Mozilla's Firefox has received a new update to patch a web encryption flaw which could allow malicious websites to bypass certificate verification checks.
Last week, Mozilla introduced Firefox 37.0, which included support for HTTP/2, an Internet standard which allows for web connections to be encrypted even when HTTPS is not supported. One feature is HTTP Alternative Services -- otherwise known as Alt-Svc -- which forces end-to-end encryption between pages through redirection protocols.
Alt-Svc communicates with your PC or mobile device, offering an alternative way to access a web page. Instructions then can be sent in order to perform "opportunistic encryption," which forces through basic encryption protocols when visiting a website. It is not as secure as HTTPS, but is certainly an improvement on today's HTTP, which is the most commonly used communication channel on the Internet.
Unfortunately, while the latest Firefox update was designed to improve basic security, it also introduced a new, critical bug which allowed a researcher to find a way to bypass certificate verification if a web server redirected visitors through the HTTP/2 system.
In a basic security advisory provided by the Mozilla Foundation, the security flaw was deemed "critical." The bug, exploited through the HTTP/2 Alt-Svc header -- within Mozilla's Alternative Services implementation -- allowed for SSL certification verification to be bypassed.
As a result, invalid SSL certificate warnings would not be displayed and a hacker could potentially use a man-in-the-middle (MITM) attack to impersonate legitimate websites with the overall aim of luring victims to malicious pages, which could then be used to steal data or deliver malware payloads.
Cyberattackers could, for example, hijack the connection which looks legitimate thanks to Alt-Svc and send a victim to a phishing site masquerading as their bank, and users may not find anything amiss -- as invalid certificate warnings would not be displayed.
As reported by the Sophos Naked Security team, the bug was rapidly discovered and fixed. The team also noted that HTTP/2 isn't yet finalized and is not widely used. However, it is on its way to adoption through support by web servers including Apache, Nginx and Microsoft's IIS (Internet Information Servers) in Windows 10 Preview.
Mozilla updates the Firefox browser every six weeks, and for now, opportunistic encryption has been disabled. Firefox should update itself to 37.0.1 to automatically to fix the bug, however, you can also update your browser manually.
Read on: In the world of security
- Yahoo launches password-free logins
- Feds hot on the trail of JPMorgan hackers
- EquationDrug: Sophisticated, stealthy data theft for over a decade
- Symantec research highlights security failures in the connected home
- New CryptoLocker ransomware targets gamers
Read on: Fixes and Flaws