Mozilla Security Blog

Mitigating Logjam: Enforcing Stronger Diffie-Hellman Key Exchange

Jul 2 2015

In response to recent developments attacking Diffie-Hellman key exchange (https://weakdh.org/) and to protect the privacy of Firefox users, we have increased the minimum key size for TLS handshakes using Diffie-Hellman key exchange to 1023 bits. A small number of servers are not configured to use strong enough keys. If a user attempts to connect to such a server, they will encounter the error “ssl_error_weak_server_ephemeral_dh_key”.

Update 2016-10-03: this was accidentally re-published on September 30, 2016. There has been no change to the minimum accepted Diffie-Hellman key size since this mid-2015 announcement.

Dharma

Jun 29 2015

Christoph Diehl

As soon as a developer at Mozilla starts integrating a new WebAPI feature, the Mozilla Security team begins working to help secure that API. Subtle programming mistakes in new code can introduce annoying crashes and even serious security vulnerabilities that can be triggered by malformed input which can lead to headaches for the user and security exposure.

WebAPIs start life as a specification in the form of an Interface Description Language, or IDL. Since this is essentially a grammar, a grammar-based fuzzer becomes a valuable tool in finding security issues in new WebAPIs because it ensures that expected semantics are followed most of the time, while still exploring enough undefined behavior to produce interesting results.

We came across a grammar fuzzer Ben Hawkes released in 2011 called “Dharma.” Sadly, only one version was ever made public. We liked Ben’s approach, but Dharma was missing some features which were important for us and its wider use for API fuzzing. We decided to sit down with our fuzzing mates at BlackBerry and rebuild Dharma, giving the results back to the public, open source and licensed as MPL v2.

We redesigned how Dharma parses grammars and optimized the speed of parsing and the generating of fuzzed output, added new grammar features to the grammar specification, added support for serving testcases over a WebSocket server, and made it Python 3 ready. It comes with no dependencies and runs out of the box.

In theory Dharma can be used with any data that can be represented as a grammar. At Mozilla we typically use it for APIs like WebRTC, WebAudio, or WebCrypto.

Dharma has no integrated harness. Feel free to check out the Quokka project which provides an easy way for launching a target with Dharma, monitoring the process and bucketing any faults.

Dharma is actively in use and maintained at Mozilla and more features are planned for the future. Ideas for improvements are always greatly welcomed.

Dharma is available via GitHub (preferred and always up-to-date) or via PyPi by running “pip install dharma”.

References
– https://github.com/mozillasecurity/dharma
– https://github.com/mozillasecurity/quokka
– https://code.google.com/p/dharma/

Changes to the Firefox Bug Bounty Program

Jun 9 2015

rforbes@mozilla.com

The Bug Bounty Program is an important part of security here at Mozilla. This program has paid out close to 1.6 million dollars to date and we are very happy with the success of it. We have a great community of researchers who have really contributed to the security of Firefox and our other products.

Those of us on the Bug Bounty Committee did an evaluation of the Firefox bug bounty program as it stands and decided it was time for a change.

First, we looked at how much we award for a vulnerability. The amount awarded was increased to $3000 five years ago and it is definitely time for this to be increased again. We have dramatically increased the amount of money that a vulnerability is worth. On top of that, we took a look at how we decided how much we should pay out. Rather than just one amount that can be awarded, we are moving to a variable payout based on the quality of the bug report, the severity of the bug, and how clearly the vulnerability can be exploited.

Finally, we looked into how we decide what vulnerability is worth a bounty award. Historically we would award $3000 for vulnerabilities rated Critical and High. Issues would come up where a vulnerability was interesting but was ultimately rated as Moderate. From now on, we will officially be paying out on Moderate rated vulnerabilities. The amount that is paid out will be determined by the committee, but the general range is $500 to $2000. This doesn’t mean that all Moderate vulnerabilities will be awarded a bounty but some will.

