Protecting Firefox Data with Content Signatures

Explore a 19-minute conference talk from USENIX Enigma 2018 featuring Julien Vehent, Firefox Operations Security Lead at Mozilla, discussing the implementation of content signatures to protect Firefox data integrity. Delve into the challenges of securing data transmission between web services and Firefox, including the risks posed by transport intermediaries and potential web server compromises. Learn about the new signing protocol integrated into Firefox, designed to safeguard data exchanged between Mozilla and millions of Firefox installations worldwide. Discover key topics such as updating Firefox, industry best practices for HTTPS, internal Firefox PKI, content signature delivery and verification, operational security, and implementation complexities. Gain insights into specific issues like HTTPS interception, certificate validity checks, measuring validation failures, and emergency revocations.

Intro
Updating Firefox Updates
Updates Security
Serving data through web APIs Industry best practice: HTTPS and trust the backend. That has two problems
HTTPS Interception . 4% of Firefox Updates are being intercepted
Compromise of web API
Internal Firefox PKI
Delivering Content Signatures
Verifying Content Signatures
Operational Security
Some interesting problems
Checking certificate validity . Signature verification fails when client clock
Measuring validation failures . Firefox drops the data when the signature does not validate
Emergency revocations
Implementation complexity