Firefox Quantum tightens browser security

The re-engineered version of Firefox called “Quantum” released last week not only claims to be twice as fast but it also packs some punch in the security department, according to Mozilla executives.

Probably the most unique and competitively aspect of Firefox Quantum is its use of the memory-safe language Rust to run parts of the layout engine.

“Browsers have traditionally been written in C++. When programming in C++, it’s rather easy for programmers to inadvertently introduce bugs or security vulnerabilities when they try creating complex algorithms. Rust has allowed Mozilla to code new algorithms that run super-fast and safe,” said Selena Deckelmann, director of engineering, Mozilla.

Jeff Griffiths, Mozilla’s director of product management of core browsers, added that Rust gives guarantees that the memory that has been allocated in the programming is secure and cannot be overwritten by an attacker.

“So, we have a much higher confidence that the code base in there is secure against that sort of vulnerability because it is built in Rust,” he added.Currently, there are roughly 350 million monthly active users of Firefox globally, majority of them are on desktops. Griffiths estimates that a little less than 9% of Firefox users are based in Hong Kong, which is tied to the number of local surfers using Internet Explorer.

Tracking Protection and sandboxing

Another new security feature in Quantum allows users to enable tracking protection in their regular browsing sessions, which was previously only available in private browsing mode.

“We’ve been using Tracking Protection in private browsing mode for the last two years and we have done a number of studies of turning on tracking protection in regular browsing mode. And we have seen a lot of benefits around malware prevention and privacy,” Griffith said.

“If you have tracking protection enabled, you are less likely to be hacked because the attack vector for a lot of malware is scripts that are loaded through ad networks. We usually get reports from people that are on major sites where an ad on those sites had a script loaded into it that tried to get the user to download a hacked version of whatever browser that they are using. And so a lot of people had their computer infected through malware that were injected into those ad networks. Tracking Protection blocks a lot of those scripts much more aggressively than any other browsers currently do,” he added.

Performance also gets a boost when tracking protection is turned on.With ‘Tracking Protection’ in private browsing mode, Firefox achieved a 67.5% reduction in the number of HTTP cookies set during a crawl of the Alexa top 200 news sites.

Since Firefox does not download and render content from tracking domains, ‘Tracking Protection’ also enjoys performance benefits of a 44% median reduction in page load time and a 39% reduction in data usage on the Alexa top 200 news sites.

Firefox Quantum is also the first time many Firefox users will be able take advantage of sandboxing.

“Sandboxing is another key feature that is not strictly new in Quantum -- it’s a complex job and we’ve been working on it for a long time. But Quantum marks the launch of our full sandbox on all platforms: Windows, Mac, and Linux,” Deckelmann said.

Strategy around HTTPS

The foundation of secure web browsing for users is HTTPS and Firefox continues to make improvements to HTTPS, according to Deckelmann.

“We are implementing TLS 1.3, which is live in Firefox Beta now and laying the foundation for its rollout to release hopefully in Q1 of 2018. We’ve also begun formal verification of crypto algorithms in Quantum, already resulting in speed and security improvements. We also continue to support Let’s Encrypt, which provides free SSL certificates and has contributed significantly to the adoption of HTTPS worldwide,” she said.

Mozilla has also been pushing HTTPS adoption and HTTP deprecation

“Earlier this year, we started using negative page indicators for HTTP sites that have login forms. We also worked with EFF to create Let’s Encrypt, making it easier for developers to set up HTTPS for their sites with free TLS Certificates. We plan to take more steps in this direction in 2018,” Deckelmann said.

In addition to working towards shifting the web from insecure HTTP to encrypted HTTPS, Mozilla has also been active in making HTTPS itself more secure.

 

“We have removed the use of older insecure technologies (the SSLv3 protocol, RC4 encryption, MD5 and SHA1 hash algorithms) and are the driving force behind the TLS1.3 standard which forbids the use of weaker or easily misused ciphersuites in favor of more efficient and safer ones,” Deckelmann said.

Read more on