progress. As of 57, Windows, Mac OS X, and Linux all have file system access restricted by the sandbox which is a major milestone reached. Further [https://wiki.mozilla.org/Security/Sandbox ''restrictions''] are enabled for Windows in Firefox 58.</p></li>
<li><blockquote><p>As of 57, all supported operating systems (Windows, Mac OS X, and Linux) have file system access restricted by the sandbox which is a major milestone in bringing a sandbox implementation to Firefox.</p></blockquote></li>
<li><p>Firefox 57 now treats data URLs as unique origins, reducing the risk of Cross-Site Scripting (XSS).</p></li>
<li><blockquote><p>[https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57/ Data URIs are now treated as unique opaque origins], rather than inheriting the origin of the settings object responsible for the navigation - which acts as an XSS mitigation.</p></blockquote></li>
<li><p>The Firefox Multi-Account Containers Add-on [https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/ ''shipped''], allowing users to juggle multiple identities in a single browsing session.</p></li>
<li><blockquote><p>Experimental support for anti-phishing FIDO U2F “Security Key” USB devices [https://mobile.twitter.com/jamespugjones/status/912314952232267777 ''landed behind a preference''] in Firefox 57.</p></blockquote></li></ul>
<li><p>Increased [https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/ ''AES-GCM performance''] in Firefox 56, and support for [https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/ ''Curve25519 in Firefox 57''] (the first [https://en.wikipedia.org/wiki/Formal_verification ''formally verified''] cryptographic algorithm in a web browser)</p></li>
 
<li><p>Experimental support for anti-phishing FIDO U2F “Security Key” USB devices [https://mobile.twitter.com/jamespugjones/status/912314952232267777 ''landed behind a preference''] in Firefox 57. This feature is a forerunner to W3C Web Authentication, which will bring this anti-phishing technology to a wider market.</p></li>
And we haven’t stopped there! Since 57, we’ve been busy continuing to make Firefox more secure than ever, including:
<li><p>The privacy WebExtension API can now be used to control the [https://bugzilla.mozilla.org/show_bug.cgi?id=1397611 '' privacy.resistFingerprinting ''] and [https://bugzilla.mozilla.org/show_bug.cgi?id=1409045 ''first party isolation''] experimental privacy features </p></li></ul>
 
<ul>
<li><blockquote><p>Added more formally verified crypto algorithms (ChaCha20, Poly1305) to Firefox 59</p></blockquote></li>
<li><blockquote><p>Firefox 59 has preloaded Strict Transport Security support for top-level domains now</p></blockquote></li>
<li><blockquote><p>Media team completed the audio remoting work, allowing for tighter lockdown of our sandbox</p></blockquote></li></ul>


= Team Highlights =
= Team Highlights =
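Review bot: The new intro list in this hunk has a few wording slips worth fixing before publication. The last bullet, "Media team completed the audio remoting work", reads better as "The media team completed the audio remoting work"; the Strict Transport Security bullet has a dangling "now" ("Firefox 59 has preloaded Strict Transport Security support for top-level domains now") and could name the hstspreload.org list as the matching Team Highlights bullet does; and the data URI bullet joins its clauses with a bare hyphen ("responsible for the navigation - which acts as an XSS mitigation") where a comma would do.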
Line 18: Line 22:


<ul>
<ul>
<li><p>AES-GCM performance is increased across the board, making large transfers more efficient in Firefox 56. [https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/ ''[blog post]'']</p></li>
<li><blockquote><p>We’ve implemented a formally-verified ChaCha20 and a verified Poly1305 into Firefox 59, joining our formally-verified Curve25519 implementation from Firefox 57. [[https://www.youtube.com/watch?v=xrZTVRICpSs ''Real World Crypto talk'']] [[https://rwc.iacr.org/2018/Slides/Beurdouche.pdf ''Slides'']]</p></blockquote></li>
<li><p>Our implementation of Curve25519 in Firefox 57 is the first [https://en.wikipedia.org/wiki/Formal_verification ''formally verified''] cryptographic algorithm in a web browser. [https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/ ''[blog post]'']</p></li>
<li><blockquote><p>The certificate and key databases for NSS have moved to a modern SQLite format from the prior DBM format in Firefox 58.</p></blockquote></li>
<li><p>Experimental support for anti-phishing FIDO U2F “Security Key” USB devices landed behind a preference in Firefox 57. This feature is a forerunner to W3C Web Authentication, which will bring this anti-phishing technology to a [https://twitter.com/jamespugjones/status/912314952232267777 wider market].</p></li></ul>
<li><blockquote><p>Our implementation of TLS 1.3 is updated to draft -23, which is expected to have much improved behavior with legacy middlebox network equipment (it’s both in Firefox Nightly and at [https://tls13.crypto.mozilla.org ''https://tls13.crypto.mozilla.org'']/).</p></blockquote></li>
<li><blockquote><p>Firefox 58 prints a warning to the browser console when encountering a Symantec-issued website certificate which will be subject to our distrust plan in Firefox 60. See [https://wiki.mozilla.org/CA/Additional_Trust_Changes ''the CA program's Additional Trust Changes''] page for details.</p></blockquote></li>
<li><blockquote><p>Firefox 59 supports add-ons to be signed using PKCS7 SHA-256 signatures, as well as a new COSE-based format (RFC 8152) with algorithm agility. Add-ons will move to the new COSE signature format over time.</p></blockquote></li>
<li><blockquote><p>Firefox 59 has preloaded Strict Transport Security support for top-level domains now, via the hstspreload.org list.</p></blockquote></li></ul>


=== Privacy and Content Security ===
=== Privacy and Content Security ===
<ul>
<ul>
<li><p>The privacy WebExtension API can now be used to [https://bugzilla.mozilla.org/show_bug.cgi?id=1397611 ''control the privacy.resistFingerprinting preference''] and [https://bugzilla.mozilla.org/show_bug.cgi?id=1409045 ''first party isolation'']</p></li>
<li><blockquote><p>[https://blog.mozilla.org/blog/2018/01/23/latest-firefox-quantum-release-now-available-with-new-features/ ''We enabled always-on Tracking Protection in Firefox Quantum''] (Firefox 57)</p></blockquote></li>
<li><p>Containers launched as an extension available from [https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/ ''AMO''] (2 [https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/ ''blog''] [https://blog.mozilla.org/tanvi/2017/10/03/update-firefox-containers/ ''posts''])</p></li>
<li><blockquote><p>[https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-58/ ''To mitigate phishing attempts we started to block top-level data URI navigations''] within Firefox 58.</p></blockquote></li>
<li><p>Containers have had a few improvements for web extensions [https://hacks.mozilla.org/2017/10/containers-for-add-on-developers/ ''web extensions'']:</p>
<li><blockquote><p>To help prevent third party data leakage while browsing privately, [https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ''Firefox Private Browsing Mode will remove path information from referrers sent to third parties starting in Firefox 59''].</p></blockquote></li>
<li><blockquote><p>Added a preference to allow users disable FTP (network.ftp.enabled)</p></blockquote></li>
<li><blockquote><p>Added CSP improvements in Firefox 58</p></blockquote>
<ul>
<ul>
<li><p>Containers now enabled when installing a contextual identity extension</p></li>
<li><blockquote><p>Support for worker-src directive landed in 58</p></blockquote></li>
<li><p>Events to monitor container changes</p></li>
<li><blockquote><p>security policy violation events (previously behind a pref) were enabled in Nightly starting in 58</p></blockquote></li></ul>
<li><p>Ability to get icon urls for containers along with hex colour codes</p></li>
<li><p>Cleaner APIs</p></li></ul>
</li>
</li>
<li><p>Lightbeam was remade as a  [https://hacks.mozilla.org/2017/10/remaking-lightbeam-as-a-browser-extension/ ''web extension.'']</p></li>
<li><blockquote><p>Continued our efforts to harden the web against attacks:</p></blockquote>
<li><p>Firefox 57 treats data URLs as [https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57/ ''unique origins''] which mitigates the risk of XSS, make Firefox standard-compliant and consistent with the behavior of other browsers.</p></li>
<li><p>Shipped version 4 of the Safe Browsing protocol.</p></li></ul>
 
=== Firefox and Tor Integration ===
 
<ul>
<ul>
<li><p>Continue the Tor patch uplift work focusing on [https://wiki.mozilla.org/Security/Fingerprinting ''browser fingerprinting resistance'']</p>
<li><blockquote><p>Moved to deprecate AppCache from insecure [https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/ ''contexts'']</p></blockquote></li>
<li><blockquote><p>X-Frame-Options will now check all frame ancestors are the same origin</p></blockquote></li>
<li><blockquote><p>Treating insecure flash requests as mixed active instead of mixed passive (behind a preference for now, will ship in future version)</p></blockquote></li>
<li><blockquote><p>[https://bugzilla.mozilla.org/show_bug.cgi?id=1420622 ''Removal''] of legacy pcast: and feed: protocols (previously a source of security issues)</p></blockquote></li></ul>
</li>
<li><blockquote><p>Hardening improvements</p></blockquote>
<ul>
<ul>
<li><p>Landed 12 more anti-fingerprinting patches in 57</p></li></ul>
<li><blockquote><p>FORTIFY_SOURCE landed for Mac and Linux</p></blockquote></li>
</li>
<li><blockquote><p>Initial testing of Control Flow Guard deployment (bug [https://bugzilla.mozilla.org/show_bug.cgi?id=1235982 ''1235982''])</p></blockquote></li></ul>
<li><p>The MinGW build has landed in mozilla-central and is available in treeherder</p></li></ul>
</li></ul>


=== Content Isolation ===
=== Content Isolation ===


<ul>
<ul>
<li><p>Various Windows content process security features enabled over the quarter including [https://bugzilla.mozilla.org/show_bug.cgi?id=1381326 ''disabling of legacy extension points''] (56), [https://bugzilla.mozilla.org/show_bug.cgi?id=1314801 ''image load policy improvements''] (57), [https://bugzilla.mozilla.org/show_bug.cgi?id=1403707 ''increased restrictions''] on job objects (58), and finally we've enabled the [https://bugzilla.mozilla.org/show_bug.cgi?id=1229829 ''alternate desktop feature''] in Nightly after battling various problems with anti-virus software interfering with child process startup.</p></li>
<li><blockquote><p>Audio library remoting work completed by the (media team) allowed the Content Isolation team to secure content process access to various audio services (OSX) and networking related application programming interfaces (Linux).</p></blockquote></li>
<li><p>The [https://bugzilla.mozilla.org/show_bug.cgi?id=1308400 ''new 'default deny' read access policy''] for the [https://bugzilla.mozilla.org/show_bug.cgi?id=1308400 ''Linux file access broker''] is now enabled by default for content processes and is rolling out in Firefox 57. The broker forwards content process file access requests to the parent process for approval, severely restricting what a compromised content process could do within the local file system.</p></li>
<li><blockquote><p>A newly developed application programming interface (API) hooking framework is currently being tested in the 64-bit Flash sandbox. For Flash, the framework will handle better securing of networking related API access and is planned to ship in 60.</p></blockquote></li>
<li><p>Numerous access rules associated with file system, operating system services, and device access have been removed from the OSX content process sandbox. In terms of file system access, we've reached parity with Chrome's renderer. Remaining print server access will be removed in Q4, removal of graphics and audio access is currently in planning.</p></li>
<li><blockquote><p>The alternative-desktop feature on Windows has been held up from shipping due to various incompatibilities with 3rd party software running on the same device. A dependent project involving elimination of native windowing event dispatch in content processes is reaching completion. Completion should facilitate alternative desktop rolling out in Firefox 60.</p></blockquote></li></ul>
<li><p>We continue to invest in cleaning up various areas of the code that have accumulated technical debt.</p></li>
<li><p>We’ve completed our research on the scope of enabling the [https://msdn.microsoft.com/en-us/library/windows/desktop/hh871472(v=vs.85).aspx ''Win32k System Call Disable Policy''] feature. This feature will isolate content processes from a large class of Win32k kernel APIs commonly used to gain sandbox escape and privilege escalation. Planning for this [https://bugzilla.mozilla.org/show_bug.cgi?id=1381019 ''long term project''] is currently underway with work expected to commence in Q4.</p></li>
<li><p>As a result of the stability and process startup problems encountered due to 3rd party code injection, a new internal initiative has formed to better address problems associated with unstable software injected into Firefox. This cross-team group will explore and improve policy revolving around outreach and blocking, data collection and research, and improved injection mitigation techniques within Firefox.</p></li></ul>


== Operations Security ==
== Operations Security ==


<ul>
<ul>
<li><p>addons.mozilla.org and Firefox Screenshots went through external security audits. The reports will be released soon.</p></li>
<li><blockquote><p>With more of the Firefox continuous integration moving to [https://github.com/taskcluster ''Taskcluster''], we looked into the security posture of the platform. A number of hardening projects were spun off that will continue throughout 2018.</p></blockquote></li>
<li><p>Internal audits of Crash Reports and Phabricator were completed and have found no maximum or high risk issues.</p></li>
<li><blockquote><p>Signature verification of release artifacts now covers all Windows builds. MacOS and MAR are next.</p></blockquote></li>
<li><p>addons.mozilla.org, Crash Reports, Telemetry, Pontoon, Push and Tracking Protection backends have been connected to pyup.io to track vulnerabilities in upstream Python dependencies.</p></li>
<li><blockquote><p>We reviewed the security of repositories hosted in GitHub. Next step is to finalize a security standard and write tools to check compliance.</p></blockquote></li>
<li><p>Verification of the signature of installer and update files has been integrated to the product delivery pipeline, to prevent an attacker from feeding an improperly signed file to our download sites.</p></li></ul>
<li><blockquote><p>In Austin, we ran a Capture The Flag challenge to teach web security to dozens of engineers. We used [http://www.zaproxy.org/ ''ZAP''], [https://github.com/bkimminich/juice-shop ''OWASP Juice Shop''] and [https://github.com/CTFd/CTFd ''CTFd''] to great success.</p></blockquote></li></ul>
 
== Security Assurance ==
 
<ul>
<li><p>Developed new static analysis tool to detect sandbox-related flaws in IPDL endpoints.</p></li>
<li><p>Established mobile security review process to cover projects coming through New Mobile Experience pipeline.</p></li>
<li><p>[https://bugzilla.mozilla.org/show_bug.cgi?id=1394433 ''Identified a number of warnings''] by building for Windows with gcc, and resolved many of them.</p></li></ul>


== Cross-Team Initiatives ==
== Cross-Team Initiatives ==


<ul>
<ul>
<li><p>Google has become an official [http://ccadb.org/rootstores/how ''Root Store Member''] of the [http://ccadb.org/ ''Common CA Database (CCADB)''].</p></li></ul>
<li><blockquote><p>Mozilla sent a [https://blog.mozilla.org/security/2018/01/29/january-2018-ca-communication/ ''CA Communication''] to inform [https://en.wikipedia.org/wiki/Certificate_authority ''Certificate Authorities (CAs)''] who have root certificates [https://wiki.mozilla.org/CA/Included_Certificates ''included in Mozilla’s program''] about current events related to domain validation for SSL certificates and to remind them of a number of upcoming deadlines.</p></blockquote></li></ul>


= Security Blog Posts & Presentations =
= Security Blog Posts & Presentations =


<ul>
<ul>
<li><p>[https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/ ''https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/'']</p></li>
<li><blockquote><p>[https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ Preventing data leaks by stripping path information in HTTP Referrers]</p></blockquote></li>
<li><p>[https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/ ''https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/'']</p></li>
<li><blockquote><p>[https://blog.mozilla.org/blog/2018/01/23/latest-firefox-quantum-release-now-available-with-new-features/ ''https://blog.mozilla.org/blog/2018/01/23/latest-firefox-quantum-release-now-available-with-new-features/'']</p></blockquote></li></ul>
<li><p>[https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/ ''https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/'']</p></li>
<li><p>[https://hacks.mozilla.org/2017/10/remaking-lightbeam-as-a-browser-extension/ ''https://hacks.mozilla.org/2017/10/remaking-lightbeam-as-a-browser-extension/'']</p></li>
<li><p>[https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57/ ''https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57/'']</p></li></ul>


----
----
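Review bot: The TLS 1.3 bullet in the Team Highlights list carries a stray "/)" after the link ("[https://tls13.crypto.mozilla.org ''https://tls13.crypto.mozilla.org'']/)"); the slash belongs inside the link target or should be dropped so the rendered text ends with the closing parenthesis. Two grammar points in Privacy and Content Security: "Added a preference to allow users disable FTP" needs "to disable", and "X-Frame-Options will now check all frame ancestors are the same origin" needs "check that all frame ancestors are the same origin" and should say which header value the check applies to, since as written it implies every X-Frame-Options response is affected. In the same section the "Added CSP improvements in Firefox 58" sub-list is closed by two consecutive "</li>" tags, so the nested list markup should be checked before saving, and the AppCache bullet links only the word "contexts" where "insecure contexts" is the phrase the link describes. Minor consistency: the Operations Security bullet writes "MacOS" while the intro writes "Mac OS X".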