
Mozilla Disables Newly Released "Opportunistic Encryption Feature" in Firefox

By Kara Michelle sdbaterina@celebeat.com | Apr 08, 2015 09:08 AM EDT

On March 31, Mozilla released the latest version of Firefox, 37.0, which introduced a new feature that can cryptographically protect connections even when servers don't support the HTTPS protocol. Dubbed "opportunistic encryption," it acts as a bridge between plaintext HTTP connections and fully compliant HTTPS connections based on Transport Layer Security or its predecessor protocol, Secure Sockets Layer. But on April 3, Mozilla released Firefox 37.01, a minor maintenance release of the browser that disables "opportunistic encryption" as a result of a vulnerability related to certificate verification.

According to Extreme Tech, it was security researcher Muneaki Nishimura who discovered the flaw in Firefox 37.0, which Mozilla describes in its own threat summary thus: "If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own." In other words, the tech site adds, hackers could make someone think they were accessing a secure website when in reality they had been switched over to an insecure, hacked version.

Sophos Naked Security explains why the "opportunistic encryption" feature was a fatal flaw in Firefox 37.0. In its blog, it wrote: "If you had a phishing site that pretended to be yourbank.example, and handled HTTP connections directly, you'd have difficulty presenting a legitimate-looking connection. You'd either have to use HTTP and hope your victims wouldn't notice the lack of a secure connection, or use HTTPS and hope they wouldn't notice the certificate warnings telling them that you probably weren't the lawful owner and operator of the yourbank.example domain. Some users would probably end up getting tricked anyway, but well-informed users ought to spot the ruse at once, and remove themselves from harm's way. But this Alt-Svc bug could be used by crooks to redirect victims to a secure connection (thus making the connection 'look right') without producing a certificate warning to say that the site looked like an imposter. In other words, even a well-informed user might accept a phishing site as the real thing. The good news is that the bug was quickly found, and just as quickly fixed..."
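As an added illustration (not Mozilla's code and not taken from the article or the advisory), the Python sketch below shows the check the advisory says could be bypassed: an alternate server named in an Alt-Svc header is only used if its certificate chain is trusted and the certificate names the original site, not merely the alternate's own host name. It assumes the Alt-Svc syntax later standardised in RFC 7838; every host name other than yourbank.example, the `HANDSHAKES` data and all function names are constructed for the example.

```python
import re

# One alternative: protocol-id="host:port" plus optional ;param=value pairs.
_ALT = re.compile(r'\s*([^=\s;,]+)="([^"]*):(\d+)"((?:\s*;[^;]*)*)\s*')

def parse_alt_svc(value, origin_host):
    """Parse an Alt-Svc value into (protocol, host, port, max_age) tuples."""
    alts = []
    for part in value.split(","):        # authorities never contain commas
        m = _ALT.fullmatch(part)
        if not m:
            continue                     # malformed entry or the bare "clear" token
        proto, host, port, params = m.groups()
        max_age = 86400                  # RFC 7838 default freshness: 24 hours
        for p in params.split(";"):
            key, _, val = p.strip().partition("=")
            if key == "ma" and val.isdigit():
                max_age = int(val)
        # An empty host means "same host as the origin, different port".
        alts.append((proto, host or origin_host, int(port), max_age))
    return alts

def name_matches(pattern, host):
    """Match a certificate dNSName, allowing one left-most '*' label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == h[0] or (p[0] == "*" and len(p) > 2))

def select_alternative(origin_host, alt_svc_value, handshakes):
    """First alternative whose certificate authenticates the ORIGIN, else None."""
    for proto, host, port, max_age in parse_alt_svc(alt_svc_value, origin_host):
        cert = handshakes.get((host, port))
        if cert is None or not cert["chain_trusted"]:
            continue                     # untrusted chain: never accept silently
        # The name checked is the origin's, not the alternate's own host name.
        if any(name_matches(n, origin_host) for n in cert["san"]):
            return (proto, host, port, max_age)
    return None                          # no acceptable alternative: stay on the origin

# Constructed sample data: (host, port) -> what TLS validation reported there.
HEADER = 'h2="alt.other.example:443"; ma=600, h2="mirror.other.example:443", h2=":8443"'
HANDSHAKES = {
    ("alt.other.example", 443): {"chain_trusted": True, "san": ["alt.other.example"]},
    ("mirror.other.example", 443): {"chain_trusted": False, "san": ["yourbank.example"]},
    ("yourbank.example", 8443): {"chain_trusted": True, "san": ["*.yourbank.example", "yourbank.example"]},
}

print(select_alternative("yourbank.example", HEADER, HANDSHAKES))
```

The first alternative holds a trusted certificate, but only for its own name, and the second claims the bank's name with an untrusted chain; both are skipped, and only the third is selected.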
