mirror of
https://git.sr.ht/~seirdy/seirdy.one
synced 2024-11-27 14:12:09 +00:00
Compare commits
3 commits
8ed8a405f4
...
1345e19d68
Author | SHA1 | Date | |
---|---|---|---|
|
1345e19d68 | ||
|
5a40b240aa | ||
|
88fd0b81ae |
3 changed files with 27 additions and 1 deletions
|
@ -46,5 +46,5 @@ validate-feeds: .validate-feed-main .validate-feed-posts .validate-feed-notes
|
|||
.PHONY: validate-feeds .validate-feed-main .validate-feed-posts .validate-feed-notes
|
||||
|
||||
.PHONY: all-extra
|
||||
all-extra: axe htmltest validate-json equal-access htmlproofer lint-css validate-feeds
|
||||
all-extra: axe-ff htmltest validate-json equal-access htmlproofer lint-css validate-feeds
|
||||
|
||||
|
|
|
@ -36,7 +36,17 @@ This site is featured in some cool directories.
|
|||
- [Webrings Fanlisting](https://fanlistings.nickifaulk.com/webrings/)
|
||||
- [Gossip's Web](https://gossipsweb.net/personal-websites)
|
||||
- [Nixers](https://github.com/nixers-projects/sites/wiki/List-of-nixers.net-user-sites)
|
||||
|
||||
<details>
|
||||
<summary>Pending directories</summary>
|
||||
|
||||
- [Nerd Listings](https://nerdlistings.info/category/personalsites/) (pending)
|
||||
- [Ye Olde Blogroll](https://blogroll.org/) (pending)
|
||||
- [LinkLane](https://www.linklane.net/) (pending)
|
||||
- [Blog Surf](https://blogsurf.io/) (pending)
|
||||
- [Smooth Sailing](https://smoothsailing.asclaria.org/) (pending)
|
||||
- [Moonshot](https://www.moonshot.forbiddenl0ve.net/) (pending)
|
||||
- [Yesterlinks](https://links.yesterweb.org/) (pending)
|
||||
|
||||
</details>
|
||||
|
||||
|
|
16
content/notes/firefox-hardening-progress.md
Normal file
16
content/notes/firefox-hardening-progress.md
Normal file
|
@ -0,0 +1,16 @@
|
|||
---
|
||||
title: "Firefox hardening progress"
|
||||
date: 2022-07-12T09:33:40-07:00
|
||||
---
|
||||
In the past couple of years, Firefox made significant security-related progress.
|
||||
|
||||
Firefox's multi-process architecture was overhauled, starting with a [utility process overhaul](https://bugzilla.mozilla.org/show_bug.cgi?id=1722051). This has improved privilege separation by moving networking, audio, and other ancillary functions to a separate process. They also enable Arbitrary Code Guard (<abbr title="Arbitrary Code Guard">ACG</abbr>) for the utility process on Windows, and plan to do something similar on macOS. They don't (yet) emulate ACG on Linux.
|
||||
|
||||
They've rolled out a separate GPU process on some platforms; the roll-out will likely finish this year.
|
||||
|
||||
Regarding toolchain hardening: Chromium official builds use [Clang's CFI sanitizer](https://clang.llvm.org/docs/ControlFlowIntegrity.html); Firefox doesn't. However, a subset of Firefox's libraries support [RLBox sandboxing](https://docs.rlbox.dev/). This isn't a complete solution, but is still a welcome change. [The Tor Browser disables libgraphite on the "safer" security level](https://gitweb.torproject.org/torbutton.git/tree/modules/security-prefs.js?id=c8f7cd3fec5d5845179fcf71ad46888f2d14c8b0) due to security concerns which RLBox may have addressed.
|
||||
|
||||
I'm looking forward to seeing [PID namespace isolation](https://bugzilla.mozilla.org/show_bug.cgi?id=1151624) at some point.
|
||||
|
||||
Regarding JIT-related exploit mitigations, Firefox is still quite far behind; I recommend Firefox users to disable JIT in `about:config` (see note 25 of <cite>[Best practices for inclusive textual websites]({{<relref "/posts/website-best-practices">}})</cite>). This is partly related to malloc differences: JavaScriptCore has a malloc with a virtual memory cage, and V8 is currently working on one. As long as Firefox users are better served by disabling JIT: I'd like to see ACG enabled in the JIT-less content process (Chromium does this), and emulated on Linux (Edge does this, and [so did Hexavalent](https://github.com/Hexavalent-Browser/Hexavalent-Archive/tree/08d7b2952f87896e0279969041c149c4300a73cf/patches/linux)).
|
||||
|
Loading…
Reference in a new issue