Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about current events relevant to their membership in our program and to remind them of upcoming deadlines. This CA Communication has …
The post January 2020 CA Communication appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2020/01/13/january-2020-ca-communication/
CRLite is a technology to efficiently compress revocation information for the whole Web PKI into a format easily delivered to Web users. It addresses the performance and privacy pitfalls of the Online Certificate Status Protocol (OCSP) while avoiding a need …
The post The End-to-End Design of CRLite appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/
CRLite is a technology proposed by a group of researchers at the IEEE Symposium on Security and Privacy 2017 that compresses revocation information so effectively that 300 megabytes of revocation data can become 1 megabyte. It accomplishes this by combining …
The post Introducing CRLite: All of the Web PKI’s revocations, compressed appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/
Privacy is a human right, and is core to Mozilla’s mission. However, many companies on the web erode privacy when they collect a significant amount of personal information. Companies record our browsing history and the actions we take across websites. …
The post Firefox 72 blocks third-party fingerprinting resources appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/
After many months of discussion on the mozilla.dev.security.policy mailing list, our Root Store Policy governing Certificate Authorities (CAs) that are trusted in Mozilla products has been updated. Version 2.7 has an effective date of January 1st, 2020. More than one …
The post Announcing Version 2.7 of the Mozilla Root Store Policy appeared first on Mozilla Security Blog.
I recently gave a talk at OWASP Global AppSec in Amsterdam and summarized the presentation in a blog post about how to achieve critical-rated code execution vulnerabilities in Firefox …
The post Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs appeared first on Mozilla Security Blog.
Mozilla was one of the first companies to establish a bug bounty program and we continually adjust it so that it stays as relevant now as it always has been. To celebrate 15 years since the 1.0 release of …
The post Updates to the Mozilla Web Security Bounty Program appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/11/19/updates-to-the-mozilla-web-security-bounty-program/
At GitHub Universe, GitHub announced the GitHub Security Lab, an initiative to help secure open source software alongside the community and an initial set of partners including Mozilla. As part of this announcement, GitHub is providing free access to CodeQL, …
The post Adding CodeQL and clang to our Bug Bounty Program appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/11/14/adding-codeql-and-clang-to-our-bug-bounty-program/
At Mozilla we are well aware of how fragile the Web Public Key Infrastructure (PKI) can be. From fraudulent Certification Authorities (CAs) to implementation errors that leak private keys, users, often unknowingly, are put in a position where their ability …
The post Validating Delegated Credentials for TLS in Firefox appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/
The upcoming Firefox 70 release will update the security and privacy indicators in the URL bar. In recent years we have seen a great increase in the number of websites that are delivered securely via HTTPS. At the same time, …
The post Improved Security and Privacy Indicators in Firefox 70 appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/10/15/improved-security-and-privacy-indicators-in-firefox-70/
A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, …
The post Hardening Firefox against Injection Attacks appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/10/14/hardening-firefox-against-injection-attacks/
A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the …
The post Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/
Firefox for Android (Fennec) now supports the Web Authentication API as of version 68. WebAuthn blends public-key cryptography into web application logins, and is our best technical response to credential phishing. Applications leveraging WebAuthn gain new second factor and “passwordless” …
The post Web Authentication in Firefox for Android appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/
At Mozilla, we rely heavily on automation to increase our ability to fuzz Firefox and the components from which it is built. Our fuzzing team is constantly developing tools to help integrate new and existing capabilities into our workflow with …
The post Grizzly Browser Fuzzing Framework appeared first on Mozilla Security Blog.
After the release of Firefox 65 in December, we detected a significant increase in a certain type of TLS error that is often triggered by the interaction of antivirus software with the browser. Today, we are announcing the results of …
The post Fixing Antivirus Errors appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/07/01/fixing-antivirus-errors/
The GPG key used to sign the Firefox release manifests is expiring soon, so we’re going to be switching over to a new key shortly. The new GPG subkey’s fingerprint is 097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D …
The post Updated GPG key for signing Firefox Releases appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/06/13/updated-firefox-gpg-key/
In late 2018 Mozilla conducted an experiment to collect browser Telemetry data with Prio, a privacy-preserving data collection system developed by Stanford Professor Dan Boneh and PhD candidate Henry Corrigan-Gibbs. That experiment was a success: it allowed us to validate …
The post Next steps in privacy-preserving Telemetry with Prio appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/06/06/next-steps-in-privacy-preserving-telemetry-with-prio/
The Common CA Database (CCADB) is helping us protect individuals’ security and privacy on the internet and deliver on our commitment to use transparent community-based processes to promote participation, accountability and trust. It is a repository of information about Certificate …
The post Mozilla’s Common CA Database (CCADB) promotes Transparency and Collaboration appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/
Over the past few months, we’ve been experimenting with DNS-over-HTTPS (DoH), a protocol which uses encryption to protect DNS requests and responses, with the goal of deploying DoH by default for our users. Our plan is to select a set …
The post DNS-over-HTTPS Policy Requirements for Resolvers appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/04/09/dns-over-https-policy-requirements-for-resolvers/