Home of the Mozilla Identity team
Last Monday, we identified a security hole in the implementation of our Verifier. We deployed a fix in 6 hours. The full details of the issue are available on the wiki. If you’re running a site against our Verifier, you are safe.
We did our best to identify whether this issue affects other verifiers. To the best of our knowledge, there are no other implementations affected. If you happen to be running a custom verifier, please contact us so we can help you check.
We would also like to take this opportunity to introduce a new communications channel, persona-notices, for those who use Persona in production but don’t have time to read our developers list or this blog.
We will only post to the new list regarding topics that may require action by those who rely on Persona, such as:
In an effort to keep traffic to a minimum, fully backwards-compatible changes, like the introduction of new features, will not be covered on persona-notices.
We encourage all relying parties (RPs), identity providers (IDPs) and developers to join this list now.
If you have any other suggestions on how to improve our communication with those who rely on Persona, please let us know.