All of these changes can be found on our website here: here

Another exciting announcement to make is the official release of our Firefox Security Bug Bounty Hall of Fame! This page has been up for a while but we haven’t announced it until now. This is a great place to find your name if you are a researcher who has found a vulnerability or if you want to see all the people who have helped make Firefox so secure.

We will be making a Web and Services Bug Bounty Hall of Fame page very soon. Keep an eye out for that!

https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/

Feel free to mail us at security@mozilla.com with any questions!

MozDef: The Mozilla Defense Platform v1.9

May 20 2015

Jeff Bryner

1 response

At Mozilla we’ve been using The Mozilla Defense Platform (lovingly referred to as MozDef) for almost two years now and we are happy to release v1.9. If you are unfamiliar, MozDef is a Security Information and Event Management (SIEM) overlay for ElasticSearch.

MozDef aims to bring real-time incident response and investigation to the defensive tool kits of security operations groups in the same way that Metasploit, LAIR and Armitage have revolutionized the capabilities of attackers.

We use MozDef to ingest security events, alert us to security issues, investigate suspicious activities, handle security incidents and to visualize and categorize threat actors. The real-time capabilities allow our security personnel all over the world to work collaboratively even though we may not sit in the same room together and see changes as they occur. The integration plugins allow us to have the system automatically respond to attacks in a preplanned fashion to mitigate threats as they occur.

We’ve been on a monthly release cycle since the launch, adding features and squashing bugs as we find them. You can find the release notes for this version here.

Notable changes include:

Support for Google API logs (login/logout/suspicious activity for Google Drive/Docs)
http://cymon.io api integration
myo armband integration

Using the Myo armband in a TLS environment may require some tweaking to allow the browser to connect to the local Myo agent. Here’s a quick config for proxying via nginx. Check out the docs for other tips.

Feel free to take it for a spin on the demo site. You can login by creating any test email/password combination you like. The demo site is rebuilt occasionally so don’t expect anything you put there to live for more than a couple days but feel free to test it out.

Development for the project takes place at mozdef.com and report any issues using the github issue tracker.

May 2015 CA Communication

May 12 2015

Kathleen Wilson

1 response

Mozilla has sent a Communication to the Certification Authorities (CAs) who have root certificates included in Mozilla’s program. Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to support cross-platform development of security-enabled client and server applications. The NSS root certificate store is not only used in Mozilla products such as the Firefox browser, but is also used by other companies in a variety of applications.

The CA Communication has been emailed to the Primary Point of Contact (POC) for each CA in Mozilla’s program, and they have been asked to respond to 5 action items:

Confirm that they are the current Primary POC, or give alternative details;
Confirm that Mozilla has the correct link to their most recent Baseline Requirements audit statement;
Update us on their progress in eliminating use of SHA-1 as a certificate signature algorithm;
Inform us whether they are still issuing certificates with certain problems identified when we moved to mozilla::pkix; and
Tell us about their support for IPv6.

The full action items can be read here. Responses to the survey will be collated using Salesforce and the answers published in June.

With this CA Communication, we re-iterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve.

Mozilla Security Team

Deprecating Non-Secure HTTP

Apr 30 2015

Richard Barnes

288 responses

Today we are announcing our intent to phase out non-secure HTTP.

There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and the US Government calling for universal use of encryption by Internet applications, which in the case of the web means HTTPS.

After a robust discussion on our community mailing list, Mozilla is committing to focus new development efforts on the secure web, and start removing capabilities from the non-secure web. There are two broad elements of this plan:

Setting a date after which all new features will be available only to secure websites
Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.

For the first of these steps, the community will need to agree on a date, and a definition for what features are considered “new”. For example, one definition of “new” could be “features that cannot be polyfilled”. That would allow things like CSS and other rendering features to still be used by insecure websites, since the page can draw effects on its own (e.g., using <canvas>). But it would still restrict qualitatively new features, such as access to new hardware capabilities.

