Frederik Braun

A web/browser security nerd. Working on security for Firefox and the web at Mozilla. Taught web security at Ruhr Uni Bochum.

I often spend my summer on multi-week #bikepacking trips with the family.

The posts here are my own and I do not speak for my employer

Website: https://frederikbraun.de/
Location: Berlin, Germany :club_mate:
Pronouns: he/him
Signal username: freddy.{default HTTPS port}
Sales email started with a poem. I must have put a prompt injection in my profile, but can't remember where. Was a good poem though. Thank you.

RE: https://infosec.exchange/@attackanddefense/116418875523198922

Q1 2026 was a very strong quarter for Firefox Security & Privacy.

some highlights:
- We expanded AI-assisted vulnerability discovery through our collaboration with Anthropic, helping identify and fix a high number of real security issues.
- We shipped the Sanitizer API in Firefox 148, making Firefox the first browser to support this stronger defense against XSS.

More in the newsletter linked below :)

We just published our recent Firefox Security and Privacy highlights in the Q1 newsletter. Take a look —> https://attackanddefense.dev/2026/04/14/Firefox-Security_and_Privacy_Newsletter_2026_Q1.html

This will be like what AddressSanitizer did to fuzzing but bigger...

I reported an insecure DKIM key to Deutsche Telekom / T-Systems. They first asked me to further explain things (not sure why 'Here's your DKIM private key' needs more explanation, but whatever...). Then they told me it's out of scope for their bug bounty.

I guess then there's really no reason not to tell you: They have a 384 bit RSA DKIM key configured at: dkim._domainkey.t-systems.nl

384 bit RSA is... how shall I put it? I think 512 bit is the lowest RSA key size that was ever really used. 384 bit RSA is crackable in a few hours on a modern PC (using cado-nfs). The private key is:
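
A defender-side check for the weakness described in the post above, as an added example that is not part of the original post: it reads the RSA modulus size out of a DKIM TXT record and compares it with the 1024-bit minimum from RFC 8301. All function names are hypothetical, and the sample records are constructed (their moduli are arbitrary odd numbers, not real keys).

```python
import base64

MIN_RSA_BITS = 1024  # RFC 8301: verifiers must not accept RSA keys below 1024 bits

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_bits_from_spki(spki):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the DKIM p= payload)."""
    tag, body, _ = der_read(spki, 0)         # outer SEQUENCE
    _, _, pos = der_read(body, 0)            # skip AlgorithmIdentifier
    bs_tag, bits, _ = der_read(body, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x30 or bs_tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("not a SubjectPublicKeyInfo")
    _, rsa_key, _ = der_read(bits, 1)        # SEQUENCE { modulus, exponent }
    int_tag, modulus, _ = der_read(rsa_key, 0)
    if int_tag != 0x02:
        raise ValueError("modulus INTEGER expected")
    return int.from_bytes(modulus, "big").bit_length()

def audit_dkim_record(txt, minimum=MIN_RSA_BITS):
    """Return (modulus_bits, acceptable) for one DKIM TXT record."""
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if tags.get("k", "rsa").strip() != "rsa" or not tags.get("p", "").strip():
        raise ValueError("no RSA key in record (other key type or revoked)")
    bits = rsa_bits_from_spki(base64.b64decode("".join(tags["p"].split())))
    return bits, bits >= minimum

def _der(tag, body):  # minimal DER encoder, only used to build the samples
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed record: the modulus is an arbitrary odd number, not a real key."""
    ints = b"".join(_der(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))
                    for x in ((1 << (bits - 1)) | 1, 65537))
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption, NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, ints)))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Calling `audit_dkim_record(sample_record(384))` returns `(384, False)`; to audit a real domain, pass in the TXT value your DNS tooling returns for `<selector>._domainkey.<domain>`.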

Since SQLite supports importing CSV, here's a one-liner to convert a CSV file from stdin into a Markdown table:

sqlite3 :memory: -cmd ".mode csv" -cmd ".import /dev/stdin t" -cmd ".mode markdown" "SELECT * FROM t;"

#csv #markdown #sqlite

The peril of laziness lost | The Observation Deck

WebSerial has landed in Firefox Nightly !! 🎉

Enable it in about:config and it all just works as expected. Took a brand new ESP32 and had a new Bluetooth proxy added to Home Assistant within 2 minutes 👌

RE: https://infosec.exchange/@metacurity/116397875382563012

Must read if you work in security.

OK, I just discovered this extremely useful take on Claude Mythos and highly recommend it to all cyber practitioners.
https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/04/mythosready.pdf