Security Articles
-
A cartoon intro to DNS over HTTPS
At Mozilla, we closely track threats to users' privacy and security. This is why we've added tracking protection to Firefox and created the Facebook container extension. In today's cartoon intro, Lin Clark describes two new initiatives we're championing to close data leaks that have been part of the domain name system since it was created 35 years ago: DNS over HTTPS, a new IETF standard, and Trusted Recursive Resolver, a new secure way to resolve DNS that we’ve partnered with Cloudflare to provide.
-
Firefox 60 – Modules and More
Firefox 60 continues the evolution of Quantum. The parallel processing of Quantum CSS comes to Firefox for Android, while WebRender work is ongoing. Potch reports on two security upgrades - support for the Web Authentication API and for the Same-Site attribute for cookies - as well as the arrival of ES modules. Firefox Quantum for Enterprise, our Extended Support Release, is now available for large installations. Read all about it!
-
Shipping a security update of Firefox in less than a day
One of Mozilla’s top priorities is to keep our users safe; this commitment is written into our mission. As soon as we discover a critical issue in Firefox, we plan a rapid mitigation. This post describes how we fixed a Pwn2Own exploit discovery and released new builds of the browser in less than 22 hours, through the collaborative and well-coordinated efforts of a global cross-functional team.
-
Hands-On Web Security: Capture the Flag with OWASP Juice Shop
A CTF (Capture the Flag) event is a type of security challenge or competition that can be used to teach or test online security. In this post, Mozilla security engineer and OWASP developer Simon Bennetts describes a recent CTF he hosted at a Mozilla event, and how to set up your own web security CTF with OWASP Juice Shop.
-
Using Hardware Token-based 2FA with the WebAuthn API
To provide higher security for logins, websites are deploying two-factor authentication (2FA), often using a smartphone application or text messages. Those mechanisms make phishing harder but fail to prevent it entirely. Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography immune to phishing as we know it today. The API is available today in Firefox Nightly, and it's not too soon to start learning how to secure millions of users already in possession of FIDO U2F USB tokens.
-
An overview of Containers for add-on developers
Containers work by giving users the ability to place barriers on the flow of data across sites by isolating cookies, indexedDB, localStorage, and caches within discrete browsing contexts. This in-depth introduction to Containers and Container extensions explores the capabilities of Containers and contextual identity for developers.
-
Containers Come to Test Pilot
The Containers feature in Firefox Nightly gives users the ability to place barriers on the flow of data across sites by isolating cookies, indexedDB, localStorage, and caches within discrete browsing contexts. After running the Containers UI through successive rounds of user research and UX iteration, we’ve launched a Containers experiment in Firefox Test Pilot in order to widen the audience for Containers, iterate on the UI, and reason about the future of the feature.
-
How to implement SRI in your build process
Imagine getting a call from a customer who says your website is serving malware. Your heart drops, you start sweating, and then the tweets start pouring in. Something is up. You find out your systems have not been tampered with. In fact, it was your CDN provider that got hacked, and the scripts you included […]
-
Implementing Content Security Policy
The add-ons team recently completed work to enable Content Security Policy (CSP) on addons.mozilla.org (AMO). This article is intended to cover the basics of implementing CSP, as well as highlighting some of the issues that we ran into implementing CSP on AMO. What is Content Security Policy? Content Security Policy (CSP) is a security standard […]
-
Login Forms over HTTPS, Please
Update: This feature is now also enabled in Firefox Beta, starting with Firefox Beta 50. Pretty much everyone who uses the web has used a password to log into something. And pretty much everyone who has used a password has put that password at risk by entering it into an insecure form. In Firefox 46 […]