The second element of the plan will need to be driven by trade-offs between security and web compatibility. Removing features from the non-secure web will likely cause some sites to break. So we will have to monitor the degree of breakage and balance it with the security benefit. We’re also already considering softer limitations that can be placed on features when used by non-secure sites. For example, Firefox already prevents persistent permissions for camera and microphone access when invoked from a non-secure website. There have also been some proposals to limit the scope of non-secure cookies.

It should be noted that this plan still allows for usage of the “http” URI scheme in legacy content. With HSTS and the upgrade-insecure-requests CSP attribute, the “http” scheme can be automatically translated to “https” by the browser, and thus run securely.

Since the goal of this effort is to send a message to the web developer community that they need to be secure, our work here will be most effective if coordinated across the web community. We expect to be making some proposals to the W3C WebAppSec Working Group soon.

Thanks to the many people who participated in the mailing list discussion of this proposal. Let’s get the web secured!

Richard Barnes, Firefox Security Lead

Update (2015-05-01): Since there are some common threads in the comments, we’ve put together a FAQ document with thoughts on free certificates, self-signed certificates, and more.

Removing e-Guven CA Certificate

Apr 27 2015

Kathleen Wilson

3 responses

The Certification Authority (CA) certificate owned by e-Guven Elektronik Bilgi Guvenligi A.S. will be removed in Firefox 38 due to insufficient and outdated audits.

The integrity of the secure Web depends on CAs issuing certificates that correctly attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product. Inclusion of a CA certificate in Mozilla products involves a rigorous process and evaluation of the CA’s public-facing policy documentation and audit statements, in order to verify that the CA conforms to the criteria required by Mozilla’s CA Certificate Inclusion Policy.

The CA certificates included in the Mozilla list can be marked as trusted for various purposes, so that the software can use the CA certificates to verify certificates for (1) SSL/TLS servers, (2) S/MIME email users, and/or (3) digitally-signed code objects, without having to ask users for further permission or information. When a CA certificate is trusted for verifying certificates for SSL/TLS servers, Mozilla’s CA Certificate Inclusion Policy requires CAs to annually provide public-facing attestation from an independent party stating that they have audited the CA using one of the following two sets of criteria:

1) Clause 7, “Requirements on CA practice”, in ETSI TS 102 042 V2.3.1 or later version, Policy requirements for certification authorities issuing public key certificates (as applicable to the “EVCP” and “EVCP+” certificate policies, DVCP and OVCP certificate policies for publicly trusted certificates – baseline requirements, and any of the “NCP”, “NCP+”, or “LCP” certificate policies);
OR
2) WebTrust “Principles and Criteria for Certification Authorities 2.0″ or later and “SSL Baseline Requirements Audit Criteria V1.1” (as applicable to SSL certificate issuance) in WebTrust Program for Certification Authorities

Despite many requests for E-Guven to provide current public-facing audit statements that meet the requirements of Mozilla’s CA Certificate Inclusion Policy, the audit statement that Mozilla has for E-Guven indicates that the last supervision of E-Guven was held in 2013 and was not performed according to either of the above sets of criteria. Therefore, discussion about this CA was held in the mozilla.dev.security.policy forum, and the consensus was that E-Guven’s root certificate should be removed.

As always, we recommend that all users upgrade to the latest version of Firefox. This particular change will be in Firefox 38 and future releases of Firefox.

Mozilla Security Team

Distrusting New CNNIC Certificates

Apr 2 2015

Kathleen Wilson

96 responses

Last week, Mozilla was notified that a Certificate Authority (CA) called CNNIC had issued an unconstrained intermediate certificate, which was subsequently used by the recipient to issue certificates for domain names the holder did not own or control (i.e., for MitM). We added the intermediate certificate in question to Firefox’s direct revocation system, called OneCRL, and have been further investigating the incident.

