Can't patch this: Mozilla pulls Firefox encryption feature after just a week

Stop right there. This thing ain’t ready

Mozilla has pulled Firefox 37's opportunistic encryption feature after less than a week when it learned that tech designed to enhance security actually broke SSL certificate validation.

A simple patch wouldn't do the trick, so Mozilla opted to release an update, Firefox 37.0.1, that removed opportunistic encryption.

Going into reverse ferret mode and stripping out technology that evidently wasn't ready for prime time is a little embarrassing for Mozilla even though this is the responsible action to take in the circumstances.

Mozilla correctly labels Firefox 37.0.1 as a critical update.

Opportunistic encryption offers some basic encryption of data previously sent as clear text. The vulnerability arises in security flaws within the Alternative Services capability that underpins opportunistic encryption.

The CVE-2015-0799 bug in Mozilla's HTTP Alternative Services implementation – discovered by security researcher Muneaki Nishimura – left surfers vulnerable to man-in-the-middle attacks that involved hackers impersonating genuine sites.

Normally, the fake certificate hackers try to fool surfers with (in such cases) would generate warnings.

However, these certificate warnings would fail to appear, leaving surfers without a clue that anything was amiss, as a security advisory by Mozilla explains.

If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server.

As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own.

Mozilla plans to re-introduce opportunistic encryption once it irons out the wrinkles in its version of the technology. ®

Sponsored: Technical Overview: Exasol Peek Under the Hood


More from The Register

Firefox Preview, a new browser for Android from Mozilla

Firefox Preview for Android: Mozilla has another go at a mobile browser

Firefox Focus frozen as Mozilla redirects Android effort ... despite small market share

Today in tortured tech analogies: Mozilla lets Firefox loose in the hen house, and by hen house, we mean the tracking cookie jar, er...

Remember when people didn't use browsers from the one of world's biggest adtech giants?
Image by elroyspelbos

DoH! Mozilla assures UK minister that DNS-over-HTTPS won't be default in Firefox for Britons

As Reg readers will know, you'll have to click a few buttons first
red fox. pic by Shutterstock

This Free software ain't free to make, pal, it's expensive: Mozilla to bankroll Firefox with paid-for premium extras

Browser will remain gratis, optional $$-per-month services to be offered later this year

Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

To protect query privacy, browser maker will run everything through Cloudflare
Chrome vs. Firefox

Mozilla says Firefox won't defang ad blockers – unlike a certain ad-giant browser

Extensions still free to use uber-powerful webRequest API to filter crap out of webpages
Google, photo by lightpoet via Shutterstock

Mozilla returns crypto-signed website packaging spec to sender – yes, it's Google

Ad giant's site slurping tech complicates web security model, could give more power to search engines and social networks, Firefox maker warns
Well done, everyone

Finally. Thanks so much, nerds. Google, Apple, Mozilla end government* internet spying for good

* Terms and conditions apply. Offer not valid outside Kazakhstan. Your home may be repossessed if you do not keep up payments

Biting the hand that feeds IT © 1998–2019