Firefox Security Newsletter - Q4 2017

Paul Theriault
(Text-format below, see online version at

Last quarter marked the milestone release of Firefox Quantum, the new
Firefox browser. While project Quantum was largely focused on performance,
Firefox 57 included a number of key security improvements:

- As of 57, content processes on all supported operating systems (Windows,
Mac OS X, and Linux) have their file system access restricted by the sandbox,
a major milestone in bringing a sandbox implementation to Firefox.

- Data URIs are now treated as unique opaque origins, rather than inheriting
the origin of the settings object responsible for the navigation, which acts
as an XSS mitigation.

- Experimental support for anti-phishing FIDO U2F “Security Key” USB
devices landed behind a preference in Firefox 57.

And we haven’t stopped there! Since 57, we’ve been busy continuing to make
Firefox more secure than ever, including:

- Added more formally verified crypto algorithms (ChaCha20, Poly1305) to
Firefox 59

- Firefox 59 now includes top-level domains in its preloaded Strict
Transport Security (HSTS) list

- Media team completed the audio remoting work, allowing for tighter
lockdown of our sandbox

Team Highlights

Security Engineering

### Crypto Engineering

- We’ve implemented a formally-verified ChaCha20 and a verified Poly1305
in Firefox 59, joining our formally-verified Curve25519 implementation
from Firefox 57 (see also the Real World Crypto talk and slides).

- The certificate and key databases for NSS have moved to a modern SQLite
format from the prior DBM format in Firefox 58.

- Our implementation of TLS 1.3 is updated to draft -23, which is expected
to have much improved behavior with legacy middlebox network equipment
(it’s both in Firefox Nightly and at

- Firefox 58 prints a warning to the browser console when encountering a
Symantec-issued website certificate which will be subject to our distrust
plan in Firefox 60. See the CA program's Additional Trust Changes page for
details.

- Firefox 59 supports add-ons signed with PKCS#7 SHA-256 signatures, as
well as a new COSE-based format (RFC 8152) with algorithm agility. Add-ons
will move to the new COSE signature format over time.

- Firefox 59 now includes top-level domains in its preloaded Strict
Transport Security (HSTS) list, via the preload list.
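How a preload list with top-level domain entries is consulted before a request leaves the browser, as an added example (not Firefox code). The list below is constructed for illustration, with ".example" standing in for a preloaded TLD; the matching rule is the one from RFC 6797: a host matches an entry exactly, or matches any superdomain entry that has includeSubdomains set.

```javascript
// Added example (not Firefox code): consulting a preloaded HSTS list that
// contains top-level domain entries. Entries are constructed for illustration.
const PRELOAD = new Map([
  // host -> includeSubdomains
  ["example", true],                 // a whole TLD: every *.example host
  ["secure.example.com", true],
  ["only-this.example.org", false],  // exact host only, no subdomains
]);

// RFC 6797 matching: a host is HSTS if it equals an entry, or if any
// superdomain entry has includeSubdomains set. Walk "a.b.c", "b.c", "c".
function isPreloadedHsts(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PRELOAD.has(candidate) && (i === 0 || PRELOAD.get(candidate))) {
      return true;
    }
  }
  return false;
}

// Rewrite an http:// URL to https:// before any request is sent.
// Other schemes and non-preloaded hosts are returned unchanged.
function upgradeIfPreloaded(url) {
  const u = new URL(url);
  if (u.protocol === "http:" && isPreloadedHsts(u.hostname)) {
    u.protocol = "https:";
  }
  return u.toString();
}
```

The TLD entry is what makes every host under it upgrade with no per-site entry: a brand-new "api.example" is already covered on first visit, so there is no plaintext first request for an attacker to intercept.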

### Privacy and Content Security

- To mitigate phishing attempts we started to block top-level data: URI
navigations

- To help prevent third party data leakage while browsing privately,
Firefox Private Browsing Mode will remove path information from referrers
sent to third parties starting in Firefox 59
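One way to implement the referrer trimming described above, as an added example (not Firefox code). It assumes a function called with the referring page's URL, the request destination and a private-browsing flag, and returns the Referer value to send (or null for none). The downgrade check is the browser default (no-referrer-when-downgrade); the path and query are dropped only for cross-origin requests in private browsing.

```javascript
// Added example (not Firefox code). Returns the Referer header value for a
// request from `referrerUrl` to `destinationUrl`, or null when none is sent.
function referrerFor(referrerUrl, destinationUrl, { privateBrowsing }) {
  const ref = new URL(referrerUrl);
  const dest = new URL(destinationUrl);

  // Default policy: never leak a referrer from https to a non-https target.
  if (ref.protocol === "https:" && dest.protocol !== "https:") return null;

  // Credentials and fragments are never part of a referrer.
  ref.username = "";
  ref.password = "";
  ref.hash = "";

  const sameOrigin = ref.origin === dest.origin;
  if (privateBrowsing && !sameOrigin) {
    // Third party in private browsing: only scheme, host and port survive;
    // path and query (which often carry identifiers) are dropped.
    return ref.origin + "/";
  }
  // Same origin, or not private: full URL minus credentials and fragment.
  return ref.toString();
}
```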

- Added a preference to allow users to disable FTP (network.ftp.enabled)

- Added CSP improvements in Firefox 58
  - Support for the worker-src directive landed in 58
  - Security policy violation events (previously behind a pref) were enabled
  in Nightly starting in 58
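What worker-src changes for a worker request, as an added example (not Firefox code): the governing directive is found by the CSP Level 3 fallback chain worker-src, then child-src, then script-src, then default-src, and the worker URL is matched against that directive's source list. Source matching here covers 'self', 'none' and scheme://host[:port] entries with an optional "*." wildcard; nonces and hashes are not modelled. The policies in the usage are constructed for illustration.

```javascript
// Added example (not Firefox code): CSP worker-src with its fallback chain.
const DEFAULT_PORTS = { "https:": "443", "http:": "80", "ws:": "80", "wss:": "443" };
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // first occurrence wins
  }
  return policy;
}

// The first directive in the fallback chain that the policy defines governs.
function governingDirective(policy, chain = WORKER_FALLBACK) {
  return chain.find(name => policy.has(name)) || null;
}

// Minimal source-expression matching: 'none', 'self', scheme://[*.]host[:port].
function sourceMatches(source, pageOrigin, url) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^:/*]+)(?::(\d+))?$/i.exec(source);
  if (!m) return false; // anything else is not modelled in this example
  const [, scheme, wildcard, host, port] = m;
  if (scheme.toLowerCase() + ":" !== url.protocol) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port && port !== urlPort) return false;
  const h = url.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Decide whether `workerUrl` may be loaded as a worker by a page at
// `pageOrigin` under `header`; reports which directive made the decision.
function allowsWorker(header, pageOrigin, workerUrl) {
  const policy = parseCsp(header);
  const directive = governingDirective(policy);
  if (directive === null) return { directive, allowed: true };
  const url = new URL(workerUrl);
  const allowed = policy.get(directive).some(s => sourceMatches(s, pageOrigin, url));
  return { directive, allowed };
}
```

The point of the directive is visible in the first policy below: script-src permits a CDN for ordinary scripts, while worker-src restricts workers to 'self', so a worker from that CDN is refused even though a script from it would load.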

- Continued our efforts to harden the web against attacks:
  - Moved to deprecate AppCache from insecure contexts
  - X-Frame-Options will now check that all frame ancestors are the same
  origin
  - Treating insecure Flash requests as mixed active instead of mixed passive
  content, behind a preference for now; will ship in a future version
  - Removal of the legacy pcast: and feed: protocols (previously a source of
  security issues)
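Why checking every ancestor matters, as an added example (not Firefox code). The function below takes the X-Frame-Options value, the framed document's origin and the chain of ancestor origins from the immediate parent outward to the top-level document; with `allAncestors` false it reproduces the older top-level-only check, with it true the behaviour described above. ALLOW-FROM and unrecognised values are treated as absent here, which is an assumption of this example.

```javascript
// Added example (not Firefox code): SAMEORIGIN against one ancestor vs. all.
// `ancestorOrigins` runs from the immediate parent to the top-level document.
function xfoAllows(headerValue, documentOrigin, ancestorOrigins, { allAncestors }) {
  if (ancestorOrigins.length === 0) return true; // not framed at all
  const value = headerValue.trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") {
    const toCheck = allAncestors
      ? ancestorOrigins            // every frame in the chain must match
      : ancestorOrigins.slice(-1); // legacy: only the top-level document
    return toCheck.every(origin => origin === documentOrigin);
  }
  return true; // ALLOW-FROM / unknown values: treated as absent (assumption)
}

// Constructed scenario: bank.example embeds a third-party widget, and that
// widget frames a bank.example page. The top-level document is same-origin,
// but the page's direct parent is attacker-controlled.
const CHAIN = ["https://attacker.example", "https://bank.example"];
```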

- Hardening improvements
  - FORTIFY_SOURCE landed for Mac and Linux
  - Initial testing of Control Flow Guard deployment

### Content Isolation

- Audio library remoting work completed by the media team allowed the
Content Isolation team to restrict content process access to various audio
services (OSX) and networking-related application programming interfaces

- A newly developed application programming interface (API) hooking
framework is currently being tested in the 64-bit Flash sandbox. For Flash,
the framework will tighten control of networking-related API access and is
planned to ship in 60.

- The alternative-desktop feature on Windows has been held up from shipping
due to various incompatibilities with 3rd party software running on the
same device. A dependent project involving elimination of native windowing
event dispatch in content processes is reaching completion. Completion
should facilitate alternative desktop rolling out in Firefox 60.

Operations Security

- With more of the Firefox continuous integration moving to Taskcluster, we
looked into the security posture of the platform. A number of hardening
projects were spun off that will continue throughout 2018.

- Signature verification of release artifacts now covers all Windows
builds. MacOS builds and MAR update archives are next.

- We reviewed the security of repositories hosted in GitHub. Next step is
to finalize a security standard and write tools to check compliance.

- In Austin, we ran a Capture The Flag challenge to teach web security to
dozens of engineers. We used OWASP ZAP, OWASP Juice Shop and CTFd to great
success.

Cross-Team Initiatives

Mozilla sent a CA Communication to inform Certificate Authorities (CAs)
who have root certificates included in Mozilla’s program about current
events related to domain validation for SSL certificates and to remind them
of a number of upcoming deadlines.

Security Blog Posts & Presentations
