Securing modern web applications effectively is a complex process. However there are many straightforward security controls such as HTTP security headers which are very effective at blocking web common attacks. … Read more
HTTPS, the secure variant of the HTTP protocol, has long been a staple of the modern Web. It creates secure connections by providing authentication and encryption between a browser and … Read more
At roughly 1:30pm Pacific time on November 30th, Mozilla released an update to Firefox containing a fix for a vulnerability reported as being actively used to deanonymize Tor Browser users. … Read more
Before loading a URI, Firefox enforces numerous content security checks verifying that web content can not perform malicious actions. As a first line of defense for example, Firefox enforces the … Read more
Mozilla has discovered that a Certificate Authority (CA) called WoSign has had a number of technical and management failures. Most seriously, we discovered they were backdating SSL certificates in order … Read more
An algorithm we’ve depended on for most of the life of the Internet — SHA-1 — is aging, due to both mathematical and technological advances. Digital signatures incorporating the SHA-1 … Read more
Earlier this week, security researchers published reports that Firefox and Tor Browser were vulnerable to “man-in-the-middle” (MITM) attacks under special circumstances. Firefox automatically updates installed add-ons over an HTTPS connection. … Read more
This is a short announcement for all security researchers working on Firefox that use our pre-built AddressSanitzer (ASan) builds. Until recently, you could download these ASan builds from our FTP … Read more
Scanning the content of a file allows web browsers to detect the format of a file regardless of the specified Content-Type by the web server. For example, if Firefox requests … Read more
The Mozilla Winter of Security of 2015 has ended, and the participating teams of students are completing their projects. The Certificate Automation tooling for Let’s Encrypt project wrapped up this … Read more
What security engineers do at Mozilla is critical — not for just Firefox users, but for the whole Web. If you’ve ever used the OWASP Zed Attack Proxy, read our … Read more
Protection against malicious downloads was added in Firefox 31 on Windows and in Firefox 39 on Mac and Linux. Thanks to Google’s expansion of their Safe Browsing service, Firefox 48 … Read more