Protecting the security of the Internet requires everyone. We talked about this theme in a recent post, and in this post we’ll expand on the role Mozilla plays, and how our work supports and relies on the work of the other participants in the Web.
Building a secure browser
Firefox is a critical part of the Internet, and it’s Mozilla’s job to protect it. Hundreds of millions of people use Firefox to connect to the web. That’s a huge audience for the user-facing security features and protections we build into Firefox, but at the same time, a single security vulnerability can put all of our users at risk of having their computers or phones taken over by bad actors. So we put a lot of effort into finding and fixing vulnerabilities in Firefox as quickly as possible. In addition to our own team of expert bug-hunters, Mozilla runs one of the longest-standing bug bounty programs on the web in order to encourage security researchers to report security vulnerabilities. So far this year, independent researchers reported more than 130 serious vulnerabilities that we hadn’t found yet. Without our community of security researchers, every Firefox user would be more at risk.
Mozilla is also investing in fundamental technologies to prevent these security vulnerabilities from arising in the first place. The Rust programming language is specially designed to ensure that several major types of security vulnerability simply can’t happen, including the one that led to the famous Heartbleed vulnerability. It is literally impossible to write a program in Rust that has one of these security vulnerabilities. Even though Rust started out at Mozilla, however, it wouldn’t have been possible for it to mature so quickly into a production-ready language without more than 1,500 contributors helping get it there. We’ve started using Rust in Firefox for a few things, but other members of the community have already used Rust to create a Doom renderer, a replacement for core Unix utilities, and even a whole operating system — all inherently safe from large classes of security vulnerabilities.
Another way we’re pushing the envelope on browser security is through our close collaboration with the Tor Project. The Tor Browser is a variant of Firefox that provides users with enhanced privacy features and the ability to browse the web anonymously. For example, the SecureDrop system uses Tor to let anonymous sources deliver documents to reporters without fear of being identified. We’re tremendously grateful for all the new ideas and good code that the Tor community is contributing to the web, and we’re working closely with the Tor Browser team to integrate their innovations into Firefox to give all users more privacy options.
Building a secure web
The web is not just Firefox, though — it’s a whole network of computers, people, and companies working together. Mozilla security engineers are constantly working with other players in the web ecosystem to upgrade the security of the fundamental technologies that make the web work.
Part of the way we do this is through standards organizations, like the Internet Engineering Task Force and the World Wide Web Consortium. Those organizations serve as a meeting point for web browser makers, web server operators, and other people who want to help make the web better. Mozilla staff are leading efforts to do things like upgrading the basic encryption systems for the web and enhancing security for web logins. But these efforts only succeed when we do them in collaboration with lots of other organizations. For example, we recently got together with Google, Facebook, Cloudflare, INRIA, and others to test out the latest encryption protocols, and demonstrated several different systems from different vendors all working together.
Another role we play is as the maintainer of the Mozilla Root Certificate Program, which is used by Firefox and many other open-source projects to determine what digital certificates they should accept to identify websites. Maintaining trust in the digital certificate system is central to maintaining trust in the web, and Mozilla is the only browser with a fully open, community-based process for making decisions about which certificates are trusted.
Finally, sometimes we have to create a part of the ecosystem when we find one that’s missing. A few years ago, we noticed that the complexity and expense of getting a certificate was holding back security in the web. So we teamed up with EFF, Cisco, Akamai, and others to create Let’s Encrypt, a certificate authority that provides websites with certificates automatically and free of charge. In less than a year, Let’s Encrypt has helped secure more than 14 million websites – most of which had never had security before. It wouldn’t have been possible without the whole team of industry partners and community contributors.
Building a community around security
Of course, securing the Internet is not just a technical challenge. It requires a whole community of informed people to help guide companies and governments to make good decisions that make the Internet more secure. That’s why earlier this year, we started a campaign to educate more people about encryption, and we continue to provide tools to educate people about how to stay safe on the Web.
We’re also helping our peers in the open source community make their security better. The Mozilla Open Source Support program has provided more than $800,000 in funding to open source projects this year, much of it focused on improving security. MOSS grants are supporting Tor, the TAILS privacy-enhanced operating system, the Caddy HTTP server (which provides automatic security), a bunch of security audits, and several other security projects across the open source ecosystem.
It takes a village
As you can see, our security work at Mozilla is deeply tied to the work that the rest of the community is doing — independent researchers, government agencies, industry partners, interested users, and more. Every part of this intricate machine is critical; remove any part, and everyone gets less safe. If you’d like to follow along with what the Mozilla security team is up to, please keep an eye on our Security blog.