Hello everyone, Tom Ritter, Freddy Braun and I have been working on increasing visibility into all the things that are going on in Firefox Security Engineering. Starting with Q1 2020, we are crafting a quarterly newsletter summarizing Firefox security work across various teams. While we're still editing the Q1 edition, we figured you might enjoy a "2019 in Recap" we put together in the meantime.
You can find it either in the remainder of this email or on https://wiki.mozilla.org/Firefox_Security_Newsletter/FSN-2019, whichever you prefer. If you notice that anything is missing or we didn't properly represent a team, please let us know so that we can improve on that in the future. Thank you, Johann *Firefox Security Newsletter - 2019 in Recap* Maintaining and building a secure modern browser is one of the most challenging tasks in software engineering. You’re up against sharp competition from other browsers and an incredibly large ecosystem of malicious actors and white-hat security researchers. To keep up you need a great team. Working on Firefox, I pride myself with being surrounded by some of the best browser security engineers in the world. In this newsletter we wanted to share what we all have been up to in 2019. In the future we’ll be publishing this update quarterly, using a few categories, with explanations for what they mean right below their headlines. An archive of all newsletters will be permanently available at https://wiki.mozilla.org/Firefox_Security_Newsletter. <https://wiki.mozilla.org/Firefox_Security_Newsletter> It is of course impossible to present the vast amount of work that went into each of the highlighted projects in a single blog post, so I highly recommend following the links to read more about the individual efforts. Privacy /This is our work to deliver a more private experience on the web to all Firefox users./ A big focus of 2019 was the *Anti-Tracking* project. With the 69 release we shipped ETP (_Enhanced Tracking Protection_ < https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop >) to all Firefox users by default. This was a huge milestone for the team and for privacy on the web overall. In addition to our anti-tracking efforts, we also shipped *protections from cryptomining, fingerprinting and social networks* that were tracking users through the web. To highlight these new features, the team built _an entirely new _ <https://blog.mozilla.org/firefox/firefox-privacy-protections/>_*Protections UI*_ <https://blog.mozilla.org/firefox/firefox-privacy-protections/>, that consists of a new panel in the address bar as well as the new about:protections page that allows users to get an overview of their active protections. In addition to our default-on tracking protections, the privacy engineering team also works with the _Tor Browser_ <https://www.torproject.org/> team to develop and integrate more advanced origin isolation and _anti-fingerprinting techniques_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1329996> intended for usage in the Tor Browser. Sometimes those techniques start in Tor Browser and move to Firefox; other times they start in Firefox and move to Tor Browser. The most prominent example of this work in 2019 was _Letterboxing_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1407366>, a way for the browser to shrink the content viewport to make it less unique. In an effort to improve our coverage of Origin Attributes across the code base, Paul Zühlcke added _support for handling OAs in the Firefox permission manager_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1422056>. This means that web permissions can now be scoped by private browsing window, per container or using first party isolation. Steven Englehardt _wrote a summary_ < https://blog.mozilla.org/security/2019/06/06/next-steps-in-privacy-preserving-telemetry-with-prio/ > of our progress on privacy-preserving telemetry with *Prio*. We landed the necessary pieces to perform the privacy-preserving origin telemetry in Nightly and will be testing it before deploying further to Release. The Facebook Container team shipped _Facebook Container 2.0_ <https://blog.mozilla.org/firefox/facebook-container-for-firefox/>, with significant improvements to our extension that keeps Facebook from tracking you around the web for good. Core Security /Core security, for us, means efforts to protect Firefox from vulnerabilities and exploits. This work is usually not exposed to users, but everyone benefits from having a rock-solid secure browser./ In 2019 we shipped *4 security-related “chemspill” releases*, meaning urgent dot-versions of Firefox (e.g. 72.0.1) that contained especially urgent security fixes. Each of these chemspills went out within a day! Several teams concentrated their efforts on *Hardening the Firefox Security Architecture, *with a particular focus on sandbox escapes. Listed below are the main projects that were part of this effort. We improved our protection against JavaScript code injection in browser UI or other privileged areas of code (e.g. about: pages). To this end Gijs _prevented untrusted pages from being loaded in the parent process_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1560178>. Christoph Kerschbaumer _applied CSPs to all of our about: pages_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1492063>. Jonas Allman and Tom Ritter removed and disallowed _usage of eval() in the parent process and system privileged code_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1473549>. Freddy Braun _disallowed non-internal resources_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1513445> do be loaded as documents