Firefox Security Newsletter - Q2 2017

(Email hard to read? Check out the online version here:
https://wiki.mozilla.org/SecurityEngineering/Newsletter )


Firefox 55 is out the door, so there=E2=80=99s time now to put together our
quarterly newsletter. In addition to the security changes
<https://developer.mozilla.org/en-US/Firefox/Releases/55#Security>which hit
release last week, there has been a number of important security
improvements land over the last quarter:

   -

   We=E2=80=99ve made significant improvement of our security sandbox, with=
 file
   system restrictions shipping for Windows and macOS on beta (Firefox 56) =
and
   Linux on nightly (Firefox 57)
   -

   Firefox 56 has a significant speedup for the most common cryptographic
   algorithm used in secure websites, AES-GCM
   <https://www.franziskuskiefer.de/web/improving-aes-gcm-performance-in-ns=
s/>
   (an official Mozilla blog post still to come).
   -

   We have continued the Tor Uplift work and entered the second phase to
   implement browser fingerprinting resistance
   <https://wiki.mozilla.org/Security/Fingerprinting> starting from Firefox
   55.


Read on for more details of the important work the Firefox security team is
doing to keep our users safe online.
Team HighlightsSecurity EngineeringCrypto Engineering

   -

   Firefox 56 has a significant speedup for the most common cryptographic
   algorithm used in secure websites, AES-GCM
   <https://www.franziskuskiefer.de/web/improving-aes-gcm-performance-in-ns=
s/>
   (an official Mozilla blog post still to come).
   -

   A regression from e10s where CORS error messages weren=E2=80=99t logged =
properly
   in the console is fixed in Firefox 56.

Privacy and Content Security

   -

   We have continued the Tor Uplift work and entered the second phase to
   implement browser fingerprinting resistance
   <https://www.torproject.org/projects/torbrowser/design/#fingerprinting-l=
inkability>
   starting from Firefox 55.
   -

      Landed 18 bugs <https://wiki.mozilla.org/Security/Fingerprinting> for
      anti-fingerprinting in Firefox 55 and 56.
      -

   Converted hundreds of test cases to obey the origin inheritance behavior
   for data: URIs in support of an important spec change
   <https://github.com/whatwg/html/issues/1753>.  Intent to ship in Firefox
   57.
   -

   Made significant performance improvement on security components in
   support of Quantum Flow project.

Content Isolation

   -

   Shipping file system user token restriction for Windows content in 56
   -

   Shipping 3rd party legacy extension blocking for Windows content in 56
   -

   Shipping file system read access restrictions for OSX content in 56
   -

   Linux content sandboxing (=E2=80=9Clevel 2=E2=80=9D: write restrictions,=
 some syscalls,
   probably escapable) released in 54. Work to enable read restrictions
   (enabled at time of writing in Nightly 56 targeting 57 rollout) also
   completed.

Operations Security

   -

   The security audit of Firefox Accounts performed by Cure53 last
year was publicly
   released
   <https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox=
-accounts/>
   .
   -

   We completed the implementation of API Scanning with ZAP
   <https://zaproxy.blogspot.co.uk/2017/06/scanning-apis-with-zap.html>, to
   automate vulnerability scanning of our services by leveraging OpenAPI
   definitions.
   -

   The signing of add-ons has been ported to the Autograph
   <https://github.com/mozilla-services/autograph> service, where support
   for SHA-256 PKCS7 signatures will be added.
   -

   TLS Observatory accelerated the loading of CT logs, with currently ~70M
   certificates recorded. It should reach 200M in Q3.

Security Assurance

   -

   New team created to focus on Firefox security assurance
   -

   Working on adding security checks to our build tools to help our
   developer avoid landing security bugs. First outcome of this project was
   landing ESLint plugin
   <https://github.com/mozilla/eslint-plugin-no-unsanitized> to prevent the
   unsafe usage of eval, innerHTML etc. in Firefox.

Cross-Team Initiatives

   -

   The TLS Canary project has seen the feature release 3.1
   <https://github.com/mozilla/tls-canary/releases/tag/v3.1.0>. NSS team is
   working on treeherder integration.
   -

   Common CA Database (CCADB) <http://ccadb.org/>access has been granted to
   the rest of the CAs in Microsoft=E2=80=99s root store (those that are al=
so in
   Mozilla=E2=80=99s root store already had CA Community licenses/access).

Security Blog Posts & Presentations

   -


   https://blog.mozilla.org/security/2017/04/04/mozilla-releases-version-2-=
4-ca-certificate-policy/
   (Kathleen)
   -


   https://blog.mozilla.org/security/2017/05/11/relaunching-web-bug-bounty-=
program/
   (April from Enterprise Infosec)
   -

   https://blog.mozilla.org/security/2017/06/28/analysis-alexa-top-1m-sites=
/
   (April from Enterprise Infosec)
   -


   https://blog.mozilla.org/security/2017/07/18/web-service-audits-firefox-=
accounts/
   (Greg from Services Security)
   -

   Francois Marier gave a talk on security and privacy settings for Firefox
   power users
   <https://www.linuxfestnorthwest.org/2017/sessions/security-and-privacy-s=
ettings-firefox-power-users>
   at LinuxFest Northwest.
0
Paul
8/8/2017 3:59:53 AM
mozilla.dev.security 618 articles. 0 followers. Post Follow

1 Replies
25 Views

Similar Articles

[PageSpeed] 5

So it turn's out this list is plaintext only, my bad. Please just refer to the online version:

https://wiki.mozilla.org/SecurityEngineering/Newsletter

Regards,
Paul Theriault
0
ptheriault
8/8/2017 4:05:59 AM
Reply: