Firefox Security Newsletter - Q1 2017


Paul Theriault
Hey all, it's time for another quarterly newsletter from the Firefox Security team - now including updates from our security operations team as well. Read on below, or check out the version on the wiki at Firefox Security Team Newsletter.

It was another busy quarter for the teams working tirelessly to keep
Firefox users safe online, and Firefox is now safer than ever. New
improvements that landed over the last quarter include:

   - Firefox now warns users when their passwords are being sent over HTTP
   - Firefox explicitly distrusts the use of SHA-1 signatures in TLS certificates
   - Firefox Containers, an experimental privacy tool, is available to all users via Test Pilot
   - We reached another milestone in the Security Sandbox project, enabling content process sandboxing on release OS X in Firefox 52. (Windows was previously enabled in Firefox 50 and Linux is enabled in Firefox 54, which is targeted for a June release)
   - In addition to support for Tor first-party isolation shipping in 52, we began prototyping for a project to bring Tor support to Firefox for Android

And that’s just the highlights; read on to find out what’s new in Firefox.

Team Highlights

Security Engineering

   - New warnings are shipping in Firefox to alarm users when passwords are sent over HTTP
   - Continued our support for the TOR project
      - Shipped First Party Isolation in Firefox ESR 52 (behind the pref “privacy.firstparty.isolate”), which prevents third parties from tracking users across multiple websites
      - Attended the Tor meeting in Amsterdam to discuss the collaboration between Mozilla and Tor in the future
      - Started a new mobile project "Fennec + Tor", which aims at bringing Orfox-like features into Fennec
      - Worked on efforts to port TOR anti-fingerprinting features to
   - Put the finishing touches on a ‘Security By Default’ project; this multi-year effort centralised the network security logic that was previously scattered through the Gecko codebase in a single maintainable place
   - We implemented a preference to change the origin inheritance behavior for data: URIs in support of an important spec change
   - Support for the Content Security Policy strict-dynamic directive landed in Firefox 52
   - The next phase of the Containers project continues with the feature launched in a Firefox Test Pilot
   - This quarter saw several new features added to Firefox Web Extensions in support of privacy add-ons:
      - We helped the Web Extension team ship the privacy API which can be used to make Privacy add-ons (Firefox 54)
      - We also added the ‘cookieStoreId’ to WebExtension APIs so that Web Extension authors can leverage the Containers feature in their own add-ons (Firefox 52)
   - Sandbox hardening project continues, mainly focusing on hardening our IPC layer in support of the upcoming lockdown of file system access (targeted for Firefox 55)
      - Code auditing continues to find IPC bugs so we are experimenting with IPDL helper classes to avoid common IPDL bugs
      - Landed a fuzzer for Message Manager messages
      - Completed two handwritten IPC fuzzers (PHttpChannel/PCameras) as a case study for future IPC fuzzer hardening
   - The Tracking Protection experiment graduated from Firefox Test Pilot

Crypto Engineering

   - The end of SHA-1 certificates: Following a phased deprecation of SHA-1
   in Firefox 51, Firefox 52 explicitly distrusts the use of SHA-1 signatures
   in certificates used for HTTPS.
   - We’ve begun fuzzing the TLS client and server side of the NSS library,
   raising our confidence in the network-facing code used by all Firefoxes
   - Mozilla now runs the tier 1 continuous integration tests for the NSS
   library internally, without external reliance on RedHat. We’ve also moved
   our ARM builds and testing off of local machines and into more stable
   cloud-hosted hardware.

Operations Security

   - and Firefox Accounts have been brought to compliance with Operations Security’s security checklist. These services now have strong CSP, HSTS, HPKP and various other security improvements.
   - Simon Bennetts released version 2.6.0 of the ZAP web security scanner, with a long list of enhancements and bug fixes from the OWASP community. Noteworthy is the addition of an OpenAPI/Swagger extension to automate the discovery and scanning of REST APIs. We plan on using it to scan Firefox backend APIs.
   - Firefox Screenshots (formerly Pageshot) completed a security review as part of its graduation from the Test Pilot program
   - TLS Observatory now has the ability to count end-entity certificates associated with a root or intermediate, and a lightweight web UI to visualize certs and their paths. We also started loading certificates from Google’s Aviator CT log, bringing the count of certs over 12 million.
   - Will Kahn-Greene released Bleach v2.0, a major new release of this popular Python library used to sanitize HTML in web

Cross-Team Initiatives

   - Shipped the Pwn2Own dot-release in less than 24 hours, great work with really dedicated engineers and release team
   - Shipped a hook into build machinery to alert when a third party library is out of date
   - OneCRL now has entries for about 250 revoked intermediate certs
   - Deployed a mechanism for CAs to directly provide their annual updates to the Common CA Database, and have those updates become available to all member root store operators
   - Modernized the TLS Canary tool for performance and maintainability improvements including 2-3x perf improvement, better coverage for sites using redirects and support for

Security Blog Posts & Presentations

In case you missed them, here are some of the blog posts and speaker
presentations we gave over the last quarter:

   - New warnings shipping in Firefox to alarm users when passwords are sent over HTTP
   - Tanvi Vyas, Andrea Marchesini and Christoph Kerschbaumer co-authored an academic paper on Origin Attributes, the framework within Firefox that enables First Party Isolation of cookies (an important TOR feature) as well as a number of upcoming Firefox security features
   - Announced the deprecation of SHA-1 on the Public Web
   - Francois Marier lectured on how to adopt new browser security features
   - Julien Vehent presented Test Driven Security in Continuous Integration at Enigma, a technique we developed internally to increase the security of our websites and services.
   - Discussed the history and future of CSP in the Security Bytes podcast
   - Released version 2.4 of Mozilla’s CA Certificate Policy
dev-security mailing list

Re: Firefox Security Newsletter - Q1 2017

Paul Theriault
For reasons that escape me right now, this email was plaintext only, which makes this pretty unreadable. For an easier-to-read version (and archives of previous newsletters), see our wiki:
