Firefox Security Newsletter - Q2 2017


Paul Theriault
(Email hard to read? Check out the online version here:
https://wiki.mozilla.org/SecurityEngineering/Newsletter )


Firefox 55 is out the door, so there’s time now to put together our
quarterly newsletter. In addition to the security changes
<https://developer.mozilla.org/en-US/Firefox/Releases/55#Security> which hit
release last week, a number of important security improvements have
landed over the last quarter:

   - We’ve made significant improvement of our security sandbox, with file
     system restrictions shipping for Windows and macOS on beta (Firefox 56) and
     Linux on nightly (Firefox 57)
   - Firefox 56 has a significant speedup for the most common cryptographic
     algorithm used in secure websites, AES-GCM
     <https://www.franziskuskiefer.de/web/improving-aes-gcm-performance-in-nss/>
     (an official Mozilla blog post still to come).
   - We have continued the Tor Uplift work and entered the second phase to
     implement browser fingerprinting resistance
     <https://wiki.mozilla.org/Security/Fingerprinting> starting from Firefox
     55.


Read on for more details of the important work the Firefox security team is
doing to keep our users safe online.

Team Highlights

Security Engineering

Crypto Engineering

   - Firefox 56 has a significant speedup for the most common cryptographic
     algorithm used in secure websites, AES-GCM
     <https://www.franziskuskiefer.de/web/improving-aes-gcm-performance-in-nss/>
     (an official Mozilla blog post still to come).
   - A regression from e10s where CORS error messages weren’t logged properly
     in the console is fixed in Firefox 56.

Privacy and Content Security

   - We have continued the Tor Uplift work and entered the second phase to
     implement browser fingerprinting resistance
     <https://www.torproject.org/projects/torbrowser/design/#fingerprinting-linkability>
     starting from Firefox 55.
      - Landed 18 bugs <https://wiki.mozilla.org/Security/Fingerprinting> for
        anti-fingerprinting in Firefox 55 and 56.
   - Converted hundreds of test cases to obey the origin inheritance behavior
     for data: URIs in support of an important spec change
     <https://github.com/whatwg/html/issues/1753>. Intent to ship in Firefox
     57.
   - Made significant performance improvement on security components in
     support of Quantum Flow project.

Content Isolation

   - Shipping file system user token restriction for Windows content in 56
   - Shipping 3rd party legacy extension blocking for Windows content in 56
   - Shipping file system read access restrictions for OSX content in 56
   - Linux content sandboxing (“level 2”: write restrictions, some syscalls,
     probably escapable) released in 54. Work to enable read restrictions
     (enabled at time of writing in Nightly 56 targeting 57 rollout) also
     completed.

Operations Security

   - The security audit of Firefox Accounts performed by Cure53 last year
     was publicly released
     <https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox-accounts/>.
   - We completed the implementation of API Scanning with ZAP
     <https://zaproxy.blogspot.co.uk/2017/06/scanning-apis-with-zap.html>, to
     automate vulnerability scanning of our services by leveraging OpenAPI
     definitions.
   - The signing of add-ons has been ported to the Autograph
     <https://github.com/mozilla-services/autograph> service, where support
     for SHA-256 PKCS7 signatures will be added.
   - TLS Observatory accelerated the loading of CT logs, with currently ~70M
     certificates recorded. It should reach 200M in Q3.

Security Assurance

   - New team created to focus on Firefox security assurance
   - Working on adding security checks to our build tools to help our
     developers avoid landing security bugs. First outcome of this project was
     landing an ESLint plugin
     <https://github.com/mozilla/eslint-plugin-no-unsanitized> to prevent the
     unsafe usage of eval, innerHTML etc. in Firefox.

Cross-Team Initiatives

   - The TLS Canary project has seen the feature release 3.1
     <https://github.com/mozilla/tls-canary/releases/tag/v3.1.0>. NSS team is
     working on treeherder integration.
   - Common CA Database (CCADB) <http://ccadb.org/> access has been granted to
     the rest of the CAs in Microsoft’s root store (those that are also in
     Mozilla’s root store already had CA Community licenses/access).

Security Blog Posts & Presentations

   - https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/
     (Kathleen)
   - https://blog.mozilla.org/security/2017/05/11/relaunching-web-bug-bounty-program/
     (April from Enterprise Infosec)
   - https://blog.mozilla.org/security/2017/06/28/analysis-alexa-top-1m-sites/
     (April from Enterprise Infosec)
   - https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox-accounts/
     (Greg from Services Security)
   - Francois Marier gave a talk on security and privacy settings for Firefox
     power users
     <https://www.linuxfestnorthwest.org/2017/sessions/security-and-privacy-settings-firefox-power-users>
     at LinuxFest Northwest.
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security

Re: Firefox Security Newsletter - Q2 2017

Paul Theriault
So it turns out this list is plaintext only, my bad. Please just refer to the online version:

https://wiki.mozilla.org/SecurityEngineering/Newsletter

Regards,
Paul Theriault

Re: Firefox Security Newsletter - Q2 2017

Kevin Chadwick
In reply to this post by Paul Theriault
Chrome doesn't support r^x on OpenBSD but Firefox does with its more
secure jit etc. However Chrome does have the nice and simple pledge
sandboxing on OpenBSD but not sure if those pledge calls are upstreamed. I
imagine if sandboxed for the other OS that Firefox is structured in such a
way that pledge calls can be added easily. If that were true, Firefox on
OpenBSD would become the only browser with enforced r^x without
functionality breakage and sandboxing by default not to mention optional
decent security plugins. Put that in your pipe and smoke it, those that
excluded firefox from the google sec testing event due to a reported lack
of security improvements. :D

Re: Firefox Security Newsletter - Q2 2017

Alex Gaynor-2
pledge is not in upstream-Chromium, it's a patch applied by OpenBSD.

Alex

On Tue, Aug 8, 2017 at 4:57 AM, Kevin Chadwick <[hidden email]> wrote:

> Chrome doesn't support r^x on OpenBSD but Firefox does with its more
> secure jit etc. However Chrome does have the nice and simple pledge
> sandboxing on OpenBSD but not sure if those pledge calls are upstreamed. I
> imagine if sandboxed for the other OS that Firefox is structured in such a
> way that pledge calls can be added easily. If that were true, Firefox on
> OpenBSD would become the only browser with enforced r^x without
> functionality breakage and sandboxing by default not to mention optional
> decent security plugins. Put that in your pipe and smoke it, those that
> excluded firefox from the google sec testing event due to a reported lack
> of security improvements. :D