Archive for the 'Security' Category

Mozilla and certification authorities

Frank Hecker writes, “Johnathan Nightingale recently addressed a very common question, namely why Firefox doesn’t automatically accept self-signed SSL certificates as being valid. I don’t have much to add to Johnathan’s discussion of the issues with self-signed certificates, but speaking on behalf of the Mozilla Foundation I do want to address some of the comments that I’ve seen people make with regard to SSL certificates, certification authorities (CAs), and Mozilla.” Frank’s blog post addresses some of the most common misconceptions about Mozilla and CAs and debunks some of the myths most often repeated in discussions on the topic.


TippingPoint vulnerability patched in Firefox 3.0.1 and 2.0.0.16

A vulnerability in the way Firefox handles CSS allows an attacker to exploit an integer overflow and execute arbitrary code. For the attack to succeed, a user must browse to a malicious site. The security advisory is available here. This critical vulnerability was reported to Mozilla before details were publicly available. By keeping the details of the issue private until a fix was available, TippingPoint and Mozilla were able to minimize the risk to users. For more information, please see the Mozilla Security Blog.
