Slashdot Mirror


Mozilla Halts Rollout of Firefox 65 on Windows Platform After Antivirus Issue (zdnet.com)

Mozilla has halted the rollout of the v65 update to the Firefox browser on the Windows platform after learning about an issue with certain antivirus products. Users of Firefox 65, an update which was released last week, reported seeing "Your connection is not secure" error warnings when visiting popular sites. From a report: The issue mostly affected Firefox 65 users running AVG or Avast antivirus. The message appeared when users visited an HTTPS website and stated that the 'Certificate is not trusted because the issuer is unknown' and that 'The server might not be sending the appropriate intermediate certificates'.

The problem, reported on Mozilla's bug report page and first spotted by Techdows, is due to the HTTPS-filtering feature in Avast and AVG antivirus (Avast owns AVG). The bug prevented users from visiting any HTTPS site with Firefox 65. To limit the impact on users, Mozilla decided to temporarily halt all automatic updates on Windows. In the meantime, Avast released a new virus engine update that completely disables Firefox HTTPS filtering in Avast and AVG products. HTTPS filtering remains enabled for other browsers.

12 of 112 comments

  1. Avast's fault for doing MITM by aepervius · · Score: 5, Insightful

    Basically avast and co are doing a MITM attack to scan the content of https traffic:
    https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/
    Why anybody would think that allowing an AV provider to scan all their traffic including bank traffic by extension, is more "secure" - is beyond me.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:Avast's fault for doing MITM by Anonymous Coward · · Score: 2, Insightful

      Basically avast and co are doing a MITM attack to scan the content of https traffic

      Last I checked, when one program deliberately breaks functionality of another program to accomplish its purpose, it was more correctly called malware or a virus.

    2. Re:Avast's fault for doing MITM by Junta · · Score: 2

      To be fair, to the extent they can offer any protection against attack from javascript to browser they would have to pull this sort of trick. Replacing the certificate with either a trusted or untrusted one, so long as the CA private key is unique per endpoint and the software correctly validates before passing it on. It is of course ugly as hell, but at least not crazy bad in security.

      Of course, on the practical side I'd want to see some examples of them actually doing anything on that front. Compared to 'download and run executable', the browser security models are a lot more restrictive and I can't think of specific scenarios where 'anti-virus' steps in rather than site operators fixing their CORS rules or similar in the face of an attack. I suppose if you are not updating your web browsers there could be risks, but updating web browsers would be easy enough...

      --
      XML is like violence. If it doesn't solve the problem, use more.
    3. Re: Avast's fault for doing MITM by AmiMoJo · · Score: 2

      They should implement it as a browser plug-in. Problem is that all the major browsers block their plug-ins now because local plug-in installation was widely abused. Now they only allow installation via the user clicking to accept within the browser itself, and apparently that's not a good enough user experience for AV companies.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re: Avast's fault for doing MITM by Bengie · · Score: 2

      HTTPS scanning and proxy is a known attack vector. HTTPS provides both encryption and authentication. MITM breaks authentication. Unfortunately, HTTP does not support signing content, only the outer stream can be signed.

    5. Re: Avast's fault for doing MITM by 0ld_d0g · · Score: 2

      The software is already running in the kernel. If the software was malicious, you're already screwed. MITM doesn't make it worse IMO.

  2. Mozilla needs to take bugs seriously by xack · · Score: 2

    There are bugs that haven't been fixed for decades and they regularly WONTFIX many bugs. It's time Mozilla stops drinking the Chrome-aid and listens to its users for once. Until Mozilla does, use Waterfox or Pale Moon.

  3. Re:Avast's (and others') fault for doing MITM by Anonymous Coward · · Score: 2, Insightful

    I agree. If anything, Mozilla should not accept Avast's (and all others' - because there aren't a zillion ways to scan HTTPS traffic) fake MITM certificates, but change the error message to explain the user's choice, limited by the current state of technology: either their AV provider gets cleartext access to all their HTTPS traffic, or their HTTPS traffic won't be scanned.

    Some sites could start using mutual authentication, with their own CA, since this will make the MITM fail. I've encountered this when working on electronic identity cards; when you authenticate both the client (using their eID) and the server (using a commercial CA), the latter fails, because the MITM does not have the user's private key and the client auth is part of the data signed in the server auth.

    We had to tell our citizens that they had to choose between securely authenticating and accessing their official (tax, etc.) data, and virus scanning. Because those are the limits of using an attack technique for user security.

    You can't have everyone using OpenBSD ;-)
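The chain failures this thread turns on, as an added example that is not part of any poster's text or of Avast's or Mozilla's code: a Go program builds a constructed public root, a constructed "HTTPS filtering" root, and two server certificates for the same hostname, one from each root, then runs the browser-style chain check and a pinned-root comparison. It shows why a certificate signed by a root the browser does not trust ends in the "issuer is unknown" failure the summary quotes, why adding the filtering root to the trust store makes the very same certificate verify (the cleartext-or-unscanned choice the comment above describes, and the trick Junta's comment refers to), and how a pin on the site's expected root still exposes the substitution. The CA names, the hostname bank.example, and the helper functions are assumptions of the example, not anything from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Result is what a client-side chain check learns about one certificate.
type Result struct {
	Verified      bool // a chain was built to a root in the trust store
	IssuerUnknown bool // verification failed with an unknown issuer (Firefox's error page)
	RootPinned    bool // the root that anchored the chain is the pinned one
}

// must panics on error; acceptable here because all material is constructed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a P-256 key and a certificate for it: with parent == nil a
// self-signed root CA named name, otherwise a server certificate for hostname
// name signed by parent. Everything produced here is constructed for the example.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	return must(x509.ParseCertificate(der)), key
}

// fingerprint is the hex SHA-256 of the DER certificate, the usual pin format.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// checkChain does what the browser does (build and verify a chain for host
// against roots), then what pinning adds: compare the anchoring root to pin.
func checkChain(leaf *x509.Certificate, host string, roots *x509.CertPool, pin string) Result {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		var unknown x509.UnknownAuthorityError
		return Result{IssuerUnknown: errors.As(err, &unknown)}
	}
	root := chains[0][len(chains[0])-1]
	return Result{Verified: true, RootPinned: fingerprint(root) == pin}
}

// Scenario reproduces the thread's three situations: the site's own certificate,
// a filtering proxy's substitute seen by a browser that trusts only public roots,
// and that same substitute once the filtering root sits in the trust store.
func Scenario() (site, proxyPublicOnly, proxyWithAVRoot Result) {
	const host = "bank.example" // constructed hostname
	publicRoot, publicKey := newCert("Example Public Root CA", nil, nil)
	avRoot, avKey := newCert("Example AV HTTPS Filtering Root", nil, nil)
	siteLeaf, _ := newCert(host, publicRoot, publicKey)
	proxyLeaf, _ := newCert(host, avRoot, avKey) // same hostname, different issuer
	pin := fingerprint(publicRoot)               // root the site is expected to chain to

	publicOnly := x509.NewCertPool()
	publicOnly.AddCert(publicRoot)
	withAVRoot := x509.NewCertPool()
	withAVRoot.AddCert(publicRoot)
	withAVRoot.AddCert(avRoot) // what a filtering product adds to the user's store

	site = checkChain(siteLeaf, host, publicOnly, pin)
	proxyPublicOnly = checkChain(proxyLeaf, host, publicOnly, pin)
	proxyWithAVRoot = checkChain(proxyLeaf, host, withAVRoot, pin)
	return
}

func main() {
	s, p, a := Scenario()
	fmt.Printf("site cert, public roots:       %+v\n", s)
	fmt.Printf("proxy cert, public roots only: %+v\n", p)
	fmt.Printf("proxy cert, AV root installed: %+v\n", a)
}
```

The middle case is the one Firefox 65 users hit: a chain that cannot reach any trusted root fails with an unknown-issuer error regardless of what is on the wire. The third case is what makes filtering "work": once the product's root is trusted, the substitute certificate verifies like any other, and only a check that goes beyond the trust store (here, pinning the expected root) can tell the user that the connection is being terminated locally.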

  4. Why use Avast? by sjbe · · Score: 3, Insightful

    Why anybody would think that allowing an AV provider to scan all their traffic including bank traffic by extension, is more "secure" - is beyond me.

    Perhaps someone knows more about Avast and AVG than I do, but I fail to see any meaningful advantage in them over the built-in security software in Windows. Like so much AV software they just seem to slow things down and gum up the works while providing little real protection in the process for a lot of money. What are they doing that anyone actually needs?

  5. Bugs? by sjbe · · Score: 5, Insightful

    There are bugs that haven't been fixed for decades and they regularly WONTFIX many bugs.

    A lot of things that people think are bugs are really just design decisions they don't prefer. While Firefox is certainly not perfect I don't see any of the other browsers being meaningfully better about dealing with their faults.

    It's time Mozilla stops drinking the Chrome-aid and listens to its users for once.

    Has it occurred to you that maybe they are? Believe it or not, people have different opinions about what they want out of Firefox. Just because they don't agree with some vocal users doesn't mean they aren't listening to the others as well. If you don't like their choices you have other browsers that you can use and that's totally fine.

    Until Mozilla does, use Waterfox or Pale Moon.

    Yeah they don't really solve any problems for me and they create some new ones. If they work for you that's great.

    1. Re:Bugs? by gustygolf · · Score: 2

      Has it occurred to you that maybe they are [listening to their users]? Believe it or not, people have different opinions about what they want out of Firefox.

      Mozilla's bugzilla installation has a feature where people can vote on bugs (i.e. express their interest in getting a bug fixed or feature implemented), and this feature of the bug tracker has been there for 15+ years.

      I can't remember the last time a bug with lots of votes was resolved.

      In fact, I can't remember the last time a bug that was filed by a non-developer got resolved.

      Here is a list of currently open bugs with at least 100 votes.

      (My memory might be playing tricks on me, but I remember there being many more votes on bugs. Thousands, at least. The current number one has 571 votes. Perhaps they did a user purge which wiped out votes? It would certainly explain why the list is dominated by WebExtensions bugs -- a recent feature.)

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
  6. Feature requests are not (necessarily) bugs by sjbe · · Score: 3, Insightful

    Mozilla's bugzilla installation has a feature where people can vote on bugs

    Nice but popular does not necessarily equal important. As Henry Ford once said, "if I asked my customers what they wanted they would say 'a faster horse'."

    I can't remember the last time a bug with lots of votes was resolved.

    There is some survivorship bias in play there. Bugs with lots of votes are necessarily the ones that don't get resolved. That doesn't necessarily mean they are the most important things to resolve and those will tend to be bugs that get resolved before they get a lot of votes. So you are going to tend to see items with a lot of votes be items that have some sort of following but not generally high priority problems.

    Furthermore most of the items on the list you linked to are not really bugs. They are feature requests. Nothing wrong with those but it's hardly surprising that many feature requests will tend to get ignored. A product cannot be all things to all people and remain useful.

    In fact, I can't remember the last time a bug that was filed by a non-developer got resolved.

    Presumably you can look this information up. Bear in mind that the VAST majority of non-developers do not and never will file bug reports. And just because someone does file a bug report does not make their opinion magically more important. Listening to customers involves far more than just watching the bug report list.