Throughout 2020, Firefox users have been seeing fewer secure connection errors while browsing the Web. We’ve been improving connection errors overall for some time, and a new feature called Intermediate & Read more

The post Preloading Intermediate CA Certificates into Firefox appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/11/13/preloading-intermediate-ca-certificates-into-firefox/

A little over a year ago we enabled Enhanced Tracking Protection (ETP) by default in Firefox. We did so because we recognize that tracking poses a threat to society, user & Read more

The post Firefox 79 includes protections against redirect tracking appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/08/04/firefox-79-includes-protections-against-redirect-tracking/

We intend to update Mozilla’s Root Store Policy to reduce the maximum lifetime of TLS certificates from 825 days to 398 days, with the aim of protecting our users HTTPS & Read more

The post Reducing TLS Certificate Lifespans to 398 Days appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/

Cryptographic primitives, while extremely complex and difficult to implement, audit, and validate, are critical for security on the web. To ensure that NSS (Network Security Services, the cryptography library behind & Read more

The post Performance Improvements via Formally-Verified Cryptography in Firefox appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/07/06/performance-improvements-via-formally-verified-cryptography-in-firefox/

Mozilla has sent a CA Communication and Survey to inform Certification Authorities (CAs) who have root certificates included in Mozilla’s program about current expectations. Additionally this survey will collect input & Read more

The post May 2020 CA Communication appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/05/08/may-2020-ca-communication/

Firefox has one of the oldest security bug bounties on the internet, dating back to 2004. From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775  but as you can see in the & Continue reading

The post Firefoxs Bug Bounty in 2019 and into the Future appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/04/23/bug-bounty-2019-and-future/

Starting in version 75, Firefox can be configured to use client certificates provided by the operating system on Windows and macOS. Background When Firefox negotiates a secure connection with a website, the web server sends a certificate to the browser & Continue reading

The post Expanding Client Certificates in Firefox 75 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/

Prior to being able to display a web page within a browser the rendering engine checks and verifies the MIME type of the document being loaded. In case of an html page, for example, the rendering engine expects a MIME & Continue reading

The post Firefox 75 will respect nosniff for Page Loads appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/04/07/firefox-75-will-respect-nosniff-for-page-loads/

The Multi-Account Containers Add-on will now sync your container configuration and site assignments. Firefox Multi-Account Containers allows users to separate their online identities into different tab types called Containers. Each Container has its own separate storage and cookies.  This way, & Continue reading

The post Multi-Account Containers Add-on Sync Feature appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/02/06/multi-account-containers-sync/

CRLite pushes bulk certificate revocation information to Firefox users, reducing the need to actively query such information one by one. Additionally this new technology eliminates the privacy leak that individual queries can bring, and does so for the whole Web, & Continue reading

The post CRLite: Speeding Up Secure Browsing appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/01/21/crlite-part-3-speeding-up-secure-browsing/

Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about current events relevant to their membership in our program and to remind them of upcoming deadlines. This CA Communication has & Continue reading

The post January 2020 CA Communication appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/01/13/january-2020-ca-communication/

CRLite is a technology to efficiently compress revocation information for the whole Web PKI into a format easily delivered to Web users. It addresses the performance and privacy pitfalls of the Online Certificate Status Protocol (OCSP) while avoiding a need & Continue reading

The post The End-to-End Design of CRLite appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/01/09/crlite-part-2-end-to-end-design/

CRLite is a technology proposed by a group of researchers at the IEEE Symposium on Security and Privacy 2017 that compresses revocation information so effectively that 300 megabytes of revocation data can become 1 megabyte. It accomplishes this by combining & Continue reading

The post Introducing CRLite: All of the Web PKI’s revocations, compressed appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed/

Privacy is a human right, and is core to Mozilla’s mission. However many companies on the web erode privacy when they collect a significant amount of personal information. Companies record our browsing history and the actions we take across websites. & Continue reading

The post Firefox 72 blocks third-party fingerprinting resources appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/

After many months of discussion on the mozilla.dev.security.policy mailing list, our Root Store Policy governing Certificate Authorities (CAs) that are trusted in Mozilla products has been updated. Version 2.7 has an effective date of January 1st, 2020. More than one & Continue reading

The post Announcing Version 2.7 of the Mozilla Root Store Policy appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2019/12/11/announcing-version-2-7-of-the-mozilla-root-store-policy/

Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs I recently gave a talk at OWASP Global AppSec in Amsterdam and summarized the presentation in a blog post about how to achieve critical-rated code execution vulnerabilities in Firefox & Continue reading

The post Help Test Firefox’s built-in HTML Sanitizer to protect against UXSS bugs appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2019/12/02/help-test-firefoxs-built-in-html-sanitizer-to-protect-against-uxss-bugs/

Mozilla was one of the first companies to establish a bug bounty program and we continually adjust it so that it stays as relevant now as it always has been. To celebrate the 15 years of the 1.0 release of & Continue reading

The post Updates to the Mozilla Web Security Bounty Program appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2019/11/19/updates-to-the-mozilla-web-security-bounty-program/

At Github Universe, Github announced the GitHub Security Lab, an initiative to help secure open source software alongside the community and an initial set of partners including Mozilla. As part of this announcement, Github is providing free access to CodeQL, & Continue reading

The post Adding CodeQL and clang to our Bug Bounty Program appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2019/11/14/adding-codeql-and-clang-to-our-bug-bounty-program/

At Mozilla we are well aware of how fragile the Web Public Key Infrastructure (PKI) can be. From fraudulent Certification Authorities (CAs) to implementation errors that leak private keys, users, often unknowingly, are put in a position where their ability & Continue reading

The post Validating Delegated Credentials for TLS in Firefox appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2019/11/01/validating-delegated-credentials-for-tls-in-firefox/

The upcoming Firefox 70 release will update the security and privacy indicators in the URL bar. In recent years we have seen a great increase in the number of websites that are delivered securely via HTTPS. At the same time, & Continue reading

The post Improved Security and Privacy Indicators in Firefox 70 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2019/10/15/improved-security-and-privacy-indicators-in-firefox-70/