in privileged contexts. More efforts of this type are underway in 2020. Zombie reduced the possibility of sandbox escapes through malicious IPC messages by _ensuring_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1604058> that IPC messages claiming to come from the extension process do, in fact, come from an actual web extension. The Hardening team, in conjunction with the Low Level Tools team, deployed _memory partitioning_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1052575>, isolating particularly powerful attacker-controlled objects like Strings and ArrayBuffers from other DOM objects, as well as additional guard pages around certain types of memory structures. Jed Davis gave us the ability to share memory with a content process, but _freezing_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1479960> it so the content process cannot write to it. A big effort in 2019 and also in 2020 is the _*Fission*_ <https://wiki.mozilla.org/Project_Fission>_project_ <https://wiki.mozilla.org/Project_Fission>, that aims to achieve true process isolation per site. This is a very extensive project that involves rewriting large parts of the browser and engine code. In 2019 we achieved a number of milestones for Fission progress, such as implementing DocumentChannel (a refactoring of how navigation occurs), building a _multiprocess browser toolbox_ <https://groups.google.com/forum/#!topic/mozilla.dev.platform/daAfrjkYs0c>, burning down _a lot of test failures_ <https://arewefissionyet.com/>. Fission will continue in 2020 where we expect to have something everyone can turn on and report any issues with. The Browser Architecture team was able to remove the last traces of _XBL_ <https://developer.mozilla.org/en-US/docs/Archive/Mozilla/XBL> from Firefox code, eliminating a lot of old code and some obvious attack surfaces for sandbox escapes along the way. Jonas _integrated_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1508659> _Project Wycheproof_ <https://github.com/google/wycheproof> for testing our NSS cryptography library. The Fuzzing team added new targets this year, such as _Necko_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1526258> (the Gecko networking stack) and _IndexedDB_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1499097> and published the _Grizzly Browser Fuzzing Framework_ <https://blog.mozilla.org/security/2019/07/10/grizzly/>. The Platform Security team deployed our most restrictive sandbox yet in the Media Decoder process on _Windows and OSX_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1498624>, and made considerable progress on our multi-year effort to remove win32k from the content process on Windows. With considerable help from :dmajor, the Platform Security team _deployed a limited form of Control Flow Guard_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1485016> support for Windows, with hopes of expanding it in 2020. Haik _spent a considerable amount of time_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1471004> to support Catalina’s new required software notarization scheme and hardened runtime support. Aaron Klotz and Toshihito Kikuchi _worked to improve our telemetry_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1435773> and insight into third party modules that inject in our process on Windows. With the help of a UCSD research team, _we compiled the graphite font rendering_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1562797> library as wasm, enclosing it in a sandbox with data validation. Currently in Beta on Linux x64, this allows us to turn a C library into a memory safe language and firewalling it from the rest of the process. Future expansion to new libraries and OSX and Windows are underway. Firefox Security /Firefox Security means user-exposed security features that allow you to have a safe experience on the web./ The *Firefox Lockwise* team significantly revamped the desktop password manager experience, bringing Lockwise to desktop. New features include a new password management UI (about:logins), _secure password generation, integration with Firefox Monitor_ <https://blog.mozilla.org/firefox/password-security-features/> and _more improvements and bugfixes_ < https://matthew.noorenberghe.com/blog/2019/05/password-manager-improvements-firefox-67 >. We released the Beta version of an entirely new product in the Firefox family: _*Firefox Private Network*_ <https://fpn.firefox.com/>, a VPN and Proxy solution by Mozilla. Our interns Carolina and Danielle built an entirely new *Certificate Viewer *(about:certificate) for Firefox, modeled after the popular _Certainly Something_ <https://addons.mozilla.org/en-US/firefox/addon/certainly-something/> browser extension which itself was developed by April King, another Mozilla engineer. The *DNS-over-HTTPS* project aims to improve the problematic privacy and security properties of DNS for our users. In 2019, the DoH team _ran experiments and added a way for parental controls providers to disable DoH_ < https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/ >, in preparation for the upcoming launch. The Firefox 70 release brought us _new improved security UI indicators_ < https://blog.mozilla.org/security/2019/10/15/improved-security-and-privacy-indicators-in-firefox-70/ >, with a new indicator for insecure HTTP connections, as well as a reduced level of presentation for Extended Validation certificates. We shipped an updated design for our_certificate error pages_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1530327> (built by our Outreachy intern Trisha Gupta) including a brand new error page highlighting when