It’s the Boot for TLS 1.0 and TLS 1.1
The Transport Layer Security (TLS) protocol is the de facto means for establishing security on the Web. The newest version, TLS 1.3, improves efficiency and remedies the flaws and weaknesses present in earlier versions. In October 2018, we announced our plans regarding TLS 1.0 and TLS 1.1 deprecation. Now's the time for us to make this change together and move the TLS ecosystem forward.
TLS 1.0 and 1.1 Removal Update
As you may have read last year, Safari, Firefox, Edge and Chrome are removing support for TLS 1.0 and 1.1 in March 2020. That means there is less than a year to enable TLS 1.2 (and, ideally, 1.3) on your servers; otherwise, all major browsers will display error pages rather than the content your users came to see.
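As an added example that is not part of the original post, here is an nginx TLS configuration with the deprecated protocol versions still enabled, beside the corrected form. It assumes nginx built against OpenSSL 1.1.1 or later (needed for TLSv1.3); the server name and certificate paths are placeholders.

```nginx
# Weak: still negotiates TLS 1.0 and 1.1, which browsers reject from March 2020.
server {
    listen 443 ssl;
    server_name example.com;                       # placeholder
    ssl_certificate     /etc/ssl/example.com.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;  # placeholder path
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

# Corrected: only TLS 1.2 and 1.3 are offered.
# TLSv1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1+; on older builds
# nginx rejects the token, so run `nginx -t` before reloading.
server {
    listen 443 ssl;
    server_name example.com;                       # placeholder
    ssl_certificate     /etc/ssl/example.com.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

After reloading, confirm the change from a client: `openssl s_client -connect example.com:443 -tls1_1` should fail the handshake, while `openssl s_client -connect example.com:443 -tls1_2` should complete it. Checking both directions catches a configuration that silently fell back to a default protocol list.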
Implications of Rewriting a Browser Component in Rust
There have been 69 security bugs in Firefox's style component since the browser was first released in 2002. If we'd had a time machine and could have written this component in Rust from the start, 51 (73.9%) of these bugs would not have been possible. Rust isn't foolproof, but by taking on the burden of memory safety itself, Rust lets programmers focus on logical correctness and soundness.
Fearless Security: Thread Safety
Multithreading allows programs to do more, faster, but introduces synchronization bugs and the attacks that exploit them. Programming languages have evolved different concurrency strategies to help developers manage both the performance and security challenges of multi-threaded applications. Diane Hosfelt explores the challenges of thread safety and the approach that Rust takes.
Fearless Security: Memory Safety
Memory safety violations leave programs vulnerable to security threats like unintentional data leakage and remote code execution. There are ways to ensure memory safety, including smart pointers and garbage collection. Research engineer Diane Hosfelt explains how Rust’s ownership system achieves memory safety while minimizing performance costs.
Private by Design: How we built Firefox Sync
Firefox Sync lets you share your bookmarks, browsing history, passwords and other browser data between different devices, and send tabs from one device to another. We think it’s important to highlight the privacy aspects of Sync, which protects all your synced data by default so Mozilla can’t read it, ever. In this post, we take a closer look at some of the technical design choices we made in order to put user privacy first.
A cartoon intro to DNS over HTTPS
At Mozilla, we closely track threats to users' privacy and security. This is why we've added tracking protection to Firefox and created the Facebook container extension. In today's cartoon intro, Lin Clark describes two new initiatives we're championing to close data leaks that have been part of the domain name system since it was created 35 years ago: DNS over HTTPS, a new IETF standard, and Trusted Recursive Resolver, a new secure way to resolve DNS that we’ve partnered with Cloudflare to provide.
Firefox 60 – Modules and More
Firefox 60 continues the evolution of Quantum. The parallel processing of Quantum CSS comes to Firefox for Android, while WebRender work is ongoing. Potch reports on two security upgrades, support for the Web Authentication API and for the SameSite attribute for cookies, as well as the arrival of ES modules. Firefox Quantum for Enterprise, our Extended Support Release, is now available for large installations. Read all about it!
Shipping a security update of Firefox in less than a day
One of Mozilla's top priorities is to keep our users safe; this commitment is written into our mission. As soon as we discover a critical issue in Firefox, we plan a rapid mitigation. This post describes how we fixed an exploit discovered at Pwn2Own and released new builds of the browser in less than 22 hours, through the collaborative and well-coordinated efforts of a global cross-functional team.
Hands-On Web Security: Capture the Flag with OWASP Juice Shop
A CTF (Capture the Flag) event is a type of security challenge or competition that can be used to teach or test security skills. In this post, Mozilla security engineer and OWASP developer Simon Bennetts describes a recent CTF he hosted at a Mozilla event, and how to set up your own web security CTF with OWASP Juice Shop.