Safe Harbor for Security Bug Bounty Participants rss_mozsec 01-08-2018 23:49


Mozilla established one of the first modern security bug bounty programs back in 2004. Since that time, much of the technology industry has followed our lead and bounty programs have become a critical tool for finding security flaws in the …

The post Safe Harbor for Security Bug Bounty Participants appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/08/01/safe-harbor-for-security-bug-bounty-participants/

Update on the Distrust of Symantec TLS Certificates rss_mozsec 31-07-2018 04:25


Firefox 60 (the current release) displays an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016 that chains up to a Symantec root certificate. This is part of the consensus proposal for removing trust …

The post Update on the Distrust of Symantec TLS Certificates appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/


Introducing the ASan Nightly Project rss_mozsec 19-07-2018 19:23


Every day, countless Mozillians spend numerous hours testing Firefox to ensure that Firefox users get a stable and secure product. However, no product is bug free and, despite all of our testing efforts, browsers still crash sometimes. When we investigate …

The post Introducing the ASan Nightly Project appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/07/19/introducing-the-asan-nightly-project/

Root Store Policy Updated rss_mozsec 02-07-2018 19:00


After several months of discussion on the mozilla.dev.security.policy mailing list, our Root Store Policy governing Certification Authorities (CAs) that are trusted in Mozilla products has been updated. Version 2.6 has an effective date of July 1st, 2018. More than one …

The post Root Store Policy Updated appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/07/02/root-store-policy-updated/

Scanning for breached accounts with k-Anonymity rss_mozsec 25-06-2018 22:58


The new Firefox Monitor service will use anonymized range query API endpoints from Have I Been Pwned (HIBP). This new Firefox feature allows users to check for compromised online accounts while preserving their privacy. Anonymizing Account Identifiers Operations like ‘search’ …

The post Scanning for breached accounts with k-Anonymity appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/

Blocking FTP subresource loads within non-FTP documents in Firefox 61 rss_mozsec 08-05-2018 09:13


Firefox 61 will block subresource loads that rely on the insecure FTP protocol unless the document itself is an FTP document. For example, Firefox will block FTP subresource loads within HTTP(S) pages. The File Transfer Protocol (FTP) enables file exchange …

The post Blocking FTP subresource loads within non-FTP documents in Firefox 61 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/05/07/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61/

Supporting Same-Site Cookies in Firefox 60 rss_mozsec 24-04-2018 10:43


Firefox 60 will introduce support for the same-site cookie attribute, which allows developers to gain more control over cookies. Since browsers will include cookies with every request to a website, most sites rely on this mechanism to determine whether users …

The post Supporting Same-Site Cookies in Firefox 60 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

Distrust of Symantec TLS Certificates rss_mozsec 13-03-2018 00:15


A Certification Authority (CA) is an organization that browser vendors (like Mozilla) trust to issue certificates to websites. Last year, Mozilla published and discussed a set of issues with one of the oldest and largest CAs run by Symantec. The …

The post Distrust of Symantec TLS Certificates appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

Analysis of the Alexa Top 1M Sites rss_mozsec 01-03-2018 02:49


Prior to the release of the Mozilla Observatory in June of 2016, I ran a scan of the Alexa Top 1M websites. Despite being available for years, the usage rates of modern defensive security technologies were frustratingly low. A lack …

The post Analysis of the Alexa Top 1M Sites appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/02/28/analysis-alexa-top-1m-sites-2/

Restricting AppCache to Secure Contexts rss_mozsec 13-02-2018 01:54


The Application Cache (AppCache) interface provides a caching mechanism that allows websites to run offline. Using this API, developers can specify resources that the browser should cache and make available to users offline. Unfortunately, AppCache has limitations in revalidating its …

The post Restricting AppCache to Secure Contexts appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/

Preventing data leaks by stripping path information in HTTP Referrers rss_mozsec 31-01-2018 18:11


To help prevent third party data leakage while browsing privately, Firefox Private Browsing Mode will remove path information from referrers sent to third parties starting in Firefox 59. Referrers can leak sensitive data When you click a link in your …

The post Preventing data leaks by stripping path information in HTTP Referrers appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/

January 2018 CA Communication rss_mozsec 30-01-2018 03:05


Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about current events related to domain validation for SSL certificates and to remind them of a number of upcoming deadlines. This …

The post January 2018 CA Communication appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/01/29/january-2018-ca-communication/

Secure Contexts Everywhere rss_mozsec 15-01-2018 19:00


Since Let’s Encrypt launched, secure contexts have become much more mature. We have witnessed the successful restriction of existing, as well as new features to secure contexts. The W3C TAG is about to drastically raise the bar to ship features …

The post Secure Contexts Everywhere appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/

Mitigations landing for new class of timing attack rss_mozsec 04-01-2018 03:23


Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs. Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between …

The post Mitigations landing for new class of timing attack appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Blocking Top-Level Navigations to data URLs for Firefox 59 rss_mozsec 28-11-2017 10:42


End users rely on the address bar of a web browser to identify what web page they are on. However, most end users are not aware of the concept of a data URL which can contain a legitimate address string …

The post Blocking Top-Level Navigations to data URLs for Firefox 59 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/

November 2017 CA Communication rss_mozsec 16-11-2017 23:46


Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about Mozilla’s expectations regarding version 2.5 of Mozilla’s Root Store Policy, annual CA updates, and actions the CAs need to take. …

The post November 2017 CA Communication appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2017/11/16/november-2017-ca-communication/
