Firefox Security Newsletter - Q1 2017

Hey all, it's time for another quarterly newsletter from the Firefox
Security team - now including updates from our security operations team as
well. Read on below, or check out the version on the wiki at
https://wiki.mozilla.org/SecurityEngineering/Newsletter.
Firefox Security Team Newsletter

It was another busy quarter for the teams working tirelessly to keep
Firefox users safe online, and Firefox is now safer than ever. New
improvements that landed over the last quarter include:

   - Firefox now warns users
   <https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
   when their passwords are being sent over HTTP
   - Firefox explicitly distrusts the use of SHA-1
   <https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/>
   signatures in TLS certificates
   - Firefox Containers, an experimental privacy tool, is available to all
   users via test-pilot
   <https://testpilot.firefox.com/experiments/containers/>
   - We reached another milestone in the Security Sandbox
   <https://wiki.mozilla.org/Security/Sandbox> project, enabling content
   process sandboxing on release OS X in Firefox 52. (Windows was previously
   enabled in Firefox 50 and Linux is enabled in Firefox 54, which is targeted
   for a June release)
   - In addition to support for Tor first-party isolation
   <https://bugzilla.mozilla.org/show_bug.cgi?id=1299996> shipping in 52,
   we began prototyping
   <https://bugzilla.mozilla.org/show_bug.cgi?id=1337647> for a project to
   bring Tor support to Firefox for Android

And that’s just the highlights, read on to find out what’s new in Firefox
security.

Team Highlights

Security Engineering

   - New warnings
   <https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
   are shipping in Firefox to alarm users when passwords are sent over HTTP
   - Continued our support for the TOR project
   <https://blog.torproject.org/blog/tor-heart-firefox>:
      - Shipped First Party Isolation in Firefox ESR 52 (behind the pref
      “privacy.firstparty.isolate”), which prevents third parties from tracking
      users across multiple websites
      - Attended the Tor meeting in Amsterdam to discuss the collaboration
      between Mozilla and Tor in the future
      - Started a new mobile project "Fennec + Tor", which aims at bringing
      Orfox-like features into Fennec
      - Worked on efforts to port TOR anti-fingerprinting features to
      Firefox
   - Put the finishing touches on a ‘Security By Default’
   <https://blog.mozilla.org/security/2016/11/10/enforcing-content-security-by-default-within-firefox/>
   project; this multi-year effort centralised the network security logic that
   was previously scattered through the Gecko codebase in a single
   maintainable place
   - We implemented a preference to change the origin inheritance behavior
   for data: URIs in support of an important spec change
   <https://github.com/whatwg/html/issues/1753>.
   - Support for the Content Security Policy 'strict-dynamic' directive
   landed in Firefox 52
   <https://bugzilla.mozilla.org/show_bug.cgi?id=1299483>
   - The next phase of the Containers
   <https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers>
   project continues with the feature launched in a Firefox Test Pilot
   experiment
   <https://hacks.mozilla.org/2017/03/containers-come-to-test-pilot>.
   - This quarter saw several new features added to Firefox Web Extensions
   in support of privacy add-ons:
      - We helped the Web Extension team ship a privacy API
      <https://bugzilla.mozilla.org/show_bug.cgi?id=1312802> which can be
      used to make Privacy add-ons (Firefox 54)
      - We also added the ‘cookieStoreId’ to WebExtension APIs
      <https://bugzilla.mozilla.org/show_bug.cgi?id=1302697> so that Web
      Extension authors can leverage the Containers feature in their own add-ons
      (Firefox 52)
   - Sandbox hardening project continues, mainly focusing on hardening our
   IPC layer in support of the upcoming lockdown of file system access
   (targeted for Firefox 55)
      - Code auditing continues to find IPC bugs so we are experimenting
      with IPDL helper classes
      <https://bugzilla.mozilla.org/show_bug.cgi?id=1325647> to avoid common
      IPDL bugs
      - Landed a fuzzer
      <https://bugzilla.mozilla.org/show_bug.cgi?id=777600> for Message
      Manager messages
      - Completed two handwritten IPC fuzzers (PHttpChannel/PCameras) as a
      case study for future IPC fuzzer hardening
   - The Tracking Protection experiment graduated from Firefox Test Pilot
   <https://testpilot.firefox.com/experiments/tracking-protection>

Crypto Engineering

   - The end of SHA-1 certificates: Following a phased deprecation of SHA-1
   in Firefox 51, Firefox 52 explicitly distrusts the use of SHA-1 signatures
   in certificates used for HTTPS.
   - We’ve begun fuzzing the TLS client and server side of the NSS library,
   raising our confidence in the network-facing code used by all Firefoxes
   - Mozilla now runs the tier 1 continuous integration tests for the NSS
   library internally, without external reliance on RedHat. We’ve also moved
   our ARM builds and testing off of local machines and into more stable
   cloud-hosted hardware.

Operations Security

   - Addons.mozilla.org and Firefox Accounts have been brought to
   compliance with Operations Security’s security checklist
   <https://wiki.mozilla.org/Security/FoxSec>. These services now have
   strong CSP, HSTS, HPKP and various other security improvements.
   - Simon Bennetts released version 2.6.0
   <https://github.com/zaproxy/zap-core-help/wiki/HelpReleases2_6_0> of the
   ZAP web security scanner, with a long list of enhancements and bug fixes
   from the OWASP community. Noteworthy is the addition of an OpenAPI/Swagger
   extension <https://github.com/zaproxy/zap-extensions/pull/765> to
   automate the discovery and scanning of REST APIs. We plan on using it to
   scan Firefox backend APIs.
   - Firefox Screenshots (formerly Pageshot) completed a security review
   <https://github.com/mozilla-services/screenshots/issues?utf8=%E2%9C%93&q=is:issue%20label:secreview>
   as part of its graduation from the TestPilot program
   - TLS Observatory now has the ability to count end-entity certificates
   associated with a root or intermediate, and a lightweight web ui
   <https://tls-observatory.services.mozilla.com/static/certsplainer.html?id=1820980> to
   visualize certs and their paths. We also started loading certificates from
   Google’s Aviator CT log, bringing the count of certs
   <https://tls-observatory.services.mozilla.com/api/v1/__stats__?format=text>
   over 12 million.
   - Will Kahn-Greene released Bleach v2.0
   <http://bluesock.org/%7Ewillkg/blog/dev/bleach_2_0.html>, a major new
   release of this popular Python library used to sanitize HTML in web
   applications.

Cross-Team Initiatives

   - Shipped pwn2own dot-release in less than 24 hours, great work with
   really dedicated engineers and release team
   - Shipped a hook
   <https://github.com/mozilla-services/third-party-library-alert> into
   build machinery to alert when a third party library is out of date
   - OneCRL now has entries <https://crt.sh/revoked-intermediates> for about
   250 revoked intermediate certs
   - Deployed mechanism <https://wiki.mozilla.org/CA:CommonCADatabase> for
   CAs to directly provide their annual updates to the Common CA Database, and
   have those updates become available to all member root store operators
   - Modernized the TLS Canary tool <https://tlscanary.mozilla.org/> for
   performance and maintainability improvements including 2-3x perf
   improvement, better coverage for sites using redirects and support for
   OneCRL

Security Blog Posts & Presentations

In case you missed them, here are some of the blog posts and speaker
presentations we gave over the last quarter:

   - New warnings shipping in Firefox to alarm users when passwords are
   sent over HTTP
   <https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/>
   - Tanvi Vyas, Andrea Marchesini and Christoph Kerschbaumer co-authored
   an academic paper
   <http://www.scitepress.org/DigitalLibrary/PublicationsDetail.aspx?ID=UoE90ECay/Q=&t=1> about
   Origin Attributes, the framework within Firefox that enables First Party
   Isolation of cookies (an important TOR feature
   <https://blog.torproject.org/blog/tor-heart-firefox>) as well as a
   number of upcoming Firefox security features
   - Announced the deprecation of SHA-1 on the Public Web
   <https://blog.mozilla.org/security/2017/02/23/the-end-of-sha-1-on-the-public-web/>
   - Francois Marier lectured on how to adopt new browser security features
   at ConFoo
   <https://speakerdeck.com/fmarier/getting-browsers-to-improve-the-security-of-your-webapp>
   - Julien Vehent presented Test Driven Security in Continuous Integration
   <https://www.youtube.com/watch?v=e2axToBYD68> at Enigma, a technique we
   developed internally
   <https://blog.mozilla.org/security/2017/01/25/setting-a-baseline-for-web-security-controls/>
   to increase the security of our websites and services.
   - Discussed the history and future of CSP
   <https://blog.mozilla.org/security/2017/01/29/mozilla-security-bytes-episode-1-csp/>
   in the Security Bytes podcast
   <https://github.com/mozilla/security-bytes-podcast>
   - Released version 2.4 of Mozilla’s CA Certificate Policy
   <https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-4-ca-certificate-policy/>
Paul
4/28/2017 9:38:00 AM
mozilla.dev.security
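
The 'strict-dynamic' directive mentioned under Security Engineering changes how a browser evaluates a script-src source list. What follows is an added example and not code from Firefox, Gecko or this newsletter: a small JavaScript model of that evaluation. The two policies, the page and script origins and the nonce value 'r4nd0m' are constructed for illustration; host matching is simplified to an exact-origin comparison and the default-src fallback is not modelled.

```javascript
// Added example, not Firefox/Gecko code: a model of how a browser evaluates a
// CSP script-src source list with and without 'strict-dynamic'. Policies,
// origins and the nonce below are constructed; host matching is exact-origin
// only and default-src fallback is not modelled.

// Pull the script-src source list out of a full Content-Security-Policy header.
function scriptSrcValue(header) {
  for (const directive of header.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === "script-src") {
      return parts.slice(1).join(" ");
    }
  }
  return null; // no script-src; a real browser would fall back to default-src
}

// Classify each source expression in a script-src value.
function parseScriptSrc(value) {
  const src = {
    nonces: new Set(), hashes: new Set(), hosts: new Set(),
    self: false, unsafeInline: false, strictDynamic: false, none: false,
  };
  for (const raw of value.trim().split(/\s+/).filter(Boolean)) {
    const token = raw.replace(/^'|'$/g, "");
    const lower = token.toLowerCase();
    if (lower.startsWith("nonce-")) src.nonces.add(token.slice("nonce-".length));
    else if (/^sha(256|384|512)-/.test(lower)) src.hashes.add(token);
    else if (lower === "self") src.self = true;
    else if (lower === "unsafe-inline") src.unsafeInline = true;
    else if (lower === "strict-dynamic") src.strictDynamic = true;
    else if (lower === "none") src.none = true;
    else src.hosts.add(lower); // host-source such as https://cdn.example or *
  }
  return src;
}

// Decide whether one script element may run under the header.
// script: { inline, origin, nonce, hash, parserInserted }
//   parserInserted is true for markup and innerHTML/document.write insertion,
//   false for elements built with createElement and appended by script.
function scriptAllowed(header, script, pageOrigin) {
  const value = scriptSrcValue(header);
  if (value === null) return true; // simplification: no script-src, no check
  const src = parseScriptSrc(value);
  if (src.none) return false;
  const nonceOk = !!script.nonce && src.nonces.has(script.nonce);
  const hashOk = !!script.hash && src.hashes.has(script.hash);
  if (nonceOk || hashOk) return true; // explicit trust always wins
  if (src.strictDynamic) {
    // 'strict-dynamic' makes the browser ignore host allow-lists, 'self' and
    // 'unsafe-inline'; trust reaches only scripts that trusted code creates
    // through non-parser-inserted APIs, so injected markup stays blocked.
    return !script.parserInserted;
  }
  if (script.inline) {
    // 'unsafe-inline' is disregarded once the policy carries a nonce or hash.
    return src.unsafeInline && src.nonces.size === 0 && src.hashes.size === 0;
  }
  if (src.self && script.origin === pageOrigin) return true;
  return src.hosts.has("*") || src.hosts.has(script.origin.toLowerCase());
}

// Constructed policies: a host allow-list policy and the nonce-based
// 'strict-dynamic' policy it could be replaced with ('unsafe-inline' is kept
// in the second one as the usual fallback for browsers without nonce support).
const PAGE = "https://app.example";
const LEGACY = "default-src 'self'; script-src 'self' https://cdn.example 'unsafe-inline'";
const STRICT = "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' https://cdn.example 'unsafe-inline'";

// Constructed script elements: the page's own nonced loader, two scripts an
// attacker injected into the markup, and a chunk the loader creates itself.
const SCRIPTS = {
  loader: { inline: false, origin: "https://cdn.example", nonce: "r4nd0m", hash: null, parserInserted: true },
  injectedInline: { inline: true, origin: null, nonce: null, hash: null, parserInserted: true },
  injectedCdn: { inline: false, origin: "https://cdn.example", nonce: null, hash: null, parserInserted: true },
  dynamicChunk: { inline: false, origin: "https://other.example", nonce: null, hash: null, parserInserted: false },
};

// Evaluate every constructed script under one header.
function evaluate(header) {
  const out = {};
  for (const [name, script] of Object.entries(SCRIPTS)) {
    out[name] = scriptAllowed(header, script, PAGE);
  }
  return out;
}

console.log("legacy:", evaluate(LEGACY));
console.log("strict:", evaluate(STRICT));
```

Run with node. Under the legacy policy the injected inline script and the injected script fetched from the allow-listed CDN both execute, while under the nonce plus 'strict-dynamic' policy both are blocked and only the nonced loader and the scripts it creates itself run, even from a host the allow-list never named. That is the trade the directive offers: host allow-listing is given up in exchange for resistance to markup injection, which only holds if the nonce is unguessable and fresh for every response.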

For reasons that escape me right now, this email was plaintext only, which makes this pretty unreadable. For an easier to read version (and archives of previous newsletters), see our wiki: https://wiki.mozilla.org/SecurityEngineering/Newsletter

Regards,
Paul


ptheriault
5/1/2017 8:58:37 PM