Mozilla Kills Firefox Encryption Feature in Face of Security Flaw
Just as fast as Mozilla rolled out the latest version of its Firefox browser for Windows desktop, Mac, Linux and Android operating systems last week, it rolled it back. Version 37 boasted the largest-ever security feature: Opportunistic Encryption (OE) for servers and Web sites that support HTTP/2 AltSvc.
However, the company disclosed that security researcher Muneaki Nishimura discovered a flaw in its HTTP Alternative Services implementation and swiftly killed the feature.
“If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server,” Mozilla said in a security advisory. “As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MTIM), replacing the original certificate with their own.”
Defending Against Eavesdropping
We caught up with Tod Beardsley, engineering manager at vulnerability assessment and compliance solution provider Rapid7, to get his take on Firefox’s failed OE venture. He offered us a deeper explanation of what OE is and how it really works.
First off, Beardsley told us the OE feature was based on the draft specification for "HTTP Alternative Services," where a Web server can communicate to a browser that its resources -- such as Web pages, and scripts -- and can also be found at other locations. In this case, he said, a Web server is telling a browser that an encrypted version of a Web site is available somewhere else.
“The idea is, if content providers can make their content available encrypted, and let browser know where to find it, users don't have to do anything special in order to enjoy a minimum level of encryption,” Beardsley said. “Now, this is truly a minimal level -- there is no authentication guarantee with OE. But, in the case where nobody cares about endpoint identity, then it's a pretty good measure to defend against widespread, passive eavesdropping.”
Shifting Implementation Burden
According to Beardsley, there are a couple of caveats worth mentioning. First, the Web server must be configured to support the Alternative Services (ALTSVC) specification. That means there needs to be action from each individual Web site operator to make this work. Arguably, this is easier than rolling out both full-blown transport layer security with a real certificate authority and instrumenting your existing site to forward along the usual way, he said.
Second, there really is no authentication. Beardsley said an attacker can easily plant an ALTSVC directive in a hijacked, plain-text HTTP response, and redirect a victim's browser to basically anything he cared to do.
“Now, an attacker could have done this before, anyway -- after all, that's the price you pay with HTTP's total lack of authentication -- and OE doesn't stop this focused attack. This is why it's being described as strictly a defense against passive listeners, and not as a defense against an active, man-in-the-middle attacker,” Beardsley said.
He noted that the Electronic Frontier Foundation has been pushing "HTTPS Everywhere" -- a browser plugin that does much of the same thing as OE by rewriting requests originating from the browser -- for at least four years.
“This has seen some success among people who were already concerned with privacy and don't mind a little breakage here and there,” he concluded. “Ideally, if OE picks up, it shifts the implementation burden off the end users, who shouldn't really be concerned about eavesdropping anyway.”