Bitslicing with Quine-McCluskey

Data Orthogonalization for Cryptography

Part one gave a short introduction to bitslicing as a concept, talked about its use cases, truth tables, software multiplexers, LUTs, and manual optimization. The second covered Karnaugh mapping, a visual method to simplify Boolean algebra expressions that takes advantage of humans’ pattern- …

Bitslicing with Karnaugh maps

Data Orthogonalization for Cryptography

Bitslicing, in cryptography, is the technique of converting arbitrary functions into logic circuits, thereby enabling fast, constant-time implementations of cryptographic algorithms immune to cache and timing-related side channel attacks. My last post Bitslicing, An Introduction showed how to …

Bitslicing, An Introduction

Data Orthogonalization for Cryptography

Bitslicing (in software) is an implementation strategy enabling fast, constant-time implementations of cryptographic algorithms immune to cache and timing-related side channel attacks. This post intends to give a brief overview of the general technique, not requiring much of a cryptographic …

Verified binary multiplication for GHASH

Exploring formal verification (part 3)

Previously I introduced some very basic Cryptol and SAWScript, and explained how to reason about the correctness of constant-time integer multiplication written in C/C++. In this post I will touch on using formal verification as part of the code review process, in particular show how, by using the …

The future of session resumption

Forward secure PSK key agreement in TLS 1.3

A while ago I wrote about the state of server-side session resumption implementations in popular web servers using OpenSSL. Neither Apache, nor Nginx or HAProxy purged stale entries from the session cache or rotated session tickets automatically, potentially harming forward secrecy of resumed TLS …

Simple Cryptol specifications

Exploring formal verification (part 2)

In the previous post I showed how to prove equivalence of two different implementations of the same algorithm. This post will cover writing an algorithm specification in Cryptol to prove the correctness of a constant-time C/C++ implementation. Apart from rather simple Cryptol I’m also going …

Equivalence proofs with SAW

Exploring formal verification (part 1)

This is the first of a small series of posts that will scratch the surface of the world of formal verification. I will mainly use SAW, the Software Analysis Workbench, and Cryptol, a DSL for specifying crypto algorithms. Both are powerful tools for verifying C, C++, and even Rust code, i.e. almost …

Notes on HACS 2017

The High Assurance Crypto Software workshop

Real World Crypto is probably one of my favorite conferences. It’s a fine mix of practical and theoretical talks, plus a bunch of great hallway, lunch, and dinner conversations. It was broadcast live for the first time this year, and the talks are available online. But I’m not going …

TLS version intolerance

Working around bugs in legacy TLS stacks

A few weeks ago I listened to Hanno Böck talk about TLS version intolerance at the Berlin AppSec & Crypto Meetup. He explained how with TLS 1.3 just around the corner there again are growing concerns about faulty TLS stacks found in HTTP servers, load balancers, routers, firewalls, and similar …

Continuous Integration for NSS

Automating builds and tests with Mozilla’s Taskcluster framework

The following image shows our TreeHerder dashboard after pushing a changeset to the NSS repository. It is the result of only a few weeks of work (on our side): Based on my experience from building a Taskcluster CI for NSS over the last weeks, I want to share a rough outline of the process of …

The Evolution of Signatures in TLS

Signature algorithms and schemes in TLS 1.0 - 1.3

This post will take a look at the evolution of signature algorithms and schemes in the TLS protocol since version 1.0. I at first started taking notes for myself but then decided to polish and publish them, hoping that others will benefit as well. (Let’s ignore client authentication for …

Six months as a Security Engineer

My work on Mozilla’s Security Engineering team

It’s been a little more than six months since I officially switched to the Security Engineering team here at Mozilla to work on NSS and related code. I thought this might be a good time to share what I’ve been up to in a short status update: Removed SSLv2 code from NSS NSS contained …

A fast, constant-time AEAD for TLS

ChaCha20/Poly1305 cipher suites in Firefox 47

The only TLS v1.2+ cipher suites with a dedicated AEAD scheme are the ones using AES-GCM, a block cipher mode that turns AES into an authenticated cipher. From a cryptographic point of view these are preferable to non-AEAD-based cipher suites (e.g. the ones with AES-CBC) because getting …

Build your own Signal Desktop

Packaging the Signal Private Messenger and NW.js into a standalone app

The Signal Private Messenger is great. Use it. It’s probably the best secure messenger on the market. When recently a desktop app was announced people were eager to join the beta and even happier when an invite finally showed up in their inbox. So was I; it’s a great app and works …

More Privacy, Less Latency

Improved Handshakes in TLS version 1.3

Please note that this post is about draft-11 of the TLS v1.3 standard. TLS must be fast. Adoption will greatly benefit from speeding up the initial handshake that authenticates and secures the connection. You want to get the protocol out of the way and start delivering data to visitors as soon as …

A Firefox OS password storage

PBKDF2 and the WebCrypto API in the wild

My esteemed colleague Frederik Braun recently took on rewriting the module responsible for storing and checking passcodes that unlock Firefox OS phones. While we are still working on actually landing it in Gaia I wanted to seize the chance to talk about this great use case of the WebCrypto API in …

Botching Forward Secrecy

The sad state of server-side TLS Session Resumption implementations

After you finished reading this one, please also read the follow-up post that covers session resumption changes in TLS 1.3. Probably the oldest complaint about TLS is that its handshake is slow and together with the transport encryption has a lot of CPU overhead. This certainly is not true anymore …

Generating .onion names for Tor hidden services

Tinkering with the WebCrypto API

You have probably read that Facebook unveiled its hidden service that lets users access their website more safely via Tor. While there are lots of opinions about whether this is good or bad I think that the Tor project described best why that is not as crazy as it seems. The most interesting part …

