Slashdot Mirror


Firefox Will Soon Warn Users of Software That Performs MitM Attacks (zdnet.com)

The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user's HTTPS traffic. From a report: The new feature is expected to land in Firefox 66, Firefox's current beta version, scheduled for an official release in mid-March. The way this feature works is to show a visual error page when, according to a Mozilla help page, "something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox." An error message that reads "MOZILLA_PKIX_ERROR_MITM_DETECTED" will be shown whenever something like the above happens.

48 of 79 comments

  1. Will have to be done carefully by The-Ixian · · Score: 4, Insightful

    Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

    On the bright side, users will learn quickly when Superfish style shenanigans are going on.

    Overall, I like the idea. In practice, I am thinking this is going to cause more pain than pleasure....

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Will have to be done carefully by Anonymous Coward · · Score: 1

      Yes, you're right. Even common consumer AV performs SSL inspection by default (e.g. Kaspersky); this will surely give some headaches even to home end users... But it's definitely a useful feature.

    2. Re:Will have to be done carefully by Ol+Olsoc · · Score: 3, Insightful

      Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

      Hehe, you aren't kidding. They'll have to find a different way to keep track of where their employees are going.

      In practice, I am thinking this is going to cause more pain than pleasure....

      Pain can be a way of alerting you to problems.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Will have to be done carefully by rtowne72 · · Score: 1

      In the few Fortune 50 Companies I have worked with, no Firefox. They stick with IE, for only God knows why.

    4. Re:Will have to be done carefully by The-Ixian · · Score: 2

      In the few Fortune 50 Companies I have worked with, no Firefox. They stick with IE, for only God knows why.

      Two words: Group Policy

      Chrome also has GP support for their Enterprise version of Chrome.

      Last I checked (which was a while ago) there were only 3rd-party GP templates for Firefox.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Will have to be done carefully by The-Ixian · · Score: 1

      You are not wrong. But there does have to be a balance. Corporations have every reasonable right to police the content that flows over their wires.

      --
      My eyes reflect the stars and a smile lights up my face.
    6. Re:Will have to be done carefully by gibbsjoh · · Score: 1

      Edge! I should be so lucky where I work... still on IE11!

      --
      -- "...I'm a bad guy because I, well, I sing some rock-and-roll songs." M. Manson
    7. Re:Will have to be done carefully by Anonymous Coward · · Score: 3, Insightful

      Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigans.

    8. Re:Will have to be done carefully by Anonymous Coward · · Score: 2, Informative

      Firefox added group policy support with the release of ESR version 60, including official templates.

      You can enable enterprise roots through this, which causes Firefox to read the Windows certificate store.

    9. Re:Will have to be done carefully by Anonymous Coward · · Score: 1

      This generally isn't used to track where they're going, but rather what they are downloading (or uploading) once they get there. You can track where people are going using SNI.

    10. Re:Will have to be done carefully by Anonymous Coward · · Score: 1

      This.

      They should be required to inform employees that they're intercepting SSL connections. Companies should have every right to do it, of course, but employees should know that the IT department is looking when they check their bank account.

      And every time some development tool I'm trying to use pukes because it won't accept the company self-signed-cert, I should be allowed to walk over to the IT department and kick some maggot admin in his balls. Hard.

    11. Re: Will have to be done carefully by buchanmilne · · Score: 2

      "Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigan"

      But, if the 3rd-party browser makes it impossible for users (who have no problem with the company implementing the protections to its assets as outlined in policies the users accepted as conditions of employment) to do their job using that browser, said browser may just find themselves losing a large chunk of their diminishing market share.

      To be clear, I have no problem with the following:
      - an indication in the address bar that the connection is/may be MitM'd
      - a warning that I can dismiss to the same effect
      - an error page, as long as there is an easy way to make it go away for the next year or lifetime of the internal CA cert used to sign imposter certs

      However, if every site gives an error message I need to click through, or if any of these errors can't be clicked through, I will finally be forced to drop firefox for work.

      It is bad enough that Firefox makes it so onerous to get into management interfaces on new installations of e.g. server management interfaces to do the minimal configuration to get them to enroll for real certs, but I have tolerated it.

      I won't be able to tolerate it for every external site I visit from work on the work network with their computer.

      Is Mozilla intentionally trying to get rid of all users who use Firefox at work?

    12. Re: Will have to be done carefully by zlives · · Score: 1

      Firefox mgmt issues were a reason we didn't deploy FF for corporate users and instead went with Groan. I still do use it, but this "feature" would kill it for me as well.

    13. Re:Will have to be done carefully by zlives · · Score: 1

      at least that still works better than edge

    14. Re:Will have to be done carefully by zlives · · Score: 1

      good to know

    15. Re:Will have to be done carefully by newbie_fantod · · Score: 1

      I am thinking this is going to cause more pain than pleasure...

      "Was she told when she was young that pain would lead to pleasure?"

    16. Re: Will have to be done carefully by Londovir · · Score: 1

      Please aim your kick carefully. I work in web applications development (full stack) for a public school district that switched to Fortinet across the district. The day it did my NPM and Node work went straight to hell. The networking/WAN group did it so the district could peep into the traffic to look for students doing things like death threats, bullying, etc. I'm just as screwed as ever. The kicker is they are okay with me switching my NPM server to insecure HTTP, when I don't want to. Ugh.

      --
      Londovir
    17. Re:Will have to be done carefully by Ol+Olsoc · · Score: 1

      Nope. They will simply ban the use of Firefox and force their employees to use Edge.

      You have to admit, Edge has the edge in MitM results.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  2. TLSA/DANE by QuietLagoon · · Score: 2

    Would also be nice if Firefox would check/verify TLSA/DANE if a domain/site uses it. There was a plug-in (DNSSEC/TLSA Validator) that performed this task, but the developers gave up on Firefox back when the API changed.

  3. Okay, I'll bite by XanC · · Score: 1

    The linked article has no technical details.

    How does the browser know when the certificate isn't the "right" one? Presumably, the false certificate's root is installed as valid on the system. Will this warning come up any time a page is viewed that relies on a non-bundled root certificate?

    1. Re:Okay, I'll bite by Anonymous Coward · · Score: 3, Informative

      Because it contacts a third party server which also looks at the website's certificate. If the certificate that your browser is presented with has a different fingerprint than the one their server sees, an error is flagged.

      See also the CheckMyHTTPS add-on for Chrome and Firefox

    2. Re:Okay, I'll bite by Anonymous Coward · · Score: 2, Insightful

      In other words, Firefox will send a list of all sites you're visiting to a third party server under the pretext of "security". Riiiiiight.

    3. Re:Okay, I'll bite by Anonymous Coward · · Score: 1

      Well, if Firefox has a reasonably secure encryption system, then that isn't trivial. Presumably, the folks at Mozilla have thought of that, and aren't using the computer's root certificate store to trust this connection.

    4. Re:Okay, I'll bite by XanC · · Score: 1

      Does that mean all SSL connections have to wait for this other new connection to succeed?

      If that other service is out, do all SSL connections fail? Or is defeating this new "feature" as simple as blocking those connections?

    5. Re:Okay, I'll bite by BKDotCom · · Score: 1

      It's right in the summary! :
      "The way this feature works is to show a visual error page"

    6. Re: Okay, I'll bite by buchanmilne · · Score: 1

      Or just block it ...

    7. Re:Okay, I'll bite by zekica · · Score: 1

      From the actual bug report and commit in HG: it appears that this is only a new error page that appears instead of SEC_ERROR_UNKNOWN_ISSUER when Mozilla's update service detects a non-built-in cert.

      So: this error will only appear if the current version displays the unknown issuer error, and Mozilla's update service detects that it has a MitM proxy.

    8. Re:Okay, I'll bite by zekica · · Score: 1

      It won't: see my comment.

    9. Re:Okay, I'll bite by Dagger2 · · Score: 2

      That does not appear to be how it works. From reading the patch: if it fails to connect to the Firefox update service then it records the issuer of the cert that the update service presented. Then, if a future TLS connection fails with an unrecognized issuer and the unrecognized issuer matches the issuer that was recorded from the update service, then it displays the MITM error instead of the unrecognized issuer error.

      (The code is here and here.)

      The check piggy-backs on one of Firefox's existing phone home mechanisms, and it doesn't involve reporting every cert you see to some third party.
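      A small model of the heuristic as Dagger2 describes it, written as an added example for this thread rather than taken from the Firefox patch: the issuer seen on a *failed* handshake to the update service is remembered, and a later unknown-issuer failure with the same issuer gets the MITM error text instead. The update-service host name and the certificate names are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Optional

# Error codes as named in the thread.
SEC_ERROR_UNKNOWN_ISSUER = "SEC_ERROR_UNKNOWN_ISSUER"
MOZILLA_PKIX_ERROR_MITM_DETECTED = "MOZILLA_PKIX_ERROR_MITM_DETECTED"

# Hypothetical host name standing in for the Firefox update service.
UPDATE_SERVICE_HOST = "update-service.example"


@dataclass(frozen=True)
class TlsOutcome:
    """One TLS handshake as the browser sees it (constructed model)."""
    host: str
    chain_trusted: bool   # True if the chain verified against the trust store
    issuer: str           # issuer name on the presented end-entity certificate


class MitmHeuristic:
    """Detection logic from the thread: no third-party lookup, and no page
    load waits on any new connection; only an existing failure is relabelled."""

    def __init__(self) -> None:
        self.recorded_issuer: Optional[str] = None

    def on_update_check(self, outcome: TlsOutcome) -> None:
        # A failed handshake to the update service records the issuer it saw.
        if outcome.host == UPDATE_SERVICE_HOST and not outcome.chain_trusted:
            self.recorded_issuer = outcome.issuer

    def error_for(self, outcome: TlsOutcome) -> Optional[str]:
        # Trusted chains (including user-installed enterprise roots) never
        # trigger anything, which is why a properly deployed proxy is unaffected.
        if outcome.chain_trusted:
            return None
        if self.recorded_issuer is not None and outcome.issuer == self.recorded_issuer:
            return MOZILLA_PKIX_ERROR_MITM_DETECTED
        return SEC_ERROR_UNKNOWN_ISSUER


def simulate(proxy_issuer: str, proxy_root_installed: bool) -> dict:
    """Constructed scenario: every connection passes an intercepting proxy
    that re-signs certificates under `proxy_issuer`."""
    h = MitmHeuristic()
    h.on_update_check(TlsOutcome(UPDATE_SERVICE_HOST, proxy_root_installed, proxy_issuer))
    return {
        # External site re-signed by the proxy.
        "bank": h.error_for(TlsOutcome("bank.example", proxy_root_installed, proxy_issuer)),
        # Unrelated self-signed device: never mistaken for the proxy.
        "nas": h.error_for(TlsOutcome("nas.local", False, "nas.local self-signed")),
    }
```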

  4. ISPs? by reanjr · · Score: 1

    How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?

    1. Re:ISPs? by TechyImmigrant · · Score: 3, Informative

      How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?

      It's not MitM. That's why TFA is so confusing. The attack involves changes to your trust list.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:ISPs? by JThundley · · Score: 1

      Most of the time it is MITM, by method of adding a new cert to your trust list. I know because my company does this and I have to add these certs to Firefox since it doesn't use the Windows cert store. Without the cert, they can't MITM your traffic and you just can't access any websites through firefox until the MITM cert is trusted.

    3. Re:ISPs? by SuricouRaven · · Score: 1

      By adding their own certificate to the trusted root signers list on your device. ISPs seldom try this sort of thing because it requires modifying configuration for all user devices, but it's very common in the business and education network areas, where the IT administrators can do that quite easily. It's the only way to properly monitor and filter internet access, which is a requirement in all schools and most offices: If IT could not monitor and filter their users, they wouldn't be able to provide internet access at all.

    4. Re:ISPs? by TechyImmigrant · · Score: 1

      That's why it isn't MITM. An essential part of it takes place at one end using privilege not available to a MITM.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:ISPs? by JThundley · · Score: 1

      It is a MITM in this case, a corporate-sponsored and condoned one. It's not the ISP doing it, but it's still the textbook definition of a MITM attack. A third party between the user and their requested destination that is decrypting and obtaining their network traffic.

    6. Re:ISPs? by TechyImmigrant · · Score: 1

      I'm not at all confused. I understand PKI just fine; my day job is crypto system design and I understand how this particular sleight of hand works down to the packet level.

      A MITM attack is performed between the end points. This particular attack cannot work solely between the end points. An essential element is a modified trust list at one end point. There's a MITM component, but it's not sufficient on its own.

      I've done my share of ranting about X.509, PKI and all that goes along with it. This is one of the things that has been broken for a long time. While it's common in corporate deployments, it's still shady as heck because the MITM component is signing everything it sees, without question. What happens when the trust list in the router gets out of date and still carries some discredited CA's cert in its trust list? It compromises the security of everyone on the network. Trust is not transitive, but these systems treat it like it is.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    7. Re:ISPs? by TechyImmigrant · · Score: 1

      > Then you must understand that It's MITM.

      It's really not complicated - There's a MITM component, but it DOES NOT WORK if it is solely MITM. There's an endpoint component too - so it's not just a man-in-the-middle MITM.

      It's like saying - (You): "Here's my red car", (onlooker): "But the front half is yellow". (You): "It's still just red", (onlooker): "No it isn't, it's red and yellow, it's not just red".

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  5. So, Basically by mysidia · · Score: 1

    They're adding a feature to prevent a "Trusted Man-in-the-Middle" being set up by an application, or by your company.

    I wish they would think about this a little more carefully.... This is likely to lead to Firefox being put back on many companies' "Banned Browser List"

    1. Re:So, Basically by drinkypoo · · Score: 1

      Prevent? No. Make more complicated? Yes. You will probably have to install certs manually. But if you don't have a way to deliver files to your clients, and run commands on them, then you aren't in charge of those machines anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:So, Basically by Dagger2 · · Score: 1

      It doesn't even do that much. The only thing this feature does is, if an MITM is detected, to change the text on the "unrecognized issuer" error page. You won't see the MITM detected error except in situations where you would otherwise be getting an unrecognized issuer error. You're just getting a slightly nicer error message.

      'Trusted' MITM already requires you to install the MITM cert manually to avoid getting unrecognized issuer errors on every page load.

  6. But I don't trust Mozilla to pick CAs! by Anonymous Coward · · Score: 1

    The main problem I have with the entire X.509 system is that it just assumes everyone at the organization that makes your browser, and where you get it from, is trustworthy.

    What good is a certificate from an "authority" that I have never met in person, let alone got to know enough to decide if they are trustworthy?
    What good is an "authority" just shoved down my throat by a browser maker that I have never met in person, let alone got to know enough to decide if the people there are trustworthy? (Or the devices that they use.)
    What good is even a perfectly trustworthy browser maker who picks perfectly trustworthy CAs, if I download it over the outdated browser of my OS that I installed from a medium that was made with an outdated OS or on another computer, and so on, that all were never checked for trustworthiness?

    Especially in a world of firmware with backdoors and crazy shit like dopant-level hardware trojans that you can't even detect with a microscope!

    I have my own CA, and then the system makes sense, but what it's built on still makes it as pointless as WhatsApp's encryption between closed-source Facebook code (the client) and Facebook servers.

    Am I supposed to just turn my brain off and assume that in that entire chain, there was not even a single dickhead with a big budget, who just wanted to spy on ALL the things? I've read the Snowden leaks and know about Five Eyes, China, Russia and Israel's efforts. Hell, I can do half that shit myself in my spare time!

    We're bickering about utterly superficial pointless things. Who watches the watchmen? WE DO. In the very end, it is always oneself. And even that implies that we're competent in that in the first place.

    ERROR 9001: EXISTENTIAL CRISIS. CONNECTION TERMINATED.

  7. Don't care by smooth+wombat · · Score: 1

    All I want to know is how to get rid of the three extraneous bars which appear below the address bar when I start typing an address. First started in version shitty 65 (it was forced on me at work) and the documentation for it doesn't say what these bars are for.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  8. Re:Pain in the ass by TexasDex · · Score: 3, Interesting

    They've already been on the record that third-party antivirus can be harmful to security: https://www.zdnet.com/article/... They're not wrong, I've seen some things from McAfee and Symantec that are downright shady.

    --
    The Cheese Stands Alone.
  9. Last week on /., by memnock · · Score: 1

    there was a post about a M$ manager who was badmouthing Mozilla.

    Mozilla/Firefox makes a product that I truly believe puts the user's interests first. This particular goal is an example of the philosophy. As long as Firefox does stuff like this, I don't care if it is 0.1% of the browser market, I will use it. F M$ and Google and their browsers. I intentionally use those companies' other services and products as little as possible and will continue to do so for as long as I can.

  10. The average user response ... by fahrbot-bot · · Score: 1

    ... to a warning about a "Man in the Middle" issue will be to tell their son to stop standing in front of the WiFi. (sigh)

    --
    It must have been something you assimilated. . . .
  11. Yes answer is TLSA/DANE by johnjones · · Score: 1

    YES, exactly. TLSA/DANE is the answer here, but sadly apart from national security agencies...

    if only Mozilla actually built a browser around security...

    TLSA/DANE effectively declares the TLS/SSL cert you should expect, so you can use it even through a proxy
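    How a TLSA record pins the expected certificate, as an added example for this thread (not code from any browser or plug-in): parse the zone-file form `usage selector matching hexdata`, derive the association data per RFC 6698, and compare it against what the handshake presented. The DER byte strings below are constructed stand-ins, and a real client must also require the DNS answer to be DNSSEC-validated, since an unsigned record could be replaced just as easily as the certificate.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsaRecord:
    usage: int       # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int    # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo
    matching: int    # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the zone-file form 'usage selector matching hexdata'."""
    fields = presentation.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in range(2) or matching not in range(3):
        raise ValueError("unknown usage/selector/matching value")
    return TlsaRecord(usage, selector, matching, bytes.fromhex(fields[3]))


def association_data(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Bytes the record's data field is compared against (RFC 6698 section 2.1)."""
    chosen = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return chosen
    if rec.matching == 1:
        return hashlib.sha256(chosen).digest()
    return hashlib.sha512(chosen).digest()


def end_entity_matches(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Check the presented end-entity certificate against a usage-1 or usage-3
    record. Usages 0 and 2 constrain a CA in the chain and are not handled here;
    usage 1 additionally requires ordinary PKIX validation to have succeeded."""
    if rec.usage not in (1, 3):
        raise ValueError("only end-entity usages handled")
    # Constant-time compare so the check itself leaks nothing about the pin.
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


# Constructed stand-ins for DER bytes (real ones come from the handshake).
SERVER_CERT = b"constructed DER of the real server's certificate"
SERVER_SPKI = b"constructed DER of the real server's SubjectPublicKeyInfo"
PROXY_CERT = b"constructed DER of an intercepting proxy's substitute certificate"
PROXY_SPKI = b"constructed DER of the proxy's SubjectPublicKeyInfo"

# A DANE-EE record (3 1 1) the site would publish for its real SPKI.
SITE_RECORD = parse_tlsa("3 1 1 " + hashlib.sha256(SERVER_SPKI).hexdigest())
```

With the record pinned to the real key, the proxy's re-signed certificate fails the DANE check no matter which roots are installed locally; that is the "even through a proxy" property the comment refers to.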

    1. Re:Yes answer is TLSA/DANE by QuietLagoon · · Score: 1

      ... if only mozilla actually built a browser around security...

      That's my hope as well. Mozilla talks up security, but does not implement one available security aspect (TLSA/DANE).