Mozilla on Tuesday announced that a years-long effort to harden Firefox’s defenses can now be previewed in the browser’s Nightly and Beta builds.
Debuting as “Project Fission” in February 2019, the project was also linked to the more descriptive “site isolation,” a defensive technology in which a browser devotes separate processes to each domain or even each website, and in some cases, assigns different processes to site components, such as iframes, so they are rendered separately from the process handling the overall site.
The idea is to isolate malicious sites and components — and the attack code they harbor — so one site cannot exploit an unknown vulnerability or one still unpatched, then plunder the browser, or the device, or a device’s memory of crucial information. That information could include authentication credentials, confidential data, and encryption keys.
“Site Isolation builds upon a new security architecture that extends current protection mechanisms by separating (web) content and loading each site in its own operating system process,” senior platform engineer Anny Gakhokidze wrote in a May 18 post to Mozilla’s Hacks site. “To fully protect your private information, a modern web browser not only needs to provide protections on the application layer but also needs to entirely separate the memory space of different sites,” she continued.
Remember Spectre? How about Meltdown?
Site Isolation wasn’t new when Mozilla brought it up two years ago.
The term had been used by Google in late 2017, when it began talking about new defensive features it would add to Chrome and implementing the first iteration of the technology. Although the Mountain View, Calif. company had been working on site isolation for much of that decade, it added the technology to Chrome in late 2017 and waited until mid-2018 to switch it on for most users.
Fortuitously, site isolation was an answer to Spectre and Meltdown, entirely new classes of vulnerabilities that went public in early 2018. The flaws, which were found in a vast array of hardware, notably PC and server processors, as well as in software — particularly browsers — caused an instant sensation and an industry-wide mitigation effort on the part of everyone from Intel and Lenovo to Microsoft and Google, whose engineers had been the ones to uncover Spectre.
Mozilla, like other browsers not crafted by Google, was forced instead to create ad hoc defenses against Spectre and Meltdown. But it also pledged to follow Chrome’s lead to site isolation, even though that work would require it to “revamp the architecture of Firefox,” obviously a major undertaking.
Currently, Firefox launches a fixed number of processes, including a parent process for the browser, eight to manage web contents and another four designated for utility purposes, such as browser add-ons and GPU (graphics processor unit) operations. With Site Isolation enabled, however, each site is allocated its own process and in some cases, elements of a page — in one case in Firefox it was Amazon’s advertising platform — are given separate processes, too.
(When site isolation is active, users can view the active processes by typing about:processes in Firefox’s address bar.)
Two years ago, Mozilla declined to set a timetable for releasing Firefox with Fission (aka Site Isolation), only implying that the work would be arduous and perhaps long. “We need to revamp the architecture of Firefox,” said Nika Layzell, the project tech lead of the Fission team, at the time. “Fission is a massive project.”
The picture is a bit clearer now.
An uncertain timetable
Mozilla has baked Fission into the Beta of Firefox 89 (as well as the much less polished Nightly build). It’s even enabled Site Isolation on “a subset of users” of Firefox 89 Beta in an effort to collect feedback on the technology’s functionality. That doesn’t mean Site Isolation is imminent (the production-grade Firefox 89 is slated to launch June 1, just two weeks away).
Mozilla’s Gakhokidze left Firefox users hanging, saying the firm “plan[s] a roll out to more of our users later this year.” Note what she did not say, that all Firefox users would have Fission in hand before the end of December.
For those not lucky enough to have Fission switched on by Mozilla, there is a way to manually enable the technology. Type about:config in the address bar, accept the warning and in the search field on the resulting page, type fission.autostart and press Enter or Return. The Boolean entry should read false. Turn it to true by clicking the two-way arrow icon at the far right, which is a simple toggle.
More information about Firefox’s Fission can be found on Mozilla’s website.
Copyright © 2021 IDG Communications, Inc.
200302 30563Aw, this was a very nice post. In concept I wish to put in writing like this moreover ?taking time and precise effort to make an superb post?but what can I say?I procrastinate alot and undoubtedly not appear to get one thing done. 956265
206659 90377I observe there is actually a lot of spam on this weblog. Do you want aid cleaning them up? I may well aid in between courses! 353924
808755 665736Awesome weblog, Im going to spend a lot more time researching this topic 505685
327049 91127Im so happy to read this. This really is the type of manual that needs to be given and not the accidental misinformation thats at the other blogs. Appreciate your sharing this greatest doc. 6033
694664 283787I discovered your weblog web site on google and check several of your early posts. Proceed to keep up the excellent operate. I just extra up your RSS feed to my MSN News Reader. In search of ahead to studying extra from you in a while! 334410
283114 594Undoubtedly,Chilly spot! We stumbled on the cover and Im your personal representative. limewire limewire 881377
769456 136031hi, your web site is wonderful. I truly do numerous thanks for operate 217539
629149 129146A thoughtful insight and suggestions I will use on my site. Youve naturally spent some time on this. Congratulations! 837408
551974 835706Most reliable human being messages, nicely toasts. are already provided gradually during the entire wedding celebration and therefore are anticipated to be quite laid back, humorous and as nicely as new all at once. greatest man speech 700262