Security Articles
-
mozilla developer preview 4 ready for testing
Note: this is a re-post of the entry in the Mozilla Project Development Weblog. There’s some juicy stuff in here for Web Developers that need testing. In particular, this is the first build with the CSS history changes. As part of our ongoing platform development work, we’re happy to announce the fourth pre-release of the […]
-
Securing Gamepad API
As part of Mozilla’s ongoing commitment to improve the privacy and security of the web platform, over the next few months, we will be making some changes to the Gamepad API. Starting with Firefox 81, the Gamepad API will be restricted to what are known as “secure contexts.”
-
It’s the Boot for TLS 1.0 and TLS 1.1
The Transport Layer Security (TLS) protocol is the de facto means for establishing security on the Web. The newest version, TLS 1.3, improves efficiency and remedies the flaws and weaknesses present in earlier versions. In October 2018, we announced our plans regarding TLS 1.0 and TLS 1.1 deprecation. Now's the time for us to make this change together and move the TLS ecosystem forward.
-
Fearless Security: Memory Safety
Memory safety violations leave programs vulnerable to security threats like unintentional data leakage and remote code execution. There are ways to ensure memory safety, including smart pointers and garbage collection. Research engineer Diane Hosfelt explains how Rust’s ownership system achieves memory safety while minimizing performance costs.
-
Firefox OS Security: Part 2 – User Experience and Security Updates
When presenting Firefox OS to people, security is a big topic. Can an operating system built on web technologies be secure? What has Mozilla built in to avoid drive-by downloads and malware? How can a browser-based app be secure without making the UX suffer by asking the user to react to a lot of “do […]
-
Eliminating Data Races in Firefox – A Technical Report
We successfully deployed ThreadSanitizer in the Firefox project to eliminate data races in our remaining C/C++ components. In the process, we found several impactful bugs and can safely say that data races are often underestimated in terms of their impact on program correctness. We recommend that all multithreaded C/C++ projects adopt the ThreadSanitizer tool to enhance code quality.
-
Safely reviving shared memory
At Mozilla, we want the web to be capable of running high-performance applications so that users and content authors can choose the safety, agency, and openness of the web platform. Shared-memory multi-threading is an essential low-level building block for high-performance applications. However, keeping users safe is paramount, which is why shared memory and high-resolution timers were effectively disabled at the start of 2018, in light of Spectre. Until now...
-
Security means more with Firefox 74
The release of Firefox 74 is focused on security enhancements: Feature Policy, the Cross-Origin-Resource-Policy header, and removal of TLS 1.0/1.1 support. We’ve also got some new CSS text property features, the JS optional chaining operator, and additional 2D canvas text metric features, along with the usual wealth of DevTools enhancements and bug fixes.
-
mitigating attacks with content security policy
Firefox support for Content Security Policy (CSP) has been in the news and is now available in test builds for web developers to try. Support for CSP isn’t slated for Firefox 3.6 but is likely to be included in the release after 3.6, mostly likely called 3.7. This post is targeted at web developers and […]
-
Fuzzing Firefox with WebIDL
Fuzzing, or fuzz testing, is an automated approach for testing the safety and stability of software. For the past 3 years, the Firefox fuzzing team has been developing a new fuzzer to identify security vulnerabilities in the implementation of WebAPIs in Firefox. This fuzzer leverages the WebAPIs’ own WebIDL definitions as a fuzzing grammar.