Mozilla Kills Firefox Encryption Feature in Face of Security Flaw

Just as fast as Mozilla rolled out the latest version of its Firefox browser for Windows desktop, Mac, Linux and Android operating systems last week, it rolled it back. Version 37 boasted the largest-ever security feature: Opportunistic Encryption (OE) for servers and Web sites that support HTTP/2 AltSvc.

However, the company disclosed that security researcher Muneaki Nishimura discovered a flaw in its HTTP Alternative Services implementation and swiftly killed the feature.

"If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server," Mozilla said in a security advisory. "As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own."

Defending Against Eavesdropping

We caught up with Tod Beardsley, engineering manager at vulnerability assessment and compliance solution provider Rapid7, to get his take on Firefox's failed OE venture. He offered us a deeper explanation of what OE is and how it really works.

First off, Beardsley told us the OE feature was based on the draft specification for "HTTP Alternative Services," under which a Web server can tell a browser that its resources -- such as Web pages and scripts -- can also be found at other locations. In this case, he said, a Web server is telling a browser that an encrypted version of a Web site is available somewhere else.
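To make the mechanism concrete, here is an added example (not Mozilla's or Firefox's code) that parses an Alt-Svc header and applies the client-side rule the advisory's flaw violated: an alternative may only be used when the certificate presented by that alternative is valid for the origin host name, not merely for the alternative's own name. The header value, the host names and the certificate contents are all constructed for illustration.

```python
"""Alt-Svc parsing and a client-side acceptance check.

Added example (not Mozilla's or Firefox's code). Models the rule that an
HTTP Alternative Service may only be used when the TLS certificate presented
by the alternative authenticates the ORIGIN host; the header value, host
names and certificate contents below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed header: the origin (www.example.com) advertises two alternatives.
SAMPLE_ALT_SVC = 'h2="alt.example.net:443"; ma=3600, h2=":8443"'
ORIGIN_HOST = "www.example.com"


@dataclass
class Alternative:
    protocol: str
    host: Optional[str]   # None: same host as the origin
    port: int
    max_age: int          # seconds the client may cache this alternative


def parse_alt_svc(header: str) -> List[Alternative]:
    """Parse an Alt-Svc field value: protocol-id="[host]:port"[; params], comma separated."""
    alts: List[Alternative] = []
    for entry in header.split(","):
        entry = entry.strip()
        if entry == "clear":          # origin withdraws all alternatives
            return []
        m = re.match(r'^([\w%.-]+)="([^":]*):(\d+)"(.*)$', entry)
        if not m:
            continue                  # skip malformed entries rather than guess
        proto, host, port, params = m.groups()
        max_age = 86400               # default when no ma= parameter is given
        for p in params.split(";"):
            p = p.strip()
            if p.startswith("ma=") and p[3:].isdigit():
                max_age = int(p[3:])
        alts.append(Alternative(proto, host or None, int(port), max_age))
    return alts


@dataclass
class TlsResult:
    """What the client learned from the TLS handshake with the alternative (constructed)."""
    chain_valid: bool        # chain built to a trusted root and is within its validity period
    san_names: List[str]     # dNSName entries in the certificate


def name_matches(host: str, pattern: str) -> bool:
    """Exact match or single-label wildcard (*.example.com covers alt.example.com only)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def accept_alternative(origin_host: str, tls: TlsResult) -> Tuple[bool, str]:
    """The alternative is usable only if its certificate authenticates the ORIGIN.

    Checking the alternative's own host name, or skipping the check, would let any
    server named in an Alt-Svc header answer for an origin it does not control.
    """
    if not tls.chain_valid:
        return False, "certificate chain not trusted"
    if not any(name_matches(origin_host, n) for n in tls.san_names):
        return False, "certificate not valid for origin " + origin_host
    return True, "ok"


def evaluate(origin_host: str, header: str,
             handshakes: Dict[Tuple[str, int], TlsResult]) -> Dict[str, Tuple[bool, str]]:
    """Map each advertised alternative to an accept/reject decision with a reason."""
    decisions: Dict[str, Tuple[bool, str]] = {}
    for alt in parse_alt_svc(header):
        host = alt.host or origin_host
        key = f"{host}:{alt.port}"
        tls = handshakes.get((host, alt.port))
        if tls is None:
            decisions[key] = (False, "no TLS handshake result")
        else:
            decisions[key] = accept_alternative(origin_host, tls)
    return decisions


# Constructed handshake outcomes for the two advertised alternatives.
HANDSHAKES = {
    # The alternate host presents a certificate for itself only: reject for www.example.com.
    ("alt.example.net", 443): TlsResult(True, ["alt.example.net"]),
    # Same host on another port, but the chain does not verify: reject.
    ("www.example.com", 8443): TlsResult(False, ["*.example.com"]),
}

if __name__ == "__main__":
    for target, (ok, why) in evaluate(ORIGIN_HOST, SAMPLE_ALT_SVC, HANDSHAKES).items():
        print(f"{target}: {'use' if ok else 'ignore'} ({why})")
```

Both constructed alternatives are ignored: the first because its certificate names only the alternate host, which is exactly the situation in which a man-in-the-middle could redirect traffic to a server it controls, and the second because the chain does not verify. A client that accepts an alternative only when `accept_alternative` returns true cannot be steered off the origin's certificate by the header alone.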

"The idea is, if content providers can make their content available encrypted, and let browsers know where to find it, users don't have to do anything special in order to enjoy a minimum level of encryption," Beardsley said. "Now, this is truly a minimal level -- there is no authentication guarantee with OE. But, in the case where nobody cares about...
