Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Rolls Back Firefox 37's Opportunistic Encryption Over Security Issue

Posted by Soulskill on from the generates-too-many-opportunities dept.

darthcamaro writes: Barely a week ago, Mozilla released Firefox 37, which had a key new feature called opportunistic encryption. The basic idea is that it will do some baseline encryption for data that would have otherwise been sent by a user via clear text. Unfortunately, Mozilla has already issued Firefox 37.0.1, which removes opportunistic encryption. A security vulnerability was reported in the underlying Alternative Services capability that helps to enable opportunistic encryption. "If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle, replacing the original certificate with their own." They plan to re-enable opportunistic encryption when this issue is investigated and fixed.

42 comments

  1. uhhh by Anonymous Coward · · Score: 0

    So thank s to OE I can see https in the url and no certificate warnings but it's actually not that safe at all? oh good that won't mislead users

    1. Re:uhhh by Z00L00K · · Score: 1

      Considering the short time it was up I don't see a major problem.

      The main problem I see is that encrypted links are certified as being more secure than unencrypted when it comes to privileges in browsers because they aren't.

      The basic idea as I see it with the Firefox browser doing opportunistic encryption is sound. The problem comes with all permutations of how it can be applied in a way that's transparent for the user.

      We also have the problem with the chain of trust - not all CAs are trustworthy.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. Stop pulling googles and write software again! by Anonymous Coward · · Score: 0, Troll

    Maybe the whole Mozilla organization should care a little less about *everything else* and go back writing, debugging and fixing what should have been a browser (and now is almost an half-assed Chrome clone).

    You know, that kind of things developers used to do before shipping to users, not after.

  3. Well done Mozilla. by Anonymous Coward · · Score: 0, Offtopic

    Roll out a vulnerable "security" feature just long enough to get exploited?

    Mission Complete!

    Let us know how the NSA debriefing goes.

  4. Opposite? by DrYak · · Score: 4, Informative

    From what I understand how this is supposed to work, it's the opposite:

    I think it's: you type a simple *http* address, the website behaves like a plain normal one. (so no https address, nothing misleading you into thinking you are using secure https website)
    But when you submit data to it, the browser will automatically switch on-the-fly to an alternate, encrypted route, so the data is sent encrypted to a alternate destination handling encryption.
    It's not a full blown https, but it's better than nothing.
    Think of it as "https-lite" for sending data. Designed for server which can afford having a full blown https stack.

    Except, that the thing is so much simplified that there aren't enough checks in this protocol. So a third party could use the feature to re-route data to their eavesdropping infrastructure, instead of re-routing it to an encryption feature on the original http server.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Opposite? by Anonymous Coward · · Score: 0

      Yeah but half the point of HTTPS is no MITM. This just means you MITM the HTTP and give the false impression of security by OE redirection to the malicious server. In particular, it's precisely what Cameron/GCHQ have been asking for over the last few months: encryption in transit but which can be intercepted by them as needed.

    2. Re:Opposite? by MobyDisk · · Score: 1

      But when you submit data to it, the browser will automatically switch on-the-fly to an alternate, encrypted route, so the data is sent encrypted to a alternate destination handling encryption.

      What benefit does that have over regular HTTPs? Why is this different from just having the submit URL be HTTPs? And wouldn't a security-aware user refuse to click submit when they saw the page wasn't encrypted?

      Thanks for the explanation. I've been reading about this since I saw the Slashdot headline a few days ago and I'm just not getting it.

    3. Re:Opposite? by Dagger2 · · Score: 2

      If you're at the point where you can insert arbitrary HTTP headers into a connection, you don't really need to insert a header that causes the client to make requests from one of your own servers in order to sniff the data in the connection. Just sniff the connection.

    4. Re: Opposite? by Mitsoid · · Score: 1

      It's good for nonfinancial/pii websites that can't afford SSL certs, but may have contact forms, website logins, etc. Where users may type in their (hopefully different from their banks) user name and passwords... Or email address, or plaintext commentary in a forum that they may not necessarily care if it's encrypted or not.

      Is not intended for sites you really need or want security. I really see this as a benefit to helping protect people who use the same password for everything -- helping, in this case, just delaying the inevitable.

      I wouldn't mind this kind of thing for my own website, where only a handful of people will ever have accounts, and the only thing I need to protect is their login info. I set their passwords currently, but if I left them choose, I wouldn't mind extra security on their form data when they log in

    5. Re:Opposite? by Dagger2 · · Score: 2

      Valid certificate not required. In particular this means you can use self-signed certs without a big massive warning.

      Obviously a valid certificate via https:// is better, but if your choice is between a self-signed cert that throws a big warning and unsecured http://, you're going to choose the latter. Alt-Svc adds the option of delivering your http:// site over an encrypted connection.

      (Nitpicker's corner: yes, the connection will be unauthenticated, which yes, means an active MITM can still read the contents. An active MITM is harder to pull off than passive sniffing, is obviously more evil, and is detectable, which makes this better than unsecured HTTP even if you don't get 100% perfect protection with it.)