the local system time being off is likely at fault for the error. In an effort to reduce breakage from Anti-Virus and other software that tries to intercept connections without installing their root certificate in the Firefox cert store, the team built a mode where Firefox can *automatically detect MitM-related certificate errors* that would be fixed by importing certificates from the OS root store. In addition to that, _there’s now a message shown in the identity popup when the site is verified by an imported root certificate_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1549605>. The Firefox Add-on Manager now includes an _integrated abuse report mechanism_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1544928>, to help users quickly report malicious add-ons. We _improved our indicators for geolocation usage_ <https://bugzilla.mozilla.org/show_bug.cgi?id=630614> to include an in-use indicator and show when geolocation was last accessed by the site. Web Security /This encompasses efforts to build features that allow web developers to build more secure sites. It sometimes also means restrictions made on web developers to *force* them to build more secure sites./ The Crypto Engineering team released _Web Authentication in Firefox for Android_ < https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/ >. We announced our plan to _remove support for TLS 1.0 and 1.1 in March 2020_ <https://hacks.mozilla.org/2019/05/tls-1-0-and-1-1-removal-update/>. In 2019, we started rolling this change out to Nightly users and implemented a temporary override to allow early testers to avoid breakage. After a _series of experiments_ < https://blog.nightly.mozilla.org/2019/04/01/reducing-notification-permission-prompt-spam-in-firefox/ >, we launched _strong restrictions_ < https://blog.mozilla.org/futurereleases/2019/11/04/restricting-notification-permission-prompts-in-firefox/ > on notification permission prompts that will reduce the massive annoyance they presented to users of the web. Johann Hofmann _put web push notifications behind secure context_ <https://groups.google.com/forum/#!topic/mozilla.dev.platform/FMPrIMGBNtg>. Ehsan Akhgari _removed the ability_ <https://bugzilla.mozilla.org/show_bug.cgi?id=1560741> for third party iframes to use web notifications. In a cooperation with Cloudflare, the Crypto Engineering team started to experiment with _Delegated Credentials for TLS_ < https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/ >, a mechanism which can alleviate trust concerns around distributing private keys to CDNs, without any of the performance overhead from alternative solutions. Jonathan Kingston sent out an intent to _remove AppCache_ < https://www.fxsitecompat.dev/en-CA/docs/2019/application-cache-storage-has-been-removed-in-nightly-and-early-beta/ >, starting with Nightly and Beta in version 71 and to be unshipped in Release in 2020. In several cases, Paul Zühlcke limited the ability for websites to spam _window-modal dialogs_ <https://bugzilla.mozilla.org/show_bug.cgi?id=616843>, which were abused for DOS-style attacks to extort or confuse users. Security Ecosystem Our *Bug Bounty program* is getting a lot of love in 2020, and we kicked it off with two improvements in 2019: we significantly increased _payments in the Mozilla Web Security Bounty Program_ < https://blog.mozilla.org/security/2019/11/19/updates-to-the-mozilla-web-security-bounty-program/ > and we created a static analysis bounty, _adding CodeQL and clang to our Bug Bounty Program_ < https://blog.mozilla.org/security/2019/11/14/adding-codeql-and-clang-to-our-bug-bounty-program/ >. As part of encouraging more participation in the Bug Bounty program, we’re also working to provide walkthroughs that help people get involved. We published _two_ <https://frederik-braun.com/firefox-ui-xss-leading-to-rce.html> _blog articles_ < https://blog.mozilla.org/security/2019/12/02/help-test-firefoxs-built-in-html-sanitizer-to-protect-against-uxss-bugs/ > specifically about the built-in HTML Sanitizer, where and how we rely on it, and how to get set up for testing it for bypasses in an iterative fashion in less than 30 seconds. The _MOSS Program_ <https://www.mozilla.org/en-US/moss/> funds development of open source software through grants; and also provides funding for security audits. Typically these happen in the background but every once in a while we discover something particularly impactful, like _this Critical Security Issue identified in iTerm2._ < https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/ > The *Mozilla Security Engineering University Relationship Framework* (_SURF_ <https://surf.mozilla.org/>) initiative hosted two conferences in 2019, in _San Franscisco in May_ <https://surf.mozilla.org/events/2019/sf/> and in _Vienna in November_ <https://surf.mozilla.org/events/2019/vienna/>. Steven Englehardt and Marshall Erwin _published the first release_ < https://blog.mozilla.org/security/2019/01/28/defining-the-tracking-practices-that-will-be-blocked-in-firefox/ > of our _anti-tracking policy_ <https://wiki.mozilla.org/Security/Anti_tracking_policy>. Wayne Thayer announced _version 2.7 of the Mozilla Root Store Policy_ < https://blog.mozilla.org/security/2019/12/11/announcing-version-2-7-of-the-mozilla-root-store-policy/ >. As a reaction to the _MitM attacks by the Kazakhstan Government_ <https://censoredplanet.org/kazakhstan> using a custom root certificate, Firefox, in joint action with Google Chrome, _blocked the use of the Kazakhstan root certificate_ < https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/ >. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
