Security Articles
-
Fuzzing Firefox with WebIDL
Fuzzing, or fuzz testing, is an automated approach for testing the safety and stability of software. For the past 3 years, the Firefox fuzzing team has been developing a new fuzzer to identify security vulnerabilities in the implementation of WebAPIs in Firefox. This fuzzer leverages the WebAPIs’ own WebIDL definitions as a fuzzing grammar.
-
Twitter Direct Message Caching and Firefox
Distinguished engineer Martin Thomson explains how this problem occurred, the implications for people who might be affected, and how problems of this nature might be avoided in the future. To get there, we need to dig a little into how web caching works.
-
Security means more with Firefox 74
The release of Firefox 74 is focused on security enhancements: Feature Policy, the Cross-Origin-Resource-Policy header, and removal of TLS 1.0/1.1 support. We’ve also got some new CSS text property features, the JS optional chaining operator, and additional 2D canvas text metric features, along with the usual wealth of DevTools enhancements and bug fixes.
-
Securing Firefox with WebAssembly
Protecting the security and privacy of individuals is a central tenet of Mozilla’s mission. While we continue to make extensive use of both sandboxing and Rust in Firefox to address security challenges in the browser, each has its limitations. Today we’re adding a third approach to our arsenal. RLBox, a new sandboxing technology developed by researchers at the University of California, San Diego, and the University of Texas, Austin, allows us to quickly and efficiently convert existing Firefox components to run inside a WebAssembly sandbox.
-
It’s the Boot for TLS 1.0 and TLS 1.1
The Transport Layer Security (TLS) protocol is the de facto means for establishing security on the Web. The newest version, TLS 1.3, improves efficiency and remedies the flaws and weaknesses present in earlier versions. In October 2018, we announced our plans regarding TLS 1.0 and TLS 1.1 deprecation. Now's the time for us to make this change together and move the TLS ecosystem forward.
-
TLS 1.0 and 1.1 Removal Update
As you may have read last year, Safari, Firefox, Edge and Chrome browsers are removing support for TLS 1.0 and 1.1 in March of 2020. That means there’s less than a year to enable TLS 1.2 (and, ideally, 1.3) on your servers, otherwise all major browsers will display error pages, rather than the content your users came to see.
-
Implications of Rewriting a Browser Component in Rust
There have been 69 security bugs in Firefox’s style component since the browser was first released in 2002. If we'd had a time machine and could have written this component in Rust from the start, 51 (73.9%) of these bugs would not have been possible. Rust isn't foolproof, but by removing the burden of memory safety, Rust lets programmers focus on logical correctness and soundness.
-
Fearless Security: Thread Safety
Multithreading allows programs to do more, faster, but it also introduces synchronization bugs and the attacks that exploit them. Programming languages have evolved different concurrency strategies to help developers manage both the performance and security challenges of multi-threaded applications. Diane Hosfelt explores the challenges of thread safety and the approach that Rust takes.
-
Fearless Security: Memory Safety
Memory safety violations leave programs vulnerable to security threats like unintentional data leakage and remote code execution. There are ways to ensure memory safety, including smart pointers and garbage collection. Research engineer Diane Hosfelt explains how Rust’s ownership system achieves memory safety while minimizing performance costs.
-
Private by Design: How we built Firefox Sync
Firefox Sync lets you share your bookmarks, browsing history, passwords and other browser data between different devices, and send tabs from one device to another. We think it’s important to highlight the privacy aspects of Sync, which protects all your synced data by default so Mozilla can’t read it, ever. In this post, we take a closer look at some of the technical design choices we made in order to put user privacy first.