Skip to main content

Mozilla Dials Back on Firefox Opportunistic Encryption

posted onApril 7, 2015
by l33tdawg

Mozilla has had a change of heart regarding opportunistic encryption—for now. The company rolled out its open-source Firefox 37 Web browser on March 31, with one of the key new features being a capability known as opportunistic encryption. However, due to a security issue related to opportunistic encryption, Mozilla disabled the feature in the Firefox 37.0.1 update released April 3.

The security issue is located in Mozilla's HTTP Alternative Services (Alt-Svc) implementation, which is connected to the opportunistic encryption capability.

"If an Alt-Svc header is specified in the HTTP/2 response, Secure Sockets Layer (SSL) certificate verification can be bypassed for the specified alternate server," Mozilla warned in its security advisory. "As a result of this, warnings of invalid SSL certificates will not be displayed, and an attacker could potentially impersonate another site through a man-in-the-middle (MTIM), replacing the original certificate with their own."

Source

Tags

Mozilla Firefox

You May Also Like

Recent News

Friday, November 29th

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th