Mozilla Dials Back on Firefox Opportunistic Encryption
Mozilla issued the Firefox 37.0.1 update, which disables the opportunistic encryption feature that was just introduced in Firefox 37.

Mozilla has had a change of heart regarding opportunistic encryption—for now. The company rolled out its open-source Firefox 37 Web browser on March 31, with one of the key new features being a capability known as opportunistic encryption. However, due to a security issue related to opportunistic encryption, Mozilla disabled the feature in the Firefox 37.0.1 update released April 3.

The security issue is located in Mozilla's HTTP Alternative Services (Alt-Svc) implementation, which is connected to the opportunistic encryption capability. "If an Alt-Svc header is specified in the HTTP/2 response, Secure Sockets Layer (SSL) certificate verification can be bypassed for the specified alternate server," Mozilla warned in its security advisory. "As a result of this, warnings of invalid SSL certificates will not be displayed, and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own."

Opportunistic encryption is designed to encrypt potentially sensitive data that would otherwise have been sent unencrypted and in the clear. The opportunistic encryption capability makes use of the new HTTP/2 protocol, which is the next generation of the HTTP protocol that dominates the Web today.
"Opportunistic encryption is a related but separate feature that depends on Alt-Svc," Chad Weiner, director of product management at Mozilla, told eWEEK. "Opportunistic encryption was disabled because of its use of Alt-Svc."
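To make the advisory concrete, here is an added illustrative model (not Mozilla's code) of how a client parses an Alt-Svc header and the check it must keep before following an alternative: the alternate server's certificate has to chain to a trusted root and be valid for the original origin's hostname, not merely for the alternate host. The header format follows RFC 7838; the certificate inputs are constructed, not taken from a real connection.

```python
from dataclasses import dataclass


@dataclass
class AltService:
    """One alternative service advertised by an Alt-Svc header (RFC 7838)."""
    protocol: str  # ALPN protocol id, e.g. "h2"
    host: str      # alternative host; an empty host in the header means the origin host
    port: int
    max_age: int   # seconds the entry may be cached (RFC default is 86400)


def parse_alt_svc(header: str, origin_host: str) -> list[AltService]:
    """Parse a field value such as 'h2="alt.example.com:443"; ma=3600, h2=":8443"'."""
    if header.strip() == "clear":  # 'clear' invalidates all cached alternatives
        return []
    entries = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        proto, _, authority = parts[0].partition("=")
        host, _, port = authority.strip('"').rpartition(":")
        params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        entries.append(AltService(proto.strip(), host or origin_host, int(port),
                                  int(params.get("ma", "86400"))))
    return entries


def _name_matches(cert_name: str, host: str) -> bool:
    """Match one certificate name against a host; '*.' covers exactly one label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def may_use_alternative(origin_host: str, cert_names: set[str], chain_trusted: bool) -> bool:
    """The rule the advisory describes as bypassed: the alternate server's certificate
    must chain to a trusted root AND cover the ORIGIN hostname. A certificate that is
    valid only for the alternative's own host is not sufficient; accepting it would let
    a man-in-the-middle who supplies an Alt-Svc header steer the client to a host whose
    certificate they control, with no invalid-certificate warning shown."""
    if not chain_trusted:
        return False
    return any(_name_matches(name, origin_host) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: alternative on a different host, certificate names from its SAN.
    for alt in parse_alt_svc('h2="alt.example.com:443"; ma=3600', "www.example.com"):
        print(alt, may_use_alternative("www.example.com", {"alt.example.com"}, True))
```

With a certificate that names only alt.example.com the function returns False, which is exactly the case a client must refuse rather than silently accept.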