Certificate pinning protection shows a weakness that may expose users to MitM attacks.
Mozilla has recently announced that it will be releasing a Firefox update.
Last Tuesday, Mozilla announced that the update will fix the same cross-platform, malicious code-execution vulnerability that the Tor browser has already patched.
They have found a vulnerability that allows an attacker in a man-in-the-middle position who holds a forged certificate to impersonate a Mozilla server. Tor officials have released an advisory warning users about it.
From there, an attacker could deliver a malicious update for NoScript or for many other Firefox extensions already installed on the computer.
The fraudulent certificate would have to be issued by one of the certificate authorities (CAs) trusted by Firefox.
Though hacking a CA or tricking one into issuing the necessary certificate for addons.mozilla.org would be a daunting and challenging task, it is not far-fetched.
In 2011, for instance, hackers tied to Iran compromised Dutch CA DigiNotar and minted counterfeit certificates for more than 200 addresses, including Gmail and the Mozilla addons subdomain.
The Tor advisory urges users to update as soon as possible, and it did not take long for Mozilla to follow the same strategy. Production versions of Firefox have been found to be vulnerable, although the September 4 release is not.
Duff said he was able to reproduce results published Tuesday by a different researcher showing that a Firefox-implemented protection known as "certificate pinning" was ineffective in preventing attacks using forged certificates. Certificate pinning is designed to ensure that a browser accepts only a specific certificate for a specific domain or subdomain and rejects all others, even if they are issued by a browser-trusted authority. Duff said the cause of the failure is linked to a form of static key pinning that is not based on the HTTP Public Key Pinning protocol. More specifically, the failure is the result of Mozilla not properly extending the expiration dates of the static key list, which caused the pinning to go unenforced once the list expired.
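To make that failure mode concrete, here is an added illustration (not Mozilla's code; the domain's pin values and the list's expiry date are constructed placeholders): a static pin check that silently falls open once its built-in list expires, beside a hardened variant that keeps enforcing the pins and reports the stale list separately.

```python
import hashlib
from datetime import date

# Constructed data for this example: the public-key bytes and the expiry
# date are placeholders, not Firefox's real built-in pin list.
LEGIT_SPKI = b"constructed-spki-of-the-real-addons-server"
STATIC_PINS = {
    "addons.mozilla.org": {hashlib.sha256(LEGIT_SPKI).hexdigest()},
}
PIN_LIST_EXPIRY = date(2016, 9, 3)  # constructed date on which the list lapses


def spki_hash(spki_bytes: bytes) -> str:
    """SHA-256 hex digest of a certificate's SubjectPublicKeyInfo,
    the value a pin is compared against."""
    return hashlib.sha256(spki_bytes).hexdigest()


def pin_list_is_stale(today: str) -> bool:
    """True once the built-in list is past its expiry date (today as ISO
    date); a monitoring check should alert on this condition."""
    return date.fromisoformat(today) > PIN_LIST_EXPIRY


def pin_check_permissive(domain: str, spki_bytes: bytes, today: str) -> bool:
    """Models the failure described above: after the static list expires,
    pinning is skipped, so any CA-issued certificate for the domain,
    a forged one included, is accepted."""
    if pin_list_is_stale(today):
        return True  # fails open: the pins are no longer enforced
    pins = STATIC_PINS.get(domain)
    if pins is None:
        return True  # unpinned domain, ordinary CA validation applies
    return spki_hash(spki_bytes) in pins


def pin_check_strict(domain: str, spki_bytes: bytes, today: str) -> bool:
    """Hardened variant (an assumption of this example, not Mozilla's fix):
    pinned domains stay enforced even when the list is stale, so a forged
    certificate is still rejected; staleness is surfaced by pin_list_is_stale."""
    pins = STATIC_PINS.get(domain)
    if pins is None:
        return True
    return spki_hash(spki_bytes) in pins
```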
Shortly after the advisory went live, Mozilla issued the following statement.
Until Mozilla releases the update, Firefox users who are concerned they might be targeted by nation-sponsored adversaries should consider using a different browser or, alternatively, configuring Firefox to stop automatically accepting extension updates.