Mozilla released version 52 of Firefox, which brings new security features, as well as support for WebAssembly, a low-level programming language for the web.
The new version of Firefox also coincides with a new Firefox Extended Support Release (ESR), which means the Tor Browser will soon benefit from all the security features that have been added to Firefox over the past year, including the browser’s new sandboxing architecture.
Firefox 52 New Features
Firefox 52 brought quite a few new features, especially in the security department.
WebAssembly
One of the most important features added to Firefox 52 is support for WebAssembly, a low-level programming language that can make web apps run at near-native speed.
This makes WebAssembly especially useful for browser games, advanced web apps, and software libraries. Mozilla has been one of the primary developers of the language, as it wanted to offer a standardized alternative to Google’s Native Client API, which boasts similar performance. The organization seems to have succeeded in that goal, as WebAssembly should soon be adopted by all the major browsers.
Strict Secure Cookies
Firefox 52 also supports Strict Secure Cookies, a policy that forbids HTTP websites from setting cookies with the “secure” attribute.
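The policy is easiest to see in a small model of a cookie store. The code below is an added example, not Mozilla's implementation: it applies the rule from the article (an http:// origin cannot create a cookie carrying the Secure attribute) and, going one step further, the companion rule from the same "leave secure cookies alone" proposal, under which a non-secure origin also cannot overwrite an existing Secure cookie. Cookies are keyed by (host, name) only; Domain and Path matching are deliberately ignored, and the origins and cookie values are constructed for the example.

```python
from urllib.parse import urlsplit


class CookieJar:
    """Tiny cookie store that applies the Strict Secure Cookies policy.

    Simplification (assumption for this example): cookies are keyed by
    (host, name); Domain and Path matching are ignored.
    """

    def __init__(self):
        # (host, name) -> {"value": str, "secure": bool}
        self._store = {}

    @staticmethod
    def _parse(header):
        """Split a Set-Cookie value into (name, value, set of lowercased attribute names)."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
        return name.strip(), value.strip(), attrs

    def set_cookie(self, origin, header):
        """Apply `header` as received from `origin`; return True if stored, False if rejected."""
        url = urlsplit(origin)
        name, value, attrs = self._parse(header)
        wants_secure = "secure" in attrs
        over_https = url.scheme == "https"
        key = (url.hostname, name)

        # Rule 1 (the behaviour described in the article): a non-secure
        # origin may not create a cookie carrying the Secure attribute.
        if wants_secure and not over_https:
            return False

        # Rule 2 (same proposal, "leave secure cookies alone"): a non-secure
        # origin may not overwrite or delete an existing Secure cookie.
        existing = self._store.get(key)
        if existing is not None and existing["secure"] and not over_https:
            return False

        self._store[key] = {"value": value, "secure": wants_secure}
        return True

    def get(self, host, name):
        """Return the stored value for (host, name), or None if absent."""
        entry = self._store.get((host, name))
        return None if entry is None else entry["value"]


if __name__ == "__main__":
    jar = CookieJar()
    print(jar.set_cookie("https://example.test/login", "sid=abc123; Secure; HttpOnly"))  # True
    print(jar.set_cookie("http://example.test/", "sid=injected; Secure"))                # False
    print(jar.set_cookie("http://example.test/", "sid=injected"))                        # False
    print(jar.get("example.test", "sid"))                                                # abc123
```

Without rule 2, the third call would succeed and the plaintext origin could replace a session cookie that the HTTPS site set with Secure; the policy closes both paths.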
(Non-) Security Warnings
For many months, Google and Mozilla have been promising a new “This connection is not secure” warning that will appear in login boxes on pages served over HTTP rather than HTTPS.
Both Google and Mozilla will progressively ramp up their warnings until all HTTP web pages are greeted by big red notifications that they are not secure. However, for now, the two companies are only warning about pages that require passwords or credit card information.
An “Untrusted Connection” error will also appear when Firefox 52 users visit a website whose certificate is chained to a root certificate that still uses the SHA-1 algorithm (such as those imported by the user). All the major browser vendors have had plans to deprecate SHA-1 for a couple of years now. With Google researchers having shown that a collision attack on SHA-1 is now practical, there are even more reasons to avoid connections that rely on SHA-1. However, for now, Mozilla will still allow users to bypass this warning.
Improved Multi-process, Sync Support
The multi-process architecture has also been enabled for Windows users who use touchscreen devices. The browser also got an “enhanced sync” feature that lets users send and open tabs from one device on another.
Dropping NPAPI, Battery Status API Support
Support for the Netscape Plugin API (NPAPI) has been removed for virtually all plugins, with the exception of Flash. Mozilla also removed support for the Battery Status API, which some services could have used to fingerprint users, significantly reducing privacy on the web.
Firefox ESR And The Tor Browser
Along with the regular release of Firefox 52, Mozilla also announced a new Firefox ESR, which has caught up with the features of the latest mainstream version of Firefox.
The ESR version is a release of Firefox that only receives security patches for almost a year (seven Firefox releases, to be exact). That means it falls behind in supporting new features as they appear in the regular versions of Firefox. This is usually a good thing for enterprise users, and also for certain organizations such as the Tor Project, which builds the Tor Browser on top of Firefox ESR.
New features tend to introduce new bugs, and it also takes time to validate them and to make sure they don’t break anything. Therefore, something like Firefox ESR is more appealing to the Tor Project. However, staying almost a year behind is sometimes not that good, especially when the main browser introduces significant security improvements.
One of the major security improvements we’ve seen in Firefox over the last year is the switch to a better sandboxing architecture, which separates the UI and web content into different processes. That should make it harder for JavaScript exploits that may live inside a web page to make modifications to the browser itself.
Because Firefox has kept seeing more and more exploits against it, owing to a sandboxing architecture that is not as strong as Chrome’s, the Tor Project has started to build its own sandboxing. However, the hardened version of the Tor Browser is only available on Linux for now, and it’s still in the alpha stage. The Tor Browser should still benefit from Mozilla’s own sandboxing, especially on Windows.
This year, Firefox should continue to receive security upgrades, but it won’t be until Firefox 59 (the next ESR version) that the Tor Browser will be able to implement them as well.