How quickly do Firefox derived browsers receive security updates
Mozilla released two security updates to their open source Firefox web browser just two days apart. This provided an excellent stress test and case study for how quickly Firefox derived web browsers ship security updates.
The two security vulnerabilities in question, CVE-2019-11707 (MFSA-2019-18) and CVE-2019-11708 (MFSA-2019-19), were both zero-day critical security vulnerabilities that were known to be actively exploited on the web. Mozilla released Firefox 67.0.3 and 67.0.4 two days apart to address each of these issues.
I’ll use the same Firefox derivatives I’ve featured before: Tor Browser, Cliqz, Waterfox, and Pale Moon.
Fixing Antivirus Errors
After the release of Firefox 65 in December, we detected a significant increase in a certain type of TLS error that is often triggered by the interaction of antivirus software with the browser. Today, we are announcing the results of our work to eliminate most of these issues, and explaining how we have done so without compromising security.
On Windows, about 60% of Firefox users run antivirus software and most of them have HTTPS scanning features enabled by default. Moreover, CloudFlare publishes statistics showing that a significant portion of TLS browser traffic is intercepted. In order to inspect the contents of encrypted HTTPS connections to websites, the antivirus software intercepts the data before it reaches the browser. TLS is designed to prevent this through the use of certificates issued by trusted Certificate Authorities (CAs). Because of this, Firefox will display an error when TLS connections are intercepted unless the antivirus software anticipates this problem.
Firefox is different from a number of other browsers in that we maintain our own list of trusted CAs, called a root store. In the past we’ve explained how this improves Firefox security. Other browsers often choose to rely on the root store provided by the operating system (OS) (e.g. Windows). This means that antivirus software has to properly reconfigure Firefox in addition to the OS, and if that fails for some reason, Firefox won’t be able to connect to any websites over HTTPS, even when other browsers on the same computer can.
Hansen: SKS Keyserver Network Under Attack [Ed: Of course corporate media pretends this is a "Linux" thing and did lots of FUD, scaremongering etc.]
This attack exploited a defect in the OpenPGP protocol itself in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways. Poisoned certificates are already on the SKS keyserver network. There is no reason to believe the attacker will stop at just poisoning two certificates. Further, given the ease of the attack and the highly publicized success of the attack, it is prudent to believe other certificates will soon be poisoned.
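The poisoning described above works by attaching an enormous number of certifications to a public key, and the breakage happens at import time. One defensive check a practitioner can run before importing a key blob is to count the signature packets in it. The following is an added example, not code from the article or from any OpenPGP implementation: it implements the RFC 4880 packet-header framing (old- and new-format headers, including partial body lengths), tallies packets by tag, and flags a certificate whose signature count exceeds a threshold. The threshold `MAX_SIGNATURES`, the `new_packet`/`old_packet` builders and the two sample certificates are constructed for this example.

```python
"""Count OpenPGP signature packets in a binary certificate before importing it.

Added example (not from the article). Implements RFC 4880 section 4.2 packet
headers; the sample certificates below are constructed, not real keys.
"""
import struct

# RFC 4880 packet tags used here.
SIGNATURE = 2
PUBLIC_KEY = 6
USER_ID = 13
PUBLIC_SUBKEY = 14

MAX_SIGNATURES = 500  # assumed threshold for this example, not a standard value


def parse_packets(data: bytes):
    """Yield (tag, body) for each top-level packet in an OpenPGP binary blob."""
    i, n = 0, len(data)

    def take(count):
        nonlocal i
        if i + count > n:
            raise ValueError(f"truncated packet at offset {i}")
        chunk = data[i:i + count]
        i += count
        return chunk

    while i < n:
        ctb = take(1)[0]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte at offset {i - 1}")
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable length octets
            tag = ctb & 0x3F
            body = bytearray()
            while True:
                first = take(1)[0]
                partial = False
                if first < 192:
                    length = first
                elif first < 224:
                    length = ((first - 192) << 8) + take(1)[0] + 192
                elif first == 255:
                    length = struct.unpack(">I", take(4))[0]
                else:  # 224..254: partial body length, more chunks follow
                    length = 1 << (first & 0x1F)
                    partial = True
                body += take(length)
                if not partial:
                    break
            yield tag, bytes(body)
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = take(1)[0]
            elif ltype == 1:
                length = struct.unpack(">H", take(2))[0]
            elif ltype == 2:
                length = struct.unpack(">I", take(4))[0]
            else:
                length = n - i  # indeterminate length runs to end of input
            yield tag, take(length)


def packet_counts(data: bytes) -> dict:
    """Map packet tag -> number of occurrences in the blob."""
    counts = {}
    for tag, _ in parse_packets(data):
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def is_poisoned(data: bytes, max_sigs: int = MAX_SIGNATURES) -> bool:
    """True if the certificate carries more signature packets than we are willing to import."""
    return packet_counts(data).get(SIGNATURE, 0) > max_sigs


# --- constructed sample data -------------------------------------------------

def new_packet(tag: int, body: bytes) -> bytes:
    """Encode a packet with a new-format header (RFC 4880 section 4.2.2)."""
    if len(body) < 192:
        hdr = bytes([0xC0 | tag, len(body)])
    elif len(body) < 8384:
        l = len(body) - 192
        hdr = bytes([0xC0 | tag, (l >> 8) + 192, l & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + struct.pack(">I", len(body))
    return hdr + body


def old_packet(tag: int, body: bytes) -> bytes:
    """Encode a packet with an old-format header and a 2-octet length."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def build_cert(extra_sigs: int) -> bytes:
    """Constructed certificate: key, user ID, 3 certifications, subkey + binding sig."""
    sig = new_packet(SIGNATURE, b"\x04\x13" + b"\x00" * 62)  # placeholder body, not a real signature
    packets = [
        new_packet(PUBLIC_KEY, b"\x04" + b"\x00" * 20),
        new_packet(USER_ID, b"alice@example.test"),
        sig, sig, sig,
        new_packet(PUBLIC_SUBKEY, b"\x04" + b"\x00" * 20),
        sig,
    ] + [sig] * extra_sigs
    return b"".join(packets)


NORMAL_CERT = build_cert(0)       # 4 signatures in total
FLOODED_CERT = build_cert(2000)   # 2004 signatures: reject before import

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL_CERT), ("flooded", FLOODED_CERT)):
        print(name, packet_counts(blob), "poisoned" if is_poisoned(blob) else "ok")
```

Real-world keys are usually ASCII-armored; strip the armor (or export in binary form) before feeding the blob to `parse_packets`. The check is deliberately coarse: it does not verify signatures, it only refuses to hand an oversized certificate to the importer.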
Cosmos Hub and Reproducible Builds
Open source software allows us to build trust in a distributed, collaborative software development process, to know that the software behaves as expected and is reasonably secure. But the benefits of open source are strongest for those who directly interact with the source code. These people can use a computer which they trust to compile the source code into an operational version for themselves. Distributing binaries of open source software breaks this trust model, and reproducible builds restore it.
Tendermint Inc is taking the first steps towards a trustworthy binary distribution process. Our investment in reproducible builds makes doing binary distributions of the gaia software a possibility. We envision that the Cosmos Hub community will be our partners in building trust in this process. The governance features of the Cosmos Hub will enable a novel collaboration between Tendermint and that validator community to release only binaries that can be trusted by anyone.
Here is our game plan.
The cosmoshub-3 release will support our new reproducible build process. Tendermint developers will make a governance proposal with the hashes of all supported binaries. We will ask ATOM holders to reproduce the builds on computers they control and vote YES if the hashes match.
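The voting step above comes down to a mechanical check: hash the binaries you built yourself and compare them with the hashes in the proposal. The following is an added example, not Tendermint's or the Cosmos Hub's own tooling: it parses a `sha256sum`-style manifest (the format the proposal is assumed to use for this example), hashes the artifacts in a build directory, reports each one as a match, a mismatch, or missing, and derives the vote. The artifact names (`gaiad-linux-amd64` and friends) and file contents are constructed placeholders.

```python
"""Verify locally reproduced build artifacts against published hashes.

Added example, not project code. Manifest format assumed: one line per
artifact, "<sha256 hex>  <filename>", as printed by sha256sum.
"""
import hashlib
import hmac
import os
import tempfile


def parse_manifest(text: str) -> dict:
    """Map artifact name -> expected lowercase hex SHA-256 digest."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_builds(manifest_text: str, build_dir: str) -> dict:
    """Return {artifact: "match" | "mismatch" | "missing"} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(build_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # compare_digest is not strictly needed for public hashes, but it keeps
        # the comparison uniform and avoids accidental prefix matches.
        results[name] = "match" if hmac.compare_digest(actual, digest) else "mismatch"
    return results


def vote(results: dict) -> str:
    """YES only when every listed artifact reproduced bit-for-bit; otherwise NO."""
    if results and all(status == "match" for status in results.values()):
        return "YES"
    return "NO"


def demo():
    """Run the check against constructed artifacts; returns (clean_results, dirty_results)."""
    artifacts = {  # constructed placeholder build outputs
        "gaiad-linux-amd64": b"constructed build output A\n",
        "gaiacli-linux-amd64": b"constructed build output B\n",
    }
    with tempfile.TemporaryDirectory() as build_dir:
        for name, content in artifacts.items():
            with open(os.path.join(build_dir, name), "wb") as f:
                f.write(content)

        # Proposal whose hashes all correspond to what we built.
        clean_manifest = "\n".join(
            f"{hashlib.sha256(content).hexdigest()}  {name}"
            for name, content in artifacts.items()
        )
        # Proposal where one hash is wrong and one artifact was never built locally.
        dirty_manifest = "\n".join([
            f"{hashlib.sha256(artifacts['gaiad-linux-amd64']).hexdigest()}  gaiad-linux-amd64",
            f"{hashlib.sha256(b'something else').hexdigest()}  gaiacli-linux-amd64",
            f"{hashlib.sha256(b'never built').hexdigest()}  gaiad-darwin-amd64",
        ])
        return verify_builds(clean_manifest, build_dir), verify_builds(dirty_manifest, build_dir)


if __name__ == "__main__":
    clean, dirty = demo()
    print(clean, "->", vote(clean))
    print(dirty, "->", vote(dirty))
```

The decision rule is deliberately strict: a single mismatch or missing artifact yields NO, because a proposal is only trustworthy if every binary it lists can be reproduced.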
Programming Leftovers
This is a new series highlighting best-of-breed utilities. We’ll be covering a wide range of utilities including tools that boost your productivity, help you manage your workflow, and lots more besides. Evernote is a proprietary cloud-based software service designed for creating, organizing and storing various media files. It’s often used as a note-taking and archiving program. Evernote helps users remember everything important. When a file is uploaded or changed on a machine, Evernote syncs all changes across an account. This lets you work on the same document on different machines wherever they are located in the world. As the files are stored in the cloud, they don’t consume large amounts of storage space on your PC or mobile device. These days, we use computers at work, at home, and on the move. Accessing your files from each machine using Evernote is more convenient than having to email files or copy them to a USB key. And because it’s designed to be a complete virtual filing system that makes finding any individual note or file easy, you don’t need to remember where they are saved. Evernote can be used for something as basic as a shopping list. But it comes into its own for business purposes, by sharing files and collaborating on projects with coworkers.
