Security Patches
These patches tweak or enhance security-related settings and features, such as enabling HTTPS-only mode, securing PDF handling, and reducing exposure to potentially dangerous web content.
Patches
- Certificate Pinning
- Harden PDF.js
- Enable HTTPS-Only Mode
- Prevent Extensions From Changing Browser Settings
- Increase Update Frequency
- Enable Encrypted Storage
- Enable Memory Tagging
Certificate Pinning
Updates and expands the list of domains supported by Mozilla’s built-in certificate pinning.
Reason: To protect against MITM attacks by restricting which certificate authorities can issue valid certificates for included websites. Example of a real-world attack that this protects against: https://blog.mozilla.org/security/2011/08/29/fraudulent-google-com-certificate/
Effect: Users are provided with a more secure browsing experience.
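How a static pin check restricts issuers can be shown with a simplified model. This is an added example, not code from Firefox or from this project; the hostnames, pinsets and key bytes are constructed, and the chain is assumed to have already passed ordinary CA validation.

```python
import base64
import hashlib

def spki_pin(spki: bytes) -> str:
    """Base64 SHA-256 of a SubjectPublicKeyInfo, the usual form of a pin."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

# Constructed byte strings standing in for DER-encoded public keys.
SITE_CA = b"constructed SPKI: CA the site really uses"
BACKUP_CA = b"constructed SPKI: backup CA chosen by the site"
OTHER_CA = b"constructed SPKI: unrelated CA the browser also trusts"
LEAF = b"constructed SPKI: server leaf key"

# Hypothetical pin list: host -> allowed issuer keys, plus subdomain scope.
PINSETS = {
    "example.com": {"include_subdomains": True,
                    "pins": {spki_pin(SITE_CA), spki_pin(BACKUP_CA)}},
    "exact.example.org": {"include_subdomains": False,
                          "pins": {spki_pin(SITE_CA)}},
}

def find_pinset(host: str):
    """Return the pinset covering host, walking up through parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = PINSETS.get(".".join(labels[i:]))
        # A parent's entry applies only if it opted in to subdomains.
        if entry and (i == 0 or entry["include_subdomains"]):
            return entry
    return None

def chain_passes_pinning(host: str, chain_spkis: list) -> bool:
    """chain_spkis: SPKI bytes of every certificate in the validated chain."""
    entry = find_pinset(host)
    if entry is None:
        return True  # host is not pinned: CA validation alone decides
    # At least one key in the chain must be on the host's pin list.
    return any(spki_pin(s) in entry["pins"] for s in chain_spkis)

if __name__ == "__main__":
    print(chain_passes_pinning("mail.example.com", [LEAF, SITE_CA]))   # True
    print(chain_passes_pinning("mail.example.com", [LEAF, OTHER_CA]))  # False
```

A certificate issued by `OTHER_CA` would pass ordinary validation, since the browser trusts that CA, but the pin check rejects it for pinned hosts; hosts missing from the list get no such protection, which is why expanding the list matters.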
Harden PDF.js
Hardens Firefox’s built-in PDF Viewer (PDF.js).
Reason: To reduce attack surface and protect users from various attacks, with changes inspired by GrapheneOS’s PDF Viewer: https://github.com/GrapheneOS/PdfViewer
Effect: Users are provided with a more secure PDF viewing experience, while still enjoying it from the comfort of their browser.
Enable HTTPS-Only Mode
Enables HTTPS-only mode by default.
Reason: To encrypt connections whenever possible.
Effect: Improves privacy and security by preventing unencrypted HTTP connections.
Prevent Extensions From Changing Browser Settings
Prevents extensions from changing various browser settings.
Reason: To prevent extensions from making unauthorized changes to browser settings.
Effect: Ensures browser settings aren’t changed without explicit user consent.
Increase Update Frequency
Increases the rate at which Firefox syncs with Remote Settings, from every 24 hours to hourly, and the rate at which Firefox checks for add-on updates, from every 12 hours to hourly.
Reason: To improve security for users, by ensuring they are kept up to date as fast as possible.
Effect: Protects users against security vulnerabilities and other potential threats, by ensuring their add-ons and Remote Settings are always up to date.
Enable Encrypted Storage
Enables encrypted storage (via Android’s Keystore system: https://developer.android.com/privacy-and-security/keystore) for Firefox account state.
Reason: To improve privacy and security for users, by adding extra protection for sensitive data.
Effect: Protects users against unauthorized access to, or compromise of, sensitive data.
Enable Memory Tagging
Enables memory tagging (via Android’s Arm Memory Tagging Extension: https://developer.android.com/ndk/guides/arm-mte).
Reason: To improve security for users, by improving memory safety.
Effect: Protects users against memory safety bugs.