Johnathan Nightingale
Earlier today we sent an email to all certificate authorities in the Mozilla root program to clarify our expectations around certificate issuance. In particular, we made it clear that the issuance of subordinate CA certificates for the purposes of SSL … Continue reading
Johnathan Nightingale
Earlier this week we revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we … Continue reading
Johnathan Nightingale
This is a follow-up to the previous Mozilla report about the fraudulent certificates issued by Comodo last week. On 15th March 2011, a RA partner of the Comodo CA suffered an internal security breach (Comodo incident report). The attacker used … Continue reading
Johnathan Nightingale
Issue Mozilla has been informed about the issuance of several fraudulent SSL certificates for public websites. The certificates have been revoked by their issuer which should protect most users. This is not a Firefox-specific issue. As part of our ongoing … Continue reading
Brandon Sterne
One of the new features in Firefox 4 that we are very excited about is Content Security Policy, which is a mechanism that works behind the scenes to prevent some of the more severe web-based attacks against users and websites. … Continue reading
Sid Stamm
There have been a number of reports about a new Firesheep tool that exposes a weakness in website security, letting attackers snoop on people using public networks, steal their cookies, access their accounts and pose as them on sites such … Continue reading
Sid Stamm
One of the security enhancements included with Firefox 3.6.9 is support for the x-frame-options header. This optional header can be included within the HTTP response to instruct the client’s browser on whether the returned content is allowed to be framed by other pages. Continue reading
Sid Stamm
A while ago, we talked about Force-TLS that lets sites say “hey, only access me over HTTPS in the future” and the browser listens. Well, this idea has been solidifed into a draft spec for HTTP Strict Transport Security (HSTS) … Continue reading
Lucas Adamski
Mozilla has accelerated its timetable and released Firefox 3.6.2 ahead of schedule. This release contains a number of security fixes, including a fix to Secunia Advisory SA38608 which was previously discussed on this blog when we were first made aware … Continue reading
Lucas Adamski
Mozilla is aware of the claim of a zero-day in Firefox as posted here: http://secunia.com/advisories/38608/. We cannot confirm the report as we have received no details regarding the reported vulnerability, such as a proof-of-concept or steps to reproduce. We’ve attempted … Continue reading