    6. Re:Opposite? by Anonymous Coward · · Score: 0

      Seems to me, that Chrome's method is the best:
      - small pop-up about how the page is unauthenticated
      - https done in red and strike-out

      Demonstrates well that the site cannot be trusted more than http, but doesn't make it seem WORSE than http.

    7. Re: Opposite? by MobyDisk · · Score: 1

      How is this better than I'm unclear HTTPS with a self-signed cert? It seems like a convoluted way to suppress a certificate prompt.

    8. Re:Opposite? by MobyDisk · · Score: 1

      So we created this mechanism just to hide the certificate prompt? It seems like it would be better just to put text on the form that says "Hey, I used a self-signed certificate so ignore the message you see when you click submit" then just submit the form to an HTTP URL as usual. Alternatively, we could standardize on an HTML meta-attribute or HTTP header attribute that tells the browser to ignore the cert. No special browser feature required.

      Surely I am missing something here.

    9. Re: Opposite? by Anonymous Coward · · Score: 0

      It is HTTPS with a self-signed cert. Opportunistic encryption is a way for the server to tell the client that instead of using an unencrypted connection, it should use an encrypted but unverified connection, allowing for protection again passive attacks. The difference is the browser treats it as HTTP for UI and security purposes because the cert doesn't get verified. HTTPS is reserved for connections that are supposed to be secure (although we know that there's a constant parade of security bugs in HTTPS implementations), so it's not okay to use self-signed HTTPS without this way of doing that with an http:/// URI.

      Also not sure what the OP was talking about with "when you submit data". The entire connection is encrypted just like with HTTPS.

    10. Re:Opposite? by Dagger2 · · Score: 1

      No, we created it to make it actually possible to do unauthenticated encryption with self-signed certificates on public websites. Currently, nobody uses self-signed certs because of the invalid cert warnings.

      <meta> tags or HTTP headers are sent after the SSL negotiation, so neither of them can change the negotiation behavior. (Putting text on the page telling people to ignore the warning doesn't work either, because they'd need to ignore the warning just to see the text.) The only way a new header is going to work is if you use http:// for the first request, and then include a header that tells the browser it can pull the same pages over TLS, but without doing authenticity checks on the certificate.

      Which is pretty much how this Alt-Svc header works.

    11. Re:Opposite? by MobyDisk · · Score: 1

      The only way a new header is going to work is if you use http:/// for the first request, and then include a header that tells the browser it can pull the same pages over TLS, but without doing authenticity checks on the certificate.

      That's what I meant. Someone further up the comment chain said that is how OE works. First it connects with HTTP, then when "data is submitted" (I took that to mean a forms submission) it uses the OE.

      So, in trying to understand the intent here:

      No, we created it to make it actually possible to do unauthenticated encryption with self-signed certificates on public websites.

      We already have that capability, but as you say:

      Currently, nobody uses self-signed certs because of the invalid cert warnings.

      So that seems to confirm that yes, the purpose of this is to hide the cert warnings. Am I missing something?

      Aside: I just learned about dh_anon, which actually does not even require a certificate. Interesting.

    12. Re:Opposite? by Dagger2 · · Score: 1

      I'd say the main purpose is to encrypt more stuff, and "not throwing a wobbly when you see a self-signed cert" is just a part of that. (Since you can't just turn off cert warnings and be done with it; you need some way to enable encryption without enabling authentication.)

      It's not just for forms, or whatever "submit" was supposed to mean. All HTTP requests to the site except for the first one (per session? I'm not sure how long these headers are cached for) will go over TLS.

  5. MSIE is dead by dolmen.fr · · Score: 1

    Except MSIE is dead. And "Project Spartan" still doesn't have an official name.

    1. Re:MSIE is dead by Anonymous Coward · · Score: 1

      Firefox died when they switched to version 4. It is now a buggy chrome-clone, but with even more tracking.

  6. HTTP/2 by Anonymous Coward · · Score: 0

    Nobody uses it, yet it alredy causes vulnerabilities.

  7. Why not bump to version 38? by Anonymous Coward · · Score: 0

    Have they forgotten that higher version numbers equals better software?
    At this rate, we won't even be at version 50 by Christmas.

    1. Re:Why not bump to version 38? by ShaunC · · Score: 1

      They can't bump to 38 until the built-in BitTorrent client is finished. 38.0.1 should have a couple of security fixes for that, plus a version of Gimp developed in PDFjs. I believe version 39 is slated to natively run Google Chrome.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  8. hmmm...Man in the Middle attack... by l0n3s0m3phr34k · · Score: 1

    were have I read about that recently? Oh yeah, Hillary Clinton's "disappeared" email server with it's self-signed cert. Running Exchange 2010 MitM might not be very easy, but when you've got an entire country funding you (China, NK, Russia, etc) nothing like that is actually impossible.

