Firefox 60 will introduce support for the same-site cookie attribute, which allows developers to gain more control over cookies. Since browsers will include cookies with every request to a website, most sites rely on this mechanism to determine whether users & Continue reading

The post Supporting Same-Site Cookies in Firefox 60 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/

A Certification Authority (CA) is an organization that browser vendors (like Mozilla) trust to issue certificates to websites. Last year, Mozilla published and discussed a set of issues with one of the oldest and largest CAs run by Symantec. The & Continue reading

The post Distrust of Symantec TLS Certificates appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/

Prior to the release of the Mozilla Observatory in June of 2016, I ran a scan of the Alexa Top 1M websites. Despite being available for years, the usage rates of modern defensive security technologies was frustratingly low. A lack & Continue reading

The post Analysis of the Alexa Top 1M Sites appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/02/28/analysis-alexa-top-1m-sites-2/

The Application Cache (AppCache) interface provides a caching mechanism that allows websites to run offline. Using this API, developers can specify resources that the browser should cache and make available to users offline. Unfortunately, AppCache has limitations in revalidating its & Continue reading

The post Restricting AppCache to Secure Contexts appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/

To help prevent third party data leakage while browsing privately, Firefox Private Browsing Mode will remove path information from referrers sent to third parties starting in Firefox 59. Referrers can leak sensitive data When you click a link in your & Continue reading

The post Preventing data leaks by stripping path information in HTTP Referrers appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/

Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about current events related to domain validation for SSL certificates and to remind them of a number of upcoming deadlines. This & Continue reading

The post January 2018 CA Communication appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/01/29/january-2018-ca-communication/

Since Let’s Encrypt launched, secure contexts have become much more mature. We have witnessed the successful restriction of existing, as well as new features to secure contexts. The W3C TAG is about to drastically raise the bar to ship features & Continue reading

The post Secure Contexts Everywhere appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/01/15/secure-contexts-everywhere/

Several recently-published research articles have demonstrated a new class of timing attacks (Meltdown and Spectre) that work on modern CPUs.  Our internal experiments confirm that it is possible to use similar techniques from Web content to read private information between & Continue reading

The post Mitigations landing for new class of timing attack appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

End users rely on the address bar of a web browser to identify what web page they are on. However, most end users are not aware of the concept of a data URL which can contain a legitimate address string & Continue reading

The post Blocking Top-Level Navigations to data URLs for Firefox 59 appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/

Mozilla has sent a CA Communication to inform Certificate Authorities (CAs) who have root certificates included in Mozilla’s program about Mozilla’s expectations regarding version 2.5 of Mozilla’s Root Store Policy, annual CA updates, and actions the CAs need to take. & Continue reading

The post November 2017 CA Communication appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2017/11/16/november-2017-ca-communication/

Mozilla’s Root Store Program has taken the position that trust is not automatically transferable between organizations. This is specifically stated in section 8 of our Root Store Policy v2.5, which details how Mozilla handles transfers of root certificates between organizations. & Continue reading

The post Statement on DigiCert’s Proposed Purchase of Symantecs CA appeared first on Mozilla Security Blog.

https://blog.mozilla.org/security/2017/10/31/statement-digicerts-proposed-purchase-symantec/

This is a short announcement for all security researchers working on Firefox that use our pre-built AddressSanitzer (ASan) builds. Until recently, you could download these ASan builds from our FTP servers. Due to changes to our internal build infrastructure, these & Continue reading

https://blog.mozilla.org/security/2016/09/09/firefox-addresssanitizer-builds-have-been-moved/

Scanning the content of a file allows web browsers to detect the format of a file regardless of the specified Content-Type by the web server. For example, if Firefox requests script from a web server and that web server sends & Continue reading

https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/

The Mozilla Winter of Security of 2015 has ended, and the participating teams of students are completing their projects. The Certificate Automation tooling for Lets Encrypt project wrapped up this month, having produced an experimental proof-of-concept patch for the Nginx & Continue reading

https://blog.mozilla.org/security/2016/08/08/mwos-2015-lets-encrypt-automation-tooling/

What security engineers do at Mozilla is critical  not for just Firefox users, but for the whole Web. If you’ve ever used the OWASP Zed Attack Proxy, read our security guidelines on SSH and TLS or evaluated your website & Continue reading

https://blog.mozilla.org/security/2016/08/01/announcing-mwos-2016/

Protection against malicious downloads was added in Firefox 31 on Windows and in Firefox 39 on Mac and Linux. Thanks to Googles expansion of their Safe Browsing service, Firefox 48 now extends our existing protection to include two additional kinds & Continue reading

https://blog.mozilla.org/security/2016/08/01/enhancing-download-protection-in-firefox/

Mozilla has sent a Communication to the Certification Authorities (CAs) who have root certificates included in Mozilla’s program. Mozilla’s CA Certificate Program governs inclusion of root certificates in Network Security Services (NSS), a set of open source libraries designed to & Continue reading

https://blog.mozilla.org/security/2016/03/29/march-2016-ca-communication/

Part of how Mozilla protects the Web is by participating in the governance of the Web PKI, the system of security certificates that allows websites to authenticate themselves to browsers. Together with the other browsers and stakeholders in the Web, & Continue reading

https://blog.mozilla.org/security/2016/02/24/payment-processors-still-using-weak-crypto/

Mozilla runs Winter of Security (MWoS) every year to give folks an opportunity to contribute to ongoing security projects in flight. This year an ambitious group took on the task of creating a new visual interface in our SIEM overlay & Continue reading

https://blog.mozilla.org/security/2016/02/05/mozilla-winter-of-security-2015-mozdef-virtual-reality-interface/

According to the plan we published earlier for deprecating SHA-1, on January 1, 2016, Firefox 43 began rejecting new certificates signed with the SHA-1 digest algorithm.  For Firefox users with unfiltered access to the Internet, this change probably went unnoticed, & Continue reading

https://blog.mozilla.org/security/2016/01/06/man-in-the-middle-interfering-with-increased-security/