Firefox Security Newsletter - 2019 in Recap

Johann Hofmann jhofmann at mozilla.com
Wed Apr 15 19:15:00 UTC 2020


Hello everyone,

Tom Ritter, Freddy Braun and I have been working on increasing visibility
into all the things that are going on in Firefox Security Engineering.
Starting with Q1 2020, we are crafting a quarterly newsletter summarizing
Firefox security work across various teams. While we're still editing the
Q1 edition, we figured you might enjoy a "2019 in Recap" we put together in
the meantime.

You can find it either in the remainder of this email or on
https://wiki.mozilla.org/Firefox_Security_Newsletter/FSN-2019, whichever
you prefer.

If you notice that anything is missing or we didn't properly represent a
team, please let us know so that we can improve on that in the future.

Thank you,

Johann

*Firefox Security Newsletter - 2019 in Recap*

Maintaining and building a secure modern browser is one of the most
challenging tasks in software engineering. You’re up against sharp
competition from other browsers and an incredibly large ecosystem of
malicious actors and white-hat security researchers. To keep up you need
a great team. Working on Firefox, I pride myself on being surrounded
by some of the best browser security engineers in the world. In this
newsletter we wanted to share what we all have been up to in 2019.

In the future we’ll be publishing this update quarterly, using a few
categories, with explanations for what they mean right below their
headlines. An archive of all newsletters will be permanently available
at https://wiki.mozilla.org/Firefox_Security_Newsletter.

It is of course impossible to present the vast amount of work that went
into each of the highlighted projects in a single blog post, so I highly
recommend following the links to read more about the individual efforts.


  Privacy

/This is our work to deliver a more private experience on the web to all
Firefox users./

A big focus of 2019 was the *Anti-Tracking* project. With the 69 release
we shipped ETP (_Enhanced Tracking Protection_
<https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop>)
to all Firefox users by default. This was a huge milestone for the team
and for privacy on the web overall.

In addition to our anti-tracking efforts, we also shipped *protections
from cryptomining, fingerprinting and social networks* that were
tracking users through the web.

To highlight these new features, the team built _an entirely new *Protections
UI*_ <https://blog.mozilla.org/firefox/firefox-privacy-protections/>,
that consists of a new panel in the address bar as well as the new
about:protections page that allows users to get an overview of their
active protections.

In addition to our default-on tracking protections, the privacy
engineering team also works with the _Tor Browser_
<https://www.torproject.org/> team to develop and integrate more
advanced origin isolation and _anti-fingerprinting techniques_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1329996> intended for
usage in the Tor Browser. Sometimes those techniques start in Tor
Browser and move to Firefox; other times they start in Firefox and move
to Tor Browser. The most prominent example of this work in 2019 was
_Letterboxing_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1407366>, a
way for the browser to shrink the content viewport to make it less unique.
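As an added illustration of the letterboxing idea (example code written for this newsletter edit, not Tor Browser or Firefox code): the function below rounds the content viewport down to a coarse grid and then counts how many distinct viewport sizes a population of slightly different windows exposes, with and without letterboxing. The 200 x 100 px step sizes, the lower bounds and the sample window population are assumptions for the demo.

```javascript
// Added example, not Tor Browser or Firefox code: a letterboxing function that
// rounds the content viewport down to a coarse grid so that many differently
// sized windows present the same viewport size to the web. The 200x100 px
// step sizes and the lower bounds are assumptions for this demo.
const STEP_W = 200;
const STEP_H = 100;
const MIN_W = 200;
const MIN_H = 100;

function letterbox(windowW, windowH, stepW = STEP_W, stepH = STEP_H) {
  const width = Math.max(MIN_W, Math.floor(windowW / stepW) * stepW);
  const height = Math.max(MIN_H, Math.floor(windowH / stepH) * stepH);
  // The margins are what the browser paints around the shrunken content area.
  return { width, height, marginX: windowW - width, marginY: windowH - height };
}

// Size of the anonymity set: how many distinct viewport sizes does a
// population of windows expose, with and without letterboxing?
function distinctViewports(windowSizes, viewportFor) {
  const seen = new Set();
  for (const [w, h] of windowSizes) {
    const v = viewportFor(w, h);
    seen.add(`${v.width}x${v.height}`);
  }
  return seen.size;
}

// Constructed sample population: 1000 windows that differ by a few pixels,
// the kind of jitter produced by different toolbars, DPI settings and resizes.
function sampleWindows(n = 1000) {
  const sizes = [];
  for (let i = 0; i < n; i++) sizes.push([1200 + (i % 37), 800 + (i % 23)]);
  return sizes;
}

// No letterboxing: the viewport is the full window.
const noLetterbox = (w, h) => ({ width: w, height: h });

console.log("1366x768 ->", letterbox(1366, 768));
console.log("distinct viewports without letterboxing:",
  distinctViewports(sampleWindows(), noLetterbox));
console.log("distinct viewports with letterboxing:",
  distinctViewports(sampleWindows(), (w, h) => letterbox(w, h)));
```

The trade-off is visible in the numbers: the sample population collapses from hundreds of distinct sizes to one, at the cost of gray margins of up to one grid step in each direction.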

In an effort to improve our coverage of Origin Attributes across the
code base, Paul Zühlcke added _support for handling OAs in the Firefox
permission manager_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1422056>. This means that
web permissions can now be scoped by private browsing window, per
container or using first party isolation.
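To make the origin-attribute scoping concrete, here is an added example (written for this edit, not the Firefox permission manager) of a permission store whose key is the origin plus an origin-attributes suffix. The "^key=value" suffix form is modeled on Firefox's origin suffix serialization; the action constants, the attribute names handled and the sample origin are assumptions for the demo.

```javascript
// Added example, not the Firefox permission manager: a permission store whose
// key is the origin plus an origin-attributes suffix (the "^key=value" form is
// modeled on Firefox's origin suffix serialization). A grant made in one
// container, private window or first-party context is invisible in another.
const UNKNOWN_ACTION = 0;
const ALLOW_ACTION = 1;
const DENY_ACTION = 2;

function originAttributesSuffix(oa) {
  // Fixed attribute order so the same attributes always produce the same key.
  const parts = [];
  if (oa.userContextId) parts.push("userContextId=" + oa.userContextId);
  if (oa.privateBrowsingId) parts.push("privateBrowsingId=" + oa.privateBrowsingId);
  if (oa.firstPartyDomain) parts.push("firstPartyDomain=" + oa.firstPartyDomain);
  return parts.length ? "^" + parts.join("&") : "";
}

function principalKey(origin, oa) {
  return origin + originAttributesSuffix(oa || {});
}

class PermissionManager {
  constructor() {
    this.table = new Map(); // principalKey -> Map(permissionType -> action)
  }
  add(origin, oa, type, action) {
    const key = principalKey(origin, oa);
    if (!this.table.has(key)) this.table.set(key, new Map());
    this.table.get(key).set(type, action);
  }
  test(origin, oa, type) {
    const perms = this.table.get(principalKey(origin, oa));
    if (!perms || !perms.has(type)) return UNKNOWN_ACTION;
    return perms.get(type);
  }
  // Grants made in private browsing must not outlive the private session.
  clearPrivateBrowsing() {
    for (const key of Array.from(this.table.keys())) {
      if (key.indexOf("privateBrowsingId=") !== -1) this.table.delete(key);
    }
  }
}

function demo() {
  const pm = new PermissionManager();
  const site = "https://example.com"; // constructed origin
  pm.add(site, { userContextId: 1 }, "geo", ALLOW_ACTION);
  pm.add(site, { firstPartyDomain: "news.example" }, "camera", DENY_ACTION);
  pm.add(site, { privateBrowsingId: 1 }, "camera", ALLOW_ACTION);
  const pbBefore = pm.test(site, { privateBrowsingId: 1 }, "camera");
  pm.clearPrivateBrowsing();
  return {
    container1: pm.test(site, { userContextId: 1 }, "geo"),     // granted in container 1
    container2: pm.test(site, { userContextId: 2 }, "geo"),     // unknown in container 2
    noAttrs: pm.test(site, {}, "geo"),                           // unknown in a normal window
    fpiNews: pm.test(site, { firstPartyDomain: "news.example" }, "camera"), // denied under that first party
    fpiOther: pm.test(site, { firstPartyDomain: "shop.example" }, "camera"), // unknown under another
    pbBefore,                                                    // allowed during the private session
    pbAfter: pm.test(site, { privateBrowsingId: 1 }, "camera"),  // gone after the session ends
  };
}

console.log(demo());
```

The point of the key design is that a lookup with the wrong attributes never finds a grant made with the right ones, so a permission cannot leak across the boundary that the attributes define.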

Steven Englehardt _wrote a summary_
<https://blog.mozilla.org/security/2019/06/06/next-steps-in-privacy-preserving-telemetry-with-prio/>
of our progress on privacy-preserving telemetry with *Prio*. We landed
the necessary pieces to perform the privacy-preserving origin telemetry
in Nightly and will be testing it before deploying further to Release.

The Facebook Container team shipped _Facebook Container 2.0_
<https://blog.mozilla.org/firefox/facebook-container-for-firefox/>, with
significant improvements to our extension that keeps Facebook from
tracking you around the web for good.


  Core Security

/Core security, for us, means efforts to protect Firefox from
vulnerabilities and exploits. This work is usually not exposed to users,
but everyone benefits from having a rock-solid secure browser./


In 2019 we shipped *4 security-related “chemspill” releases*, meaning
urgent dot-versions of Firefox (e.g. 72.0.1) that contained especially
urgent security fixes. Each of these chemspills went out within a day!

Several teams concentrated their efforts on *Hardening the Firefox
Security Architecture, *with a particular focus on sandbox escapes.
Listed below are the main projects that were part of this effort.

We improved our protection against JavaScript code injection in browser
UI or other privileged areas of code (e.g. about: pages). To this end
Gijs _prevented untrusted pages from being loaded in the parent process_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1560178>. Christoph
Kerschbaumer _applied CSPs to all of our about: pages_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1492063>. Jonas Allman and
Tom Ritter removed and disallowed _usage of eval() in the parent process
and system privileged code_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1473549>. Freddy Braun
_disallowed non-internal resources_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1513445> from being loaded as
documents in privileged contexts. More efforts of this type are underway
in 2020.
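To show what a CSP on a privileged page buys you against an injected payload, here is an added example (written for this edit, not Firefox's CSP engine) of a minimal CSP evaluator applied to the usual injection vectors. The ABOUT_PAGE_CSP policy string is assumed for illustration and is not the exact policy Firefox ships; the evaluator models only scheme sources, exact origins and the keyword sources.

```javascript
// Added example, not Firefox's CSP engine: a minimal CSP evaluator that shows
// what a policy like the one applied to about: pages does to an injection.
// The ABOUT_PAGE_CSP string is assumed for illustration; it is not the exact
// policy Firefox ships.
const ABOUT_PAGE_CSP = "default-src chrome:; object-src 'none'; img-src chrome: data:";

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// script-src falls back to default-src; null means "no policy applies".
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get("script-src") || d.get("default-src") || null;
}

function inlineScriptAllowed(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes("'unsafe-inline'");
}

function evalAllowed(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes("'unsafe-eval'");
}

// Only scheme sources (chrome:) and exact origins are modeled; host wildcards are not.
function externalScriptAllowed(policy, url) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const scheme = url.slice(0, url.indexOf(":") + 1);
  return sources.some(s => s === "*" || s === scheme ||
    (s.includes("://") && url.startsWith(s + "/")));
}

// An attacker who gets markup into a privileged page tries the usual vectors.
function injectionOutcome(policy) {
  return {
    inlineHandler: inlineScriptAllowed(policy),   // <img src=x onerror=...>
    evalString: evalAllowed(policy),               // eval("..."), new Function(...)
    remoteScript: externalScriptAllowed(policy, "https://attacker.example/x.js"),
    internalScript: externalScriptAllowed(policy, "chrome://browser/content/browser.js"),
  };
}

console.log("about: page CSP:", injectionOutcome(ABOUT_PAGE_CSP));
console.log("no CSP:", injectionOutcome(""));
```

With the about: page policy every attacker-controlled vector is refused while the page's own chrome: scripts still load; with no policy every vector succeeds, which is the situation the work above set out to remove from the parent process.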

Zombie reduced the possibility of sandbox escapes through malicious IPC
messages by _ensuring_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1604058> that IPC messages
claiming to come from the extension process do, in fact, come from an
actual web extension.
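The sender check above is a confused-deputy fix, and the pattern is worth seeing in code. The following is an added example written for this edit, not Firefox's IPC code: a dispatcher that trusts a "from extension" claim inside the message, beside one that derives the sender's type from the parent's own knowledge of which process the channel belongs to. The process registry, the process ids, the add-on id and the API name are all constructed.

```javascript
// Added example, not Firefox's IPC code: why the parent process must derive
// "is this an extension?" from the sending process itself rather than from
// the message. A compromised content process can put anything in a message
// body; it cannot change which process it is.
const PRIVILEGED_API = "browser.tabs.executeScript"; // constructed name

// The parent knows, from the channel it created, what kind of process each
// endpoint is. This table stands in for that bookkeeping.
const processRegistry = new Map([
  [101, { remoteType: "extension", addonId: "ext@example.test" }],
  [202, { remoteType: "web", addonId: null }],
]);

// Vulnerable dispatcher: trusts the claim carried inside the message.
function dispatchTrustingMessage(pid, msg) {
  if (msg.fromExtension) return { allowed: true, addonId: msg.addonId };
  return { allowed: false, reason: "not an extension" };
}

// Hardened dispatcher: the sender's process type and add-on identity come from
// the parent's own registry; message fields that claim otherwise are ignored.
function dispatchVerified(pid, msg) {
  const sender = processRegistry.get(pid);
  if (!sender) return { allowed: false, reason: "unknown sender" };
  if (sender.remoteType !== "extension") {
    return { allowed: false, reason: "sender is a " + sender.remoteType + " process" };
  }
  if (msg.addonId && msg.addonId !== sender.addonId) {
    return { allowed: false, reason: "add-on id mismatch" };
  }
  return { allowed: true, addonId: sender.addonId };
}

// Constructed attack message sent from the compromised web content process 202.
const forged = { api: PRIVILEGED_API, fromExtension: true, addonId: "ext@example.test" };
// Constructed genuine message from the real extension process 101.
const genuine = { api: PRIVILEGED_API, addonId: "ext@example.test" };

console.log("trusting, forged from 202:", dispatchTrustingMessage(202, forged));
console.log("verified, forged from 202:", dispatchVerified(202, forged));
console.log("verified, genuine from 101:", dispatchVerified(101, genuine));
```

The rule generalizes beyond extensions: any privilege decision in the parent should key off facts the parent established itself (which process, which channel, which principal it handed out), never off fields the less privileged side filled in.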

The Hardening team, in conjunction with the Low Level Tools team,
deployed _memory partitioning_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1052575>, isolating
particularly powerful attacker-controlled objects like Strings and
ArrayBuffers from other DOM objects, as well as additional guard pages
around certain types of memory structures.

Jed Davis gave us the ability to share memory with a content process,
but _freezing_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1479960> it
so the content process cannot write to it.

A big effort in 2019 and also in 2020 is the _*Fission* project_
<https://wiki.mozilla.org/Project_Fission>, which aims to achieve true
process isolation per site. This is a very extensive project that
involves rewriting large parts of the browser and engine code. In 2019
we achieved a number of milestones for Fission progress, such as
implementing DocumentChannel (a refactoring of how navigation occurs),
building a _multiprocess browser toolbox_
<https://groups.google.com/forum/#!topic/mozilla.dev.platform/daAfrjkYs0c>,
burning down _a lot of test failures_ <https://arewefissionyet.com/>.
Fission will continue in 2020 where we expect to have something everyone
can turn on and report any issues with.

The Browser Architecture team was able to remove the last traces of
_XBL_ <https://developer.mozilla.org/en-US/docs/Archive/Mozilla/XBL>
from Firefox code, eliminating a lot of old code and some obvious attack
surfaces for sandbox escapes along the way.

Jonas _integrated_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1508659> _Project
Wycheproof_ <https://github.com/google/wycheproof> for testing our NSS
cryptography library.

The Fuzzing team added new targets this year, such as _Necko_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1526258> (the Gecko
networking stack) and _IndexedDB_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1499097> and published the
_Grizzly Browser Fuzzing Framework_
<https://blog.mozilla.org/security/2019/07/10/grizzly/>.

The Platform Security team deployed our most restrictive sandbox yet in
the Media Decoder process on _Windows and OSX_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1498624>, and made
considerable progress on our multi-year effort to remove win32k from the
content process on Windows.

With considerable help from :dmajor, the Platform Security team
_deployed a limited form of Control Flow Guard_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1485016> support for
Windows, with hopes of expanding it in 2020.

Haik _spent a considerable amount of time_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1471004> to support
Catalina’s new required software notarization scheme and hardened
runtime support.

Aaron Klotz and Toshihito Kikuchi _worked to improve our telemetry_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1435773> and insight into
third party modules that inject in our process on Windows.

With the help of a UCSD research team, _we compiled the graphite font
rendering_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1562797>
library to wasm, enclosing it in a sandbox with validation of the data
that crosses the sandbox boundary. Currently in Beta on Linux x64, this
lets us keep using a C library while confining its memory accesses to
the sandbox and firewalling it from the rest of the process. Expansion
to more libraries and to OSX and Windows is underway.


  Firefox Security

/Firefox Security means user-exposed security features that allow you to
have a safe experience on the web./

The *Firefox Lockwise* team significantly revamped the desktop password
manager experience, bringing Lockwise to desktop. New features include a
new password management UI (about:logins), _secure password generation,
integration with Firefox Monitor_
<https://blog.mozilla.org/firefox/password-security-features/> and _more
improvements and bugfixes_
<https://matthew.noorenberghe.com/blog/2019/05/password-manager-improvements-firefox-67>.

We released the Beta version of an entirely new product in the Firefox
family: _*Firefox Private Network*_ <https://fpn.firefox.com/>, a VPN
and Proxy solution by Mozilla.

Our interns Carolina and Danielle built an entirely new *Certificate
Viewer *(about:certificate) for Firefox, modeled after the popular
_Certainly Something_
<https://addons.mozilla.org/en-US/firefox/addon/certainly-something/>
browser extension which itself was developed by April King, another
Mozilla engineer.

The *DNS-over-HTTPS* project aims to improve the problematic privacy and
security properties of DNS for our users. In 2019, the DoH team _ran
experiments and added a way for parental controls providers to disable
DoH_
<https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/>,
in preparation for the upcoming launch.

The Firefox 70 release brought us _new improved security UI indicators_
<https://blog.mozilla.org/security/2019/10/15/improved-security-and-privacy-indicators-in-firefox-70/>,
with a new indicator for insecure HTTP connections, as well as a reduced
level of presentation for Extended Validation certificates.


We shipped an updated design for our _certificate error pages_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1530327> (built by our
Outreachy intern Trisha Gupta) including a brand new error page
highlighting when the local system time being off is likely at fault for
the error.



In an effort to reduce breakage from Anti-Virus and other software that
tries to intercept connections without installing their root certificate
in the Firefox cert store, the team built a mode where Firefox can
*automatically detect MitM-related certificate errors* that would be
fixed by importing certificates from the OS root store. In addition to
that, _there’s now a message shown in the identity popup when the site
is verified by an imported root certificate_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1549605>.

The Firefox Add-on Manager now includes an _integrated abuse report
mechanism_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1544928>, to
help users quickly report malicious add-ons.

We _improved our indicators for geolocation usage_
<https://bugzilla.mozilla.org/show_bug.cgi?id=630614> to include an
in-use indicator and show when geolocation was last accessed by the site.



  Web Security

/This encompasses efforts to build features that allow web developers to
build more secure sites. It sometimes also means restrictions made on
web developers to *force* them to build more secure sites./

The Crypto Engineering team released _Web Authentication in Firefox for
Android_
<https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/>.

We announced our plan to _remove support for TLS 1.0 and 1.1 in March
2020_
<https://hacks.mozilla.org/2019/05/tls-1-0-and-1-1-removal-update/>. In
2019, we started rolling this change out to Nightly users and
implemented a temporary override to allow early testers to avoid breakage.

After a _series of experiments_
<https://blog.nightly.mozilla.org/2019/04/01/reducing-notification-permission-prompt-spam-in-firefox/>,
we launched _strong restrictions_
<https://blog.mozilla.org/futurereleases/2019/11/04/restricting-notification-permission-prompts-in-firefox/>
on notification permission prompts that will reduce the massive
annoyance they presented to users of the web.

Johann Hofmann _put web push notifications behind secure context_
<https://groups.google.com/forum/#!topic/mozilla.dev.platform/FMPrIMGBNtg>.
Ehsan Akhgari _removed the ability_
<https://bugzilla.mozilla.org/show_bug.cgi?id=1560741> for third party
iframes to use web notifications.
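Taken together, the three notification changes above amount to a small decision procedure, shown here as an added example written for this edit (not Firefox's implementation): a request from an insecure context or from a third-party iframe is refused, a request from a top-level secure context without a user gesture gets no prompt (the user can still opt in from the address bar), and only a gesture-backed request prompts. The `ctx` field names, the sample contexts and the exact permission values returned are this demo's modeling, not a statement of the spec.

```javascript
// Added example, not Firefox's implementation: a decision function that encodes
// the 2019 notification changes described above. A request from an insecure
// context or a third-party iframe is refused outright; a request from a
// top-level secure context without a user gesture does not get a prompt (the
// user can still opt in from the address bar); only a request backed by a
// user gesture gets the prompt. The field names of `ctx` are assumptions.
function notificationRequestDecision(ctx) {
  if (!ctx.isSecureContext) {
    return { permission: "denied", prompt: false,
             reason: "Notification and Push require a secure context" };
  }
  if (ctx.isCrossOriginIframe) {
    return { permission: "denied", prompt: false,
             reason: "third-party iframes may not request notifications" };
  }
  if (!ctx.hasTransientUserActivation) {
    return { permission: "default", prompt: false,
             reason: "no user gesture: suppress the prompt, show an address-bar indicator" };
  }
  return { permission: "default", prompt: true,
           reason: "top-level secure context with user gesture: prompt the user" };
}

// Constructed request contexts.
const cases = {
  httpSite:   { isSecureContext: false, isCrossOriginIframe: false, hasTransientUserActivation: true },
  adFrame:    { isSecureContext: true,  isCrossOriginIframe: true,  hasTransientUserActivation: true },
  onLoadSpam: { isSecureContext: true,  isCrossOriginIframe: false, hasTransientUserActivation: false },
  afterClick: { isSecureContext: true,  isCrossOriginIframe: false, hasTransientUserActivation: true },
};

for (const [name, ctx] of Object.entries(cases)) {
  console.log(name, notificationRequestDecision(ctx));
}
```

The ordering matters: the context checks come first so that a page cannot use a user gesture to bypass the secure-context or framing rules, and the gesture check only decides whether the user is interrupted, not whether the request is legitimate.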

In a cooperation with Cloudflare, the Crypto Engineering team started to
experiment with _Delegated Credentials for TLS_
<https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/>,
a mechanism which can alleviate trust concerns around distributing
private keys to CDNs, without any of the performance overhead from
alternative solutions.

Jonathan Kingston sent out an intent to _remove AppCache_
<https://www.fxsitecompat.dev/en-CA/docs/2019/application-cache-storage-has-been-removed-in-nightly-and-early-beta/>,
starting with Nightly and Beta in version 71 and to be unshipped in
Release in 2020.

In several cases, Paul Zühlcke limited the ability of websites to spam
_window-modal dialogs_
<https://bugzilla.mozilla.org/show_bug.cgi?id=616843>, which were abused
for DoS-style attacks to extort or confuse users.


  Security Ecosystem

Our *Bug Bounty program* is getting a lot of love in 2020, and we kicked
it off with two improvements in 2019: we significantly increased
_payments in the Mozilla Web Security Bounty Program_
<https://blog.mozilla.org/security/2019/11/19/updates-to-the-mozilla-web-security-bounty-program/>
and we created a static analysis bounty, _adding CodeQL and clang to our
Bug Bounty Program_
<https://blog.mozilla.org/security/2019/11/14/adding-codeql-and-clang-to-our-bug-bounty-program/>.

As part of encouraging more participation in the Bug Bounty program,
we’re also working to provide walkthroughs that help people get
involved. We published _two_
<https://frederik-braun.com/firefox-ui-xss-leading-to-rce.html> _blog
articles_
<https://blog.mozilla.org/security/2019/12/02/help-test-firefoxs-built-in-html-sanitizer-to-protect-against-uxss-bugs/>
specifically about the built-in HTML Sanitizer, where and how we rely on
it, and how to get set up for testing it for bypasses in an iterative
fashion in less than 30 seconds.

The _MOSS Program_ <https://www.mozilla.org/en-US/moss/> funds
development of open source software through grants; and also provides
funding for security audits. Typically these happen in the background
but every once in a while we discover something particularly impactful,
like _this Critical Security Issue identified in iTerm2_
<https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/>.

The *Mozilla Security Engineering University Relationship Framework*
(_SURF_ <https://surf.mozilla.org/>) initiative hosted two conferences
in 2019, in _San Francisco in May_
<https://surf.mozilla.org/events/2019/sf/> and in _Vienna in November_
<https://surf.mozilla.org/events/2019/vienna/>.

Steven Englehardt and Marshall Erwin _published the first release_
<https://blog.mozilla.org/security/2019/01/28/defining-the-tracking-practices-that-will-be-blocked-in-firefox/>
of our _anti-tracking policy_
<https://wiki.mozilla.org/Security/Anti_tracking_policy>.

Wayne Thayer announced _version 2.7 of the Mozilla Root Store Policy_
<https://blog.mozilla.org/security/2019/12/11/announcing-version-2-7-of-the-mozilla-root-store-policy/>.

As a reaction to the _MitM attacks by the Kazakhstan Government_
<https://censoredplanet.org/kazakhstan> using a custom root certificate,
Firefox, in joint action with Google Chrome, _blocked the use of the
Kazakhstan root certificate_
<https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/>.