The introduction of this tool reinforces the importance of websites configuring themselves to require secure connections.

Not too long ago we announced HTTP Strict-Transport-Security that can be used to — among other things — ensure your Facebook or Twitter cookies can’t be sniffed by someone using a tool like Firesheep. In fact, it’s built into Firefox 4. To protect their users from the this attack, a site simply needs to set the Strict-Transport-Security HTTP header when they serve you a secure log-in page, and make the rest of their site available over HTTPS. Firefox will take care of the rest: automatically fetching that site over a secure connection and blocking any third parties from seeing the unencrypted traffic.

We recommend that website authors make use of this header in order to protect their users.

But this technology is new to Firefox 4. To get HTTP Strict-Transport-Security support in Firefox 3.6, you will need to install an add-on that implements it such as ForceTLS. ForceTLS also gives you a way to opt-in to this extra security for sites who haven’t yet started sending that helpful HTTP header; it provides a user interface to add and remove sites that should never be contacted insecurely. Both HSTS and the manual opt-in are also available as part of NoScript. However, manually opting-in to HSTS on a site which does not yet make itself fully available securely may break the site; not all sites are ready for secure access.

If you are already using Firefox 4 beta or nightly versions, you can enable the additional controls with the STS-UI add-on. While the core Strict-Transport-Security features are already built into Firefox 4, this UI gives advanced users the ability to further ensure the security of their connections.

Sid Stamm
Conspiracy Theorist

A website can choose to include the x-frame-options header to protect against malicious framing of web content by third parties. For example a malicious site might frame a website from another domain and surround the framed site with advertisements. Alternatively, a malicious site could use a CSS layer attack called ClickJacking to trick users into performing unintended actions within the framed website that is obscured by overlaid CSS layers.

The x-frame-options header supports the following values:
SAMEORIGIN – allows only sites from the same domain to frame the page
DENY – prevents any site from framing the page

Additional Reading:
Mozilla Developer Network article
Microsoft Developer Network article
OWASP Clickjacking Article

Michael Coates
Web Security

We’re close to landing some changes in the Firefox development tree that will fix a privacy leak that browsers have been struggling with for some time. We’re really excited about this fix, we hope other browsers will follow suit. It’s a tough problem to fix, though, so I’d like to describe how we ended up with this approach.

History Sniffing

Links can look different on web sites based on whether or not you’ve visited the page they reference. You’ve probably seen this before: in some cases, visited links are purple instead of blue. This is just one of the many features web designers use to make the web the best it can be, and for the most part that’s a good thing.

The problem is that appearance can be detected by the page showing you links, cluing the page into which of the presented pages you’ve been to. The result: not only can you see where you’ve been, but so can the web site!

Originally specified as a useful feature for the Web, visited link styling has been part of the web for… well, forever. So this is a pretty old problem, and resurfaces every once in a while to generate more paranoid netizens.

The most obvious fix is to disable different styles for visited versus unvisted links, but this would be employed at the expense of utility: while sites can no longer figure out which links you’ve clicked, neither can you. David Baron has implemented a way to help keep users’ data private while minimizing the effect on the web, and we are deploying it to protect our users. We think this represents the best solution to the problem, and we’ll be delighted if other browsers approach this the same way.

Technical Details.

The biggest threats here are the high-bandwidth techniques, or those that extract lots of information from users’ browsers quickly. These are particularly worrisome since they enable not only very focused attacks, but also the widespread brute-force attacks that are, in general, more useful to a variety of attackers (potentially including fingerprinting).

The JavaScript function getComputedStyle() and its related functions are fast and can be used to guess visitedness at hundreds of thousands of links per minute. To make it harder for web sites to figure out where you’ve been without radically changing the web, we’re approaching the way we style links in three fairly subtle ways:

Change 1: Layout-Based Attacks
First of all, we’re limiting what types of styling can be done to visited links to differentiate them from unvisited links. Visited links can only be different in color: foreground, background, outline, border, SVG stroke and fill colors. All other style changes either leak the visitedness of the link by loading a resource or changing position or size of the styled content in the document, which can be detected and used to identify visited links.

While we are changing what is allowed in CSS, the CSS 2.1 specification takes into consideration how visited links can be abused:

“UAs may therefore treat all links as unvisited links, or implement other measures to preserve the user’s privacy while rendering visited and unvisited links differently.” [CSS 2 Specification]

Change 2: Some Timing Attacks
Next, we are changing some of the guts of our layout engine to provide a fairly uniform flow of execution to minimize differences in layout time for visited and unvisited links. The changes cause all styles to be resolved on all links for both visited and unvisited states, and it is stored; then, when the link is styled, the appropriate set of styles is chosen making the code paths for visited and unvisited links essentially the same length. This should eliminate some of the easy-to-mount timing attacks.

Change 3: Computed Style Attacks
JavaScript is not going to have access to the same style data it used to. When a web page tries to get the computed style of a link (or any of its sub-elements), Firefox will give it unvisited style values.

What does this mean for users?

