Mozilla is out today with its Firefox 32 release, providing users of the open-source Web browser with new security fixes and features. Firefox 32 now provides support for public-key pinning, which enables enhanced security for Secure Sockets Layer (SSL) certificate authenticity.
“Key pinning allows site operators to specify which certificate authorities [CAs] may issue valid certificates for them, rather than accepting any of the many CAs that are trusted,” Sid Stamm, senior engineering manager for security and privacy at Mozilla, explained to eWEEK. “This helps reduce the chance that any CA compromise can be leveraged to issue for the site.”
There have been multiple incidents in the past several years in which CAs were compromised, including incidents at Comodo and, most notably, DigiNotar.
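As an added illustration of the check Stamm describes (this is not Mozilla's code; the byte strings are constructed placeholders standing in for real DER-encoded SubjectPublicKeyInfo blobs), the following Python shows why a chain issued by the pinned CA passes while a chain for the same site from a different, otherwise trusted CA is rejected:

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only what pinning needs."""
    subject: str
    spki_der: bytes  # DER SubjectPublicKeyInfo (constructed placeholder here)


def spki_pin(spki_der: bytes) -> str:
    """A pin is the base64 SHA-256 digest of the SubjectPublicKeyInfo, not of
    the whole certificate, so a renewed cert with the same key still matches."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_pins(chain: List[Cert], pinset: Set[str]) -> Optional[str]:
    """Return the subject of the first chain member whose key matches a pin, or
    None when no cert in the (already trust-validated) chain is pinned. Any
    position may match, so pinning an intermediate CA key is enough to restrict
    which CA may issue for the site."""
    for cert in chain:
        if spki_pin(cert.spki_der) in pinset:
            return cert.subject
    return None


# Constructed sample keys (placeholders for real DER SPKI blobs).
SITE_KEY = b"constructed-spki:example-site-leaf"
GOOD_CA_KEY = b"constructed-spki:intermediate-ca-A"
ROOT_A_KEY = b"constructed-spki:root-ca-A"
BACKUP_KEY = b"constructed-spki:offline-backup-key"  # held offline, not deployed
OTHER_CA_KEY = b"constructed-spki:intermediate-ca-B"
ROOT_B_KEY = b"constructed-spki:root-ca-B"

# The site operator pins its chosen intermediate CA plus an offline backup key.
SITE_PINSET = {spki_pin(GOOD_CA_KEY), spki_pin(BACKUP_KEY)}

# Chain issued by the pinned CA: passes the pin check at the intermediate.
LEGIT_CHAIN = [
    Cert("CN=example.test", SITE_KEY),
    Cert("CN=Intermediate CA A", GOOD_CA_KEY),
    Cert("CN=Root CA A", ROOT_A_KEY),
]

# Chain for the same name from another publicly trusted CA (the CA-compromise
# case): ordinary chain validation accepts it, the pin check does not.
MISISSUED_CHAIN = [
    Cert("CN=example.test", b"constructed-spki:attacker-leaf"),
    Cert("CN=Intermediate CA B", OTHER_CA_KEY),
    Cert("CN=Root CA B", ROOT_B_KEY),
]

if __name__ == "__main__":
    print("legit chain pinned by:", check_pins(LEGIT_CHAIN, SITE_PINSET))
    print("mis-issued chain pinned by:", check_pins(MISISSUED_CHAIN, SITE_PINSET))
```

A browser only consults the pinset after normal chain validation succeeds, so pinning narrows the set of acceptable issuers rather than replacing trust-store checks.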
The new key-pinning feature joins multiple mechanisms used by modern Web browsers to help ensure the integrity and authenticity of SSL certificates. Mozilla has long supported the Online Certificate Status Protocol (OCSP), which is used by the browser to check with a CA on the status of a given certificate. An extension of OCSP is a technique known as OCSP Stapling, which helps accelerate the SSL certificate status-checking process.
Going a step further to help improve security, Firefox 32 removes a number of 1,024-bit trust certificates from the browser.
“1,024-bit RSA keys are no longer considered secure enough for root certificates, and we have phased them out in favor of stronger keys,” Stamm said. “The recent root removals are part of this move to stronger encryption in Firefox.”
In addition to the new security features, Mozilla has issued six security advisories for vulnerabilities that are being patched in Firefox 32. Three of the advisories are rated critical, with all the critical flaws being memory-related vulnerabilities.
Mozilla Foundation Security Advisory (MFSA) 2014-67 details memory-corruption vulnerabilities that could potentially be exploited to run arbitrary code.
Google Chrome Security Team researcher Abhishek Arya is credited with reporting MFSA 2014-68, which is a use-after-free memory error with animated SVG graphics content.
A researcher working with Hewlett-Packard’s Tipping Point Zero Day Initiative (ZDI) is credited by Mozilla for reporting a use-after-free memory issue (identified as MFSA 2014-72) resulting from setting the direction of text on a page.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.