

MozDef: The Mozilla Defense Platform v1.9 rss_mozsec 21-05-2015 01:26


At Mozilla we’ve been using The Mozilla Defense Platform (lovingly referred to as MozDef) for almost two years now and we are happy to release v1.9. If you are unfamiliar, MozDef is a Security Information and Event Management (SIEM) overlay … Continue reading

https://blog.mozilla.org/security/2015/05/20/mozdef-the-mozilla-defense-platform-v1-9/

May 2015 CA Communication rss_mozsec 12-05-2015 22:13


Mozilla has sent a Communication to the Certification Authorities (CAs) who have root certificates included in Mozilla’s program. Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to … Continue reading

https://blog.mozilla.org/security/2015/05/12/may-2015-ca-communication/


Deprecating Non-Secure HTTP rss_mozsec 01-05-2015 01:24


Today we are announcing our intent to phase out non-secure HTTP. There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and … Continue reading

https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

Phase 2: Phasing out Certificates with 1024-bit RSA Keys rss_mozsec 29-01-2015 01:14


In the previous post about certificates with 1024-bit RSA keys we said that the changes for the second phase of migrating off of 1024-bit root certificates were planned to be released in Firefox in early 2015. These changes have been … Continue reading

https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/

Tighter Control Over Your Referrers rss_mozsec 21-01-2015 16:40


The purpose of the HTTP Referer (sic) header is to help sites figure out where their traffic comes from. However, as the Web got more complex, the amount of information in the Referer header ballooned, leading to bigger privacy problems. … Continue reading

https://blog.mozilla.org/security/2015/01/21/meta-referrer/

Mozilla at HITB Malaysia rss_mozsec 11-11-2014 03:18


The Mozilla security team was proud to be part of Hack In The Box (HITB) 2014, held from 15-16 October 2014 in Kuala Lumpur (KL), Malaysia. Mozilla has been involved in HITB for several years now, and this year’s HackWEEKDAY … Continue reading

https://blog.mozilla.org/security/2014/11/10/mozilla-at-hitb-malaysia/

The POODLE Attack and the End of SSL 3.0 rss_mozsec 15-10-2014 03:15


Summary: SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn … Continue reading

https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/

CSP for the web we have rss_mozsec 04-10-2014 12:47


Introduction: Content Security Policy (CSP) is a good safety net against Cross Site Scripting (XSS). In fact, it’s the best one and I would recommend it to anyone building new sites. For existing sites, implementing CSP can be a challenge … Continue reading

https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/

RSA Signature Forgery in NSS rss_mozsec 25-09-2014 05:29


Issue: A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your … Continue reading

https://blog.mozilla.org/security/2014/09/24/rsa-signature-forgery-in-nss/

Phasing Out Certificates with SHA-1 based Signature Algorithms rss_mozsec 24-09-2014 02:13


Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the … Continue reading

https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

A Faster Content Security Policy (CSP) rss_mozsec 10-09-2014 20:14


With the establishment of CSP Level 2, Mozilla shifted gears and reimplemented CSP in C++. This security feature first shipped in Firefox 4 (2011), and until now was implemented in a combination of JavaScript and C++. The new implementation is … Continue reading

https://blog.mozilla.org/security/2014/09/10/faster-csp/

Phasing out Certificates with 1024-bit RSA Keys rss_mozsec 09-09-2014 02:09


For many years, Mozilla, NIST, the CA/Browser Forum, and others have been encouraging Certification Authorities (CAs) to upgrade their 1024-bit RSA keys to a stronger cryptographic algorithm (either longer RSA keys or ECDSA). We are actively working with CAs to … Continue reading

https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/

Public key pinning released in Firefox rss_mozsec 02-09-2014 22:28


Firefox now supports built-in public key pins, which means that a shortened list of acceptable certificate authorities (CAs) for participating sites is built into Firefox. In this first stage of pinning roll-out, protected domains include addons.mozilla.org and Twitter, to be … Continue reading

https://blog.mozilla.org/security/2014/09/02/public-key-pinning/

Update on reviewing our data practices and Bugzilla development database disclosure rss_mozsec 28-08-2014 04:02


As we indicated in the post titled “MDN Disclosure”, we began several remediation measures, including a review of data practices surrounding user data. We have kicked off a larger project to better our practices around data, including with respect to … Continue reading

https://blog.mozilla.org/security/2014/08/27/update-on-reviewing-our-data-practices-and-bugzilla-development-database-disclosure/

mozilla::pkix ships in Firefox! rss_mozsec 20-08-2014 21:35


In April, we announced an upcoming certificate verification library designed from the ground up to be fast and secure. A few weeks ago, this new library, known as mozilla::pkix, shipped with Firefox and is enabled by default. Please … Continue reading

https://blog.mozilla.org/security/2014/08/20/mozillapkix-ships-in-firefox/