HTTP Public-Key-Pinning explained

The what, why, and how of RFC 7469

In my last post “Deploying TLS the hard way” I explained how TLS and its extensions (as well as a few HTTP extensions) work and what to watch out for when enabling TLS for your server. One of the HTTP extensions mentioned is HTTP Public-Key-Pinning (HPKP). As a short reminder, the …

Deploying TLS the hard way

Configuring HTTPS for your domain(s)

How does TLS work? The certificate (Perfect) Forward Secrecy Choosing the right cipher suites HTTP Strict Transport Security HSTS Preload List OCSP Stapling HTTP Public Key Pinning Known attacks Last weekend I finally deployed TLS for and decided to write up what I learned on the way …

The Mozilla build VM

A virtual build environment for Firefox

Note: This post might be outdated as it has been turned into an MDN page. Please refer to the MDN page for the latest information about the Firefox Developer VM. It will also tell you the correct checksum to compare to after downloading. …

Scotland.JS 2013 in Edinburgh

I got to spend Wednesday through Friday in Edinburgh last week to attend Scotland.JS. Edinburgh is a lovely city and I will definitely return to get to know it better. It has great people, beers, food and even a castle - what more could one want? I arrived on Wednesday, just in time for the …

Infinite Sequences in JavaScript

Experiments with ES6 generators

JavaScript comes with most of the little functional tools you need to work on finite sequences that are usually implemented using Arrays. Array.prototype includes a number of methods like map() and filter() that apply a given function to all items of the Array and return the resulting new Array. [1 …

Stop. Iteration time!

Implementing ES6 generators and iterators

You have probably already heard of generators and iterators coming to a browser near you. They have been available in Firefox for a long time and are used extensively all over the Mozilla code base. The V8 team will implement iterators and generators once ES6 has been finalized. This post describes …

getUserMedia() part #3

Simple motion detection in a live video

Now that you should already know how to build a live green screen and an EyeToy-like mini-game using nothing but plain JavaScript and a modern browser supporting WebRTC, let us move on to another interesting example: simple motion detection in a live video. The initialization code To detect motion …

getUserMedia() part #2

Building an EyeToy-like mini-game

This post is a follow-up to my previous one about building a live green screen with getUserMedia() and MediaStreams. If you have not read it yet, this might be a good time. We will extend the small example to build an EyeToy-like mini-game. Some additions var video, width, height, context; var …

getUserMedia() part #1

Building a live green screen

While recently watching a talk about the new WebRTC features I was reminded of Paul Rouget’s great green screen demo and thought that this would be a cool thing to have for live video as well. Let us build a live green screen! The markup <body> <video id="v" width="320 …

Fixing new tab page performance regressions

As you probably already know, Firefox 13 introduced a neat new feature - the new tab page. We replaced the old blank page with a list of thumbnails of recently visited sites. While the feature itself works great for many people it has definitely made opening new tabs a little more noisy. Do not …

Are we small, yet?

A histogram of Firefox download sizes

Lately, Asa Dotzler posted to dev.apps.firefox regarding the download size of Firefox: This evening I noticed that my full win32 mar update for Firefox was 21MB. That caused me to look at what our full win32 installer size was. I was a bit surprised to see it’s up to 17MB. When we shipped Firefox 1 …

One year at Mozilla

You may already know the story of how I became a Firefox contributor. Back in early April of 2011, having volunteered full-time for three months (a rather short time compared to other core contributors), I was given the opportunity to start as a paid contributor working for Mozilla. Over the year I …

Fighting DocShell and DOMWindow leaks

In my post Leak hunting in browser-chrome mochitests I wrote about the measures we were considering to prevent regressing efforts to get rid of leaks in Firefox. Now that bug 683953 has landed we finally have a way to detect the leakage of whole DocShells and DOMWindows for the lifetime of the …

Help us test the New Tab Page!

Over the last weeks we worked hard on getting the New Tab Page into Firefox. It’s not quite ready yet but we need your help testing it. We enabled it by default on Nightly and decided to give it a week on Aurora to get feedback from those users as well. Nightly: Aurora: …

How I became a Firefox contributor

December 2009. I’ve been a freelancer for quite some time now and decided to dedicate some weeks to something that always fascinated me: contributing to a big open source project. I started some smaller open source projects in the past (like Video4Linux.Net and ViGedit+) and contributed every so …

Leak hunting in browser-chrome mochitests

Some weeks (even months) ago Dão Gottwald started the hunt for leaked DOMWindows and DocShells while running our browser-chrome mochitest suite (see bug 658738). That means that there are some expensive objects whose lifetimes are longer than they should be – they are kept alive until the test …

Firefox Electrolysis 101

Writing code for multi-process Firefox

You probably have all heard of this weird new thing called Electrolysis (a.k.a. e10s). Basically it’s all about running the browser UI and its tabs in separated processes. I recently rewrote a part of Panorama to be e10s-future-proof and thought I should share what I’ve learned so far… (If you don’ …

Deferred loading of inactive tab groups

Starting with tomorrow’s Nightly hidden tabs are no longer restored by default when starting Firefox. That means tabs from inactive Panorama groups will not load until these groups/tabs are shown. Finally we have a part of the behavior everyone actually expects when using Panorama. If you have …

Customizable Shortcuts

A Firefox Add-on

As you probably know, in Firefox there is unfortunately no way to configure existing shortcuts. All I found is the keyconfig add-on, which seems really old and very hard to configure (there is no UI, only about:config). That’s why I finally decided to write an add-on with a neat UI (not only) for …