Mozilla on Tuesday announced that a years-long effort to harden Firefox’s defenses can now be previewed in the browser’s Nightly and Beta builds.
Debuting as “Project Fission” in February 2019, the project was also linked to the more descriptive “site isolation,” a defensive technology in which a browser devotes separate processes to each domain or even each website, and in some cases, assigns different processes to site components, such as iframes, so they are rendered separately from the process handling the overall site.
The idea is to isolate malicious sites and components — and the attack code they harbor — so one site cannot exploit an unknown vulnerability or one still unpatched, then plunder the browser, or the device, or a device’s memory of crucial information. That information could include authentication credentials, confidential data, and encryption keys.
“Site Isolation builds upon a new security architecture that extends current protection mechanisms by separating (web) content and loading each site in its own operating system process,” senior platform engineer Anny Gakhokidze wrote in a May 18 post to Mozilla’s Hacks site. “To fully protect your private information, a modern web browser not only needs to provide protections on the application layer but also needs to entirely separate the memory space of different sites,” she continued.
Remember Spectre? How about Meltdown?
Site Isolation wasn’t new when Mozilla brought it up two years ago.
The term had been used by Google in late 2017, when it began talking about new defensive features it would add to Chrome and implementing the first iteration of the technology. Although the Mountain View, Calif. company had been working on site isolation for much of that decade, it added the technology to Chrome in late 2017 and waited until mid-2018 to switch it on for most users.
Fortuitously, site isolation was an answer to Spectre and Meltdown, entirely new classes of vulnerabilities that went public in early 2018. The flaws, which were found in a vast array of hardware, notably PC and server processors, as well as in software — particularly browsers — caused an instant sensation and an industry-wide mitigation effort on the part of everyone from Intel and Lenovo to Microsoft and Google, whose engineers had been the ones to uncover Spectre.
Mozilla, like other browsers not crafted by Google, was forced instead to create ad hoc defenses against Spectre and Meltdown. But it also pledged to follow Chrome’s lead to site isolation, even though that work would require it to “revamp the architecture of Firefox,” obviously a major undertaking.
Currently, Firefox launches a fixed number of processes, including a parent process for the browser, eight to manage web contents and another four designated for utility purposes, such as browser add-ons and GPU (graphics processor unit) operations. With Site Isolation enabled, however, each site is allocated its own process and in some cases, elements of a page — in one case in Firefox it was Amazon’s advertising platform — are given separate processes, too.
(When site isolation is active, users can view the active processes by typing about:processes in Firefox’s address bar.)
Two years ago, Mozilla declined to set a timetable for releasing Firefox with Fission (aka Site Isolation), only implying that the work would be arduous and perhaps long. “We need to revamp the architecture of Firefox,” said Nika Layzell, the project tech lead of the Fission team, at the time. “Fission is a massive project.”
The picture is a bit clearer now.
An uncertain timetable
Mozilla has baked Fission into the Beta of Firefox 89 (as well as the much less polished Nightly build). It’s even enabled Site Isolation on “a subset of users” of Firefox 89 Beta in an effort to collect feedback on the technology’s functionality. That doesn’t mean Site Isolation is imminent (the production-grade Firefox 89 is slated to launch June 1, just two weeks away).
Mozilla’s Gakhokidze left Firefox users hanging, saying the firm “plan[s] a roll out to more of our users later this year.” Note what she did not say, that all Firefox users would have Fission in hand before the end of December.
For those not lucky enough to have Fission switched on by Mozilla, there is a way to manually enable the technology. Type about:config in the address bar, accept the warning and in the search field on the resulting page, type fission.autostart and press Enter or Return. The Boolean entry should read false. Turn it to true by clicking the two-way arrow icon at the far right, which is a simple toggle.
More information about Firefox’s Fission can be found on Mozilla’s website.