Security Articles
-
Using Hardware Token-based 2FA with the WebAuthn API
To provide higher security for logins, websites are deploying two-factor authentication (2FA), often using a smartphone application or text messages. Those mechanisms make phishing harder but fail to prevent it entirely. Firefox 60 will ship with the WebAuthn API enabled by default, providing two-factor authentication built on public-key cryptography immune to phishing as we know it today. The API is available today in Firefox Nightly, and it's not too soon to start learning how to secure millions of users already in possession of FIDO U2F USB tokens.
-
An overview of Containers for add-on developers
Containers work by giving users the ability to place barriers on the flow of data across sites by isolating cookies, indexedDB, localStorage, and caches within discrete browsing contexts. This in-depth introduction to Containers and Container extensions explores the capabilities of Containers and contextual identity for developers.
-
Containers Come to Test Pilot
The Containers feature in Firefox Nightly gives users the ability to place barriers on the flow of data across sites by isolating cookies, indexedDB, localStorage, and caches within discrete browsing contexts. After running the Containers UI through successive rounds of user research and UX iteration, we’ve launched a Containers experiment in Firefox Test Pilot in order to widen the audience for Containers, iterate on the UI, and reason about the future of the feature.
-
How to implement SRI in your build process
Imagine getting a call from a customer who says your website is serving malware. Your heart drops, you start sweating, and then the tweets start pouring in. Something is up. You find out your systems have not been tampered with. In fact, it was your CDN provider that got hacked, and the scripts you included […]
-
Implementing Content Security Policy
The add-ons team recently completed work to enable Content Security Policy (CSP) on addons.mozilla.org (AMO). This article is intended to cover the basics of implementing CSP, as well as highlighting some of the issues that we ran into implementing CSP on AMO. What is Content Security Policy? Content Security Policy (CSP) is a security standard […]
-
Login Forms over HTTPS, Please
Update: This feature is now also enabled in Firefox Beta, starting with Firefox Beta 50. Pretty much everyone who uses the web has used a password to log into something. And pretty much everyone who has used a password has put that password at risk by entering it into an insecure form. In Firefox 46 […]
-
Inspecting Security and Privacy Settings of a Website
Inspecting the Content Security Policy of a Website: Starting in Firefox 41, Mozilla provides a developer tool that allows users to inspect the security settings of a website. Using GCLI (Graphical Command Line Interface), a user can inspect the Content Security Policy (CSP) of a website. CSP is a security concept that allows websites to […]
-
Do not let your CDN betray you: Use Subresource Integrity
Mozilla Firefox Developer Edition 43 and other modern browsers help websites to control third-party JavaScript loads and prevent unexpected or malicious modifications. Using a new specification called Subresource Integrity, a website can include JavaScript that will stop working if it has been modified. With this technology, developers can benefit from the performance gains of using […]
-
Passwordless authentication: Secure, simple, and fast to deploy
Passwordless is an authentication middleware for Node.js that improves security for your users while being fast and easy to deploy. The last few months were very exciting for everyone interested in web security and privacy: fantastic articles, discussions, and talks, but also plenty of incidents that raised awareness. Most websites are, however, still stuck with the […]
-
Firefox and FireCAT as a Platform for Ethical Hacking
Some years ago – in early 2007, while working as freelancers – we were challenged to do a penetration test on a web application. It was really simple but had a condition-based methodology, and therefore it was impossible to use any automated tool; we could only use a web browser. Our solution was to convert Firefox […]