Mozilla Security Blog

This week the Pwn2Own competition took place as part of the CanSecWest security conference. The Pwn2Own competition provides cash rewards for individuals that are able to demonstrate a security vulnerability in browsers or the browser plugins Flash and Java.

Researchers successfully demonstrated new security vulnerabilities in all three browsers tested - Firefox, Chrome and IE. At the conclusion of the event we received technical details about the exploit so we could issue a fix.

We received the technical details on Wednesday evening and within less than 24 hours diagnosed the issue, built a patch, validated the fix and the resulting builds, and deployed the patch to users. Our fast turn around time on this security issue is a reflection of the priority and focus we place on security. Security is more than a side item for us, it’s part of our core principles.

We encourage community research within security and started the first major bug bounty program in 2004 for Firefox. Since then we’ve worked closely with experts around the world to help grow and mature security research. All security research and corresponding discoveries are used to proactively protect Firefox users as part of our larger security assurance program.

Find out more about how to get involved in Mozilla’s bug bounty program – http://www.mozilla.org/security/bug-bounty.html

Michael Coates
Director of Security Assurance

Announcing Version 2.1 of Mozilla CA Certificate Policy

Feb 15 2013

mcoates

Mozilla released version 2.1 of the Mozilla CA Certificate Policy. This version adds a requirement for either the technical constraint or the audit of subordinate CA certificates, and requires CAs who issue SSL certificates to comply with the CA/Browser Forum Baseline Requirements.

Mozilla is working towards stronger controls and visibility of publicly-trusted issuing certificates in order to make better trust decisions, detect security incidents faster, and limit the impact of each security incident. Version 2.1 of Mozilla’s CA Certificate Policy encourages CAs to technically constrain subordinate CA certificates using RFC 5280 extensions that are specified directly in the intermediate certificate and controlled by crypto code (e.g. NSS). We recognize that technically constraining subordinate CA certificates in this manner may not be practical in some cases, so the subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla’s CA Certificate Policy.

All subordinate CA certificates that are issued after May 15, 2013 must comply with version 2.1 of Mozilla’s CA Certificate Policy, and all pre-existing subordinate CA certificates must be updated to comply with version 2.1 of Mozilla’s CA Certificate Policy for new certificate issuance by May 15, 2014. This time frame takes into account the impact that the new requirements might have on large enterprise subordinate CAs who may need to plan and budget for new infrastructure and audits.

Audit criteria have recently been released for the CA/Browser Forum’s “Baseline Requirements for the Issuance and Management of Publicly Trusted Certificates” (BRs). Therefore, Version 2.1 of Mozilla’s CA Certificate Policy requires CAs to update their operations and SSL certificate issuance to comply with version 1.1 of the BRs. The BRs provide clear standards for CAs on important subjects including verification of identity, certificate content and profiles, CA security, revocation mechanisms, and use of algorithms and key sizes. As of February 2013, SSL certificate issuance must be audited according to the BR criteria, but initial BR audits for each CA and subCA that include a reasonable list of exceptions will be considered and potentially accepted.

Mozilla sent a CA Communication in January requesting that CAs review the draft of version 2.1 of Mozilla’s CA Certificate Policy and evaluate their current operations in regards to the Baseline Requirements. Responses to this communication are publicly posted and discussed in the mozilla.dev.security.policy forum. CAs are planning to complete their necessary system and documentation upgrades according to the grace periods that Mozilla provided. Many CAs continue to diligently work towards compliance with the BRs, the most common effort being to implement OCSP. Additionally, we asked CAs to scan their certificate databases to identify and revoke certificates that were not issued in accordance with certain recommended practices.

With these updates to Mozilla’s CA Certificate Policy, we re-iterate our belief that each root is ultimately accountable for every certificate it signs, directly or through its subordinates. Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them. Nevertheless, we believe that security is best served when browsers and CAs can work together; we hope that frank communication and clear expectations can resolve these issues before any such action is required. We must also be diligent in looking for new ways to improve the security systems of the web. Those systems are built on the trust of web users, and we all have a responsibility to be strong stewards of that trust.

Mozilla Security Team

Using CryptoStick as an HSM

Feb 13 2013

gdestuynder

Mozilla maintains a wide range of services which are secured using different solutions. For internal repositories, our Operations Security team has chosen to use the low-cost, open source and open hardware CryptoStick from the German Privacy Foundation.

