Mozilla has made some sweeping security announcements this week: On Monday, the company announced it is testing a new security tool called Firefox Monitor, which the firm said securely checks to see if users’ accounts have been hacked. That news came just as the browser giant released Firefox 61 for Windows, Mac, Linux and Android.
The testing of Firefox Monitor also comes on the heels of Mozilla’s partnership with Cloudflare and Have I Been Pwned (HIBP).
Similar to the existing function of HIBP, founded by security researcher Troy Hunt, Firefox Monitor allows users to enter their email addresses to check if they’re part of hacker databases that have been publicly released.
“In order to help keep personal information and accounts safe, we will be testing user interest in a security tool that lets users check if one of their accounts has been compromised in a data breach,” Peter Dolanjski, product manager for Firefox, said in a post. “We decided to address a growing need for account security by developing Firefox Monitor, a proposed security tool that is designed for everyone, but offers additional features for Firefox users.”
Firefox Monitor users can see the details on sites and other sources of breaches and the types of personal data exposed in each breach, and receive recommendations on what to do in the case of a data breach.
Mozilla said it is also considering a service to notify people when new breaches include their personal data.
“This is major, because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream,” Hunt said in a blog post. “I’m really happy to see Firefox integrating with HIBP in this fashion, not just to get it in front of as many people as possible, but because I have a great deal of respect for their contributions to the technology community.”
At a technical level, the Firefox Monitor service will use anonymized range query API endpoints from HIBP, allowing users to preserve their privacy while they check for compromised accounts. Cloudflare designed and implemented these API endpoints as an additional layer of security for those consuming the API, one that is visible to end users.
“This contribution allows for Pwned Passwords clients to use range queries to search for breached passwords, without having to disclose a complete unsalted password hash to the service,” said Cloudflare’s Junade Ali, in a post.
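The range-query exchange described above, as an added offline example that is not code from Mozilla, Cloudflare or HIBP. It assumes the Pwned Passwords design of a SHA-1 digest, a 5-hex-character prefix and `SUFFIX:COUNT` response lines; `RangeServer`, `breach_count` and the sample corpus are hypothetical names and constructed data.

```python
import hashlib

PREFIX_LEN = 5  # assumed: hex characters of the SHA-1 digest sent to the service


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (unsalted, as in the quote above)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Offline stand-in for the range endpoint. It only ever receives prefixes."""

    def __init__(self, breached_counts):
        self.buckets = {}       # prefix -> list of (suffix, count)
        self.seen_queries = []  # everything a client disclosed to the service
        for password, count in breached_counts.items():
            digest = sha1_hex(password)
            bucket = self.buckets.setdefault(digest[:PREFIX_LEN], [])
            bucket.append((digest[PREFIX_LEN:], count))

    def range_query(self, prefix: str) -> str:
        # Reject anything that is not exactly a short hex prefix, so a client
        # cannot accidentally submit a complete hash.
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.seen_queries.append(prefix)
        rows = sorted(self.buckets.get(prefix, []))
        return "\n".join(f"{suffix}:{count}" for suffix, count in rows)


def breach_count(password: str, server: RangeServer) -> int:
    """Client side: send only the prefix, then match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in server.range_query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0  # no suffix in the returned range matched


# Constructed corpus: passwords and occurrence counts are sample values.
SAMPLE_CORPUS = {"password": 100, "hunter2": 5, "letmein": 42}

if __name__ == "__main__":
    server = RangeServer(SAMPLE_CORPUS)
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, server))
    print("service saw only:", server.seen_queries)
```

The service learns which 5-character bucket a query falls in, but the decision about whether the password is breached is made on the client.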
Mozilla said it is currently testing initial designs of the Firefox Monitor tool, but beginning next week, the company will invite approximately 250,000 users, mainly U.S.-based, to try it out.
“Once we’re satisfied with user testing, we will work on making the service available to all Firefox users,” said Dolanjski in the post. “Once a release schedule has been established, it will be announced in a follow-up blog post.”
Firefox 61 Launch
Mozilla on Tuesday also released Firefox 61 for Windows, Mac, Linux and Android, with new security features.
Most notably, the new Firefox version will block sub-resource loads that rely on the insecure File Transfer Protocol (FTP), unless the document itself is an FTP document.
“The fundamental underlying problem with FTP is that any data transferred will be unencrypted and hence sent across networks in plain text, allowing attackers to steal, spoof and even modify the data transmitted,” said Christoph Kerschbaumer, content security tech lead at Mozilla, in a post.
“Following through to our intent to deprecate non-secure HTTP and aligning with Mozilla’s effort to improve adoption of HTTPS, Firefox will block subresource loads, like images, scripts and iframes, relying on the insecure FTP protocol,” he continued.
The new version of Firefox also offers default support for the latest draft of the Transport Layer Security specification.
The new version will support TLS 1.3, which succeeds the Secure Sockets Layer (SSL) protocol as the new standard for enabling two networked applications or devices to exchange information privately. It was first drafted more than four years ago, in April 2014, by the Internet Engineering Task Force.
Users can view the release notes on Mozilla’s homepage.
Source: ThreatPost