Slashdot Mirror


Mozilla Rolls Back Firefox 37's Opportunistic Encryption Over Security Issue

darthcamaro writes: Barely a week ago, Mozilla released Firefox 37, which had a key new feature called opportunistic encryption. The basic idea is that it will do some baseline encryption for data that would have otherwise been sent by a user via clear text. Unfortunately, Mozilla has already issued Firefox 37.0.1, which removes opportunistic encryption. A security vulnerability was reported in the underlying Alternative Services capability that helps to enable opportunistic encryption. "If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle, replacing the original certificate with their own." They plan to re-enable opportunistic encryption when this issue is investigated and fixed.

1 of 42 comments shown

  1. Opposite? by DrYak · Score: 4, Informative

    From what I understand of how this is supposed to work, it's the opposite:

    I think it's: you type a simple *http* address, and the website behaves like a plain normal one (so no https address, nothing misleading you into thinking you are using a secure https website).
    But when you submit data to it, the browser will automatically switch on-the-fly to an alternate, encrypted route, so the data is sent encrypted to an alternate destination handling encryption.
    It's not full-blown https, but it's better than nothing.
    Think of it as "https-lite" for sending data. Designed for servers which can afford having a full-blown https stack.

    Except that the thing is so much simplified that there aren't enough checks in this protocol. So a third party could use the feature to re-route data to their eavesdropping infrastructure, instead of re-routing it to an encryption feature on the original http server.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
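Added example (not Firefox or Mozilla code, and not posted by darthcamaro or DrYak): a Node.js script that parses an Alt-Svc field value as RFC 7838 defines it and then applies the acceptance check the 37.0.1 advisory says was bypassed. It covers both the https-origin case from the summary (the alternative must present a certificate that verifies for the origin's host, not merely for its own host) and the http-origin "encrypted route" case DrYak describes (encryption without authentication, so the page must not be treated as secure). The function names, the `verifyAlternate` toggle used to model the bug, and every header value, hostname and handshake outcome are constructed for the example; none of them come from Firefox.

```javascript
// Added example, not Firefox/Mozilla code. All header values, hostnames and
// handshake outcomes are constructed for illustration.

// Split on `sep`, ignoring separators that appear inside quoted-strings.
function splitOutsideQuotes(s, sep) {
  const parts = [];
  let cur = '';
  let inQuote = false;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c === '\\' && inQuote && i + 1 < s.length) { cur += s[++i]; continue; } // quoted-pair
    if (c === '"') inQuote = !inQuote;
    if (c === sep && !inQuote) { parts.push(cur); cur = ''; } else { cur += c; }
  }
  parts.push(cur);
  return parts.map(p => p.trim()).filter(p => p.length > 0);
}

// Parse one Alt-Svc field value (RFC 7838). Returns null for "clear" (drop all
// cached alternatives for the origin), otherwise an array of alternatives.
function parseAltSvc(fieldValue) {
  const value = fieldValue.trim();
  if (value === 'clear') return null;
  const alts = [];
  for (const member of splitOutsideQuotes(value, ',')) {
    const [alternative, ...params] = splitOutsideQuotes(member, ';');
    const eq = alternative.indexOf('=');
    if (eq < 1) throw new Error(`malformed alternative: ${alternative}`);
    const protocol = decodeURIComponent(alternative.slice(0, eq)); // percent-encoded ALPN id
    const quoted = alternative.slice(eq + 1);
    if (quoted.length < 2 || !quoted.startsWith('"') || !quoted.endsWith('"')) {
      throw new Error(`alt-authority must be a quoted-string: ${quoted}`);
    }
    const authority = quoted.slice(1, -1);
    const colon = authority.lastIndexOf(':');
    if (colon < 0) throw new Error(`alt-authority needs a port: ${authority}`);
    const port = Number(authority.slice(colon + 1));
    if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error(`bad port: ${authority}`);
    // Empty host means "same host as the origin"; ma defaults to 24 hours.
    const alt = { protocol, host: authority.slice(0, colon) || null, port, maxAge: 86400, persist: false };
    for (const p of params) {
      const [k, v = ''] = p.split('=').map(x => x.trim());
      if (k === 'ma') alt.maxAge = Number(v);
      else if (k === 'persist') alt.persist = v === '1';
      // unknown parameters are ignored
    }
    alts.push(alt);
  }
  return alts;
}

// Does a certificate DNS name cover `host`? Exact match, or a wildcard in the
// leftmost label matching exactly one label (RFC 6125 style).
function hostMatches(dnsName, host) {
  const a = dnsName.toLowerCase();
  const b = host.toLowerCase();
  if (a === b) return true;
  if (!a.startsWith('*.')) return false;
  const dot = b.indexOf('.');
  return dot > 0 && b.slice(dot) === a.slice(1);
}

// Decide whether traffic for `origin` may go to `alt`. `tls` summarises the
// handshake with the alternative (did its chain verify, which DNS names does
// its certificate carry). `verifyAlternate: false` models the bug the 37.0.1
// advisory describes: the alternative's certificate is simply not checked.
function mayUseAlternative(origin, alt, tls, { verifyAlternate = true } = {}) {
  const target = `${alt.host || origin.host}:${alt.port}`;
  const validForOrigin = tls.chainVerified && tls.dnsNames.some(n => hostMatches(n, origin.host));
  if (origin.scheme === 'https') {
    if (!verifyAlternate) return { use: true, target, authenticated: false, reason: 'check skipped (vulnerable)' };
    // RFC 7838: the alternative must be authenticated for the ORIGIN host,
    // not merely hold some certificate for its own hostname.
    if (!validForOrigin) return { use: false, target, authenticated: false, reason: 'not authenticated for origin' };
    return { use: true, target, authenticated: true, reason: 'authenticated for origin' };
  }
  // http origin (opportunistic encryption): encrypted on the wire, but the page
  // stays an http page and must not be shown as secure; without an
  // origin-valid certificate this only defeats passive eavesdropping.
  return { use: true, target, authenticated: validForOrigin, reason: 'opportunistic' };
}

// Walk through the advisory's scenario on an https origin (constructed data).
function demo() {
  const origin = { scheme: 'https', host: 'www.example.com', port: 443 };
  const alts = parseAltSvc('h2="alt.example.com:8443"; ma=3600, h2=":443"; persist=1');
  const attackerCert = { chainVerified: false, dnsNames: ['attacker.invalid'] }; // MITM's own cert
  const altOnlyCert = { chainVerified: true, dnsNames: ['alt.example.com'] };    // valid, wrong host
  const originCert = { chainVerified: true, dnsNames: ['*.example.com'] };       // valid for origin
  return {
    vulnerable: mayUseAlternative(origin, alts[0], attackerCert, { verifyAlternate: false }).use,
    hardenedAttacker: mayUseAlternative(origin, alts[0], attackerCert).use,
    hardenedAltOnly: mayUseAlternative(origin, alts[0], altOnlyCert).use,
    hardenedOrigin: mayUseAlternative(origin, alts[0], originCert).use,
  };
}

console.log(JSON.stringify(demo()));
```

The point the `demo()` cases make: with the check skipped, a man-in-the-middle's own certificate on the alternative is accepted without any warning; with the check in place, both an unverifiable chain and a perfectly valid certificate for the wrong host (the alternative's, not the origin's) are refused, and only a certificate valid for the origin host lets the alternative carry the origin's traffic.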