Mozilla Recalls New Features Due to Fatal Security Bug

Firefox 37 was released on March 31st, 2015, but only three days later, on April 3rd, Mozilla shipped Firefox 37.0.1, a patch release that disabled one of the version's headline new features, opportunistic encryption.

Opportunistic Encryption

Mozilla had attempted to implement a feature called opportunistic encryption, which encrypts traffic to servers that do not serve their content over HTTPS, making it harder for an attacker on the network to passively monitor what a client is doing. A little less than 60% of the top one million websites do not use SSL/TLS by default. Many argue that they have no need to, as they are simply displaying information, not collecting anything sensitive. But an unencrypted connection lets anyone on the path read, and tamper with, every page the client loads, and opportunistic encryption is an effort to mitigate that risk without requiring the site to deploy full HTTPS with a publicly trusted certificate. Its goal is to defeat passive monitoring; it does not, on its own, authenticate the server the way HTTPS does.

The Firefox bug was reported by security researcher Muneaki Nishimura, who is credited in the advisory Mozilla issued, and the foundation described it as a serious problem:

If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own.
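The decision the advisory describes, as an added example that is not Mozilla's code: a small JavaScript simulation of how a client should handle an Alt-Svc alternative. The header parser, the certificate records and the host names below are all constructed for illustration (a real browser gets the certificate verdict from its TLS library). It contrasts the vulnerable shape, in which the alternative's certificate is never re-verified, with the hardened shape, in which an alternative for an https origin is used only if its certificate is valid for the origin's own host name, the rule in RFC 7838, section 2.1.

```javascript
// Added example, not Mozilla's code: a simulation of the Alt-Svc policy
// decision that Firefox 37's HTTP/2 support got wrong. The parser is
// simplified (no IPv6 literals) and the certificate records are constructed
// stand-ins for what the TLS layer would report about a real connection.

// Split "host:port", ":port" or "host" into its parts.
function splitHostPort(hostPort) {
  const i = hostPort.lastIndexOf(":");
  if (i === -1) return [hostPort, null];
  const port = Number(hostPort.slice(i + 1));
  return [hostPort.slice(0, i), Number.isInteger(port) && port > 0 ? port : null];
}

// Parse an Alt-Svc header (RFC 7838), e.g.
//   h2="alt.example.com:443"; ma=3600, h2=":8443"
// An empty host means "the origin's own host on another port"; the value
// "clear" withdraws every alternative previously advertised.
function parseAltSvc(headerValue, originHost) {
  if (headerValue.trim() === "clear") return [];
  const alternatives = [];
  for (const entry of headerValue.split(",")) {
    const parts = entry.trim().split(";").map((p) => p.trim());
    const m = /^([A-Za-z0-9%._-]+)="([^"]*)"$/.exec(parts[0]);
    if (!m) continue; // skip malformed entries rather than guess
    const [host, port] = splitHostPort(m[2]);
    if (port === null) continue;
    const params = {};
    for (const p of parts.slice(1)) {
      const eq = p.indexOf("=");
      if (eq > 0) params[p.slice(0, eq)] = p.slice(eq + 1);
    }
    alternatives.push({
      protocolId: decodeURIComponent(m[1]),
      host: (host === "" ? originHost : host).toLowerCase(),
      port,
      maxAge: params.ma !== undefined ? Number(params.ma) : 86400, // RFC 7838 default
    });
  }
  return alternatives;
}

// Does the certificate authenticate `host`? Chain validity and expiry come
// from the (simulated) TLS layer; name matching follows the usual rule that a
// wildcard covers exactly one leftmost label.
function certificateIsValidFor(cert, host) {
  if (!cert.chainValid || cert.expired) return false;
  const h = host.toLowerCase();
  return cert.subjectAltNames.some((san) => {
    const s = san.toLowerCase();
    if (s.startsWith("*.")) {
      return h.split(".").length === s.split(".").length && h.endsWith(s.slice(1));
    }
    return s === h;
  });
}

// Vulnerable shape: the origin's own certificate was verified, so the client
// connects to the alternative and trusts whatever it presents. An attacker
// on the path to the alternative can therefore substitute their own
// certificate and no warning is ever shown.
function vulnerableAltSvcDecision(origin, altCert) {
  return { use: true, authenticated: origin.scheme === "https" };
}

// Hardened shape: an alternative for an https origin is used only when its
// certificate is valid for the ORIGIN host (RFC 7838, section 2.1); otherwise
// the alternative is dropped and the client keeps using the origin. For an
// http origin (opportunistic encryption) the connection is used for transport
// only and is never reported to the user as authenticated.
function hardenedAltSvcDecision(origin, altCert) {
  if (origin.scheme === "https") {
    if (certificateIsValidFor(altCert, origin.host)) {
      return { use: true, authenticated: true };
    }
    return { use: false, authenticated: false, reason: "certificate not valid for " + origin.host };
  }
  return { use: true, authenticated: false };
}

// Constructed scenario: the origin advertises two alternatives, and an
// attacker on the path to the alternative presents an untrusted certificate
// for a different name.
const ORIGIN = { scheme: "https", host: "www.example.com" };
const ALT_SVC_HEADER = 'h2="alt.example.com:443"; ma=3600, h2=":8443"';
const GENUINE_ALT_CERT = { subjectAltNames: ["*.example.com"], chainValid: true, expired: false };
const MITM_CERT = { subjectAltNames: ["attacker.example"], chainValid: false, expired: false };

function runScenario() {
  return {
    alternatives: parseAltSvc(ALT_SVC_HEADER, ORIGIN.host),
    vulnerableWithMitm: vulnerableAltSvcDecision(ORIGIN, MITM_CERT),
    hardenedWithMitm: hardenedAltSvcDecision(ORIGIN, MITM_CERT),
    hardenedGenuine: hardenedAltSvcDecision(ORIGIN, GENUINE_ALT_CERT),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runScenario(), null, 2));
}
```

Run with `node` and the vulnerable policy accepts the man-in-the-middle certificate as an authenticated connection, while the hardened policy discards the alternative and falls back to the origin. The point a reviewer would check in any Alt-Svc implementation is the same: the name the alternative's certificate is checked against must be the origin's host, not the alternative's, and the decision must hinge on the origin's scheme, since only an https origin earns an authenticated indicator.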

Testament to the Community

Software development is a risky business, especially when you're producing one of the world's most popular web browsers. A mistake like this could have led to serious, unnecessary breaches of user privacy, and could have badly damaged the Mozilla Foundation's credibility. It is a testament to the community that the flaw was reported and patched within four days of the release. It is well documented that bugs in the production code of much larger organizations, such as Microsoft, have persisted for years without a patch, or worse, have been "fixed" by patches that made security even weaker.


Further Auditing in Order

Perhaps the past few updates haven't been fully audited, you may be thinking, and you may be right. If you're a security researcher, that is an opportunity to make some money: Mozilla's bug bounty program pays up to $3,000 per qualifying vulnerability you find and report.

Not the First Major Mozilla Flaw

Like all widely used software, Firefox has had its share of bumps in the road. Notably, in 2012, a JavaScript vulnerability enabled an attacker to escalate to administrator privileges on affected machines. Like the opportunistic encryption bug described here, it didn't last long.




P. H. Madore has covered the cryptocurrency beat over the course of hundreds of articles for Hacked's sister site, CryptoCoinsNews, as well as some of its competitors. He is a major contributing developer to the Woodcoin project, and has made technical contributions to a number of other cryptocurrency projects. In his spare time, he recently began a more personalized, weekly newsletter at