Last year, we laid out a long-range plan for improving revocation support for Firefox. As of this week, we’ve completed most of the major elements of that plan. After adding OneCRL earlier this year, we have recently added support for …
This article has been coauthored by Aislinn Grigas, Senior Interaction Designer, Firefox Desktop. Over the past few months, Mozilla has been improving the user experience of our privacy and security features in Firefox. One specific initiative has focused on the …
In our previous blog post about phasing out certificates with SHA-1 based signature algorithms, we said that we planned to take a few actions with regard to SHA-1 certificates: Add a security warning to the Web Console to remind developers …
As part of our commitment to protect the privacy of our users, Mozilla will disable the insecure RC4 cipher in Firefox in late January 2016, beginning with Firefox 44. Mozilla will be taking this action in coordination with the Chrome …
The Bugzilla bug tracker is a major part of how we accomplish our mission of openness at Mozilla. It’s a tool for coordinating among our many contributors, and a focal point for community interactions. While most information in Bugzilla is …
As part of our commitment to help Firefox users stay safe online, we have recently expanded the malware detection features in Firefox. Thanks to new developments in Google’s Safe Browsing service, we are now able to identify malware downloads in …
Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. …
Last year, we introduced the Mozilla Winter of Security (MWoS) to invite students to work on security projects with members of Mozilla’s security teams. Ten projects were proposed, and dozens of teams applied. A winter later, MWoS 2014 gave birth …
As soon as a developer at Mozilla starts integrating a new WebAPI feature, the Mozilla Security team begins working to help secure that API. Subtle programming mistakes in new code can introduce annoying crashes and even serious security vulnerabilities that …
The Bug Bounty Program is an important part of security here at Mozilla. This program has paid out close to 1.6 million dollars to date and we are very happy with the success of it. We have a great community …
At Mozilla we’ve been using The Mozilla Defense Platform (lovingly referred to as MozDef) for almost two years now and we are happy to release v1.9. If you are unfamiliar, MozDef is a Security Information and Event Management (SIEM) overlay …
Mozilla has sent a Communication to the Certification Authorities (CAs) who have root certificates included in Mozilla’s program. Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to …
Today we are announcing our intent to phase out non-secure HTTP. There’s pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been statements from IETF, IAB (even the other IAB), W3C, and …
In the previous post about certificates with 1024-bit RSA keys we said that the changes for the second phase of migrating off of 1024-bit root certificates were planned to be released in Firefox in early 2015. These changes have been …
The purpose of the HTTP Referer (sic) header is to help sites figure out where their traffic comes from. However, as the Web got more complex, the amount of information in the Referer header ballooned, leading to bigger privacy problems. …
The Mozilla security team was proud to be part of Hack In The Box (HITB) 2014, held from 15-16 October 2014 in Kuala Lumpur (KL), Malaysia. Mozilla has been involved in HITB for several years now, and this year’s HackWEEKDAY …
Summary: SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn …
Introduction: Content Security Policy (CSP) is a good safety net against Cross Site Scripting (XSS). In fact, it’s the best one and I would recommend it to anyone building new sites. For existing sites, implementing CSP can be a challenge …
Issue: A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your …