Mozilla has pulled Firefox 37's opportunistic encryption feature after less than a week when it learned that tech designed to enhance security actually broke SSL certificate validation. <\/p>\n
A simple patch wouldn't do the trick, so Mozilla opted to release an update, Firefox 37.0.1, that removed opportunistic encryption. <\/p>\n
Going into reverse ferret mode and stripping out technology that evidently wasn't ready for prime time is a little embarrassing for Mozilla even though this is the responsible action to take in the circumstances. <\/p>\n
Mozilla correctly labels Firefox 37.0.1 as a critical update. <\/p>\n
Opportunistic encryption offers some basic encryption of data previously sent as clear text. The vulnerability arises in security flaws within the Alternative Services capability that underpins opportunistic encryption. <\/p>\n
The CVE-2015-0799 bug in Mozilla's HTTP Alternative Services implementation discovered by security researcher Muneaki Nishimura left surfers vulnerable to man-in-the-middle attacks that involved hackers impersonating genuine sites. <\/p>\n
Normally, the fake certificate hackers try to fool surfers with (in such cases) would generate warnings. <\/p>\n
However, these certificate warnings would fail to appear, leaving surfers without a clue that anything was amiss, as a security advisory by Mozilla explains. <\/p>\n
If an Alt-Svc header is specified in the HTTP\/2 response, SSL certificate verification can be bypassed for the specified alternate server. <\/p>\n
As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own. <\/p>\n
<\/p>\n