Advantages of using an HSM
An HSM is a Hardware Security Module. It’s a hardware card, stick, device able to perform crypto operations. In general, it stores private keys which are used to sign, encrypt or authenticate.
The key itself never leaves the hardware, thus attackers cannot steal the key (i.e., if the hardware is disconnected, the key cannot be used anymore.)

Note: In the event the system is compromised, the connected key can still be used. Thus, the access to the system should be otherwise secured and the key should be removed when not in use.

Our use case
Internal package repositories, such as RPM or Deb. all use GnuPG for package signing.
Mozilla’s architecture is however broad and different teams use different platforms, at different places, in different networks.
We want to ensure that the packages they install are signed by us, and while we’re at it, have a good level of assurance that the key used for signing cannot be compromised or stolen.
We also need redundancy.

Many community-owned projects, such as Linux distributions have to deal with the exact same issue. Often, the signing machine has no HSM. This is one of the possible solutions.

About the CryptoStick
The choice was driven by:

The openness of the project
The size and connectivity (USB)
No real smart card, yet easy to physically disconnect
The integration with GnuPG (OpenPGP Smart card, ISO 7816-4)
Low price and ease of getting additional sticks
Speed, support and certifications were not a requirement

The major point being, that the CryptoStick operates without any smart card, but emulates one instead.

Note: while we focus here on using OpenPGP for signing, the stick also supports other standards, such as x509 certificates and SSH authentication.

Our setup
We use BL460c blade servers which have an internal USB port. Dimensions are perfect for the CryptoStick.

We have decided on having two repository machines for redundancy, signing with the same keys.
We also needed to be able to replace the hardware easily (both machines and the CryptoStick) in case of failure, which involves backing up the private key off-site. Finally, we needed the signing to happen automatically.

Some modifications were needed in order to make this work:

Custom PIN-entry program
As the OpenPGP smart card standard requires entering a user PIN upon signing, we needed this user PIN to be entered automatically. Consequently, we assume the user PIN adds no security in our setup.

A simple script is used as pinentry program: https://github.com/gdestuynder/pinentry-auto

Note: the non-enforcing user PIN option only allows for caching the user PIN upon successfully entering the user PIN a first time, which would defeat the purpose of automatic signing in case of system reboot, process restart, etc.

One private signing key, multiple sticks
The OpenPGP smart card standard also require the private keys generated on the HSM to contain the card’s serial number. While it allows for a software backup at creation time, the backup also contains the card’s serial number. The hardware will refuse to load those keys on a CryptoStick with a different serial number.

There is a different way to work around this issue. The stick also supports importing private keys. By using an offline machine, it is possible to generate the signing key in software using traditional GnuPG commands, and import it on the stick.
This allowed us to import the signing key on different sticks, and to keep an off-site backup.

This is also the most significant difference with traditional HSMs, which requires a set of smart cards to protect and import the key backup. In our use case, we decided that the trade-off was acceptable.

Note: when possible, it’s recommended to keep a master signing key offline, and create software signing GnuPG sub-keys. In the unlikely event of HSM compromise, it is then possible to revoke the sub-keys while retaining the trust of the master key, which then is simply used to issue new signing sub-keys. Not all package repositories support this feature.

Advanced usage, some commands
Here are some sample commands that are commonly used with the CryptoStick.

Note: it’s generally more convenient to have the gpg-agent running, for speed,and for PIN caching. General usage, such as encryption, signing and authentication work with the exact same commands as with a regular GnuPG or SSH key.

Get card info:
$ gpg –card-status

scdaemon[10692]: updating slot 0 status: 0x0000->0x0007 (0->1) Application ID ...: D2760001240102000005000014731337 Version ..........: 2.0 Manufacturer .....: ZeitControl Serial number ....: 00001478 Name of cardholder: Mozilla Language prefs ...: en Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: [not set] Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 16 Signature key ....: 067A A494 9B64 347D FA2E EEEE 9B3C 64F9 8006 EEEE created ....: 2013-01-17 22:40:53 Encryption key....: 3C00 DA66 554D 67FE 8607 1AAB AAAA C9F2 AAAA 1D67 created ....: 2013-01-17 22:40:53 Authentication key: 1AF9 988A 0EAB 6F10 D69C 2DFC EF3B CCCC 784E A733 created ....: 2013-01-17 22:40:53 General key info..: [none]

Set User and Admin PIN. Defaults are 123456 and 12345678 respectively:
$ gpg --card-edit Command> admin Admin commands are allowed Command> passwd

Generate keys (you need to have setup the PINs above first):
$ gpg --card-edit Command> admin Admin commands are allowed Command> generate

Import existing key (only recommended if the original keys were generated on a trusted machine, such as an offline machine that has never been connected to the network):
Note: this will erase the key from disk during the import. If necessary, make an extra backup of the key first.

