For anyone who clicked the link and was confused, NOW the wiki has the latest newsletter. Apologies for that.
https://wiki.mozilla.org/SecurityEngineering/Newsletter

On Thu, Nov 2, 2017 at 9:26 PM, <ptheria...@mozilla.com> wrote:
> [ See formatted version here:
> https://wiki.mozilla.org/SecurityEngineering/Newsletter ]
>
> = Firefox Security Team Newsletter Q3 17 =
>
> Firefox Quantum is almost here, and contains several important security
> improvements. Improved sandboxing, web platform hardening, crypto
> performance improvements and much more. Read on to find out all the
> security goodness coming through the Firefox pipeline.
>
> - Sandbox work is seeing great progress. As of 57, Windows, Mac OS X, and
> Linux all have file system access restricted by the sandbox which is a
> major milestone reached. Further restrictions are enabled for Windows in
> Firefox 58.
>
> - Firefox 57 now treats data URLs as unique origins, reducing the risk of
> Cross-Site Scripting (XSS).
>
> - The Firefox Multi-Account Containers Add-on shipped, allowing users to
> juggle multiple identities in a single browsing session.
>
> - Increased AES-GCM performance in Firefox 56, and support for Curve25519
> in Firefox 57 (the first formally verified cryptographic algorithm in a web
> browser)
>
> - Experimental support for anti-phishing FIDO U2F “Security Key” USB
> devices landed behind a preference in Firefox 57. This feature is a
> forerunner to W3C Web Authentication, which will bring this anti-phishing
> technology to a wider market.
>
> - The privacy WebExtension API can now be used to control the
> privacy.resistFingerprinting preference and first party isolation
>
> = Team Highlights =
>
> = Security Engineering =
> == Crypto Engineering ==
> - AES-GCM performance is increased across the board, making large
> transfers more efficient in Firefox 56.
> - Our implementation of Curve25519 in Firefox 57 is the first formally
> verified cryptographic algorithm in a web browser.
> - Experimental support for anti-phishing FIDO U2F “Security Key” USB
> devices landed behind a preference in Firefox 57. This feature is a
> forerunner to W3C Web Authentication, which will bring this
> anti-phishing technology to a wider market.
>
> == Privacy and Content Security ==
> - The privacy WebExtension API can now be used to control the
> privacy.resistFingerprinting preference and first party isolation
> - Containers launched as an extension available from AMO
> - Containers have had a few improvements for web extensions:
> Containers now enabled when installing a contextual identity extension,
> Events to monitor container changes, Ability to get icon urls for
> containers along with hex colour codes, Cleaner APIs
> - Lightbeam was remade as a web extension.
> - Firefox 57 treats data URLs as unique origins which mitigates the risk
> of XSS, makes Firefox standard-compliant and consistent with the behavior of
> other browsers.
> - Shipped version 4 of the Safe Browsing protocol.
>
> == Firefox and Tor Integration ==
> - Continue the Tor patch uplift work focusing on browser fingerprinting
> resistance
> - Landed 12 more anti-fingerprinting patches in 57
> - The MinGW build has landed in mozilla-central and is available in
> treeherder
>
> == Content Isolation ==
> - Various Windows content process security features enabled over the
> quarter including disabling of legacy extension points (56), image load
> policy improvements (57), increased restrictions on job objects (58), and
> finally we've enabled the alternate desktop feature in Nightly after
> battling various problems with anti-virus software interfering with child
> process startup.
> - The new 'default deny' read access policy for the Linux file access
> broker is now enabled by default for content processes and is rolling out
> in Firefox 57.
> The broker forwards content process file access requests to
> the parent process for approval, severely restricting what a compromised
> content process could do within the local file system.
> - Numerous access rules associated with file system, operating system
> services, and device access have been removed from the OSX content process
> sandbox. In terms of file system access, we've reached parity with Chrome's
> renderer. Remaining print server access will be removed in Q4, removal of
> graphics and audio access is currently in planning.
> - We continue to invest in cleaning up various areas of the code that have
> accumulated technical debt.
> - We’ve completed our research on the scope of enabling the Win32k System
> Call Disable Policy feature. This feature will isolate content processes
> from a large class of Win32k kernel APIs commonly used to gain sandbox
> escape and privilege escalation. Planning for this long term project is
> currently underway with work expected to commence in Q4.
> - As a result of the stability and process startup problems encountered
> due to 3rd party code injection, a new internal initiative has formed to
> better address problems associated with unstable software injected into
> Firefox. This cross-team group will explore and improve policy revolving
> around outreach and blocking, data collection and research, and improved
> injection mitigation techniques within Firefox.
>
> = Operations Security =
> - addons.mozilla.org and Firefox Screenshots went through external
> security audits. The reports will be released soon.
> - Internal audits of Crash Reports and Phabricator were completed and have
> found no maximum or high risk issues.
> - addons.mozilla.org, Crash Reports, Telemetry, Pontoon, Push and
> Tracking Protection backends have been connected to pyup.io to track
> vulnerabilities in upstream Python dependencies.
> - Verification of the signature of installer and update files has been
> integrated into the product delivery pipeline, to prevent an attacker from
> feeding an improperly signed file to our download sites.
>
> = Security Assurance =
> - Developed new static analysis tool to detect sandbox-related flaws in
> IPDL endpoints.
> - Established mobile security review process to cover projects coming
> through New Mobile Experience pipeline.
> - Identified a number of warnings by building for Windows with gcc, and
> resolved many of them.
>
> = Cross-Team Initiatives =
> Google has become an official Root Store Member of the Common CA Database
> (CCADB).
>
> Security Blog Posts & Presentations
> https://blog.mozilla.org/firefox/introducing-firefox-multi-account-containers/
> https://blog.mozilla.org/security/2017/09/29/improving-aes-gcm-performance/
> https://blog.mozilla.org/security/2017/09/13/verified-cryptography-firefox-57/
> https://hacks.mozilla.org/2017/10/remaking-lightbeam-as-a-browser-extension/
> https://blog.mozilla.org/security/2017/10/04/treating-data-urls-unique-origins-firefox-57/
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform