Mozilla Security Blog
  • Testing for Heartbleed vulnerability without exploiting the server.
    Heartbleed is a serious vulnerability in OpenSSL that was disclosed on Tuesday, April 8th, and impacted any sites or services using OpenSSL 1.01 – 1.01.f and 1.0.2-beta1. Due to the nature of the bug, the only obvious way to test … Continue reading

  • Heartbleed Security Advisory
    Issue OpenSSL is a widely-used cryptographic library which implements the TLS protocol and protects communications on the Internet. On April 7, 2014, a bug in OpenSSL known as “Heartbleed” was disclosed (CVE-2014-0160). This bug allows attackers to read portions of … Continue reading

  • Using FuzzDB for Testing Website Security
    After posting an introduction to FuzzDB I received the suggestion to write more detailed walkthroughs of the data files and how they could be used during black-box web application penetration testing. This article highlights some of my favorite FuzzDB files … Continue reading

  • Update on Plugin Activation
    To provide a better and safer experience on the Web, we have been working to move Firefox away from plugins. After much testing and iteration, we determined that Firefox would no longer activate most plugins by default and instead opted … Continue reading

  • Mozilla Security @ BSidesVancouver and CanSecWest
    This year Mozilla will be sponsoring BSidesVancouver, a free community oriented event on March 10th & 11th in Vancouver, BC. This event is very much in the spirit of the Mozilla community and mission, and several of our security team … Continue reading

  • Reporting Web Vulnerabilities to Mozilla using Zest
    Overview We always want to hear about potential vulnerabilities in our software, and have a long running Bug Bounty program to reward those who find serious security bugs. However we sometimes receive bug notifications for vulnerabilities in our websites that … Continue reading

  • On the X-Frame-Options Security Header
    A few weeks ago, Mario Heiderich and I published a white paper about the X-Frame-Options security header. In this blog post, I want to summarize the key arguments for setting this security header in your web application. X-Frame-Options is an … Continue reading

  • Revoking Trust in one ANSSI Certificate
    Last week, Mozilla was notified that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a man-in-the-middle (MITM) traffic management device. It was then used, during the process of inspecting traffic, to … Continue reading

  • Navigating the TLS landscape
    A few weeks ago, we enabled Perfect Forward Secrecy on https://www.mozilla.org [1]. Simultaneously, we published our guidelines for configuring TLS on the server side. In this blog post, we want to discuss some of the SSL/TLS work that the Operations … Continue reading

  • Learning From a Recent Security Vulnerability in Persona
    The purpose of our “Bug Bounty Program” is to encourage contributors to test and experiment with our code for the purposes of improving its functionality, security and robustness. Through this program we were recently alerted to a potential security flaw … Continue reading

