User:Sohom Datta/ffx

From Wikipedia, the free encyclopedia

Security

From its inception, Firefox was positioned as a security-focused browser. At the time, Internet Explorer, the dominant browser, was facing a security crisis. Multiple vulnerabilities had been found, and malware like Download.Ject could be installed simply by visiting a compromised website. The situation was so bad that the US Government issued a warning against using Internet Explorer.[1] Firefox, being less integrated with the operating system, was considered a safer alternative, since it was less likely to have issues that could completely compromise a computer. This led to a significant increase in Firefox's popularity during the early 2000s as a more secure alternative.[2][3] Moreover, Firefox was considered to have fewer actively exploitable security vulnerabilities than its competitors. In 2006, The Washington Post reported that exploit code for known security vulnerabilities in Internet Explorer was available for 284 days before the problem was fixed, compared to only nine days for Firefox.[4] A Symantec study from the same period showed that even though Firefox had a higher number of vulnerabilities, on average vulnerabilities were fixed faster in Firefox than in other browsers during that period.[5]

During this period, Firefox used a monolithic architecture, like most browsers at the time. This meant all browser components ran in a single process with access to all system resources. This setup had multiple security issues. If a web page used too many resources, the entire Firefox process would hang or crash, affecting all tabs. Additionally, any exploit could easily access system resources, including user files. Between 2008 and 2012, most browsers shifted to a multiprocess architecture, isolating high-risk components like rendering, media, GPU, and networking in separate processes.[6] However, Firefox was slower to adopt this change. It wasn't until 2015 that Firefox started its Electrolysis (e10s) project to implement sandboxing across multiple components. This rewrite relied on Chromium's interprocess communication library and placed various components, including the rendering component, in their own sandboxes.[7] Firefox released this rewrite into beta in August 2016, noting a 10-20% increase in memory usage, which was lower than Chrome's at the time.[8] However, the rewrite caused issues with the legacy extension API, which was not designed for cross-process communication and required cross-process shim code to function correctly.[8] After over a year in beta, the rewrite was enabled by default for all users of Firefox in November 2017.[9]

In 2012, Mozilla launched a new project called Servo to write a completely new and experimental browser engine using memory-safe techniques, written in Rust.[10] In 2018, Mozilla opted to integrate parts of the Servo project into the Gecko engine in a project codenamed Quantum.[11] The project completely overhauled Firefox's page rendering code, resulting in performance and stability gains while also improving the security of existing components.[12] Additionally, the older incompatible extension API was removed in favour of a WebExtension API that more closely resembled Google Chrome's extension system. This broke compatibility with older extensions but resulted in fewer vulnerabilities and a much more maintainable extension system.[13] While the Servo project was intended to replace more parts of the Gecko engine,[14] this plan never came to fruition: in 2020, Mozilla laid off all developers on the Servo team, transferring ownership of the project to the Linux Foundation.[15]

Firefox limits scripts from accessing data from other websites based on the same-origin policy.[16] It also provides support for smart cards to web applications, for authentication purposes.[17] It uses TLS to protect communications with web servers using strong cryptography when using the HTTPS protocol.[18] The freely available HTTPS Everywhere add-on enforces HTTPS, even if a regular HTTP URL is entered. Firefox now supports HTTP/2.[19]

The Mozilla Foundation offers a "bug bounty" (US$3,000 to US$7,500 cash reward) to researchers who discover severe security holes in Firefox.[20] Official guidelines for handling security vulnerabilities discourage early disclosure of vulnerabilities so as not to give potential attackers an advantage in creating exploits.[21]

On January 28, 2013, Mozilla was recognized as the most trusted internet company for privacy in 2012.[22] This study was performed by the Ponemon Institute and was a result of a survey from more than 100,000 consumers in the United States.[citation needed]

In February 2013, plans were announced for Firefox 22 to disable third-party cookies by default. However, the introduction of the feature was then delayed so Mozilla developers could "collect and analyze data on the effect of blocking some third-party cookies." Mozilla also collaborated with Stanford University's "Cookie Clearinghouse" project to develop a blacklist and whitelist of sites that will be used in the filter.[23][24]

Version 23, released in August 2013, followed the lead of its competitors by blocking iframe, stylesheet, and script resources served from non-HTTPS servers embedded on HTTPS pages by default. Additionally, JavaScript could no longer be disabled through Firefox's preferences, and JavaScript was automatically re-enabled for users who upgraded to 23 or higher with it disabled. The change was made due to its use across the majority of websites, the potential repercussions on inexperienced users who are unaware of its impact, and the availability of extensions such as NoScript, which can disable JavaScript in a more controlled fashion. The following release added the ability to disable JavaScript through the developer tools for testing purposes.[25][26][27]

Beginning with Firefox 48, all extensions must be signed by Mozilla to be used in release and beta versions of Firefox. Firefox 43 blocked unsigned extensions but allowed enforcement of extension signing to be disabled. All extensions must be submitted to Mozilla Add-ons and be subject to code analysis in order to be signed, although extensions do not have to be listed on the service to be signed.[28][29] On May 2, 2019, Mozilla announced that it would be strengthening the signature enforcement with methods that included the retroactive disabling of old extensions now deemed to be insecure. A Firefox update on May 3 led to bug reports about all extensions being disabled. This was found to be the result of an overlooked certificate and not the policy change set to go into effect on June 10.[30]

In Firefox versions prior to 7.0, an information bar appeared on the browser's first start asking users whether they would like to send performance statistics, or "telemetry", to Mozilla. It is enabled by default in development versions of Firefox, but not in release versions.[31] According to Mozilla's privacy policy,[32] these statistics are stored only in aggregate format, and the only personally identifiable information transmitted is the user's IP address.

Since version 60, Firefox includes the option to use DNS over HTTPS (DoH), which causes DNS lookup requests to be sent encrypted over the HTTPS protocol. To use this feature, the user must set certain preferences beginning with "network.trr" (Trusted Recursive Resolver) in about:config: if network.trr.mode is 0, DoH is disabled; 1 activates DoH in addition to unencrypted DNS; 2 causes DoH to be used before unencrypted DNS; to use only DoH, the value must be 3. Setting network.trr.uri to the resolver's URL activates special Cloudflare servers.[33][34] Mozilla has a privacy agreement with this server host that restricts its collection of information about incoming DNS requests.[35]
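The difference between the network.trr.mode values matters for a defender auditing a deployed profile: modes 1 and 2 still allow lookups to fall back to plaintext DNS, so only mode 3 guarantees that queries never leave the host unencrypted. The following added example (not Mozilla's code) parses user_pref() lines from a Firefox user.js file and reports which mode is in effect and whether plaintext fallback remains possible; the sample files and the resolver URL doh.example are constructed placeholders.

```python
import re

# Meaning of each network.trr.mode value, as described above.
TRR_MODES = {
    0: "DoH disabled; all lookups use plaintext DNS",
    1: "DoH used in addition to plaintext DNS",
    2: "DoH preferred, plaintext DNS used as fallback",
    3: "DoH only; no plaintext fallback",
}

# Firefox user.js / prefs.js lines have the form: user_pref("name", value);
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')


def parse_user_js(text):
    """Parse user_pref() lines into a dict of typed values (bool, int or str)."""
    prefs = {}
    for m in _PREF_RE.finditer(text):
        key, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.lstrip("-").isdigit():
            prefs[key] = int(raw)
        else:
            prefs[key] = raw.strip('"')
    return prefs


def assess_doh(prefs):
    """Return (mode, description, findings); a finding is a setting that still leaks or breaks DoH."""
    mode = prefs.get("network.trr.mode", 0)  # Firefox treats an unset mode as 0
    uri = prefs.get("network.trr.uri", "")
    findings = []
    if mode not in TRR_MODES:
        return mode, "unrecognised mode", [f"unknown network.trr.mode {mode}"]
    if mode in (1, 2):
        findings.append("plaintext DNS fallback possible: lookups can leak to the local resolver")
    if mode != 0 and not uri.startswith("https://"):
        findings.append("network.trr.uri missing or not an https:// URL; DoH cannot be used")
    return mode, TRR_MODES[mode], findings


# Constructed sample profiles; doh.example is a placeholder, not a real resolver.
WEAK_USER_JS = '''
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://doh.example/dns-query");
'''
STRICT_USER_JS = '''
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://doh.example/dns-query");
'''
```

Running assess_doh(parse_user_js(WEAK_USER_JS)) reports the fallback finding for mode 2, while the strict profile produces no findings.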

On May 21, 2019, Firefox version 67.0 added the ability to block scripts that use a computer's CPU to mine cryptocurrency without the user's permission. The update also allowed users to block known fingerprinting scripts that track their activity across the web; however, it does not resist fingerprinting on its own.[36]

On July 2, 2019, Mozilla introduced a mechanism to allow Firefox to automatically trust OS-installed certificates to prevent TLS errors.[37]

In October 2019, ZDNet reported Firefox version 68 ESR passed all minimum requirements for mandatory security features during an exam by the Federal Office for Information Security of Germany.[38]

In March 2021, Firefox 87 introduced SmartBlock to offer protection against cross-site tracking without breaking the websites users visit.[39] Also known as state partitioning or "total cookie protection", the feature isolates data from each site visited by the user so that cross-site scripting is very difficult, if not impossible. It also isolates local storage, service workers and other common ways for sites to store data.[40]

  1. Captain, Sean (11 August 2019). "Firefox at 15: its rise, fall, and privacy-first renaissance". Fast Company. Retrieved 6 June 2024.
  2. Mossberg, Walter S. (September 16, 2004). "How to Protect Yourself From Vandals, Viruses If You Use Windows". The Wall Street Journal. Archived from the original on February 21, 2007. Retrieved October 17, 2006. I suggest dumping Microsoft's Internet Explorer Web browser, which has a history of security breaches. I recommend instead Mozilla Firefox, which is free at mozilla.org. It's not only more secure but also more modern and advanced, with tabbed browsing, which allows multiple pages to be open on one screen, and a better pop-up ad blocker than the belated one Microsoft recently added to IE.
  3. Costa, Dan (March 24, 2005). Vamosi, Scott (ed.). "Mozilla Firefox Browser [sic] review". CNET. Archived from the original on December 26, 2007.
  4. Krebs, Brian (January 4, 2007). "Internet Explorer Unsafe for 284 Days in 2006". The Washington Post. Archived from the original on April 24, 2011. Retrieved January 24, 2007.
  5. Keizer, Gregg (September 25, 2006). "Firefox Sports More Bugs, But IE Takes 9 Times Longer To Patch". TechWeb. Archived from the original on February 7, 2008. Retrieved January 24, 2007.
  6. "The Security Architecture of the Chromium Browser". seclab.stanford.edu. Retrieved 2024-06-06.
  7. "Technical Overview of Multiprocess Firefox". Mozilla Developer Network. 26 November 2020. Archived from the original on 26 November 2020. Retrieved 6 June 2024.
  8. Callahan, Dan (2016-04-11). "The "Why" of Electrolysis". Mozilla Add-ons Community Blog. Retrieved 2024-06-06.
  9. Bright, Peter (December 21, 2016). "Firefox takes the next step toward rolling out multi-process to everyone". Ars Technica. Archived from the original on December 24, 2016. Retrieved December 25, 2016.
  10. Anderson, Tim. "Mozilla will emit 'first version' of Servo-based Rust browser in June". www.theregister.com. Retrieved 2024-06-07.
  11. "Fearless Concurrency in Firefox Quantum | Rust Blog". blog.rust-lang.org. Retrieved 2024-06-07.
  12. "Entering the Quantum Era—How Firefox got fast again and where it's going to get faster". Mozilla Hacks – the Web developer blog. Retrieved 2024-06-07.
  13. Ellis, Cat (2017-11-14). "Firefox Quantum is here, and it wants to win you back". TechRadar. Retrieved 2024-06-07.
  14. "Firefox will get overhaul in bid to get you interested again". CNET. Retrieved 2024-06-07.
  15. Proven, Liam. "Rusty revenant Servo returns to render once more". www.theregister.com. Retrieved 2024-06-07.
  16. "The Same Origin Policy". Mozilla Developer Network. June 8, 2001. Archived from the original on October 14, 2008. Retrieved November 12, 2007.
  17. Developer documentation on using PKCS 11 modules (primarily smart cards) for cryptographic purposes. Archived December 4, 2008, at the Wayback Machine.
  18. "Privacy & Security Preferences – SSL". Mozilla. August 31, 2001. Archived from the original on February 7, 2007. Retrieved January 24, 2007.
  19. B, Rahul (February 26, 2021). "Why You Should Use Firefox: 7 Reasons – BrowserMentor". Archived from the original on August 13, 2021. Retrieved February 26, 2021.
  20. "Mozilla Security Bug Bounty Program". Mozilla. Archived from the original on November 12, 2020. Retrieved July 20, 2016.
  21. "Handling Mozilla Security Bugs". Mozilla. February 11, 2003. Archived from the original on February 18, 2007. Retrieved January 24, 2007.
  22. Anderson, Harvey (January 28, 2013). "Mozilla Recognized as Most Trusted Internet Company for Privacy". The Mozilla Blog. Mozilla. Archived from the original on March 22, 2013. Retrieved March 23, 2013.
  23. Murphy, David (February 24, 2013). "Firefox 22 to Disable Third-Party Cookies by Default". PC Magazine. Archived from the original on September 26, 2013. Retrieved September 21, 2013.
  24. Keizer, Gregg (June 20, 2013). "Mozilla again postpones Firefox third-party cookie-blocking, this time for months". Computerworld. Archived from the original on September 26, 2013. Retrieved September 21, 2013.
  25. "Firefox 23 Release Notes". Mozilla.org. August 6, 2013. Archived from the original on March 28, 2014. Retrieved March 14, 2014.
  26. Bright, Peter (August 6, 2013). "Firefox 23 lands with a new logo and mixed content blocking". Ars Technica. Archived from the original on February 18, 2014. Retrieved March 14, 2014.
  27. Anthony, Sebastian (August 7, 2013). "Firefox 23 finally kills the blink tag, removes ability to turn off JavaScript, introduces new logo". ExtremeTech. Archived from the original on March 29, 2014. Retrieved March 14, 2014.
  28. "Addons/Extension Signing". Mozilla wiki. Archived from the original on October 10, 2019. Retrieved November 23, 2019.
  29. Villalobos, Jorge (February 10, 2015). "Introducing Extension Signing: A Safer Add-on Experience". Mozilla Add-ons Blog. Archived from the original on October 29, 2019. Retrieved November 23, 2019.
  30. Song, Victoria (May 6, 2019). "Firefox fixes borked extensions for everyone but legacy users". Gizmodo. Archived from the original on May 6, 2019. Retrieved May 6, 2019.
  31. "FAQ – Why is Telemetry enabled by default on the Firefox pre-release channels?". MozillaWiki. Mozilla. Archived from the original on August 10, 2014. Retrieved July 26, 2014.
  32. "Mozilla Firefox Privacy Policy". Mozilla Corporation, a subsidiary of the Mozilla Foundation. Archived from the original on June 14, 2018. Retrieved June 18, 2018.
  33. "Private Auskunft – DNS mit Privacy und Security vor dem Durchbruch". C't (in German). 2018 (14): 176–179. June 22, 2018. Archived from the original on November 12, 2020. Retrieved July 25, 2018.
  34. "About Encrypted DNS by Carsten Strotmann & Jürgen Schmidt". C't. 2018 (14): 176–179. June 22, 2018. Archived from the original on November 12, 2020. Retrieved July 25, 2018. English translation of the previous citation.
  35. "Cloudflare Resolver for Firefox". cloudflare.com. Archived from the original on July 22, 2018. Retrieved July 25, 2018.
  36. Wood, Marissa. "Latest Firefox Release is Faster than Ever". The Mozilla Blog. Archived from the original on May 21, 2019. Retrieved May 22, 2019.
  37. "Firefox Update to Trusts OS-Installed Certificates to Prevent TLS Errors". Hack Hex. July 2, 2019. Archived from the original on July 2, 2019. Retrieved July 2, 2019.
  38. Cimpanu, Catalin (October 17, 2019). "Germany's cyber-security agency recommends Firefox as most secure browser". ZDNet. Archived from the original on October 24, 2019. Retrieved October 24, 2019.
  39. "What is Firefox SmartBlock? Mozilla's 'best of both worlds' browsing explained". Trusted Reviews. March 25, 2021. Archived from the original on March 25, 2021. Retrieved March 30, 2021.
  40. "Firefox Now Blocks Cross-Site Cookie Tracking Everywhere". How To Geek. June 14, 2022. Archived from the original on June 14, 2022. Retrieved May 15, 2022.