Security Articles
-
privacy-related changes coming to CSS :visited
For more information about this, have a look at David Baron’s post, the bug and the post on the security blog. For many years the CSS :visited selector has been a vector for querying a user’s history. It’s not particularly dangerous by itself, but when it’s combined with getComputedStyle() (https://developer.mozilla.org/en/DOM/window.getComputedStyle) in JavaScript it means that […]
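As an added illustration (this is not code from David Baron's post or the security blog), here is the history probe the excerpt refers to: a stylesheet paints visited links with a sentinel colour, and getComputedStyle() is asked which colour the browser actually applied. The `win` parameter is an assumption of this example, standing in for the page's `window` so the probe can be exercised outside a browser; in a page you would call `sniffHistory(window, urls)`. In browsers that ship the fix, getComputedStyle() reports the unvisited style regardless of history, so the same probe learns nothing.

```javascript
// Added example (not from the original post): the classic CSS :visited
// history probe. `win` is assumed to be a window-like object that exposes
// `document` and `getComputedStyle`; in a browser pass `window`.

const PROBE_COLOR = "rgb(1, 2, 3)"; // an unusual colour we can recognise later

// Install a stylesheet that paints visited probe links with PROBE_COLOR and
// unvisited ones black.
function installProbeStyle(win) {
  const style = win.document.createElement("style");
  style.textContent =
    "a.hist-probe { color: rgb(0, 0, 0); } " +
    "a.hist-probe:visited { color: " + PROBE_COLOR + "; }";
  win.document.head.appendChild(style);
}

// For each URL, create a link to it and ask the browser which colour it
// applied. Returns a Map of url -> "visited" | "unvisited" as reported by
// getComputedStyle(); a browser with the fix reports "unvisited" for all.
function sniffHistory(win, urls) {
  installProbeStyle(win);
  const results = new Map();
  for (const url of urls) {
    const a = win.document.createElement("a");
    a.className = "hist-probe";
    a.href = url;
    a.textContent = url;
    win.document.body.appendChild(a);
    const color = win.getComputedStyle(a).color;
    results.set(url, color === PROBE_COLOR ? "visited" : "unvisited");
    win.document.body.removeChild(a);
  }
  return results;
}

// Browser usage (constructed URLs):
//   sniffHistory(window, ["https://example.com/", "https://example.org/"]);
```

The probe needs no user interaction and no network access, which is why the combination with getComputedStyle() was the real problem: a page could test thousands of candidate URLs against the user's history in a fraction of a second.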
-
Account Manager coming to Firefox
Update: The Account Manager is no longer maintained. Building on this experiment, we have conceived BrowserID. Please consider using it instead. Last month Mozilla Labs announced a new concept series on online identity. As part of this exploration, we developed the Account Manager. The Account Manager makes it incredibly easy for users to create new […]
-
A cartoon intro to DNS over HTTPS
At Mozilla, we closely track threats to users' privacy and security. This is why we've added tracking protection to Firefox and created the Facebook container extension. In today's cartoon intro, Lin Clark describes two new initiatives we're championing to close data leaks that have been part of the domain name system since it was created 35 years ago: DNS over HTTPS, a new IETF standard, and Trusted Recursive Resolver, a new secure way to resolve DNS that we’ve partnered with Cloudflare to provide.
-
WebSocket disabled in Firefox 4
Recent research has shown that the protocol WebSocket runs on is vulnerable to attack. Adam Barth demonstrated serious attacks against the protocol that an attacker could use to poison caches that sit between the browser and the Internet. This is a serious threat to the Internet and to WebSocket, and not a […]
-
Firefox 4: HTTP Strict Transport Security (force HTTPS)
This article is about a new HTTP response header, Strict-Transport-Security, which forces a website to be fetched over HTTPS. This feature will be part of Firefox 4. How do you type URLs? Do you prefix them with http:// or https:// systematically? Or do you just type example.com and let your browser add http://, like most of […]
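As an added example (not code from the original article or from Firefox), here is a minimal HSTS store in JavaScript, runnable under Node.js, showing what a browser does with the header: parse it (max-age is required, includeSubDomains is optional, unknown directives are ignored, a malformed header is ignored), honour it only when it arrived over TLS, treat max-age=0 as a removal, and rewrite http:// URLs to https:// for hosts with an unexpired entry. The function names, the `Map`-backed store and the millisecond `now` parameter are this example's own choices.

```javascript
// Added example (not from the original article): a small HSTS policy store.
// Store shape (assumed): Map<host, { expires: ms timestamp, includeSubDomains }>.

// Parse a Strict-Transport-Security header value. Returns null when the
// header is invalid (no max-age, non-numeric max-age, or max-age repeated),
// in which case a client ignores it.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const part of value.split(";")) {
    const [name, raw] = part.trim().split("=").map((s) => s.trim());
    const key = name.toLowerCase(); // directive names are case-insensitive
    if (key === "max-age") {
      const v = raw && raw.replace(/^"|"$/g, "");
      if (!/^\d+$/.test(v) || policy.maxAge !== null) return null;
      policy.maxAge = Number(v);
    } else if (key === "includesubdomains") {
      policy.includeSubDomains = true;
    }
    // any other directive is ignored
  }
  return policy.maxAge === null ? null : policy;
}

// Record a header received from `host`. Returns true if the store changed.
function recordHsts(store, host, headerValue, receivedOverTls, now) {
  if (!receivedOverTls) return false; // never trust the header over plain HTTP
  const p = parseHsts(headerValue);
  if (!p) return false;
  host = host.toLowerCase();
  if (p.maxAge === 0) return store.delete(host); // max-age=0 clears the policy
  store.set(host, {
    expires: now + p.maxAge * 1000,
    includeSubDomains: p.includeSubDomains,
  });
  return true;
}

// Rewrite an http:// URL to https:// if the host, or a parent domain whose
// policy has includeSubDomains, has an unexpired entry. Expired entries are
// dropped on the way. Other URLs are returned unchanged.
function rewriteForHsts(store, urlString, now) {
  const url = new URL(urlString);
  if (url.protocol !== "http:") return urlString;
  const labels = url.hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const entry = store.get(candidate);
    if (!entry) continue;
    if (entry.expires <= now) {
      store.delete(candidate);
      continue;
    }
    if (i === 0 || entry.includeSubDomains) {
      url.protocol = "https:"; // default port 80 becomes default port 443
      return url.toString();
    }
  }
  return urlString;
}
```

The important operational consequence is the one the store makes visible: the first plain-HTTP request to a host is unprotected until a policy has been learned over HTTPS, which is the gap the later preload list closes, and a long max-age on a host that later loses its certificate locks users out until it expires, so max-age=0 exists as the deliberate way to back out.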
-
Do not let your CDN betray you: Use Subresource Integrity
Mozilla Firefox Developer Edition 43 and other modern browsers help websites control third-party JavaScript loads and prevent unexpected or malicious modifications. Using a new specification called Subresource Integrity, a website can declare the expected hash of a script it includes, and the browser will refuse to run that script if the fetched content has been modified. With this technology, developers can benefit from the performance gains of using […]
-
Passwordless authentication: Secure, simple, and fast to deploy
Passwordless is an authentication middleware for Node.js that improves security for your users while being fast and easy to deploy. The last few months were very exciting for everyone interested in web security and privacy: fantastic articles, discussions and talks, but also plenty of incidents that raised awareness. Most websites are, however, still stuck with the […]
-
Private by Design: How we built Firefox Sync
Firefox Sync lets you share your bookmarks, browsing history, passwords and other browser data between different devices, and send tabs from one device to another. We think it’s important to highlight the privacy aspects of Sync, which protects all your synced data by default so Mozilla can’t read it, ever. In this post, we take a closer look at some of the technical design choices we made in order to put user privacy first.
-
ECMAScript 5 strict mode in Firefox 4
Editor’s note: This article is posted by Chris Heilmann but authored by Jeff Walden – credit where credit is due. Developers in the Mozilla community have made major improvements to the JavaScript engine in Firefox 4. We have devoted much effort to improving performance, but we’ve also worked on new features. We have particularly focused […]
-
Implications of Rewriting a Browser Component in Rust
There have been 69 security bugs in Firefox’s style component since the browser was first released in 2002. If we'd had a time machine and could have written this component in Rust from the start, 51 (73.9%) of these bugs would not have been possible. Rust isn't foolproof, but by removing the burden of memory safety, Rust lets programmers focus on logical correctness and soundness.