Mozilla Security Blog
  • Phase 2: Phasing out Certificates with 1024-bit RSA Keys
    In the previous post about certificates with 1024-bit RSA keys we said that the changes for the second phase of migrating off of 1024-bit root certificates were planned to be released in Firefox in early 2015. These changes have been …

  • Tighter Control Over Your Referrers
    The purpose of the HTTP Referer (sic) header is to help sites figure out where their traffic comes from. However, as the Web got more complex, the amount of information in the Referer header ballooned, leading to bigger privacy problems. …

  • Mozilla at HITB Malaysia
    The Mozilla security team was proud to be part of Hack In The Box (HITB) 2014, held from 15-16 October 2014 in Kuala Lumpur (KL), Malaysia. Mozilla has been involved in HITB for several years now, and this year’s HackWEEKDAY …

  • The POODLE Attack and the End of SSL 3.0
    Summary: SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information. We have a plan to turn …

  • CSP for the web we have
    Introduction: Content Security Policy (CSP) is a good safety net against Cross Site Scripting (XSS). In fact, it’s the best one and I would recommend it to anyone building new sites. For existing sites, implementing CSP can be a challenge …

  • RSA Signature Forgery in NSS
    Issue: A flaw in the Network Security Services (NSS) library used by Firefox and other products allows attackers to create forged RSA certificates. Mozilla has released updates to fix this vulnerability and you should apply these updates to ensure your …

  • Phasing Out Certificates with SHA-1 based Signature Algorithms
    Many of the certificates used by secure websites today are signed using algorithms based on a hash algorithm called SHA-1. The integrity of the hash algorithm used in signing a certificate is a critical element in the security of the …

  • A Faster Content Security Policy (CSP)
    With the establishment of CSP Level 2, Mozilla shifted gears and reimplemented CSP in C++. This security feature first shipped in Firefox 4 (2011), and until now was implemented in a combination of JavaScript and C++. The new implementation is …

  • Phasing out Certificates with 1024-bit RSA Keys
    For many years, Mozilla, NIST, the CA/Browser Forum, and others have been encouraging Certification Authorities (CAs) to upgrade their 1024-bit RSA keys to a stronger cryptographic algorithm (either longer RSA keys or ECDSA). We are actively working with CAs to …

  • Public key pinning released in Firefox
    Firefox now supports built-in public key pins, which means that a shortened list of acceptable certificate authorities (CAs) for participating sites is built into Firefox. In this first stage of pinning roll-out, protected domains include addons.mozilla.org and Twitter, to be …
