Tom Ritter

@[email protected]
258 Followers
142 Following
131 Posts
Firefox Security, Tor Browser Dev. Also: exploits, mitigations, crypto, privacy, pseudonymity & anonymity, tor
Tom Ritter14h ago
Filippo Valsorda1d ago

In 2020, OpenSSL had a vulnerability in handling the signature_algorithms_cert extension. https://openssl-library.org/news/secadv/20200421.txt

Palo Alto apparently "solved" this in their IPS by blocking connections with "unknown" algs in signature_algorithms_cert.

Six years later, we can't add ML-DSA to signature_algorithms_cert in Go. signature_algorithms_cert is dead.

Sigh.

Thanks to @cks for diagnosing this. Sometimes it takes us months to figure out things like this.

https://github.com/golang/go/issues/79626#issuecomment-4754225610

Tom RitterJun 1

There was a blogpost that made the rounds with the comment "As an aside, if you're wondering, Mozilla Firefox screwed up their WebGL fingerprinting protection" and implying the Blink has more protections - that is decidedly not the case, and I have graphs.

https://ritter.vg/blog-webgl_renderer.html

webgl renderer privacy - ritter.vg

Tom Ritter's personal homepage, where he rambles about tech-related topics.

Tom RitterMay 18
Tor Project is hiring an Android Engineer: https://www.torproject.org/about/jobs/
The Tor Project | Privacy & Freedom Online

Defend yourself against tracking and surveillance. Circumvent censorship.

Tom RitterMay 14

When I was a younger man, I had my presentations done at least a week in advance, rehearsed. I looked upon those doing them last minute with scorn. (Doubly so for those proud of themselves.) Well here I sit, wearing my shame, completed far too late, practiced by the thinnest of margins. Perhaps they deserved my sympathy back then, for this was certainly not my intention, yet it is how I find myself.

ANYWAY if you're in NYC for the Reddit thing tonight, see you there. I brought stickers.

Tom RitterMay 14

Firefox started the week with SIX entries at pwn2own!! We shipped a dot release this week that made half of them withdraw. I got asked "Isn't that kind of cheating?" The answer is no - it is strictly better for contestants. Here's why.

If a contestant goes on stage and demos an exploit that we could have killed but didn't, then they go to the disclosure room. ZDI asks us if we know about the vulnerability. Duplicates don't count. So now the contestant walks away with nothing AND loses their chance.

If we kill the bug ahead of time, sometimes contestants have a backup bug. Sometimes they're just really extra and decide to find a bug and write an exploit the night before. (I forget if it was Dino or Charlie that did this...) Either way they have a shot at something. It would be underhanded to hold things back that we could have patched.

(By the way, of the three remaining entries, two withdrew today...)

Tom RitterMay 14
ben dafydd gillardMay 14

Dr Siouxie Wiles (who you may remember from such pandemics as SARS-CoV2 and misogyny) is crowdfunding for a research project on reusable menstrual cups. There's a long way to go and only a fortnight to get there.

https://www.rnz.co.nz/life/wellbeing/fairy-godmothers-wanted-to-help-fund-research-on-menstrual-cups

'Fairy godmothers' wanted to help fund research on menstrual cups

Reusable period products are under the microscope, or they would be if researchers could get funding to investigate them.

RNZ
Tom RitterMay 5

OpenSSL's "0 means fail and 1 means success and oh yeah -1 also means fail" APIs have been causing bugs for decades.

https://barghest.asia/blog/cve-2026-0073-adb-tls-auth-bypass/

CVE-2026-0073 Android adbd TLS client-authentication bypass

BARGHEST analysis of CVE-2026-0073, an Android adbd ADB-over-TCP authentication bypass enabling no-interaction RCE through cross-algorithm TLS certificate comparison.

Barghest
Tom RitterApr 30
Tom SchusterApr 29

In case you're curious, here's what AI-generated bug reports look like. These are 4 non-security bugs, but still bugs in the Temporal specification.

https://bugzilla.mozilla.org/show_bug.cgi?id=2028880
https://bugzilla.mozilla.org/show_bug.cgi?id=2029756
https://bugzilla.mozilla.org/show_bug.cgi?id=2028872
https://bugzilla.mozilla.org/show_bug.cgi?id=2029455

2028880 - Assertion failure: IsValidDuration(dateDuration) in Duration_round with seconds: -(2^53-1)

NEW (nobody) in Core - JavaScript Engine. Last updated 2026-04-29.

Tom RitterApr 23
Trail of BitsApr 22

If you market a machine that “cooks for you,” a chef will never buy it.

This is called identity threat, one of the four reasons why people resist adopting AI.

Reframed: The machine doesn't cook for you. It makes you a faster, more efficient chef.

Our CEO Dan Guido's full playbook on how we went from 95% resistance to 80-95% weekly Claude usage within a year: https://blog.trailofbits.com/2026/03/31/how-we-made-trail-of-bits-ai-native-so-far/

Tom RitterApr 21

New version of Firefox released.

It's got uh... (checks notes) 354 vuln fixes. So pretty impressed by the platform team for pulling that off in a 4-week cycle.

Actually, a 4 week cycle would include the 41 vulns we fixed in the dot release, so that would be 395 vulns.... Exciting times.

https://www.mozilla.org/en-US/security/advisories/mfsa2026-30/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-25/

Security Vulnerabilities fixed in Firefox 150

Mozilla