Just two weeks after introducing the “opportunistic encryption” feature to Firefox, Mozilla has disabled it in order to fix a critical security bug that allowed malicious websites to bypass HTTPS protections.
According to Arstechnica, the bug was introduced in Firefox 37 where the vulnerability, which resides in functionality related to opportunistic crypto, in some cases gave attackers an easy way to present fake TLS certificates that wouldn’t be detected by the browser.
Mozilla said in an advisory that “if an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server”. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MTIM), replacing the original certificate with their own.
Opportunistic encryption offered unauthenticated encryption over TLS for data that would otherwise be carried via clear text. Terence Spies, CTO of HP Security Voltage, said that opportunistic encryption are not a “better” solution than TLS, but this standard would remove almost all barriers to encrypting web traffic.
“There was a Firefox implementation problem with Alt-Svc,” Chad Weiner, Mozilla’s director of product management, wrote in a statement sent to Ars. “Opportunistic Encryption is a related, but separate, feature that depends on Alt-Svc. Opportunistic Encryption was disabled because of its use of Alt-Svc. We plan to re-enable this feature once we’ve had time to fully investigate the issue.”
Russell Spitler, VP of product strategy at AlienVault, told IT Security Guru that opportunistic encryption provided a path to ensure nobody is listening without necessarily authenticating who you are talking to.
He said: “This bug allowed attackers to exploit opportunistic encryption (which does not authenticate who you are talking to) so that users believe they have authenticated the other end (by presenting a certificate to the browser). This allows an attacker to establish a connection with a user that appears to originate from a trusted entity (such as Google), but is controlled by the attacker.
“This issue is simply an evolution in our technology. We have dealt with issues in this system for years and years, getting this done correctly and without bugs is a process that will take decades (consider how long some of the recent OpenSSL bugs existed in code before discovery). The introduction with new systems will be fraught with issues, careful design and iteration is the only path to maturing new systems like this. It is critical that someone takes the lead on establishing new paths such as this, but it is even more important that they are broadly reviewed and tested.”
He also asked why there was a need for opportunistic encryption to be built, when projects like ‘Let’s Encrypt’ exist and are making it easy to achieve the same goals as above without reinventing a new system. “While the goal is noble, rebuilding encryptions systems should be done only when absolutely necessary, not when there are viable improvements to existing standards,” he said.