Mozilla Recalls New Features Due to Fatal Security Bug
Firefox 37 was released on March 31st, 2015, but less than a week later, on April 3rd, Mozilla shipped Firefox 37.0.1, a patch release that disabled the opportunistic encryption feature it had just introduced.
Mozilla had added a security feature called opportunistic encryption: when a server reached over plain http:// advertises, through the Alt-Svc header, an alternative service that speaks TLS, the browser quietly moves the connection to TLS. The connection is encrypted but not authenticated, so it blocks passive eavesdropping on sites that have not deployed HTTPS, without the certificate checks, warnings or URL changes that a full HTTPS deployment requires. A little less than 60% of the top one million websites do not use HTTPS by default. Many site operators argue that they have no need to, as they are simply displaying information, not collecting anything sensitive. But an unencrypted connection lets anyone on the network path read the traffic and tamper with it, for example by injecting content into the page, and opportunistic encryption is an effort to mitigate at least the passive part of that risk.
The Firefox bug was reported by security researcher Muneaki Nishimura, and in the advisory Mozilla issued, it was described as a serious problem:
If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own.
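To make the advisory concrete, here is an added example, written for this page and not taken from Firefox or any Mozilla code, that models the decision a client has to make when an origin advertises an alternative service. It parses an Alt-Svc header value (RFC 7838 syntax), then contrasts a flawed policy of the shape the advisory describes (the presence of an alternative switches off certificate checking) with the correct one: an http:// origin may use unauthenticated TLS, while an https:// origin must be shown a certificate that is valid for the origin host itself, not merely for the alternative. The function names, hostnames and certificate names are all constructed for the example.

```javascript
// Added example (not Firefox code): how a client should treat an HTTP/2
// Alt-Svc alternative. Helper names and sample inputs are constructed.

// Parse an Alt-Svc header value (RFC 7838 syntax), e.g.
//   h2="alt.example.com:443"; ma=86400, h2=":8443"; persist=1
// into [{ protocol, host, port, params }]. host === "" means "same host".
function parseAltSvc(value) {
  if (value.trim() === 'clear') return [];         // "clear" invalidates all
  const alternatives = [];
  for (const entry of value.split(',')) {
    const parts = entry.split(';').map((s) => s.trim()).filter(Boolean);
    if (parts.length === 0) continue;
    const m = parts[0].match(/^([A-Za-z0-9!#$%&'*+.^_|~-]+)="([^"]*)"$/);
    if (!m) continue;                               // malformed entry: ignore
    const [, protocol, authority] = m;
    const idx = authority.lastIndexOf(':');
    if (idx < 0) continue;                          // the port is mandatory
    const host = authority.slice(0, idx);
    const port = Number(authority.slice(idx + 1));
    if (!Number.isInteger(port) || port < 1 || port > 65535) continue;
    const params = {};
    for (const p of parts.slice(1)) {
      const eq = p.indexOf('=');
      if (eq > 0) params[p.slice(0, eq)] = p.slice(eq + 1);
    }
    alternatives.push({ protocol, host, port, params });
  }
  return alternatives;
}

// Does a certificate whose subjectAltName DNS entries are `sans` cover
// `host`? Exact match, or a single-label wildcard such as *.example.com.
function certCoversHost(sans, host) {
  const h = host.toLowerCase();
  return sans.some((san) => {
    const s = san.toLowerCase();
    if (s === h) return true;
    if (!s.startsWith('*.') || !h.includes('.')) return false;
    return h.slice(h.indexOf('.') + 1) === s.slice(2);
  });
}

// Flawed policy of the kind the advisory describes: once an alternative is
// advertised, certificate checking is skipped whatever the origin scheme.
function authModeFlawed(originUrl) {
  return 'opportunistic';
}

// Correct policy: an http:// origin may use unauthenticated TLS
// (opportunistic encryption); an https:// origin must be shown a
// certificate valid for the ORIGIN host, not just for the alternative.
function authModeFixed(originUrl) {
  const scheme = new URL(originUrl).protocol;
  if (scheme === 'https:') return 'authenticated';
  if (scheme === 'http:') return 'opportunistic';
  return 'reject';
}

// Full decision: given the origin, the Alt-Svc header it returned and the
// DNS SANs of the certificate the alternative presented, may the client
// route the origin's traffic to the alternative?
function acceptAlternative(originUrl, altSvcHeader, presentedSans, policy = authModeFixed) {
  const alts = parseAltSvc(altSvcHeader);
  if (alts.length === 0) return { accepted: false, reason: 'no usable alternative' };
  const alt = alts[0];
  const mode = policy(originUrl);
  if (mode === 'reject') return { accepted: false, mode, alt, reason: 'unsupported scheme' };
  if (mode === 'opportunistic') return { accepted: true, mode, alt };
  const originHost = new URL(originUrl).hostname;
  if (!certCoversHost(presentedSans, originHost)) {
    return { accepted: false, mode, alt, reason: `certificate not valid for ${originHost}` };
  }
  return { accepted: true, mode, alt };
}

// Constructed scenario: an on-path attacker injects an Alt-Svc pointing at
// a host for which they hold a perfectly valid certificate.
const attackerHeader = 'h2="evil.example.net:443"';
const attackerSans = ['evil.example.net'];
console.log('flawed:', acceptAlternative('https://bank.example', attackerHeader, attackerSans, authModeFlawed));
console.log('fixed: ', acceptAlternative('https://bank.example', attackerHeader, attackerSans));
```

Under the flawed policy the attacker's alternative is accepted for an https:// origin and the user sees no certificate warning, which is exactly the impersonation the advisory warns about. Under the fixed policy the same header is rejected because evil.example.net's certificate does not cover bank.example, while a plain http:// origin is still allowed to use an unauthenticated alternative, which is all opportunistic encryption was ever meant to provide.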
Testament to the Community
Software development is a risky business, especially when you are producing one of the world's most popular web browsers. A mistake like this could have led to serious, unnecessary breaches of user privacy, and could have badly damaged Mozilla's standing as an organisation to be taken seriously on security. It is a testament to the community that it took less than four days for the flaw to be discovered and reported. It is well documented that bugs in the production code of much larger organisations, such as Microsoft, have persisted for years without a patch or, worse, have been "fixed" by patches that actually weakened security further.
Further Auditing in Order
Perhaps, you may be thinking, the past few updates have not been fully audited. You may be right. If you are a security researcher, that is an opportunity to make some money by finding vulnerabilities and exploits: Mozilla's bug bounty program pays up to $3,000 per qualifying flaw.
Not the First Major Mozilla Flaw