Firefox 32 Debuts With Improved SSL Security

By Sean Michael Kerner  |  Posted 2014-09-02
Mozilla Firefox 32

The new open-source Mozilla browser release supports public-key pinning and fixes half a dozen vulnerabilities.

Mozilla is out today with its Firefox 32 release, providing users of the open-source Web browser with new security fixes and features. Firefox 32 now supports public-key pinning, which strengthens the browser's check that a site's Secure Sockets Layer (SSL) certificate was issued by a legitimate certificate authority.

"Key pinning allows site operators to specify which certificate authorities [CAs] may issue valid certificates for them, rather than accepting any of the many CAs that are trusted," Sid Stamm, senior engineering manager for security and privacy at Mozilla, explained to eWEEK. "This helps reduce the chance that any CA compromise can be leveraged to issue for the site."

There have been multiple incidents in the past several years in which CAs were compromised, most notably at Comodo and DigiNotar.

The new key-pinning feature joins multiple mechanisms used by modern Web browsers to help ensure the integrity and authenticity of SSL certificates. Mozilla has long supported the Online Certificate Status Protocol (OCSP), which is used by the browser to check with a CA on the status of a given certificate. An extension of OCSP is a technique known as OCSP Stapling, which helps accelerate the SSL certificate status-checking process.

Going a step further to help improve security, Firefox 32 removes a number of root certificates with 1,024-bit RSA keys from the browser's trust store.

"1,024-bit RSA keys are no longer considered secure enough for root certificates, and we have phased them out in favor of stronger keys," Stamm said. "The recent root removals are part of this move to stronger encryption in Firefox."
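To make the two chain checks discussed above concrete, here is a small Python model of them; it is an added example, not Mozilla's code and not from the article. It assumes the standard pin encoding (base64 of the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo), a 2,048-bit floor for RSA root keys, and constructed placeholder SPKI bytes and chains; the certificate names and byte strings are invented for illustration.

```python
"""Added example: a minimal model of two checks a browser can apply to a
validated TLS certificate chain, public-key pinning and a minimum RSA
root key size. Not Mozilla's implementation; all chain data is constructed."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """A certificate reduced to the fields these checks need.
    spki_der: DER bytes of the SubjectPublicKeyInfo (placeholder bytes here).
    rsa_bits: RSA modulus size in bits, or None for non-RSA keys."""
    name: str
    spki_der: bytes
    rsa_bits: Optional[int]


def spki_pin(spki_der: bytes) -> str:
    """Pin value = base64(SHA-256(DER SubjectPublicKeyInfo)), the encoding
    used by browser pin lists and the HPKP header (assumed convention)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain: List[Cert], pins: Set[str]) -> bool:
    """Pinning passes if ANY certificate in the chain (leaf, intermediate or
    root) carries a pinned key. Pinning a CA key is how a site operator says
    'only this CA may issue for me' without re-pinning on every renewal."""
    return any(spki_pin(c.spki_der) in pins for c in chain)


def root_key_acceptable(root: Cert, min_rsa_bits: int = 2048) -> bool:
    """Reject RSA roots below min_rsa_bits (1,024-bit roots are out; the
    2,048-bit floor is an assumption of this example)."""
    if root.rsa_bits is None:
        return True  # non-RSA roots (e.g. ECDSA) are outside this check
    return root.rsa_bits >= min_rsa_bits


def evaluate_chain(chain: List[Cert], pins: Optional[Set[str]]) -> Dict[str, bool]:
    """Run both checks. An empty or None pin set means the host is not
    pinned, so the pin check is vacuously satisfied."""
    pins_ok = True if not pins else chain_matches_pins(chain, pins)
    root_ok = root_key_acceptable(chain[-1])  # last element is the root
    return {"pins_ok": pins_ok, "root_key_ok": root_ok, "accept": pins_ok and root_ok}


# Constructed sample data (not real keys): the SPKI bytes are placeholders.
PINNED_CA_SPKI = b"constructed-spki-of-the-ca-the-site-pins"
LEGACY_CA_SPKI = b"constructed-spki-of-the-same-ca-older-1024-bit-root"
OTHER_CA_SPKI = b"constructed-spki-of-some-other-browser-trusted-ca"
LEAF_SPKI = b"constructed-spki-of-the-site-leaf-key"

# The site operator pins its CA's current and legacy root keys.
SITE_PINS = {spki_pin(PINNED_CA_SPKI), spki_pin(LEGACY_CA_SPKI)}

GOOD_CHAIN = [
    Cert("leaf example.test", LEAF_SPKI, 2048),
    Cert("Pinned CA root", PINNED_CA_SPKI, 4096),
]
# Same hostname, but issued by a different CA that the browser also trusts:
# this is the case pinning exists to catch after a CA compromise.
MISISSUED_CHAIN = [
    Cert("leaf example.test", LEAF_SPKI, 2048),
    Cert("Other CA root", OTHER_CA_SPKI, 2048),
]
# Pins match, but the chain terminates in a 1,024-bit root.
WEAK_ROOT_CHAIN = [
    Cert("leaf example.test", LEAF_SPKI, 2048),
    Cert("Pinned CA legacy 1024-bit root", LEGACY_CA_SPKI, 1024),
]

if __name__ == "__main__":
    for label, chain in [("good", GOOD_CHAIN),
                         ("mis-issued", MISISSUED_CHAIN),
                         ("weak root", WEAK_ROOT_CHAIN)]:
        print(label, evaluate_chain(chain, SITE_PINS))
```

Note that the mis-issued chain would pass ordinary path validation, since its root is trusted; only the pin check rejects it. Conversely the legacy chain satisfies the pins but fails on key size, which is why both checks are applied independently.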

In addition to the new security features, Mozilla has issued six security advisories for vulnerabilities that are being patched in Firefox 32. Three of the advisories are rated critical, with all the critical flaws being memory-related vulnerabilities.

Mozilla Foundation Security Advisory (MFSA) 2014-67 details memory-corruption vulnerabilities that could potentially be exploited to run arbitrary code.

Google Chrome Security Team researcher Abhishek Arya is credited with reporting MFSA 2014-68, which is a use-after-free memory error with animated SVG graphics content.

A researcher working with Hewlett-Packard's TippingPoint Zero Day Initiative (ZDI) is credited by Mozilla for reporting a use-after-free memory issue (identified as MFSA 2014-72) resulting from setting the direction of text on a page.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