$ gpg --edit-key gpg> toggle gpg> keytocard (say yes) gpg> save gpg> quit

Reset to factory defaults:
Make sure GnuPG agent is started, if not:
$ eval $(gpg-agent --daemon)

Send the reset commands:
$ gpg-connect-agent < file

Where “file” contains:
hex scd serialno scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 e6 00 00 scd apdu 00 44 00 00 /echo Reset complete

Putting Users in Control of Plugins

Jan 29 2013

mcoates

Mozilla is changing the way Firefox loads third party plugins such as Flash, Java and Silverlight. This change will help increase Firefox performance and stability, and provide significant security benefits, while at the same time providing more control over plugins to our users.

Previously Firefox would automatically load any plugin requested by a website. Leveraging Click to Play Firefox will only load plugins when a user takes the action of clicking to make a particular plugin play or the user has previously configured Click To Play to always run plugins on the particular website.

More User Control
Users should have the choice of what software and plugins run on their machine. Click to Play allows users to easily choose if they wish to run a plugin on a particular site. Users can also configure sites to never run plugins or conversely always run plugins. This change puts the user in control.

Increased Performance & Stability
Poorly designed third party plugins are the number one cause of crashes in Firefox and can severely degrade a user’s experience on the Web. This is often seen in pauses while plugins are loaded and unloaded, high memory usage while browsing, and many unexpected crashes of Firefox. By only activating plugins that the user desires to load, we’re helping eliminate pauses, crashes and other consequences of unwanted plugins.

Significant Security Benefits
One of the most common exploitation vectors against users is drive by exploitation of vulnerable plugins. In this kind of attack, a user with outdated or vulnerable plugins installed in their browser can be infected with malware simply by browsing to any site that contains a plugin exploit kit. We’ve observed plugin exploit kits to be present on both malicious websites and also otherwise completely legitimate websites that have been compromised and are unknowingly infecting visitors with malware. In these situations the website doesn’t have any legitimate use of the plugin other than exploiting the user’s vulnerable plugin to install malware on the their machine. The Click to Play feature protects users in these scenarios since plugins are not automatically loaded simply by visiting a website.

In addition to the security benefits provided by Click to Play Mozilla also strongly recommends that users keep their plugins up to date. The following website can be used to determine if plugins are current.
https://www.mozilla.org/plugincheck/

Implementing this change
Our plan is to enable Click to Play for all versions of all plugins except the current version of Flash. Click to Play has already been enabled for many plugins that pose significant security or stability risks to our users. This includes vulnerable and outdated versions of Silverlight, Adobe Reader, and Java.

More specifically, our next steps are the following:
1. Click to Play old versions of Flash (versions <=10.2.*) and slowly add more recent insecure Flash versions to the Click to Play list. Note: The most current version of Flash will NOT have Click To Play.

After we complete final UI work:
2. Click to Play current versions of Silverlight, Java, and Acrobat Reader and all versions of all other Plugins.

During this change we will monitor the results and feedback of the new settings and UI to ensure we’re providing a quality experience and delivering the many benefits of Click to Play to Firefox users.

Michael Coates
Director of Security Assurance

Using Coverage Data for Security

Jan 22 2013

decoder

We recently started measuring C/C++ code coverage on mozilla-central again and documented the various efforts around it in a new MDN article. Continue reading …

Protecting Users Against Java Vulnerability

Jan 11 2013

mcoates

Update – January 18, 2013

Mozilla is extending Click to Play for Java 7u11 due to reports of exploit code available for 7u11 and information that all elements of the original Java bug have not been fully addressed by Oracle in the 7u11 patch.

Update – January 13, 2013

Oracle has released an update to address this vulnerability. Read more here and download updates here.

Issue

Mozilla is aware of a security vulnerability in the current version of Java (Java 7 Update 10) that is being actively exploited and affects any browser using the Java plugin. Firefox users may be vulnerable to this issue if they have the Java plugin installed in their browser. Information on how to check which plugins are installed can be found here.

Impact
An attacker could exploit this vulnerability to execute malicious software on a victim’s machine. This vulnerability is being actively used in attacks and the malicious exploit code is also available in common exploit kits.