For the most part, users shouldn’t notice a change in how the web works. A few web sites may look a little different, but visited links will still show up differently colored. A few sites that use more than color to differentiate visited links may look slightly broken at first while they adjust to these changes, but we think it’s the right trade-off to be sure we protect our users’ privacy. This is a troubling and well-understood attack; as much as we hate to break any portion of the web, we need to shut the attack down to the extent we can.

We have to be realistic, though: there are many ways all browsers leak information about you, and fixing CSS history sniffing will not block all of these leaks. But we believe it’s important to stop the scariest, most effective history attacks any way we can since it will be a big win for users’ privacy.

If the remaining attacks worry you, or you can’t wait for us to ship this fix, version 3.5 and newer versions of Firefox already allow you to disable all visited styling (immediately stops this attack) by setting the layout.css.visited_links_enabled option in about:config to false. While this will plug the history leak, you’ll no longer see any visited styling anywhere.

Enhancing Privacy on the Web.

We want to bridge the gap between our users’ expectations of privacy and what actually happens on the web. Sometimes users have an expectation that we preserve their privacy a certain way, and if we can, we want to live up to it. Privacy isn’t a feature that can simply be added to a browser, though; it often comes at the expense of utility. We think we’ve found a fix that will balance flexibility for web developers while providing a safer experience for our users on the web.

Sid Stamm, Mozilla Security

HTTP Man-In-The-Middle (MITM) attacks

Consider your typical online banking session:  you type “www.mybank.com” into the address bar, hit enter, and wait for the site to load.  When it shows up, you enter your password, do your banking, then log out.  This process is more-or-less automatic for many people, and the subtleties of the process disappear in the background.  More specifically, these are the steps for logging into the bank’s site:

1.   You type “www.mybank.com” into the address bar and hit enter.
2.   The browser assumes “www.mybank.com” should be requested over HTTP by default, so the initial request is unencrypted.
3.   The server at “http://www.mybank.com” responds with an HTTP redirect to “https://www.mybank.com”
4.   The secure connection is established, and a login page is served via HTTPS.
5.   You enter your password and do your banking.

It is only after the first few swift (and often unnoticed) steps that the user is presented with a secure connection.  In a rogue hotspot, “www.mybank.com” might resolve to an attacker’s server (instead of the real thing) and the HTTPS connection may never happen.  Many users might not notice this and end up logging into an attacker’s website.

HTTPS is intended for both channel encryption, to thwart eavesdroppers, and for server authentication.  In the hotspot banking MITM situation, you may simply assume that no errors indicates a safe connection but in all reality the server has not been authenticated!   After all, you’re not presented with any warnings or UI indicators saying the site is an attack site.  If you’re a diligent user, you can always click Firefox’s site identity button to find out whether or not the site has authenticated itself and whether it’s encrypting to prevent eavesdropping, of course.  It’s hard to remember (and time consuming) to do that every time, especially when you’re used to logging into certain trustworthy sites automatically.  And in fact, a fake bank’s site may even have a little lock icon next to the login box that assures the user he is logging into a secure site –  many legitimate banking sites unfortunately do the same thing.

Asking the Browser to use HTTPS Only

To stop this kind of man-in-the-middle attack, where an HTTPS site is mimicked over HTTP, Collin Jackson and Adam Barth proposed something called ForceHTTPS in 2008.  This is a browser feature that allows web sites to tell a browser to always request it via HTTPS, and never unencrypted HTTP.  It was intended to help eliminate the redirect from HTTP to HTTPS and minimize the chance of an insecure attack as described above.

We like the idea of ForceHTTPS and are working on implementing it as “ForceTLS” in Firefox with hopes it will reduce occurrences of MITM attacks and generally improve user security.  We built an add-on as a first step prototype of the feature that works in a similar fashion to the original design by Jackson and Barth.  Instead of using cookies, however, we’re asking sites to send an HTTP header “X-Force-TLS” with any securely-transmitted response.  The name of this header will change in the future, but for now we’re using “X-Force-TLS” as the experimental header that, when present, means:

1. The browser should only attempt to access that domain via HTTPS
2. How long this requirement should last. For example, a server can ask the HTTPS-only request to expire after three days.  This expiration timer can be reset or changed every time data is served to the client by providing a new HTTP header.
3. Whether or not subdomains of the requested site (images.mybank.com, or login.mybank.com for example) should also be forced into HTTPS

ForceTLS can be used for more than just protection against evil hotspots; it can also be used to harden web applications against accidental unencrypted requests.  Many popular web apps can be used over both secure HTTPS and insecure HTTP connections; while you’re given the choice to pick HTTPS instead of HTTP, it’s possible that a large web app might have a HTTP URI referenced from some subtle corner of its code (by accident of course), and with Force TLS employed, this would quietly get upgraded to HTTPS and prevent exposing any unencrypted data on the network.

Check out our prototype, and tell us what you think!  The browser extension and source code are available on AMO (https://addons.mozilla.org/en-US/firefox/addon/12714).

Sid Stamm
Securinator