Mozilla Kills Firefox Encryption Feature in Face of Security Flaw
By Jennifer LeClaire / CRM Daily
Just as fast as Mozilla rolled out the latest version of its Firefox browser for Windows desktop, Mac, Linux and Android operating systems last week, it rolled it back. Version 37 boasted the largest-ever security feature: Opportunistic Encryption (OE) for servers and Web sites that support HTTP/2 AltSvc.

However, the company disclosed that security researcher Muneaki Nishimura discovered a flaw in its HTTP Alternative Services implementation and swiftly killed the feature.

“If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server,” Mozilla said in a security advisory. “As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own.”

Defending Against Eavesdropping

We caught up with Tod Beardsley, engineering manager at vulnerability assessment and compliance solution provider Rapid7, to get his take on Firefox’s failed OE venture. He offered us a deeper explanation of what OE is and how it really works.

First off, Beardsley told us the OE feature was based on the draft specification for "HTTP Alternative Services," under which a Web server can tell a browser that its resources -- such as Web pages and scripts -- can also be found at other locations. In this case, he said, a Web server is telling a browser that an encrypted version of a Web site is available somewhere else.

“The idea is, if content providers can make their content available encrypted, and let browsers know where to find it, users don't have to do anything special in order to enjoy a minimum level of encryption,” Beardsley said. “Now, this is truly a minimal level -- there is no authentication guarantee with OE. But, in the case where nobody cares about endpoint identity, then it's a pretty good measure to defend against widespread, passive eavesdropping.”

Shifting Implementation Burden

According to Beardsley, there are a couple of caveats worth mentioning. First, the Web server must be configured to support the Alternative Services (ALTSVC) specification. That means there needs to be action from each individual Web site operator to make this work. Arguably, this is easier than rolling out both full-blown transport layer security with a real certificate authority and instrumenting your existing site to forward along the usual way, he said.

Second, there really is no authentication. Beardsley said an attacker can easily plant an ALTSVC directive in a hijacked, plain-text HTTP response, and redirect a victim's browser to basically anything he cared to do.

“Now, an attacker could have done this before, anyway -- after all, that's the price you pay with HTTP's total lack of authentication -- and OE doesn't stop this focused attack. This is why it's being described as strictly a defense against passive listeners, and not as a defense against an active, man-in-the-middle attacker,” Beardsley said.
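To make the two points above concrete (the origin-host certificate check that the advisory says Firefox 37 skipped, and Beardsley's distinction between opportunistic and authenticated encryption), here is an added illustration in Python. It is not Mozilla's code and not derived from the Firefox source; it parses an Alt-Svc header value in the RFC 7838 syntax and then applies a simple trust policy to a constructed list of certificate subjectAltName entries. No TLS handshake is performed; the `cert_chain_valid` flag and the SAN list stand in for what a real client would learn from the handshake.

```python
"""Alt-Svc parsing and an origin-bound trust decision (added example, not Firefox code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# RFC 7838: Alt-Svc = clear / 1#( protocol-id "=" alt-authority *( OWS ";" OWS parameter ) )
# alt-authority is quoted as "host:port"; an empty host means "same host as the origin".
_ALT_RE = re.compile(r'^\s*(?P<proto>[^=\s]+)="(?P<host>[^":]*):(?P<port>\d{1,5})"\s*$')


@dataclass(frozen=True)
class AltService:
    protocol: str
    host: str
    port: int
    max_age: int = 86400   # RFC 7838 default when the "ma" parameter is absent
    persist: bool = False


def parse_alt_svc(header: str, origin_host: str) -> list[AltService]:
    """Parse one Alt-Svc header value; unparseable entries are skipped, never guessed."""
    header = header.strip()
    if not header or header == "clear":          # "clear" invalidates all cached alternatives
        return []
    result = []
    for entry in header.split(","):
        parts = [p.strip() for p in entry.split(";")]
        m = _ALT_RE.match(parts[0])
        if not m:
            continue
        port = int(m.group("port"))
        if not 0 < port <= 65535:
            continue
        max_age, persist = 86400, False
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key == "ma" and value.isdigit():
                max_age = int(value)
            elif key == "persist":
                persist = value == "1"
        result.append(AltService(m.group("proto"), m.group("host") or origin_host,
                                 port, max_age, persist))
    return result


def cert_covers_host(san_dns_names: list[str], host: str) -> bool:
    """Exact match or a single leading wildcard label (simplified RFC 6125 matching)."""
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # "*.example.com" matches "www.example.com" but not "a.b.example.com"
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


def alternative_trust(origin_scheme: str, origin_host: str, alt: AltService,
                      alt_cert_san: list[str], cert_chain_valid: bool) -> str:
    """Decide how far to trust an advertised alternative.

    'reject'        - chain invalid, or the certificate does not name the ORIGIN host.
                      A certificate valid only for alt.host is not enough; this is the
                      check the advisory describes as bypassed.
    'opportunistic' - origin was plain http, so the header itself arrived unauthenticated:
                      encrypt the connection, but do not present it as https to the user.
    'authenticated' - origin was https and the alternative proved the origin's identity.
    """
    if not cert_chain_valid or not cert_covers_host(alt_cert_san, origin_host):
        return "reject"
    return "authenticated" if origin_scheme == "https" else "opportunistic"


if __name__ == "__main__":
    # Constructed header as a server might send it; hosts are example.com placeholders.
    alts = parse_alt_svc('h2="alt.example.com:443"; ma=3600, h2=":8443"; persist=1',
                         "www.example.com")
    for a in alts:
        print(a, alternative_trust("http", "www.example.com", a, ["*.example.com"], True))
```

The policy deliberately keys the certificate check to the origin host, not the alternative's host: an alternative that can only prove it is `alt.example.com` has proved nothing about `www.example.com`, which is exactly the gap an impersonator would exploit. The `opportunistic` outcome captures Beardsley's point that an Alt-Svc header received over plain HTTP can never upgrade a page to authenticated HTTPS, however good the alternative's certificate is.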

He noted that the Electronic Frontier Foundation has been pushing "HTTPS Everywhere" -- a browser plugin that does much of the same thing as OE by rewriting requests originating from the browser -- for at least four years.

“This has seen some success among people who were already concerned with privacy and don't mind a little breakage here and there,” he concluded. “Ideally, if OE picks up, it shifts the implementation burden off the end users, who shouldn't really be concerned about eavesdropping anyway.”

© Copyright 2018 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.