Due to a long list of documented issues, Mozilla previously announced our intent to distrust TLS certificates issued by the Symantec Certification Authority, which is now a part of DigiCert. On August 13th, the next phase of distrust was enabled & Continue reading

The post Delaying Further Symantec TLS Certificate Distrust appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/10/10/delaying-further-symantec-tls-certificate-distrust/

Providing a web browser that you can depend on year after year is one of the core tenet of the Firefox security strategy. We put a lot of time and energy into making sure that the software you run has & Continue reading

The post Trusting the delivery of Firefox Updates appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/10/09/trusting-the-delivery-of-firefox-updates/

The HTTP Referrer Value Navigating from one webpage to another or requesting a sub-resource within a webpage causes a web browser to send the top-level URL in the HTTP referrer field. Inspecting that HTTP header field on the receiving end & Continue reading

The post Supporting Referrer Policy for CSS in Firefox 64 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/10/02/supporting-referrer-policy-for-css-in-firefox-64/

Mozilla has sent a CA Communication to inform Certification Authorities (CAs) who have root certificates included in Mozilla’s program about current events relevant to their membership in our program and to remind them of upcoming deadlines. This CA Communication has & Continue reading

The post September 2018 CA Communication appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/09/17/september-2018-ca-communication/

Mozilla has sent a CA Communication to inform Certification Authorities (CAs) who have root certificates included in Mozilla’s program about current events relevant to their membership in our program and to remind them of upcoming deadlines. This CA Communication has & Continue reading

The post September 2018 CA Communication appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/09/17/september-2018-ca-communication/

At Mozilla, we’ve been working to ensure our repositories hosted on GitHub are protected from malicious modification. As the recent Gentoo incident demonstrated, such attacks are possible. Mozilla’s original usage of GitHub was an alternative way to provide access to & Continue reading

The post Protecting Mozilla’s GitHub Repositories from Malicious Modification appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/09/11/protecting-mozillas-github-repositories-from-malicious-modification/

At Mozilla, we’ve been working to ensure our repositories hosted on GitHub are protected from malicious modification. As the recent Gentoo incident demonstrated, such attacks are possible. Mozilla’s original usage of GitHub was an alternative way to provide access to & Continue reading

The post Protecting Mozilla’s GitHub Repositories from Malicious Modification appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/09/11/protecting-mozillas-github-repositories-from-malicious-modification/

At Mozilla, we’ve been working to ensure our repositories hosted on GitHub are protected from malicious modification. As the recent Gentoo incident demonstrated, such attacks are possible. Mozilla’s original usage of GitHub was an alternative way to provide access to & Continue reading

The post Protecting Mozilla’s GitHub Repositories from Malicious Modification appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/09/11/protecting-mozillas-github-repositories-from-malicious-modification/

Mozilla has recently announced a change in our approach to protecting users against tracking. This announcement came as a result of extensive research, both internally and externally, that shows that users are not in control of how their data is & Continue reading

The post Why we need better tracking protection appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/09/05/why-we-need-better-tracking-protection/

On friday the IETF published TLS 1.3 as RFC 8446. It’s already shipping in Firefox and you can use it today. This version of TLS incorporates significant improvements in both security and speed. Transport Layer Security (TLS) is the protocol & Continue reading

The post TLS 1.3 Published: in Firefox Today appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/08/13/tls-1-3-published-in-firefox-today/

Mozilla established one of the first modern security bug bounty programs back in 2004. Since that time, much of the technology industry has followed our lead and bounty programs have become a critical tool for finding security flaws in the & Continue reading

The post Safe Harbor for Security Bug Bounty Participants appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/08/01/safe-harbor-for-security-bug-bounty-participants/

Firefox 60 (the current release) displays an “untrusted connection” error for any website using a TLS/SSL certificate issued before June 1, 2016 that chains up to a Symantec root certificate. This is part of the consensus proposal for removing trust & Continue reading

The post Update on the Distrust of Symantec TLS Certificates appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/07/30/update-on-the-distrust-of-symantec-tls-certificates/

Every day, countless Mozillians spend numerous hours testing Firefox to ensure that Firefox users get a stable and secure product. However, no product is bug free and, despite all of our testing efforts, browsers still crash sometimes. When we investigate & Continue reading

The post Introducing the ASan Nightly Project appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/07/19/introducing-the-asan-nightly-project/

Every day, countless Mozillians spend numerous hours testing Firefox to ensure that Firefox users get a stable and secure product. However, no product is bug free and, despite all of our testing efforts, browsers still crash sometimes. When we investigate & Continue reading

The post Introducing the ASan Nightly Project appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/07/19/introducing-the-asan-nightly-project/

Every day, countless Mozillians spend numerous hours testing Firefox to ensure that Firefox users get a stable and secure product. However, no product is bug free and, despite all of our testing efforts, browsers still crash sometimes. When we investigate & Continue reading

The post Introducing the ASan Nightly Project appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/07/19/introducing-the-asan-nightly-project/

After several months of discussion on the mozilla.dev.security.policy mailing list, our Root Store Policy governing Certification Authorities (CAs) that are trusted in Mozilla products has been updated. Version 2.6 has an effective date of July 1st, 2018. More than one & Continue reading

The post Root Store Policy Updated appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/07/02/root-store-policy-updated/

The new Firefox Monitor service will use anonymized range query API endpoints from Have I Been Pwned (HIBP). This new Firefox feature allows users to check for compromised online accounts while preserving their privacy. Anonymizing Account Identifiers Operations like ‘search’ & Continue reading

The post Scanning for breached accounts with k-Anonymity appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/

Firefox 61 will block subresource loads that rely on the insecure FTP protocol unless the document itself is an FTP document. For example, Firefox will block FTP subresource loads within HTTP(S) pages. The File Transfer Protocol (FTP) enables file exchange & Continue reading

The post Blocking FTP subresource loads within non-FTP documents in Firefox 61 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/05/07/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61/

Firefox 61 will block subresource loads that rely on the insecure FTP protocol unless the document itself is an FTP document. For example, Firefox will block FTP subresource loads within HTTP(S) pages. The File Transfer Protocol (FTP) enables file exchange & Continue reading

The post Blocking FTP subresource loads within non-FTP documents in Firefox 61 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/05/07/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61/

Firefox 61 will block subresource loads that rely on the insecure FTP protocol unless the document itself is an FTP document. For example, Firefox will block FTP subresource loads within HTTP(S) pages. The File Transfer Protocol (FTP) enables file exchange & Continue reading

The post Blocking FTP subresource loads within non-FTP documents in Firefox 61 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/05/07/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61/