Mozilla Security Blog
  • CSP for the web we have
    Introduction: Content Security Policy (CSP) is a good way to defeat Cross Site Scripting (XSS) on the web. In fact, it’s the best one and I would recommend it to anyone building new sites. For existing sites, implementing CSP can …

  • RSA Signature Forgery in NSS
    Issue: A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your …

  • Phasing Out Certificates with SHA-1 based Signature Algorithms
    Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the …

  • A Faster Content Security Policy (CSP)
    With the establishment of CSP Level 2, Mozilla shifted gears and reimplemented CSP in C++. This security feature first shipped in Firefox 4 (2011), and until now was implemented in a combination of JavaScript and C++. The new implementation is …

  • Phasing out Certificates with 1024-bit RSA Keys
    For many years, Mozilla, NIST, the CA/Browser Forum, and others have been encouraging Certification Authorities (CAs) to upgrade their 1024-bit RSA keys to a stronger cryptographic algorithm (either longer RSA keys or ECDSA). We are actively working with CAs to …

  • Public key pinning released in Firefox
    Firefox now supports built-in public key pins, which means that a shortened list of acceptable certificate authorities (CAs) for participating sites is built into Firefox. In this first stage of pinning roll-out, protected domains include addons.mozilla.org and Twitter, to be …

  • Update on reviewing our data practices and Bugzilla development database disclosure
    As we indicated in the post titled “MDN Disclosure”, we began several remediation measures, including a review of data practices surrounding user data. We have kicked off a larger project to better our practices around data, including with respect to …

  • mozilla::pkix ships in Firefox!
    In April, we announced an upcoming certificate verification library designed from the ground up to be fast and secure. A few weeks ago, this new library – known as “mozilla::pkix” – shipped with Firefox and is enabled by default. Please …

  • MDN Database Disclosure
    We have just concluded an investigation into a disclosure affecting members of Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our …

  • Improving Malware Detection in Firefox
    We are always looking for ways to help protect people better from the constant threat of malicious software. For years Firefox has utilized Google’s Safe Browsing phishing and malware protection to help keep you from accidentally visiting dangerous sites. This …
