This Week In Security: The Internet Archive, Glitching With A Lighter, And Firefox In-the-wild

The Internet Archive has been hacked. This is an ongoing story, but it looks like this started at least as early as September 28, while the site itself was showing a creative message on October 9th, telling visitors they should be watching for their email addresses to show up on Have I Been Pwned.

There are questions still. The site defacement seems to have included either a subdomain takeover, or a long tail attack resulting from the polyfill takeover. So far my money is on something else as the initial vector, and the polyfill subdomain as essentially a red herring.

Troy Hunt has confirmed that he received 31 million records, loaded them into the HIBP database, and sent out notices to subscribers. The Internet Archive had email addresses, usernames, and bcrypt hashed passwords.

In addition, the Archive has been facing Distributed Denial of Service (DDoS) attacks off and on this week. It’s an open question whether the same people are behind the breach, the message, and the DDoS. So far it looks like one group or individual is behind both the breach and vandalism, and another group, SN_BLACKMETA, is behind the DDoS.


Ask Hackaday: Has Firefox Finally Gone Too Far?

In a world where so much of our lives depend on the use of online services, the web browser used to access those services becomes of crucial importance. It becomes a question of whether we trust the huge corporate interests which control this software with such access to our daily lives, and it is vital that the browser world remains a playing field with many players in the game.

The mantle has traditionally fallen upon Mozilla’s Firefox browser to represent freedom from corporate ownership, but over the last couple of years even they have edged away from their open source ethos and morphed into an advertising company that happens to have a browser. We’re asking you: can we still trust Mozilla’s Firefox, when the latest version turns on ad measurement by default?

Such has been the dominance of Google’s Chromium in the browser world, that it becomes difficult to find alternatives which aren’t based on it. We can see the attraction for developers, instead of pursuing the extremely hard task of developing a new browser engine, just use one off-the-shelf upon which someone else has already done the work. As a result, once you have discounted browsers such as the venerable Netsurf or Dillo which are cool as heck but relatively useless for modern websites, the choices quickly descend into the esoteric. There are Ladybird and Servo which are both promising but still too rough around the edges for everyday use, so what’s left? Probably LibreWolf represents the best option, a version of Firefox with a focus on privacy and security.

We’re interested in your views on this topic, because we know you’ll have a lot to say about it. Meanwhile if you’re a Firefox user who’s upgraded to version 128 and you’re not sure what to do, don’t panic. Find the settings page, go to “Privacy and Security”, and un-check the “Website Advertising Preferences” checkbox.


Hackaday Links: May 5, 2024

It may be hard to believe, but BASIC turned 60 this week. Opinions about the computer language vary, of course, but one thing everyone can agree on is that Professors Kemeny and Kurtz really stretched things with the acronym: “Beginner’s All-Purpose Symbolic Instruction Code” is pretty tortured, after all. BASIC seems to be the one language it’s universally cool to hate, at least in its current incarnations like Visual Basic and VBA. But back in 1964, the idea that you could plunk someone down in front of a terminal, or more likely a teletype, and have them bang out a working “Hello, world!” program with just a few minutes of instruction was pretty revolutionary. Yeah, line numbers and GOTO statements encouraged spaghetti code and engrained bad programming habits, but at least it got people coding. And perhaps most importantly, it served as a “gateway drug” into the culture for a lot of us. Many of us would have chosen other paths in life had it not been for those dopamine hits provided by getting that first BASIC program working. So happy birthday BASIC!


This Week In Security: Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It

To start with, Microsoft’s June Security Patch has a fix for CVE-2022-26925, a Man-In-The-Middle attack against NTLM. According to NIST, this attack is actively being exploited in the wild, so it landed on the KEV (Known Exploited Vulnerabilities) Catalog. That list tracks the most important vulnerabilities to address, and triggers a mandated patch install no later than July 22nd. The quirk here is that the Microsoft Patch that fixes CVE-2022-26925 also includes a fix for a couple certificate vulnerabilities including CVE-2022-2693, Certifried. That vulnerability was one where a machine certificate could be renamed to the same as a domain controller, leading to organization-wide compromise.

The fix that rolled out in June now requires that a “strong certificate mapping” be in place to tie a user to a certificate. Having the same common name is no longer sufficient, and a secure value like the Security IDentifier (SID) must be mapped from certificate to user in Active Directory. The patch puts AD in a compatibility mode, which accepts the insecure mapping, so long as the user account predates the security certificate. This has an unintended consequence of breaking how the US Government uses CACs (Common Access Cards) to authenticate their users. Government agencies typically start their onboarding by issuing a CAC, and then establishing an AD account for that user. That makes the certificate older, which means the newest patch rejects it. Thankfully there’s a registry key that can be set, allowing the older mapping to still work, though likely with a bit of a security weakness opened up as a result.


