Mozilla Combats MiTM Attacks, Rogue Certificates in Firefox 32

Mozilla’s latest browser update, Firefox 32, has added public-key pinning to prevent man-in-the-middle (MiTM) attacks and the use of rogue certificates.
The update also includes patches for several critical security vulnerabilities.
Public-key pinning helps ensure that web surfers are connecting to the sites they intend to connect to—and not an imposter site looking to capture credentials or serve malware. Pinning allows site operators to specify which certificate authorities (CAs) issue valid certificates for them, rather than accepting any one of the hundreds of built-in root certificates that ship with Firefox.
If any certificate in the verified certificate chain corresponds to one of the known good certificates, Firefox displays the lock icon as normal. If not, then Firefox will reject the connection with a pinning error.
“This type of error can also occur if a CA mis-issues a certificate,” said Sid Stamm, senior manager of security and privacy engineering at Mozilla, in a blog. “In this way, key pinning can be used by sites to add another layer of trust to their servers’ deployment of TLS.”
To begin with, Mozilla is supporting a limited set of pinned domains, including addons.mozilla.org and Twitter. The Google Chromium pinset, Tor and Dropbox will be supported in future releases.
“Firefox 32 and above supports built-in pins, which means that the list of acceptable certificate authorities must be set at time of build for each pinned domain,” Mozilla explained in an announcement. “Pinning is enforced by default. Sites may advertise their support for pinning with the Public Key Pinning Extension for HTTP, which we hope to implement soon.”
The HTTP extension allows web host operators to instruct user agents to remember (‘pin’) the hosts’ cryptographic identities for a given period of time.
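The matching rule described above (one pinned key anywhere in the verified chain is enough) and the time-limited header policy can be modelled as follows. This is an added example, not Mozilla's code: the `Public-Key-Pins` directive names `pin-sha256`, `max-age` and `includeSubDomains` follow RFC 7469, the function names are hypothetical, and the SPKI byte strings are constructed placeholders rather than real keys.

```python
import base64
import hashlib

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the SubjectPublicKeyInfo bytes."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins header value (RFC 7469 directive names)."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        # Split on the first "=" only: base64 pins end in "=" padding.
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None or not policy["pins"]:
        raise ValueError("policy needs max-age and at least one pin")
    return policy

def pin_check(policy: dict, noted_at: int, now: int, chain_spkis: list) -> str:
    """Evaluate a verified chain against a remembered policy."""
    if now > noted_at + policy["max_age"]:
        return "expired"  # pin no longer remembered; normal CA validation only
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    # One match anywhere in the chain (leaf, intermediate or root) is enough.
    return "ok" if chain_pins & policy["pins"] else "pin_failure"

# Constructed placeholder bytes standing in for DER-encoded SPKI structures.
LEAF, PINNED_CA, BACKUP_KEY = b"spki-leaf", b"spki-pinned-ca", b"spki-backup"
OTHER_LEAF, OTHER_CA = b"spki-lookalike-leaf", b"spki-unpinned-ca"

HEADER = (f'pin-sha256="{spki_pin(PINNED_CA)}"; pin-sha256="{spki_pin(BACKUP_KEY)}"; '
          "max-age=5184000; includeSubDomains")
POLICY = parse_pkp_header(HEADER)
GOOD_CHAIN = [LEAF, PINNED_CA]            # issued under the pinned CA
MISISSUED_CHAIN = [OTHER_LEAF, OTHER_CA]  # valid chain, but from an unpinned CA

if __name__ == "__main__":
    print(pin_check(POLICY, 0, 3600, GOOD_CHAIN))
    print(pin_check(POLICY, 0, 3600, MISISSUED_CHAIN))
    print(pin_check(POLICY, 0, 5184001, MISISSUED_CHAIN))
```

The mis-issued chain would pass ordinary CA validation; it is rejected only because none of its keys match the remembered pins, and only while the `max-age` window is still open.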
Meanwhile, Firefox 32 also patches two critical use-after-free flaws.
“Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free during cycle collection,” the Mozilla advisory said for one of the issues. “This was found in interactions with the SVG content through the document object model (DOM) with animating SVG content. This leads to a potentially exploitable crash.”
As for the other flaw, “security researcher Regenrecht reported, via TippingPoint’s Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction,” Mozilla said. “This results in a use-after-free which can lead to arbitrary code execution.”
The update also fixes a series of memory safety bugs, along with three less-severe vulnerabilities.

Abhishek Kumar Jha