Hardening Firefox against Injection Attacks |
A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels. To make Firefox resilient against such code injection attacks, …
The post Hardening Firefox against Injection Attacks appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/10/14/hardening-firefox-against-injection-attacks/
Tags: Announcements Security |
Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit |
A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the …
The post Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/10/09/iterm2-critical-issue-moss-audit/
Tags: Security audit MOSS |
Protecting our Users in Kazakhstan |
Tags: CA Program TLS |
Web Authentication in Firefox for Android |
Firefox for Android (Fennec) now supports the Web Authentication API as of version 68. WebAuthn blends public-key cryptography into web application logins, and is our best technical response to credential phishing. Applications leveraging WebAuthn gain new second factor and “passwordless” …
The post Web Authentication in Firefox for Android appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/
Tags: Crypto Engineering Security Authentication Biometric Fennec Firefox for Android Web Authentication |
Grizzly Browser Fuzzing Framework |
At Mozilla, we rely heavily on automation to increase our ability to fuzz Firefox and the components from which it is built. Our fuzzing team is constantly developing tools to help integrate new and existing capabilities into our workflow with …
The post Grizzly Browser Fuzzing Framework appeared first on Mozilla Security Blog.
Tags: Automated Testing Security tools fuzzing testing tool |
Fixing Antivirus Errors |
After the release of Firefox 65 in December, we detected a significant increase in a certain type of TLS error that is often triggered by the interaction of antivirus software with the browser. Today, we are announcing the results of …
The post Fixing Antivirus Errors appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/07/01/fixing-antivirus-errors/
Tags: TLS |
Updated GPG key for signing Firefox Releases |
The GPG key used to sign the Firefox release manifests is expiring soon, and so we’re going to be switching over to new key shortly. The new GPG subkey’s fingerprint is 097B 3130 77AE 62A0 2F84 DA4D F1A6 668F BB7D …
The post Updated GPG key for signing Firefox Releases appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/06/13/updated-firefox-gpg-key/
Tags: Security |
Next steps in privacy-preserving Telemetry with Prio |
In late 2018 Mozilla conducted an experiment to collect browser Telemetry data with Prio, a privacy-preserving data collection system developed by Stanford Professor Dan Boneh and PhD candidate Henry Corrigan-Gibbs. That experiment was a success: it allowed us to validate …
The post Next steps in privacy-preserving Telemetry with Prio appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/06/06/next-steps-in-privacy-preserving-telemetry-with-prio/
Tags: Security |
Mozilla’s Common CA Database (CCADB) promotes Transparency and Collaboration |
The Common CA Database (CCADB) is helping us protect individuals’ security and privacy on the internet and deliver on our commitment to use transparent community-based processes to promote participation, accountability and trust. It is a repository of information about Certificate …
The post Mozilla’s Common CA Database (CCADB) promotes Transparency and Collaboration appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/04/15/common-ca-database-ccadb/
Tags: Security |
DNS-over-HTTPS Policy Requirements for Resolvers |
Over the past few months, we’ve been experimenting with DNS-over-HTTPS (DoH), a protocol which uses encryption to protect DNS requests and responses, with the goal of deploying DoH by default for our users. Our plan is to select a set …
The post DNS-over-HTTPS Policy Requirements for Resolvers appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/04/09/dns-over-https-policy-requirements-for-resolvers/
Tags: Firefox Privacy Security DNS DNS-over-HTTPS DOH |
Backward-Compatibility FIDO U2F support shipping soon in Firefox |
Web Authentication (WebAuthn), a recent web standard blending public-key cryptography into website logins, is our best technical response to credential phishing. That’s why we’ve championed it as a technology. The FIDO U2F API is the spiritual ancestor of WebAuthn; to-date, …
The post Backward-Compatibility FIDO U2F support shipping soon in Firefox appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2019/04/04/shipping-fido-u2f-api-support-in-firefox/
Tags: Crypto Engineering Web Authentication |
Passwordless Web Authentication Support via Windows Hello |
Firefox 66, being released this week, supports using the Windows Hello feature for Web Authentication on Windows 10, enabling a passwordless experience on the web that is hassle-free and more secure. Firefox has supported Web Authentication for all desktop platforms …
The post Passwordless Web Authentication Support via Windows Hello appeared first on Mozilla Security Blog.
Tags: Crypto Engineering Firefox Security Authentication Biometrics Crypto Web Authentication WebAuthn |
Why Does Mozilla Maintain Our Own Root Certificate Store? |
Mozilla maintains a database containing a set of “root” certificates that we use as “trust anchors”. This database, commonly referred to as a “root store”, allows us to determine which Certificate Authorities (CAs) can issue SSL/TLS certificates that are trusted …
The post Why Does Mozilla Maintain Our Own Root Certificate Store? appeared first on Mozilla Security Blog.
Tags: CA Program |
Defining the tracking practices that will be blocked in Firefox |
For years, web users have endured major privacy violations. Their browsing continues to be routinely and silently tracked across the web. Tracking techniques have advanced to the point where users cannot meaningfully control how their personal data is used. At …
The post Defining the tracking practices that will be blocked in Firefox appeared first on Mozilla Security Blog.
Tags: Announcements Firefox Privacy |
When does Firefox alert for breached sites? |
Mozilla’s Position on Data Breaches: Data breaches are common for online services. Humans make mistakes, and humans make the Internet. Some online services discover, mitigate, and disclose breaches quickly. Others go undetected for years. Recent breaches include “fresh” data, which …
The post When does Firefox alert for breached sites? appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2018/11/14/when-does-firefox-alert-for-breached-sites/
Tags: Firefox Security |
Firefox 63 Lets Users Block Tracking Cookies |
As announced in August, Firefox is changing its approach to addressing tracking on the web. As part of that plan, we signaled our intent to prevent cross-site tracking for all Firefox users and made our initial prototype available for testing. …
The post Firefox 63 Lets Users Block Tracking Cookies appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2018/10/23/firefox-63-lets-users-block-tracking-cookies/
Tags: Firefox Privacy Security |
Encrypted SNI Comes to Firefox Nightly |
TL;DR: Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on your network from learning your browsing history. You can enable encrypted SNI today and it will automatically work with any site that …
The post Encrypted SNI Comes to Firefox Nightly appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox-nightly/
Tags: Security |
Removing Old Versions of TLS |
In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1. On the Internet, 20 years is an eternity. TLS 1.0 will be 20 years old in January 2019. In that time, TLS has protected billions …
The post Removing Old Versions of TLS appeared first on Mozilla Security Blog.
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
Tags: Firefox Security TLS |