Firefox Brings The Fire: Shifting From GLX To EGL

You may (or may not) have heard that Firefox is moving from GLX to EGL for the Linux graphics stack. It’s an indicator of which way the tides are moving in the software world. Let’s look at what it means, why it matters, and why it’s cool.

A graphics stack is a complex system with many layers. But on Linux, there needs to be an interface between something like OpenGL and a windowing system like X11. X11 provides a fundamental framework for drawing and moving windows around a display, capturing user input, and determining focus, but little else. An X11 server is just a program that manages all the windows (clients). Each window in X11 is considered a client. A client connects to the server over a Unix process socket or the internet.

OpenGL focuses on what to draw within the confines of the screen space given by the window system. GLX (which stands for OpenGL Extension to the X window system) was originally developed by Silicon Graphics. It has changed over the years, gaining hardware acceleration support and DRI (Direct Rendering Interface). DRI is a way for OpenGL to talk directly to the graphical hardware if the server and the client are on the same computer. At its core, GLX provides OpenGL functions to X11, extends the X protocol so that 3D rendering commands can be sent, and adds an extension that reads rendering commands and passes them to OpenGL.

EGL (Embedded-System Graphics Library) is a successor of GLX, but it started with a different environment in mind. Initially, the focus was embedded systems, and devices such as Android, Raspberry Pi, and Blackberry heavily lean on EGL for their graphical needs. Finally, however, Wayland decided to use EGL as GLX brought in X11 dependencies, and EGL offers closer access to hardware.

When Martin Stránský initially added Wayland support to Firefox, he used EGL instead of GLX. Additionally, the Wayland implementation had zero-copy GPU buffer sharing via DMABUF (a Linux kernel subsystem for sharing buffers). Unfortunately, Firefox couldn’t turn on this WebGL performance improvement for X11 (it existed but was never stable enough). Nevertheless, features kept coming, making Wayland (and consequently EGL) a more first-class citizen. Now EGL will be enabled by default in Firefox 94+ with Mesa 21+ drivers (Mesa is an implementation of OpenGL, Vulkan, and other specifications that translate commands into instructions the GPU can understand).


Porting Firefox To Apple Silicon: Tales From The Trenches

For any software product, small or large, that aims to be compatible with Apple’s MacOS, the recent introduction of its ARM-based Apple Silicon processors and MacBooks to go with them came as a bit of a shock. Suddenly one of the major desktop platforms was going to shift processor architectures, and with it likely abandon and change a number of APIs. Over at Mozilla HQ, they assumed that based on past experiences, Apple’s announcement of ‘first Apple Silicon hardware’ would also mean that those systems would be available for sale.

Indeed, one week after the November 10th announcement Apple did in fact do so. By then, Mozilla had worked to ensure that the Firefox codebase could be built for Apple Silicon-based MacOS. Fortunately, through the experiences of running Firefox on Windows-on-ARM, they already had gained a codebase that was compatible with 64-bit ARM. Ultimately, the biggest snag here was the immature Rust language and dependency support for Apple Silicon, which set back the first release.

When it came to distributing Firefox on Intel- and ARM-based Macs, the decision was made to package both versions of the application into a so-called Universal Binary. While this pads out the size of the installer, it also means easier distribution and would not affect the built-in updater in Firefox. This also allowed for an easy fix for the Google Widevine DRM module, for which no Apple Silicon version was available at first, allowing the same module for Intel to be used with either Firefox version via the Rosetta 2 binary translator in MacOS (as we covered previously).

After this it was more or less smooth sailing, with some Rosetta 2-based glitches and MacOS Big Sur-related bugs that spoiled some of the fun. What this experience shows is that porting even a big codebase like Firefox to Apple’s new platform is fairly straightforward, with lack of support from toolchains and other dependencies the most likely things that may trip one up.

The Rosetta 2 feature, while helpful, also comes with its share of gotchas as the Firefox developers found out, and of course there is a lot more optimization that can (and should) be done for such a new platform.

Copy And Paste Deemed Insecure

Back when Windows NT was king, Microsoft was able to claim that it met the strict “Orange Book” C2 security certification. The catch? Don’t install networking and remove the floppy drives. Turns out most of the things you want to do with your computer are the very things that are a security risk. Even copy and paste.

[Michał Bentkowski] has a good summary of his research which boils down to the following attack scenario:

  1. Visit a malicious site.
  2. Copy something to the clipboard which allows the site to put in a dangerous payload.
  3. Visit another site with a browser-based visual editor (e.g., Gmail or WordPress).
  4. Paste the clipboard into the editor.