Status

~~There is no patch currently available for this issue from Oracle.~~ To protect Firefox users we have enabled Click To Play for recent versions of Java on all platforms (Java 7u9, 7u10, 6u37, 6u38). Firefox users with older versions of Java are already protected by existing plugin blocking or Click To Play defenses.

The Click To Play feature ensures that the Java plugin will not load unless a user specifically clicks to enable the plugin. This protects users against drive-by exploitation, one of the most common exploit techniques used to compromise vulnerable users. Click To Play also allows users to enable the Java plugin on a per-site basis if they absolutely need the Java plugin for the site.

Demo screenshot of Click To Play

Additional Information

We encourage users to always keep plugins up to date. Visit the plugin check website to update plugins now.

Information to fully disable the Java plugin can be found at the following page: http://support.mozilla.org/kb/How to turn off Java applets

Michael Coates
Director of Security Assurance

Revoking Trust in Two TurkTrust Certificates

Jan 3 2013

mcoates

Update: For clarification, the last sentence of this post references our actions to suspend inclusion of a TURKTRUST root certificate. There are currently two TURKTRUST root certificates included in Mozilla’s CA Certificate program. TURKTRUST had requested that a newer root certificate be included, and their request had been approved and was in Firefox 18 beta. However, due to the mis-issued intermediate certificates, we decided to suspend inclusion of their new root certificate for now.

Issue

TURKTRUST, a certificate authority in Mozilla’s root program, mis-issued two intermediate certificates to customers. TURKTRUST has scanned their certificate database and log files and confirmed that the mistake was made for only two certificates.

This is not a Firefox-specific issue. Nevertheless, we are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates.

Impact

An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, If the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.

Status

Mozilla is actively revoking trust for the two mis-issued certificates which will be released to all supported versions of Firefox in the next update on Tuesday 8th January.

We have also suspended inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review.

Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum.

Credit

This issue was initially reported to us by Google, Inc.

Michael Coates
Director of Security Assurance

HTTP Strict Transport Security

Dec 26 2012

mgoodwin

The lack of (or inconsistent use of) SSL puts users’ security and privacy at risk. Increasingly, popular sites require SSL not only for operations which are known to directly involve private data (login, etc) but for entire sessions. This is a good thing.

Unfortunately, there are a number of techniques an attacker can use to work around this. The most well known of these is SSL-Stripping in which an active man-in-the-middle can intercept traffic between the browser and the server, downgrading what should be an HTTPS connection to an unencrypted HTTP connection.

HSTS (HTTP Strict Transport Security) is designed to make attacks like this harder; it allows servers to specify that all subsequent connections must be made via HTTPS for a specified period of time. If a request is made over HTTP it will be automatically upgraded by the browser. Also, if the SSL certificate for an HSTS enabled site can’t be verified, the requested document won’t be loaded.

There’s a gap in this protection though; if your initial connection to a site is intercepted, not only could your connection still be downgraded but the attacker could also stop the browser from seeing the HSTS header too. This can be resolved for popular sites that use HSTS by means of an in-browser preload list (coming soon in Firefox 17 – currently in Beta). You can read more about preloading HSTS in our earlier post on the subject.

Firefox has supported HSTS since version 4; we think it’s about time your site did too. You can learn more about HSTS and how to implement it in this article on MDN.

Rebooting Security Engagement at Mozilla

Dec 20 2012

Curtisk

We recently announced a reboot of our efforts to engage with security contributors at Mozilla. Today our strongest and most lasting contributor relationships are with individuals searching for bug bounties. While this program has been very successful, this model sets up a relationship where the only tangible contribution is a bug that may or may not result in a bounty. Instead we want to encourage growth in knowledge from those willing to learn, the creation of open source tools for security work and recognize the natural asymmetric challenges of an open source project that competes with closed source offerings.

In order to do this we have to recognize some unique challenges that security work has in an open project. The first issue being one of trust, as the information that is available in the normal course of our work could harm users in the wrong hands. Secondly that access to security knowledge is not conveyed simply by employment at Mozilla Corporation but by membership in the Security Group (which isn’t changing in any way). To date there has not been a clear path to get involved with security at Mozilla, and this new program aims to change that.

Contributor & Security Contributor
All contributors, individuals who contribute code to the various projects are already important participants in existing security review processes. However, we want to encourage security-minded contributors into providing more active involvement in the Mozilla security community.

