'Site Isolation' feature arrives in Firefox as a fundamental countermeasure against 'Spectre' and 'Meltdown'

Mozilla announced on May 18, 2021 that it has added a 'Site Isolation' feature to Firefox for desktop. According to Mozilla, this feature makes it possible to take fundamental measures against the 'Spectre' and 'Meltdown' vulnerabilities, which were discovered in 2018 but had until now been addressed only with stopgap measures.

Introducing Site Isolation in Firefox - Mozilla Security Blog


Introducing Firefox's new Site Isolation Security Architecture - Mozilla Hacks - the Web developer blog

In January 2018, the vulnerabilities 'Spectre' and 'Meltdown', which lurk at the hardware level of many CPUs on the market, were discovered. Mozilla and other IT companies rolled out countermeasures all at once, but according to Mozilla, the measures implemented at that time were only emergency measures.

It is pointed out that the root of the vulnerabilities inherent in Intel CPUs runs deep: 'all processors have the problem that safety and high speed cannot both be achieved' - GIGAZINE

Mozilla, which had been undertaking a fundamental overhaul of Firefox's security, announced on May 18 that it has introduced 'Site Isolation' in Firefox. The feature separates the process that handles the site you are browsing from other processes, making it difficult to read private data.

According to Mozilla software engineer Anny Gakhokidze, traditional browsers used the same process for sites with malicious code and sites that handle important personal information such as Internet banking.

Therefore, if an advanced attack such as Spectre is carried out from a site containing malicious code, there is a risk that bank login data stored in memory may be stolen.

This was also the case with Firefox. At startup, Firefox creates a process with the highest privileges called the 'parent process', and content processes that handle sites and other content are created under it. In the past, because different sites could be processed by the same process in Firefox, it was possible to take over the parent process through the content process.

In Firefox with Site Isolation implemented, on the other hand, each site is processed in a separate process, so users will be able to browse safely.

Site Isolation also has secondary benefits: 'since each site is processed by its own process, opening a heavy site does not reduce the responsiveness of other pages', 'even if one tab crashes, pages handled by other processes are not affected', and 'because multiple processes are used to load sites, the work is distributed across more CPU cores and the hardware's performance can be used more efficiently'.

Mozilla is currently shipping the Site Isolation feature ahead of general release in Firefox Beta and Firefox Nightly, which test experimental features, and plans to officially implement it in the regular version of Firefox in late 2021.

Here are the steps to try Site Isolation in Firefox Nightly. First, enter 'about:preferences#experimental' in the URL field of Firefox Nightly, check 'Fission' and restart.

Also, in the regular version of Firefox, enter 'about:config' in the URL field and click 'Accept the Risk and Continue' ...

The feature is then enabled by setting the value of 'fission.autostart' to 'true' and restarting.

in Software, Security, Posted by log1l_ks