Slashdot Mirror


Firefox Will Soon Warn Users of Software That Performs MitM Attacks (zdnet.com)

The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user's HTTPS traffic. From a report: The new feature is expected to land in Firefox 66, Firefox's current beta version, scheduled for an official release in mid-March. The way this feature works is to show a visual error page when, according to a Mozilla help page, "something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox." An error message that reads "MOZILLA_PKIX_ERROR_MITM_DETECTED" will be shown whenever something like the above happens.

12 of 79 comments

  1. Will have to be done carefully by The-Ixian · · Score: 4, Insightful

    Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

    On the bright side, users will learn quickly when Superfish style shenanigans are going on.

    Overall, I like the idea. In practice, I am thinking this is going to cause more pain than pleasure....

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Will have to be done carefully by Ol+Olsoc · · Score: 3, Insightful

      Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

      Hehe, you aren't kidding. They'll have to find a different way to keep track of where their employees are going.

      In practice, I am thinking this is going to cause more pain than pleasure....

      Pain can be a way of alerting you to problems.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Will have to be done carefully by The-Ixian · · Score: 2

      In the few Fortune 50 Companies I have worked with, no Firefox. They stick with IE, for only God knows why.

      Two words: Group Policy

      Chrome also has GP support for their Enterprise version of Chrome.

      Last I checked (which was a while ago) there were only 3rd-party GP templates for Firefox.

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Will have to be done carefully by Anonymous Coward · · Score: 3, Insightful

      Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigans.

    4. Re:Will have to be done carefully by Anonymous Coward · · Score: 2, Informative

      Firefox added group policy support with the release of ESR version 60, including official templates.

      You can enable enterprise roots through this, which causes Firefox to read the Windows certificate store.

    5. Re:Will have to be done carefully by buchanmilne · · Score: 2

      "Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigan"

      But, if the 3rd-party browser makes it impossible for users (who have no problem with the company implementing the protections to its assets as outlined in policies the users accepted as conditions of employment) to do their job using that browser, said browser may just find themselves losing a large chunk of their diminishing market share.

      To be clear, I have no problem with the following:
      - an indication in the address bar that the connection is/may be MitM'd
      - a warning that I can dismiss to the same effect
      - an error page, as long as there is an easy way to make it go away for the next year or lifetime of the internal CA cert used to sign imposter certs

      However, if every site gives an error message I need to click through, or if any of these errors can't be clicked through, I will finally be forced to drop Firefox for work.

      It is bad enough that Firefox makes it so onerous to get into management interfaces on new installations of e.g. server management interfaces to do the minimal configuration to get them to enroll for real certs, but I have tolerated it.

      I won't be able to tolerate it for every external site I visit from work on the work network with their computer.

      Is Mozilla intentionally trying to get rid of all users who use Firefox at work?

  2. TLSA/DANE by QuietLagoon · · Score: 2

    Would also be nice if Firefox would check/verify TLSA/DANE if a domain/site uses it. There was a plug-in (DNSSEC/TLSA Validator) that performed this task, but the developers gave up on Firefox back when the API changed.

  3. Re:Okay, I'll bite by Anonymous Coward · · Score: 3, Informative

    Because it contacts a third party server which also looks at the website's certificate. If the certificate that your browser is presented with has a different fingerprint than the one their server sees, an error is flagged.

    See also the CheckMyHTTPS add-on for Chrome and Firefox

  4. Re:Okay, I'll bite by Anonymous Coward · · Score: 2, Insightful

    In other words, Firefox will send a list of all sites you're visiting to a third party server under the pretext of "security". Riiiiiight.

  5. Re:ISPs? by TechyImmigrant · · Score: 3, Informative

    How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?

    It's not mitm. That's why TFA is so confusing. The attack involves changes to your trust list.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  6. Re:Pain in the ass by TexasDex · · Score: 3, Interesting

    They've already been on the record that third-party antivirus can be harmful to security: https://www.zdnet.com/article/... They're not wrong, I've seen some things from McAfee and Symantec that are downright shady.

    --
    The Cheese Stands Alone.
  7. Re:Okay, I'll bite by Dagger2 · · Score: 2

    That does not appear to be how it works. From reading the patch: if it fails to connect to the Firefox update service then it records the issuer of the cert that the update service presented. Then, if a future TLS connection fails with an unrecognized issuer and the unrecognized issuer matches the issuer that was recorded from the update service, then it displays the MITM error instead of the unrecognized issuer error.

    (The code is here and here.)

    The check piggy-backs on one of Firefox's existing phone home mechanisms, and it doesn't involve reporting every cert you see to some third party.
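The issuer-matching heuristic described in the comment above, reduced to a small simulation. This is an added example and not Firefox's code: certificates are modelled as subject/issuer strings, the trusted roots are a constructed set, and `UNKNOWN_ISSUER` is a placeholder label for the browser's ordinary unrecognized-issuer error (only `MOZILLA_PKIX_ERROR_MITM_DETECTED` is a real Firefox error name).

```python
from dataclasses import dataclass
from typing import Optional, Set

MITM_ERROR = "MOZILLA_PKIX_ERROR_MITM_DETECTED"   # real Firefox error name (from the summary)
UNKNOWN_ISSUER_ERROR = "UNKNOWN_ISSUER"            # placeholder for the generic issuer error


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 leaf: who it names and who signed it."""
    subject: str
    issuer: str


@dataclass
class MitmDetector:
    trusted_issuers: Set[str]            # roots the browser already trusts
    recorded_issuer: Optional[str] = None  # issuer seen on a failed update check

    def on_update_check(self, presented: Cert) -> bool:
        """Simulates the phone-home to the update service.

        Returns True when the chain verifies. On failure the issuer that was
        presented is remembered: an interception product that re-signs all
        TLS traffic will present its own CA here as well.
        """
        if presented.issuer in self.trusted_issuers:
            return True
        self.recorded_issuer = presented.issuer
        return False

    def classify(self, presented: Cert) -> Optional[str]:
        """Verify a later connection: None = OK, otherwise the error to show.

        Note that if the interception CA has been imported as trusted (for
        example via enterprise roots), the first branch succeeds and no
        warning of either kind is produced.
        """
        if presented.issuer in self.trusted_issuers:
            return None
        if self.recorded_issuer is not None and presented.issuer == self.recorded_issuer:
            return MITM_ERROR      # same unknown issuer as on the update service
        return UNKNOWN_ISSUER_ERROR


def demo() -> dict:
    """Constructed scenario: a filtering proxy re-signs everything with 'Corp Filter CA'."""
    d = MitmDetector(trusted_issuers={"Public Root CA"})
    update_ok = d.on_update_check(Cert("aus5.mozilla.org", "Corp Filter CA"))
    return {
        "update_ok": update_ok,
        "intercepted": d.classify(Cert("example.com", "Corp Filter CA")),
        "other_unknown": d.classify(Cert("example.net", "Random Self-Signed CA")),
        "normal": d.classify(Cert("example.org", "Public Root CA")),
    }
```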