The title “Security Contributor” is how we differentiate those contributors who provide security related content including (but not limited to): Brown Bag Presentations, Conference Talks, MDN documentation Security Review Documentation, Security Tool contributions, Vulnerability Defence Documentation.They file security bugs, but not necessarily in pursuit of bug bounties and they contribute patches for security bugs. They may over time also gain increased access to security bugs as needed for the work they are doing.

Security Champions
Champions are active members of a team that help to make decisions about when to engage others from the Security Team. They are recognized as an expert on a product or area as well as having security knowledge and expertise. Champions continue to do the work they do today but take on some added responsibility for guiding security decisions and verifying the security direction of the team they are already with.

One of those tasks would be helping to triage bugs in that component or area and get them into the hands of people who can make a difference in fixing and prioritizing them. As part of this program each champion has a direct contact in the Security Assurance team that they can ask questions of and get guidance when needed. This program has already begun and is actively looking for more people that want to be a part of it. As well our commitment to the success of this means we will be providing training and tools to ensure success.

Security Mentors
Our last group of contributors is one designed to maximize the impact of special knowledge for everyone. Mentors have expertise in a domain area, such as cryptography, JavaScript, memory models, or fuzzing etc. This group also is willing to mentor those that have questions or need guidance in a more general way. They don’t take on the extra work of our champions but are willing to work one on one to help others gain knowledge while working on a specific task. The program for this is also just getting started. We’ve lined up a group of people from the Security Assurance team and made some contacts with academic institutions to help drive some specific actions that we think will be rewarding for both parties.

This journey is just beginning, we hope that those of you reading this will find a place where you can engage with the project, grow in skill and become a part of our community.

Preloading HSTS

Nov 1 2012

dkeeler

HSTS (HTTP Strict Transport Security [1][2]) is a mechanism by which a server can indicate that the browser must use a secure connection when communicating with it. It can be an effective tool for protecting the privacy and security of users and their data.

However, when connecting to an HSTS host for the first time, the browser won’t know whether or not to use a secure connection, because it has never received an HSTS header from that host. Consequently, an active network attacker could prevent the browser from ever connecting securely (and even worse, the user may never realize something is amiss). To mitigate this attack, we have added to Firefox a list of hosts that want HSTS enforced by default. When a user connects to one of these hosts for the first time, the browser will know that it must use a secure connection. If a network attacker prevents secure connections to the server, the browser will not attempt to connect over an insecure protocol, thus maintaining the user’s security.

Our “preload list” has been seeded with entries from Chrome’s list of a similar function. To build our preload list, a request is sent to every host with ‘mode: “force-https”‘ on Chrome’s list. Only if a host responds with a valid HSTS header with an appropriately large max-age value (currently greater than or equal to 10886400, which is eighteen weeks) do we include it in our list. We also see if the includeSubdomains value for the entry on Chrome’s list is the same as what we receive in the response header (if they do not match, we use the one we receive).

We limit the list to hosts that send a large max-age under the assumption that these sites will not revert to non-HSTS status. However, this may become necessary. Suppose ownership of a domain on the preload list is transferred and the new owner decides to no longer use HSTS. The HSTS spec allows the site to send a header with the directive “max-age=0″. This indicates that HSTS should not be enforced for that host, and the browser would honor this. The preload list must replicate this behavior.

To accomplish this task, we introduce the concept of “knockout” entries in our HSTS implementation. When the browser receives an HSTS header with “max-age=0″, a knockout entry is stored that overrides the corresponding entry in the preload list. The knockout entry essentially says, “We have no HSTS information regarding this host.” As a result, the browser behaves as if the host were not on the preload list.

However, the normal rules of the “includeSubdomains” directive still apply. This can result in non-intuitive behavior. Suppose child.example.com is on the preload list, but has delivered a header with the directive “max-age=0″. Further suppose that example.com has sent a header with “includeSubdomains” and a non-expired max-age. The knockout value means the preload list will not be consulted for “child.example.com”. However, since we do have an entry for “example.com” where includeSubdomains is true, child.example.com is still an HSTS host (as is any other subdomain of example.com). Hence the browser will only connect to child.example.com over a secure connection, despite the fact that it has a knockout entry.

In short, HSTS in combination with a preloaded list of sites can be a great tool for increasing the security of users, but care must be taken with the includeSubdomains directive. This feature is currently in Firefox Beta, so download a recent build and give it a spin.

Updated on Nov. 5th, 2012 to clarify the minimum max-age value and to change some formatting.