After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC’s behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an ‘egregious practice’ as per Mozilla’s CA Certificate Enforcement Policy. Therefore, after public discussion and consideration of the scope and impact of a range of options, we have decided to update our code so that Mozilla products will no longer trust any certificate issued by CNNIC’s roots with a notBefore date on or after 1st April 2015. We have put together a longer document with more details on the incident and how we arrived at the conclusion we did.

CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla’s inclusion process after completing additional steps that the Mozilla community may require as a result of this incident. This will be discussed in the mozilla.dev.security.policy forum.

The notBefore date that will be checked is inserted into the certificate by CNNIC. We will therefore be asking CNNIC for a comprehensive list of their currently-valid certificates, and publishing it. After the list has been provided, if a certificate not on the list, with a notBefore date before 1 April 2015, is detected on the public Internet by us or anyone else, we reserve the right to take further action.

We believe that this response is consistent with Mozilla policy and is one which we could apply to any other CA in the same situation.

Mozilla Security Team

Introducing Project Seasponge: Quick and Easy Threat Modeling

Apr 2 2015

Jeff Bryner

2 responses

Threat modeling is a crucial but often neglected part of developing, implementing and operating any system. If you have no mental model of a system or its strengths and weaknesses it is extremely difficult to secure it correctly.

In an effort to help make threat modeling easier a Mozilla Winter of Security (MWOS) team has developed Seasponge, a browser-based graphical threat modeling tool. Written specifically for the browser environment, the tool requires no special addons or plugins and allows one to quickly and easily diagram a system and its data flows and begin the important work of focusing on threats.

A demo is worth a thousand meetings and the team of Joel Kuntz, Sarah MacDonald, Glavin Wiechert, Mathew Kallada and professor Dr. Pawan Lingras from Saint Mary’s University in Halifax, Nova Scotia has been generous enough to put together a video explaining the project along with a quick demo:

The code for the project is available on github. A working client is continually posted here for you to try out. Have a look at it and if you spot a bug, or see a feature you’d like please contribute by filing a github issue or even better, by sending a pull request!

Revoking Trust in one CNNIC Intermediate Certificate

Mar 23 2015

Kathleen Wilson

96 responses

Mozilla was recently notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a firewall device that performed SSL man-in-the-middle (MITM) traffic management. It was then used, during the process of inspecting traffic, to generate certificates for domains the device owner does not legitimately own or control. The Certificate Authority (CA) has told us that this action was not permitted by their policies and practices and the agreement with their customer, and they have revoked the intermediate certificate that was loaded into the firewall device. While this is not a Firefox-specific issue, to protect our users we are adding the revoked certificate to OneCRL, our mechanism for directly sending revocation information to Firefox which will be shipping in Firefox 37.

Issue
China Internet Network Information Center (CNNIC), a non-profit organization administrated by Cyberspace Administration of China (CAC), operates the “CNNIC Root” and “China Internet Network Information Center EV Certificates Root” certificates that are included in NSS, and used to issue certificates to organizations and the general public. CNNIC issued an unconstrained intermediate certificate that was labeled as a test certificate and had a two week validity, expiring April 3, 2015. Their customer loaded this certificate into a firewall device which performed SSL MITM, and a user inside their network accessed other servers, causing the firewall to issue certificates for domains that this customer did not own or control. Mozilla’s CA Certificate Policy prohibits certificates from being used in this manner when they chain up to a root certificate in Mozilla’s CA program.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to CNNIC’s customer’s internal network.

Status
Mozilla is adding the revoked intermediate certificate that was mis-used in the firewall device to OneCRL which will be shipping in Firefox 37. Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum. When similar incidents have happened in the past, responses have included requiring additional audits to confirm that the CA updated their procedures, and using name constraints to constrain the CA’s hierarchy to certain domains.

End-user Action
We recommend that all users upgrade to the latest version of Firefox. Firefox 37 and future releases of Firefox (including Firefox 38 ESR) will contain OneCRL which will be used for this certificate revocation and for future certificate revocations of this type.

Credit
Thanks to Google for reporting this issue to us.

Mozilla Security Team