Slashdot Mirror


Firefox Will Soon Warn Users of Software That Performs MitM Attacks (zdnet.com)

The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user's HTTPS traffic. From a report: The new feature is expected to land in Firefox 66, Firefox's current beta version, scheduled for an official release in mid-March. The way this feature works is to show a visual error page when, according to a Mozilla help page, "something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox." An error message that reads "MOZILLA_PKIX_ERROR_MITM_DETECTED" will be shown whenever something like the above happens.

79 comments

  1. Will have to be done carefully by The-Ixian · · Score: 4, Insightful

    Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

    On the bright side, users will learn quickly when Superfish style shenanigans are going on.

    Overall, I like the idea. In practice, I am thinking this is going to cause more pain than pleasure....

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Will have to be done carefully by Anonymous Coward · · Score: 1

      Yes, you're right; even common consumer AV performs SSL inspection by default (e.g. Kaspersky). This surely will give some headaches even to home end users... But it's definitely a useful feature.

    2. Re:Will have to be done carefully by Anonymous Coward · · Score: 0

      superfish or 'legit' corporate spyage.. it's all the same 'shenanigans'.

      how does a third party determine a 'legitimate' hijack of a secure browsing session from one that isn't? hint: you don't. you can't. as soon as you can tell them apart, the bad guys will exploit that loophole themselves. you must treat all activities such as this as hostile.

    3. Re:Will have to be done carefully by Ol+Olsoc · · Score: 3, Insightful

      Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

      Hehe, you aren't kidding. They'll have to find a different way to keep track of where their employees are going.

      In practice, I am thinking this is going to cause more pain than pleasure....

      Pain can be a way of alerting you to problems.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Will have to be done carefully by rtowne72 · · Score: 1

      In the few Fortune 50 Companies I have worked with, no Firefox. They stick with IE, for only God knows why.

    5. Re:Will have to be done carefully by grumpy-cowboy · · Score: 0

      Nope. They will simply ban the use of Firefox and force their employees to use Edge.

      --
      Will $CURRENT_YEAR be the year of the Linux Desktop?
    6. Re:Will have to be done carefully by The-Ixian · · Score: 2

      In the few Fortune 50 Companies I have worked with, no Firefox. They stick with IE, for only God knows why.

      Two words: Group Policy

      Chrome also has GP support for their Enterprise version of Chrome.

      Last I checked (which was a while ago) there was only 3rd party GP templates for Firefox.

      --
      My eyes reflect the stars and a smile lights up my face.
    7. Re:Will have to be done carefully by The-Ixian · · Score: 1

      You are not wrong. But there does have to be a balance. Corporations have every reasonable right to police the content that flows over their wires.

      --
      My eyes reflect the stars and a smile lights up my face.
    8. Re:Will have to be done carefully by gibbsjoh · · Score: 1

      Edge! I should be so lucky where I work... still on IE11!

      --
      -- "...I'm a bad guy because I, well, I sing some rock-and-roll songs." M. Manson
    9. Re:Will have to be done carefully by Anonymous Coward · · Score: 3, Insightful

      Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigans.

    10. Re:Will have to be done carefully by Anonymous Coward · · Score: 2, Informative

      Firefox added group policy support with the release of ESR version 60, including official templates.

      You can enable enterprise roots through this, which causes firefox to read the Windows certificate store.
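The enterprise-roots setting this comment refers to, written out as an added example of a Firefox `policies.json` (distribution directory of the install); this file is not from the thread, and the `.der` filename under `Install` is a placeholder:

```json
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["<placeholder-corporate-root>.der"]
    }
  }
}
```

`ImportEnterpriseRoots` makes Firefox trust the roots in the Windows (or macOS) system store; with the interception proxy's CA trusted this way, its re-signed certificates validate normally and no unknown-issuer or MITM error page is shown at all.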

    11. Re:Will have to be done carefully by Anonymous Coward · · Score: 1

      This generally isn't used to track where they're going, but rather what they are downloading (or uploading) once they get there. You can track where people are going using SNI.

    12. Re:Will have to be done carefully by Anonymous Coward · · Score: 0

      Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

      You can count them on one hand. Mozilla has always been extremely hostile towards the owners of a computer using their software as we want instead of how Mozilla demands.

      Corporations monitoring their employees isn't even the best example, since no one likes that in the first place.

      How about just making Firefox work with "HTTP" right, or "TCP" properly, or even follow the decades long "IP" standard and be a working network application for a change?

      Want to use DNS search domains for aliases? Nope not allowed.
      Want to use local mdns advertisements? Nope, can't.
      Want to run your own CA and not pay thousands of dollars a year or more to CAs partnered with Mozilla? Not without a ton of extra work that they will reverse and undo every update.

      Want to just tell people on your wifi "hey checkout firefox, it's great" and not require them to fill in network settings and proxy auth and more preferences fields than are on my tax return?
      Fuck no!

      They can't stand the users of their software doing what those users want with their own property.
      Why would it matter when the owner is a corporation instead of just a person? It doesn't, they fight tooth and nail to fuck over both.

    13. Re:Will have to be done carefully by Anonymous Coward · · Score: 0

      Mozilla has always been extremely hostile towards the owners of a computer using their software as we want instead of how Mozilla demands.

      Much truth here. You have to wonder what the end game is. I actually prefer Firefox to Chrome, but it sure as fuck feels like they're doing everything they can to make me switch.

      I remember way back as Phoenix transitioned to Firefox and there was a lot of input (not that it generally got listened to) about what people would like that browser to be... even then decisions would be made that made everybody scratch their heads. The response from the Mozillians was generally along the lines that people were too stupid to figure out how to use a browser, so Mozilla had to save them from themselves.

      It was a truly fantastic example of the Dunning-Kruger effect at work.

    14. Re:Will have to be done carefully by Anonymous Coward · · Score: 0

      On the bright side, users will learn quickly when Superfish style shenanigans are going on.

      Like hell. MOZILLA_PKIX_ERROR_MITM_DETECTED? What a joke. Completely useless.

      -Hey Bob, something's wrong wit mah innernet.

      -What happened Jim?

      -I went to the google and it told me pixy error, Mitt Romney detected.

      -Mitt Romney? What's he doin up in yer See-Pee-You?

      -Dunno. Whadda I do? I can't look at nekkid ladies no more.

      -Hang on Bob - what's this? Fire-fox. What in the hell's a fire fox?

      -Is that like a snow leopard or sumpin?

      -I dunno. You 'member my cousin Arlene down at the bank? She says the blue 'e' means innernet. When you want innernet just click the blue e.

      -Hey it works! My nekkid ladies is back! Thanks Bob!

    15. Re:Will have to be done carefully by Anonymous Coward · · Score: 1

      This.

      They should be required to inform employees that they're intercepting SSL connections. Companies should have every right to do it, of course, but employees should know that the IT department is looking when they check their bank account.

      And every time some development tool I'm trying to use pukes because it won't accept the company self-signed-cert, I should be allowed to walk over to the IT department and kick some maggot admin in his balls. Hard.

    16. Re: Will have to be done carefully by buchanmilne · · Score: 2

      "Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigan"

      But, if the 3rd-party browser makes it impossible for users (who have no problem with the company implementing the protections to its assets as outlined in policies the users accepted as conditions of employment) to do their job using that browser, said browser may just find themselves losing a large chunk of their diminishing market share.

      To be clear, I have no problem with the following:
      - an indication in the address bar that the connection is/may be MitM'd
      - a warning that I can dismiss to the same effect
      - an error page, as long as there is an easy way to make it go away for the next year or lifetime of the internal CA cert used to sign imposter certs

      However, if every site gives an error message I need to click through, or if any of these errors can't be clicked through, I will finally be forced to drop firefox for work.

      It is bad enough that Firefox makes it so onerous to get into management interfaces on new installations of e.g. server management interfaces to do the minimal configuration to get them to enroll for real certs, but I have tolerated it.

      I won't be able to tolerate it for every external site I visit from work on the work network with their computer.

      Is Mozilla intentionally trying to get rid of all users who use Firefox at work?

    17. Re:Will have to be done carefully by Anonymous Coward · · Score: 0

      Where I live, corporations can have video surveillance, inspect employer email and so on. But they have to be open about it. Video surveillance is illegal without signs telling about it. The employer can't open someone's email unless they have warned that they do so. And so on. Snoop & catch someone without warning, and it is lawsuit time - where the employee wins.

    18. Re: Will have to be done carefully by zlives · · Score: 1

      Firefox mgmt issues were a reason we didn't deploy FF for corporate users and instead went with Groan. I still do use it, but this "feature" would kill it for me as well.

    19. Re:Will have to be done carefully by zlives · · Score: 1

      at least that still works better than edge

    20. Re:Will have to be done carefully by zlives · · Score: 1

      good to know

    21. Re:Will have to be done carefully by newbie_fantod · · Score: 1

      I am thinking this is going to cause more pain than pleasure...

      "Was she told when she was young that pain would lead to pleasure?"

    22. Re:Will have to be done carefully by Anonymous Coward · · Score: 0

      Speak for yourself pain lover, not all of us are Masochists.

    23. Re: Will have to be done carefully by Londovir · · Score: 1

      Please aim your kick carefully. I work in web applications development (full stack) for a public school district that switched to Fortinet across the district. The day it did my NPM and Node work went straight to hell. The networking/WAN group did it so the district could peep into the traffic to look for students doing things like death threats, bullying, etc. I'm just as screwed as ever. The kicker is they are okay with me switching my NPM server to insecure HTTP, when I don't want to. Ugh.

      --
      Londovir
    24. Re:Will have to be done carefully by Ol+Olsoc · · Score: 1

      Nope. They will simply ban the use of Firefox and force their employees to use Edge.

      You have to admit, Edge has the edge in MitM results.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    25. Re:Will have to be done carefully by Anonymous Coward · · Score: 0

      Yes, but there is no support for an "Extension Whitelist", making it kinda useless for enterprise. Yes, I know there is a way to blacklist ALL extensions, but if you still want to give your users a way to install approved extensions, then Firefox does not provide a path for this.

    26. Re:Will have to be done carefully by Anonymous Coward · · Score: 0

      Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

      On the bright side, users will learn quickly when Superfish style shenanigans are going on.

      Overall, I like the idea. In practice, I am thinking this is going to cause more pain than pleasure....

      Mozilla will be careful to code the software in such a way that it does not reveal that Mozilla software conducts MitM attacks / intercepts

  2. TLSA/DANE by QuietLagoon · · Score: 2

    Would also be nice if Firefox would check/verify TLSA/DANE if a domain/site uses it. There was a plug-in (DNSSEC/TLSA Validator) that performed this task, but the developers gave up on Firefox back when the API changed.

    1. Re:TLSA/DANE by Anonymous Coward · · Score: 0

      Would also be nice if Firefox would check/verify TLSA/DANE if a domain/site uses it. There was a plug-in (DNSSEC/TLSA Validator) that performed this task, but the developers gave up on Firefox back when the API changed.

      Unless you have split-horizon DNS and you cannot directly get to the Internet except through a proxy.

  3. Okay, I'll bite by XanC · · Score: 1

    The linked article has no technical details.

    How does the browser know when the certificate isn't the "right" one? Presumably, the false certificate's root is installed as valid on the system. Will this warning come up any time a page is viewed that relies on a non-bundled root certificate?

    1. Re:Okay, I'll bite by Anonymous Coward · · Score: 3, Informative

      Because it contacts a third party server which also looks at the website's certificate. If the certificate that your browser is presented with has a different fingerprint than the one their server sees, an error is flagged.

      See also the CheckMyHTTPS add-on for Chrome and Firefox

    2. Re:Okay, I'll bite by Anonymous Coward · · Score: 2, Insightful

      In other words, Firefox will send a list of all sites you're visiting to a third party server under the pretext of "security". Riiiiiight.

    3. Re:Okay, I'll bite by Anonymous Coward · · Score: 0

      Ugh, so it's creating additional traffic and potentially leaking information to a third party (even Mozilla-central) about your browsing? Why doesn't that sound very winny?

    4. Re:Okay, I'll bite by Anonymous Coward · · Score: 0

      And of course anyone intercepting your traffic would just intercept this check.

    5. Re:Okay, I'll bite by Anonymous Coward · · Score: 1

      Well, if Firefox has a reasonably secure encryption system, then that isn't trivial. Presumably, the folks at Mozilla have thought of that, and aren't using the computer's root certificate store to trust this connection.

    6. Re:Okay, I'll bite by XanC · · Score: 1

      Does that mean all SSL connections have to wait for this other new connection to succeed?

      If that other service is out, do all SSL connections fail? Or is defeating this new "feature" as simple as blocking those connections?

    7. Re:Okay, I'll bite by BKDotCom · · Score: 1

      It's right in the summary! :
      "The way this feature works is to show a visual error page"

    8. Re: Okay, I'll bite by buchanmilne · · Score: 1

      Or just block it ...

    9. Re:Okay, I'll bite by zekica · · Score: 1

      From the actual bug report and commit in HG: it appears that this is only a new error page that appears instead of SEC_ERROR_UNKNOWN_ISSUER when Mozilla's update service detects a non-built-in cert.

      So: this error will only appear if the current version displays unknown issuer error, and mozilla's update service detects that it has a MitM proxy.

    10. Re:Okay, I'll bite by zekica · · Score: 1

      It won't: see my comment.

    11. Re:Okay, I'll bite by Dagger2 · · Score: 2

      That does not appear to be how it works. From reading the patch: if it fails to connect to the Firefox update service then it records the issuer of the cert that the update service presented. Then, if a future TLS connection fails with an unrecognized issuer and the unrecognized issuer matches the issuer that was recorded from the update service, then it displays the MITM error instead of the unrecognized issuer error.

      (The code is here and here.)

      The check piggy-backs on one of Firefox's existing phone home mechanisms, and it doesn't involve reporting every cert you see to some third party.

    12. Re:Okay, I'll bite by Anonymous Coward · · Score: 0

      So the only thing a MitM has to do to make this detection fail is to let the connection to Mozilla's update server pass untouched?
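The canary heuristic Dagger2 describes two comments up, and the pass-through bypass this comment asks about, as an added simulation in Python. It is not Mozilla's code and not from this thread: `Cert`, `MitmDetector`, the root and CA names and the `update.example` / `bank.example` hosts are all constructed stand-ins, and the chain walk checks names only, not signatures.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate; only the names matter for this heuristic."""
    subject: str
    issuer: str


OK = "OK"
SEC_ERROR_UNKNOWN_ISSUER = "SEC_ERROR_UNKNOWN_ISSUER"
MOZILLA_PKIX_ERROR_MITM_DETECTED = "MOZILLA_PKIX_ERROR_MITM_DETECTED"

# Constructed built-in root store (a hypothetical name, not Mozilla's root list).
BUILTIN_ROOTS = frozenset({"Sample Public Root CA"})


def untrusted_issuer(chain: Sequence[Cert], roots) -> Optional[str]:
    """Walk a leaf-first chain. Return None when some certificate is issued by a
    trusted root, otherwise the issuer name at which the chain left the trusted set
    (for an interception proxy that is normally the proxy's own CA)."""
    if not chain:
        raise ValueError("empty chain")
    for i, cert in enumerate(chain):
        if cert.issuer in roots:
            return None
        if i + 1 == len(chain) or chain[i + 1].subject != cert.issuer:
            return cert.issuer
    raise AssertionError("unreachable: loop always returns on the last cert")


class MitmDetector:
    """Models the Firefox 66 behaviour as described in the thread: an unknown issuer
    seen on the update-service connection is remembered as a canary, and later
    unknown-issuer failures with the same issuer get the MITM error page instead."""

    def __init__(self, roots):
        self.roots = frozenset(roots)
        self.recorded_issuer: Optional[str] = None  # the canary; nothing recorded yet

    def observe_update_service(self, chain: Sequence[Cert]) -> Optional[str]:
        """Called for the update-service connection. Only a chain that fails
        validation leaves a mark; a clean connection records nothing."""
        issuer = untrusted_issuer(chain, self.roots)
        if issuer is not None:
            self.recorded_issuer = issuer
        return issuer

    def classify(self, chain: Sequence[Cert]) -> str:
        """Outcome of an ordinary TLS connection with the given chain."""
        issuer = untrusted_issuer(chain, self.roots)
        if issuer is None:
            return OK
        if self.recorded_issuer is not None and issuer == self.recorded_issuer:
            return MOZILLA_PKIX_ERROR_MITM_DETECTED
        return SEC_ERROR_UNKNOWN_ISSUER


def run_scenarios() -> dict:
    """Constructed scenarios from the discussion; returns the error each case ends in."""
    proxy_ca = "Corp TLS Inspection CA"  # constructed name for the interception CA
    update_direct = [Cert("update.example", "Sample Public Root CA")]
    bank_direct = [Cert("bank.example", "Sample Public Root CA")]
    update_via_proxy = [Cert("update.example", proxy_ca), Cert(proxy_ca, proxy_ca)]
    bank_via_proxy = [Cert("bank.example", proxy_ca), Cert(proxy_ca, proxy_ca)]
    results = {}

    # 1. No interception: nothing is recorded and the bank chain validates.
    d = MitmDetector(BUILTIN_ROOTS)
    d.observe_update_service(update_direct)
    results["clean"] = d.classify(bank_direct)

    # 2. Proxy re-signs everything and its CA is not trusted: the canary matches.
    d = MitmDetector(BUILTIN_ROOTS)
    d.observe_update_service(update_via_proxy)
    results["untrusted_proxy"] = d.classify(bank_via_proxy)

    # 3. Same proxy, but its CA was imported into the trust store (enterprise
    #    roots, manual import): no error of any kind, as zekica and Dagger2 note.
    d = MitmDetector(BUILTIN_ROOTS | {proxy_ca})
    d.observe_update_service(update_via_proxy)
    results["trusted_proxy"] = d.classify(bank_via_proxy)

    # 4. Proxy leaves the update service untouched: no canary is recorded, so the
    #    bank connection only ever gets the generic unknown-issuer page.
    d = MitmDetector(BUILTIN_ROOTS)
    d.observe_update_service(update_direct)
    results["update_exempted"] = d.classify(bank_via_proxy)
    return results
```

Scenario 4 is the answer to the question above: exempting the update service does defeat the new page, but the connection still fails with `SEC_ERROR_UNKNOWN_ISSUER`, so the feature only changes which error is shown, never whether one is shown.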

  4. ISPs? by reanjr · · Score: 1

    How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?

    1. Re:ISPs? by TechyImmigrant · · Score: 3, Informative

      How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?

      It's not MITM. That's why TFA is so confusing. The attack involves changes to your trust list.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:ISPs? by JThundley · · Score: 1

      Most of the time it is MITM, by method of adding a new cert to your trust list. I know because my company does this and I have to add these certs to Firefox since it doesn't use the Windows cert store. Without the cert, they can't MITM your traffic and you just can't access any websites through firefox until the MITM cert is trusted.

    3. Re:ISPs? by SuricouRaven · · Score: 1

      By adding their own certificate to the trusted root signers list on your device. ISPs seldom try this sort of thing because it requires modifying configuration for all user devices, but it's very common in the business and education network areas, where the IT administrators can do that quite easily. It's the only way to properly monitor and filter internet access, which is a requirement in all schools and most offices: If IT could not monitor and filter their users, they wouldn't be able to provide internet access at all.

    4. Re:ISPs? by TechyImmigrant · · Score: 1

      That's why it isn't MITM. An essential part of it takes place at one end using privilege not available to a MITM.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:ISPs? by Anonymous Coward · · Score: 0

      By adding their own certificate to the trusted root signers list on your device. ISPs seldom try this sort of thing because it requires modifying configuration for all user devices, but it's very common in the business and education network areas, where the IT administrators can do that quite easily. It's the only way to properly monitor and filter internet access, which is a requirement in all schools and most offices: If IT could not monitor and filter their users, they wouldn't be able to provide internet access at all.

      If I am using company-owned equipment on company-paid time, as an employee, then yes that's quite reasonable. Otherwise? Especially if I am a student of an educational institution using my own equipment?

      The first thing I do is connect to my VPN (which has a "stealth mode" indistinguishable from an SSL session*) so after that, fuck 'em.

      *They can MITM that all they like, SSL is just the first layer. All they would get is encrypted traffic from another layer of encryption (AES-256-GCM or AES-256-CBC with a SHA512 HMAC and perfect forward secrecy). Unless they have some cryptanalysis capabilities that would strongly interest the NSA, what they see would be indistinguishable from random data.

    6. Re:ISPs? by JThundley · · Score: 1

      It is a MITM in this case, a corporate-sponsored and condoned one. It's not the ISP doing it, but it's still the textbook definition of a MITM attack. A third party between the user and their requested destination that is decrypting and obtaining their network traffic.

    7. Re:ISPs? by Anonymous Coward · · Score: 0

      You've obviously never worked with layer-7 firewalls or done much monitoring with wireshark, as this sort of thing is trivial to block.

      Outside of a catchall "block random gibberish" rule (because legitimate traffic is not random and includes headers), encrypted traffic usually does not prevent somebody from being able to tell that there is encrypted traffic, it just blocks access to the data.

    8. Re:ISPs? by Anonymous Coward · · Score: 0

      How does an ISP inject certs?

      SSL/TLS protects the contents of the communications. The destination is not secret. To use an analogy, imagine that you are walking across the living room at a party to speak with your old friend Bob, but then Alice suddenly jumps in between you and Bob and says, "Hello Bob this is Charlie, long time no see" and Bob responds, "Hey there Charlie how has it been?" and immediately after that Alice turns to you and says "Hey there Charlie how has it been?". Do you see what happened here? Bob doesn't know who you are so he believes Alice when she tells him that she's Charlie (you) and because you trust Alice you accept it when she tells you that she's Bob. Alice is relaying Bob to Alice to Charlie and Charlie to Alice to Bob, aka the "man in the middle"

      The whole point of SSL/TLS is to stop that.

      It's technical and that's the way that companies and the vendors that sell these eavesdropping packages like it. They benefit from user ignorance and "rules of thumb". Most users see the "lock" icon in the browser, assume it's secure and don't bother to examine the certificate to see who actually issued it. If your corporate workstation has been configured to trust the signing certificate of the corporate interception appliance (aka Alice) then your workstation implicitly trusts the certificates issued by that appliance as part of jumping in front of all your HTTPS connections to man-in-the-middle them. Of course, they cannot hide the fact that certificate in the HTTPS session will tell you what's going on, but as long as the certificate is trusted by your workstation and browser it won't trigger the warning dialog. Of course, some technically savvy users might still notice that the HTTPS connection to TheirBank is not really issued by TheirEmployer and spot what's happening, but most of them will not. That's why it's unethical for companies to not at least warn employees that secure traffic is being intercepted for inspection before heading on to its final destination. The connections between Bob and Alice and Alice and Charlie are both encrypted against outside parties, but Alice sees the whole session in the clear.

      Is this some new attack vector?

      No, it's not a flaw in SSL/TLS or HTTPS. The flaw is that when you don't own and control the hardware you're using then somebody else, your employer for instance, can set things up to enable automatic interception of HTTPS and man-in-the-middle such that it's difficult for users who aren't tech savvy to spot. The reason that we have trusted root CA certificates is to prevent this kind of interception on the public Internet where attackers cannot force your system to trust a certificate signed by them because they don't generally have access to your hardware to control which CAs you trust and which you do not. You trust the certificate when VeriSign say that it's YourBank but not when the certificate for YourBank has been signed by YourISP. That's when your browser throws up the scary red window to warn you that somebody is trying to impersonate YourBank to you. Since corporations control their end of the connection completely, they can subvert that power to break the chain of public trust and insert themselves as a trusted link in that chain. Your ISP cannot do that because generally speaking your personal devices are not directly under the control of their admins.

    9. Re:ISPs? by Anonymous Coward · · Score: 0

      It is a MITM in this case, a corporate-sponsored and condoned one. It's not the ISP doing it, but it's still the textbook definition of a MITM attack. A third party between the user and their requested destination that is decrypting and obtaining their network traffic.

      Precisely. TechyImmigrant is hardly the first user to be confused by these sorts of setups. Companies and IT departments benefit from this confusion and see no reason to explain how the sleight of hand works. They benefit from user ignorance that such a setup is even possible and the corporate workstation browsers don't scare them with security warnings. Meanwhile, they can view all HTTPS traffic entering and leaving their network as clear text. Problem solved from the IT admin point of view with most users none the wiser.

    10. Re:ISPs? by TechyImmigrant · · Score: 1

      I'm not at all confused. I understand PKI just fine, my day job is crypto system design and I understand how this particular sleight of hand works down to the packet level.

      A MITM attack is performed between the end points. This particular attack cannot work solely between the end points. An essential element is a modified trust list at one end point. There's a MITM component, but it's not sufficient on its own.

      I've done my share of ranting about X.509, PKI and all that goes along with it. This is one of the things that has been broken for a long time. While it's common in corporate deployments, it's still shady as heck because the MITM component is signing everything it sees, without question. What happens when the trust list in the router gets out of date and still carries some discredited CA's cert in its trust list? It compromises the security of everyone on the network. Trust is not transitive, but these systems treat it like it is.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    11. Re:ISPs? by Anonymous Coward · · Score: 0

      I'm not at all confused. I understand PKI just fine, my day job is crypto system design and I understand how this particular sleight of hand works down to the packet level.

      Then you must understand that it's MITM. Why did you say that it wasn't? MITM refers to the mechanics of the attack, not the motivation behind it or who's responsible for setting it up or their reasons for doing so.

      While it's common in corporate deployments, it's still shady as heck because the MITM component is signing everything it sees, without question.

      We never argued that doing this isn't problematic, especially if it's not disclosed to the users. However, it's not guaranteed that the MITM component necessarily signs everything it sees. It depends upon the implementation. Effectively, the MITM is taking upon itself the sole responsibility for all certificate operations between the internal network and all external networks. That may be risky, but it's not necessarily true the MITM components simply re-issue and sign every cert they come across in the wild.

      What happens when the trust list in the router gets out of date and still carries some discredited CA's cert in its trust list? It compromises the security of everyone on the network. Trust is not transitive, but these systems treat it like it is.

      It's obvious that any MITM component takes upon itself the responsibility for managing all details of certificate handling. Any problems that result from that are the fault of management and the admins, not the users. I think that the use of these tools ought to be disclosed to users, for ethical reasons, so that they can make their own informed decisions about personal browsing or accounts, but I don't have a problem with these tools in the context of an employment relationship, especially when the network and the computing devices are owned by the employer and provided to the employee so that they can do their job.

    12. Re:ISPs? by TechyImmigrant · · Score: 1

      >Then you must understand that it's MITM.
      It's really not complicated - there's a MITM component, but it DOES NOT WORK if it is solely MITM. There's an endpoint component too, so it's not just a man-in-the-middle MITM.

      It's like saying: (You) "Here's my red car." (Onlooker) "But the front half is yellow." (You) "It's still just red." (Onlooker) "No it isn't, it's red and yellow, it's not just red."

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. it better warn me by Anonymous Coward · · Score: 0

    if that "man" happens to be a 400 pound IT janitor, there isn't enough food in my fridge for both of us!

  6. Warn me about russian spying by Anonymous Coward · · Score: 0

    Screw MITM attacks by my employer. I want to know when Trump is colluding with Russians, or if it is easier, just tell me when he is NOT colluding with them.

    Hillary 2020 is going to own his shit this time. Fucking Cheeto.

    1. Re:Warn me about russian spying by Anonymous Coward · · Score: 0

      It's not her turn. She won the fucking election you stupid twat. By several million votes. It's not royal succession when someone WINS A FUCKING ELECTION.

    2. Re:Warn me about russian spying by Anonymous Coward · · Score: 0

      What alternate universe do you live in? Oh, one without the Electoral College.

  7. So, Basically by mysidia · · Score: 1

    They're adding a feature to prevent a "Trusted Man-in-the-Middle" being setup by an application, or by your company.

    I wish they would think about this a little more carefully.... This is likely to lead to Firefox being put back on many companies' "Banned Browser List"

    1. Re:So, Basically by drinkypoo · · Score: 1

      Prevent? No. Make more complicated? Yes. You will probably have to install certs manually. But if you don't have a way to deliver files to your clients, and run commands on them, then you aren't in charge of those machines anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:So, Basically by Dagger2 · · Score: 1

      It doesn't even do that much. The only thing this feature does is, if an MITM is detected, to change the text on the "unrecognized issuer" error page. You won't see the MITM detected error except in situations where you would otherwise be getting an unrecognized issuer error. You're just getting a slightly nicer error message.

      'Trusted' MITM already requires you to install the MITM cert manually to avoid getting unrecognized issuer errors on every page load.

  8. Pain in the ass by Anonymous Coward · · Score: 0

    https://support.mozilla.org/en-US/kb/error-codes-secure-websites?redirectlocale=en-US&redirectslug=troubleshoot-SEC_ERROR_UNKNOWN_ISSUER#w_kaspersky

    The most common causes are security software scanning encrypted connections or malware listening in, replacing legitimate website certificates with their own. In particular, this is indicated by the error code "MOZILLA_PKIX_ERROR_MITM_DETECTED" if Firefox is able to detect that the connection is intercepted.

    Third-party antivirus software can interfere with Firefox's secure connections. We recommend uninstalling your third-party software and using the security software offered for Windows by Microsoft:

    I guess it didn't occur to the Firefox developers that one reason that users install 3rd party antivirus software is to check for, you know, MITM attacks on their https connections. So basically, now you have the browser's MITM attack detection of the anti-virus's MITM attack detection, which causes the annoying error message about a MITM attack to pop up. And Mozilla's solution to this annoyance? Get rid of your favorite antivirus product and just go with Microsoft's offerings. Yeah, no.

    1. Re:Pain in the ass by TexasDex · · Score: 3, Interesting

      They've already been on the record that third-party antivirus can be harmful to security: https://www.zdnet.com/article/... They're not wrong, I've seen some things from McAfee and Symantec that are downright shady.

      --
      The Cheese Stands Alone.
  9. CISA to the Rescue by Anonymous Coward · · Score: 0

    Have no fear, the Cybersecurity and Infrastructure Security Agency is here!
    Using our amazing powers of bureaucratic ineptitude, we will distract everyone and suck more taxpayer money while performing "cybersecurity" theater, going on junkets to expensive places such as Rome, London, and Zurich, and constantly reorganizing.

  10. But I don't trust Mozilla to pick CAs! by Anonymous Coward · · Score: 1

    The main problem with the entire X.509 system that I have, is that it just assumes everyone at the organization that makes your browser and where you get it from, is trustworthy.

    What good is a certificate from an "authority" that I have never met in person, let alone got to know enough to decide if they are trustworthy?
    What good is an "authority" just shoved down my throat by a browser maker that I have never met in person, let alone got to know enough to decide if the people there are trustworthy? (Or the devices that they use.)
    What good is even a perfectly trustworthy browser maker who picks perfectly trustworthy CAs, if I download it over the outdated browser of my OS that I installed from a medium that was made with an outdated OS or on another computer, and so on, that all were never checked for trustworthiness?

    Especially in a world of firmware with backdoors and crazy shit like dopant-level hardware trojans that you can't even detect with a microscope!

    I have my own CA, and then the system makes sense, but what it's built on still makes it as pointless as WhatsApp's encryption between closed-source Facebook code (the client) and Facebook servers.

    Am I supposed to just turn my brain off and assume that in that entire chain, there was not even a single dickhead with a big budget, who just wanted to spy on ALL the things? I've read the Snowden leaks and know about Five Eyes, China, Russia and Israel's efforts. Hell, I can do half that shit myself in my spare time!

    We're bickering about utterly superficial pointless things. Who watches the watchmen? WE DO. In the very end, it is always oneself. And even that implies that we're competent in that in the first place.

    ERROR 9001: EXISTENTIAL CRISIS. CONNECTION TERMINATED.

  11. Meaningful Error Message by Anonymous Coward · · Score: 0

    I have to take issue with the whole, "MOZILLA_PKIX_ERROR_MITM_DETECTED".

    I mean, it's far from the worst error message I've ever seen, not that such a low bar should be the standard. It just seems like it's lacking. Majorly.

    Does it seem to anyone else like this doesn't really call attention to the security nature of this problem? If I was an ordinary user, this looks exactly like something I don't want to see. It looks like any bog-standard buffer overflow message, like any divide by zero message, like any memory access error message.

    Does the ordinary user know what Mozilla is? OK, that's not too hard. Do they know what a MITM is? Probably not. Hell, even I don't know what PKIX is! And it's in all caps and the spaces have been replaced by underscores.

    So my concern is, the average user sees this as yet more technobabble. How do they respond to technobabble? Try to click on OK and keep doing exactly what they were doing before the error. Which is the opposite of what we want them to be doing.

  12. Don't care by smooth+wombat · · Score: 1

    All I want to know is how to get rid of the three extraneous bars which appear below the address bar when I start typing an address. First started in version shitty 65 (it was forced on me at work) and the documentation for it doesn't say what these bars are for.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re: Don't care by gnc20 · · Score: 1

      They'll have to find a different way to keep track of where their employees are going. In practice, I am thinking this is going to cause more pain than pleasure. https://xender.pro/ https://discord.software/ https://omegle.onl/

  13. Look at that Interface - Evil Patterns EVERYWHERE. by Anonymous Coward · · Score: 0

    Look at that Interface - Evil Patterns EVERYWHERE.

  14. Clear and concise by Anonymous Coward · · Score: 0

    [sarcasm] Well, at least they will use a clear warning message that the average joe would understand. [/sarcasm] PKIX 2ur MITM MKAY

  15. Last week on /., by memnock · · Score: 1

    there was a post about a M$ manager who was badmouthing Mozilla.

    Mozilla/Firefox makes a product that I truly believe puts the user's interests first. This particular goal is an example of the philosophy. As long as Firefox does stuff like this, I don't care if it is 0.1% of the browser market, I will use it. F M$ and google and their browsers. I intentionally use those companies' other services and products as little as possible and will continue to do so for as long as I can.

    1. Re:Last week on /., by Anonymous Coward · · Score: 0

      This feature sends the URL of every page you visit to a 3rd party so that party can download the URL's cert and see if it matches the one you received. That isn't putting users first. It is finding another way to data mine everything you do.

  16. The average user response ... by fahrbot-bot · · Score: 1

    ... to a warning about a "Man in the Middle" issue will be to tell their son to stop standing in front of the WiFi. (sigh)

    --
    It must have been something you assimilated. . . .
  17. As Corporate IT... by Anonymous Coward · · Score: 0

    As corporate IT I can tell you it's not about knowing where you go. We have easier ways to find that out. It's about protecting our employees and corporate information. We use MitM SSL inspection to pump data to our intrusion detection system to block viruses and malware in transit. It is VERY effective; desktop malware incidents were reduced 85% the day we started. It is also used to detect tunneling ransomware and fraudulent reverse-proxied sites. Turn it 180 and we use it on our web servers to detect hacking inside SSL to protect those services also. We also use it for detecting SS#, account#, customer info, and company "secrets" being uploaded, usually unintentionally.

    As long as the message was clear and accurate I would not have a problem, but if it is a great big "YOU ARE NOT SAFE" nag screen we will probably drop Firefox internally and drop FF as a supported browser for our client-facing web services, because users will actually be LESS safe if we are not inspecting SSL for threats for them.

  18. Yes answer is TLSA/DANE by johnjones · · Score: 1

    YES exactly TLSA/DANE is the answer here but sadly apart from national Security agencies...

    if only mozilla actually built a browser around security...

    TLSA/DANE effectively declares the TLS/SSL cert you should expect so you can use it even through a proxy

    1. Re:Yes answer is TLSA/DANE by QuietLagoon · · Score: 1
      > if only mozilla actually built a browser around security...

      That's my hope as well. Mozilla talks up security, but does not implement one available security aspect (TLSA/DANE).
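The two mechanisms argued about above (Dagger2's point that a "trusted" MITM only verifies once its root is installed, and johnjones' point that a TLSA/DANE record declares the certificate you should expect and so still flags an interception even through a proxy) can be shown side by side in a short, offline Go program. This is an added example, not code from Mozilla, Firefox or any commenter, and it only uses Go's standard library. The host name example.com, the CA names, and the names of the functions are assumptions chosen for the illustration; the program mints a "public" root and an "inspection" root itself rather than touching any real trust store, so nothing here reflects the actual contents of Mozilla's or Windows' root program. Go's x509.UnknownAuthorityError plays the role of Firefox's SEC_ERROR_UNKNOWN_ISSUER; how Firefox then decides to show MOZILLA_PKIX_ERROR_MITM_DETECTED instead is not modelled. The TLSA part computes only the DANE-EE "3 1 1" association data (SHA-256 over the SubjectPublicKeyInfo); a real deployment would fetch that record over DNSSEC-validated DNS, which this example does not do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple unique serial counter for the certificates minted here

// mint issues a certificate. With parent == nil it is a self-signed CA; otherwise
// it is a server certificate for the host name `name` signed by parent.
func mint(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	} else { // end-entity certificate: modern verifiers match the SAN, not the CN
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify chains leaf to a root in pool for host, as a browser would.
// It returns false (and no error) on the "unknown issuer" case, an error otherwise.
func verify(leaf *x509.Certificate, pool *x509.CertPool, host string) (bool, error) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	if err == nil {
		return true, nil
	}
	if _, unknownIssuer := err.(x509.UnknownAuthorityError); unknownIssuer {
		return false, nil
	}
	return false, err
}

// tlsaDigest is the DANE-EE "3 1 1" association data: SHA-256 of the SubjectPublicKeyInfo.
func tlsaDigest(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Scenario records what each check concluded.
type Scenario struct {
	GenuineTrustedByPublicRoots bool // the real server cert chains to a shipped root
	ProxyTrustedByPublicRoots   bool // the interception cert does not: unknown issuer
	ProxyTrustedAfterInstall    bool // ...until the inspection root is installed
	GenuineMatchesTLSA          bool // the DANE pin matches the real server key
	ProxyMatchesTLSA            bool // the DANE pin does not match the proxy's key
}

// RunScenario mints the certificates and runs both checks against a hypothetical host.
func RunScenario() (Scenario, error) {
	const host = "example.com" // assumption: any host name would do
	var s Scenario
	publicCA, publicKey, err := mint("Example Public Root CA", nil, nil) // stands in for a built-in root
	if err != nil {
		return s, err
	}
	mitmCA, mitmKey, err := mint("Example TLS Inspection Root", nil, nil) // stands in for an AV/proxy root
	if err != nil {
		return s, err
	}
	genuine, _, err := mint(host, publicCA, publicKey)
	if err != nil {
		return s, err
	}
	proxy, _, err := mint(host, mitmCA, mitmKey) // what an intercepting proxy hands the browser
	if err != nil {
		return s, err
	}
	publicRoots := x509.NewCertPool()
	publicRoots.AddCert(publicCA)
	if s.GenuineTrustedByPublicRoots, err = verify(genuine, publicRoots, host); err != nil {
		return s, err
	}
	if s.ProxyTrustedByPublicRoots, err = verify(proxy, publicRoots, host); err != nil {
		return s, err
	}
	withInspectionRoot := x509.NewCertPool() // the trust store after IT pushes the inspection root
	withInspectionRoot.AddCert(publicCA)
	withInspectionRoot.AddCert(mitmCA)
	if s.ProxyTrustedAfterInstall, err = verify(proxy, withInspectionRoot, host); err != nil {
		return s, err
	}
	pin := tlsaDigest(genuine) // what the site owner would publish in _443._tcp.example.com TLSA
	s.GenuineMatchesTLSA = tlsaDigest(genuine) == pin
	s.ProxyMatchesTLSA = tlsaDigest(proxy) == pin
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

Run it with `go run` and the output shows the asymmetry the thread is about: the proxy's certificate fails with an unknown issuer until its root is added to the pool, after which path validation is happy, while the DANE-EE pin keeps rejecting it regardless of which roots are trusted, because the pin is bound to the server's own key rather than to any CA.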