Mozilla CTF Competition

This post is cross-posted from the Mozilla Web Application Security blog.

Announcing the Mozilla CTF hacking competition

Per the announcement during Frederik Braun’s presentation today, Mozilla will host a CTF event in January, 2012.

The Mozilla CTF will take place on January 25, 2012 (24 hours, PST). (Yes, this is a business day. Sorry)

The competition will be open for 24 hours to allow people from all over the world to participate.

Registration

This CTF is mainly aimed at the Mozilla Community and is designed to be accessible to people of all skill levels. There will be two registration phases, with the Community registration opening first. If you are a member of our community and are interested in early registration, please reach out to your contacts within Mozilla, or to the CTF organizers (fbraun at mozilla.com, or yboily at mozilla.com).

Other players are still encouraged to join us, but please note that this CTF is mainly aimed at people who are new to Capture The Flag events, and the skill level has been adjusted accordingly.

Detailed information can be found at https://wiki.mozilla.org/Security/Events/CTF, and you can watch this blog and follow @mozwebsec on Twitter for updates.

Securing BrowserID

This post is cross-posted from the Mozilla Web Application Security blog.

One of the important projects that Mozilla has been building in 2011 is BrowserID, a user-centric identity protocol and authentication service. Significant work has gone into building out and testing the infrastructure and protocol to make sure that it is a robust, open, and simple-to-adopt authentication scheme. If you want to learn more about BrowserID, here is a quick 12-minute video that explains what it is and why we are doing this.

BrowserID continues to evolve as we build support for it across Mozilla properties and encourage adoption by third parties. To date there are almost 1000 different websites that rely on BrowserID, but we still have a long way to go to see large-scale adoption!

Much of the effort we have put into reviewing the protocol and implementation of BrowserID is discussed in a recent presentation, a recording of which can be found below:

[Slides: html | html(zip) | pdf] (if the video doesn’t appear, click here!)

In addition to ongoing application and infrastructure security work in the next year, we are aiming for two significant milestones in 2012. First, we will engage two third-party security reviews: one of the BrowserID.org site, and one of the cryptography used in BrowserID (including the protocol, the algorithms used, and the libraries we are relying on). Our objective in doing the third-party review is to remain as transparent as possible in the development and review of the security aspects of BrowserID. This commitment to transparency includes:

  • opening up currently closed security bugs as the issues are resolved
  • publishing the results of the third-party review once high-risk issues are addressed

As we proceed with this effort we will publish additional information on this blog, and we will work to keep the community up to date at each stage of progress.

Second, once we have completed the third-party review, resolved the issues identified, and published the results, BrowserID.org will become one of the properties fully covered by the Bug Bounty program (as always, exceptional bugs reported for non-covered sites will be considered for bounty nomination).