Articles tagged “security”
-
Introducing Firefox’s new Site Isolation Security Architecture
Like any web browser, Firefox loads code from untrusted and potentially hostile websites and runs it on your computer. To protect you against new types of attacks from malicious sites and to meet the security principles of Mozilla, we set out to redesign Firefox on desktop.
-
Eliminating Data Races in Firefox – A Technical Report
We successfully deployed ThreadSanitizer in the Firefox project to eliminate data races in our remaining C/C++ components. In the process, we found several impactful bugs and can safely say that data races are often underestimated in terms of their impact on program correctness. We recommend that all multithreaded C/C++ projects adopt the ThreadSanitizer tool to enhance code quality.
-
Browser fuzzing at Mozilla
Mozilla has been fuzzing Firefox and its underlying components for a while. It has proven itself to be one of the most efficient ways to identify quality and security issues. In general, we apply fuzzing on different levels: there is fuzzing the browser as a whole but a significant amount of time is also spent on fuzzing isolated code (e.g. with libFuzzer) or even whole components such as the JS engine using separate shells with various fuzzers. For the purpose of this blog post, we will talk specifically about browser fuzzing only, and go into detail on the pipeline we’ve developed.
-
Changes to SameSite Cookie Behavior – A Call to Action for Web Developers
Browsers are changing the default value of the SameSite attribute for cookies from None to Lax. This will greatly improve security for users. However, some web sites may depend (even unknowingly) on the old default, potentially resulting in site breakage. At Mozilla, we are slowly introducing this change. And we urge web developers to test their sites with the new default.
-
Safely reviving shared memory
At Mozilla, we want the web to be capable of running high-performance applications so that users and content authors can choose the safety, agency, and openness of the web platform. Shared-memory multi-threading is an essential low-level building block for high-performance applications. However, keeping users safe is paramount, which is why shared memory and high-resolution timers were effectively disabled at the start of 2018, in light of Spectre. Until now...
-
Private by Design: How we built Firefox Sync
Firefox Sync lets you share your bookmarks, browsing history, passwords and other browser data between different devices, and send tabs from one device to another. We think it’s important to highlight the privacy aspects of Sync, which protects all your synced data by default so Mozilla can’t read it, ever. In this post, we take a closer look at some of the technical design choices we made in order to put user privacy first.
-
Shipping a security update of Firefox in less than a day
One of Mozilla’s top priorities is to keep our users safe; this commitment is written into our mission. As soon as we discover a critical issue in Firefox, we plan a rapid mitigation. This post describes how we fixed a Pwn2Own exploit discovery and released new builds of the browser in less than 22 hours, through the collaborative and well-coordinated efforts of a global cross-functional team.
-
Implementing Content Security Policy
The add-ons team recently completed work to enable Content Security Policy (CSP) on addons.mozilla.org (AMO). This article is intended to cover the basics of implementing CSP, as well as highlighting some of the issues that we ran into implementing CSP on AMO. What is Content Security Policy? Content Security Policy (CSP) is a security standard […]
-
An interesting way to determine if you are logged into social web sites
Do you remember the trick for finding out whether you had visited certain web sites by analysing link colour (now patched in Firefox)? Your browser reveals a lot about you if you just create a few HTML elements. Mike Cardwell has found an interesting way to detect if you are logged into social […]