Mozilla Combats MiTM Attacks, Rogue Certificates in Firefox 32

Mozilla’s latest browser update, Firefox 32, has added public-key pinning to prevent man-in-the-middle (MiTM) attacks and the use of rogue certificates.

The update also includes patches for several critical security vulnerabilities.

Public-key pinning helps ensure that users are connecting to the sites they intend to connect to, and not to an impostor site looking to capture credentials or serve malware. Pinning lets a site operator restrict which certificate authority (CA) public keys may appear in the certificate chain presented for its domain, rather than accepting any chain that leads back to one of the hundreds of root certificates that ship with Firefox.

Firefox first validates the chain as usual and then compares the public key of each certificate in the verified chain against the set of known-good key hashes pinned for that domain. If any key matches, Firefox displays the lock icon as normal. If none does, Firefox rejects the connection with a pinning error, which, unlike an ordinary certificate warning, the user cannot click through.

“This type of error can also occur if a CA mis-issues a certificate,” said Sid Stamm, senior manager of security and privacy engineering at Mozilla, in a blog post. “In this way, key pinning can be used by sites to add another layer of trust to their servers’ deployment of TLS.”

To begin with, Mozilla is supporting a limited set of pinned domains, including addons.mozilla.org and Twitter. The Google Chromium pinset, Tor and Dropbox will be supported in future releases.

“Firefox 32 and above supports built-in pins, which means that the list of acceptable certificate authorities must be set at time of build for each pinned domain,” Mozilla explained in an announcement. “Pinning is enforced by default. Sites may advertise their support for pinning with the Public Key Pinning Extension for HTTP, which we hope to implement soon.”

The HTTP extension (the draft that was later published as RFC 7469) allows web host operators to instruct user agents, via a Public-Key-Pins response header, to remember ('pin') the hosts' cryptographic identities for a given period of time.
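The following is an added example, not Mozilla's or Firefox's code, showing both mechanisms described above: the built-in pin check (hash of each chain certificate's public key compared against a pinset fixed at build time) and the noting rule a user agent applies to a Public-Key-Pins header. Everything here is assumed for illustration: the RSA moduli are tiny constructed dummies, not real keys; the SubjectPublicKeyInfo is DER-encoded by hand so the script runs offline without a TLS library; and the host names example.test and unpinned.test are hypothetical.

```python
# Added example (not Mozilla's or Firefox's code): how a public-key pin check works.
# A pin is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)) of a key that appears
# somewhere in the verified chain. All keys below are constructed dummies, not real
# RSA keys; the SPKI is built by hand so the script runs offline.
import base64
import hashlib
import re


def der_length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out


def der(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value):
    """DER INTEGER: minimal big-endian, with a leading 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an rsaEncryption key: exactly the bytes that get hashed."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))   # 1.2.840.113549.1.1.1
    algorithm = der(0x30, rsa_oid + der(0x05, b""))             # AlgorithmIdentifier
    rsa_public_key = der(0x30, der_integer(n) + der_integer(e))
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits


def pin_sha256(spki):
    """The pin-sha256 value for one public key."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def chain_matches_pinset(chain_spkis, pinset):
    """Pinning rule: the connection passes if ANY key in the verified chain is pinned."""
    return any(pin_sha256(spki) in pinset for spki in chain_spkis)


def parse_hpkp(header):
    """Parse a Public-Key-Pins header value into (pins, max_age, include_subdomains)."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))
    max_age = re.search(r"(?i)max-age\s*=\s*(\d+)", header)
    include_sub = re.search(r"(?i)(?:^|;)\s*includeSubDomains\s*(?=;|$)", header) is not None
    return pins, (int(max_age.group(1)) if max_age else None), include_sub


def may_note_pins(header, chain_spkis):
    """HPKP noting rule (RFC 7469): a UA records the pins only if max-age is present,
    at least one pin matches the served chain, and at least one pin does NOT match
    any key in the chain (the backup pin that lets the site recover from key loss)."""
    pins, max_age, _ = parse_hpkp(header)
    if max_age is None or not pins:
        return False
    chain_pins = {pin_sha256(s) for s in chain_spkis}
    return bool(pins & chain_pins) and bool(pins - chain_pins)


# Constructed sample keys (tiny dummy moduli; never use such keys for anything real).
LEAF_SPKI = rsa_spki(0xC0FFEE0123456789ABCDEF0123456789ABCDEF01, 65537)
INTERMEDIATE_SPKI = rsa_spki(0xD00DFEED0123456789ABCDEF0123456789ABCDEF, 65537)
BACKUP_SPKI = rsa_spki(0xBADC0DE0123456789ABCDEF0123456789ABCDEF0, 65537)
ROGUE_LEAF_SPKI = rsa_spki(0xFACEFEED0123456789ABCDEF0123456789ABCDEF, 65537)
ROGUE_CA_SPKI = rsa_spki(0xDEADBEEF0123456789ABCDEF0123456789ABCDEF, 65537)

# A built-in pinset in the spirit of Firefox 32: hashes of the site's CA keys, fixed at build time.
# The host name is hypothetical.
BUILTIN_PINS = {"example.test": {pin_sha256(INTERMEDIATE_SPKI), pin_sha256(BACKUP_SPKI)}}


def check_connection(host, chain_spkis, builtin_pins=BUILTIN_PINS):
    """Return 'ok' for an unpinned host or a chain containing a pinned key, else 'pinning error'."""
    pinset = builtin_pins.get(host)
    if pinset is None or chain_matches_pinset(chain_spkis, pinset):
        return "ok"
    return "pinning error"


if __name__ == "__main__":
    print(check_connection("example.test", [LEAF_SPKI, INTERMEDIATE_SPKI]))       # genuine chain
    print(check_connection("example.test", [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI]))     # mis-issued by an unpinned CA
```

Note that a chain mis-issued by a CA whose key is not in the pinset fails even though it would pass ordinary certificate validation, which is the case Stamm describes. The backup-pin requirement in `may_note_pins` is what keeps a site from pinning itself out of its own domain: if the only pinned key is lost, the site has no way to serve a chain that validates for the remaining max-age.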

Meanwhile, Firefox 32 also patches two critical use-after-free flaws.

“Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free during cycle collection,” the Mozilla advisory said for one of the issues. “This was found in interactions with the SVG content through the document object model (DOM) with animating SVG content. This leads to a potentially exploitable crash.”

As for the other flaw, “security researcher Regenrecht reported, via TippingPoint's Zero Day Initiative, a use-after-free during text layout when interacting with the setting of text direction,” Mozilla said. “This results in a use-after-free which can lead to arbitrary code execution.”

The update also fixes a series of memory safety bugs, along with three less-severe vulnerabilities.