  9. How about fixing https printing first by Kinwolf · · Score: 1

    Before integrating all the newest protocols, how about fixing decades old bugs to basic functions, like printing...? Since forever, when you print https pages, firefox will print the first, and last one, and nothing in between.(it's not on all https pages, but it's on enough that it's a major anyoance) Other browsers have no problems with the same pages, so it's a FF problem. Bugs related to this have been opened since 2004, 11 years ago! And again, you get answer to the bug to the likes of "we got too much on our plate right now to take a look at this" If mozilla is looking for money, how about allowing us to pay, say, 40$ for one year where we get the privileges that the bugs we report are actually WORKED on?

    1. Re:How about fixing https printing first by drinkypoo · · Score: 1

      If mozilla is looking for money, how about allowing us to pay, say, 40$ for one year where we get the privileges that the bugs we report are actually WORKED on?

      Given their record, there's no way in hell I'd pay them for any bugs they haven't already fixed.

      I would make a simple donation, but that won't happen until they start listening to the users, and take firefox in a sane direction again, so I don't anticipate it happening any time soon. Regardless, I'm not rewarding bad behavior. Right now they seem to be spending most of their time shitting up Firefox, I'm not paying for that.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:How about fixing https printing first by Anonymous Coward · · Score: 0

      Funny, I've never seen this problem with e10s enabled (isn't that the default now?).

    3. Re:How about fixing https printing first by Anonymous Coward · · Score: 0

      Have you posted a bugzilla report? I've never come across this bug

    4. Re:How about fixing https printing first by Kinwolf · · Score: 1

      Tons of bugs about this opened already by many users. They are really quick to flag them as duplicate, but never about fixing it An exemple: https://bugzilla.mozilla.org/s...

  10. Re:hmmm...apostrophe in the middle attack.... by Anonymous Coward · · Score: 0

    hmmm.... ... it's means it is....

  11. It's not for a lack of money by Anonymous Coward · · Score: 1

    For several years, Mozilla was getting about $700,000. a DAY from Google. They were rolling in money, and all they did was screw up the browser more and more.

    Source: computerworld.com

  12. Re:hmmm...apostrophe in the middle attack.... by Culture20 · · Score: 1

    hmmm.... ... it's means it is....

    "It depends on what the meaning of the word 'is' is." -Clinton

  13. Thereby fixing the problem by Anonymous Coward · · Score: 0

    warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle, replacing the original certificate with their own.

    But by disabling OE and falling back to completely unprotected plaintext, attackers lose the ability to MitM, thereby fixing the problem?

  14. DANE... [skip] DANE... [skip] by chihowa · · Score: 2

    I hate to sound like a broken record here, but this is a problem than can be easily solved with DANE (or certificate pinning or CT...). If you make a positive assertion about the legitimacy of your self-signed certificate in DNS, you can have the authentication of a CA-signed certificate without the associated expense.

    With DANE, you (the domain owner) are acting as the authority who vouches for your certificate instead of (or in addition to) one of the many CAs.

    (I know that this is supposed to be an opportunistic approach, but reliance on the CAs is what is making proper HTTPS, even if just for forms, underutilized.)

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    1. Re:DANE... [skip] DANE... [skip] by 0123456 · · Score: 1

      But surely anyone able to perform an MITM attack on the key can also perform a MITM attack on DNS, since it's not authenticated? I presume you'd at least need DNSSEC to prevent that?

    2. Re:DANE... [skip] DANE... [skip] by chihowa · · Score: 1

      DANE depends on DNSSEC, so the response is authenticated.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    3. Re:DANE... [skip] DANE... [skip] by Anonymous Coward · · Score: 0

      I agree, but Mozilla has no intention of supporting DANE. I'm not sure if opportunistic encryption supports certificate pinning (Firefox supports it for HTTPS sites, but the cert has to be signed by a CA in the first place), although it would make sense for it to do so. Maybe Mozilla could be convinced to support DANE for OE only at first. It would be interesting if opportunistic encryption got enough security features tacked on that it could [optionally] be more secure than HTTPS.

  15. Sniffing doesn't work with OE by DrYak · · Score: 2

    With OE, sniffing data doesn't work.
    OE will encrypt the tiny bit that interests you, in the middle of an otherwise plain text connection.

    So by simply passively listening to packets, you won't be able to gain access to the juicy parts, they will be the (only) encrypted part.

    OE can prevent incident like google car which recorded sensitive information while logging data packets from non secure Wifi. Or attacks like FireSheep passively listening to clear text cookies in a internet café

    But currently OE apparently lack any authentication scheme. so it's trivial to throw a MITM attack.

    OE isn't competing as being an alternative to HTTPS. (Https is the real deal if you want security).
    OE is trying to be a tiny bit better than plain text over HTTP, and currently is a little bit better at preventing accidental eavesdrop.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  16. Sounds like a straightforward case of ... by Anonymous Coward · · Score: 0

    decent idea, but seriously flawed implementation (and lack of thinking through sufficient non-sunny-day scenarios).