Mozilla today released its Firefox 37 browser, providing users with security patches for 13 different security advisories as well as adding new security and user-experience features.
Among the major new security features is a technology known as opportunistic encryption, which is designed to encrypt potentially sensitive data that would otherwise have been sent unencrypted and in the clear.
“Opportunistic encryption is meant to improve the transport properties of legacy HTTP resources that would otherwise be carried in clear text,” Patrick McManus, platform engineer at Mozilla, told eWEEK. “Any TLS [Transport Layer Security] certificate, including self-signed ones, may be used with opportunistic encryption because it does not enforce authentication. Servers must run either HTTP/2 or SPDY/3.1.”
HTTP/2, the latest generation of the HTTP Web protocol, is largely based on the SPDY protocol first created by Google.
In addition to opportunistic encryption, Firefox 37 also integrates Mozilla’s OneCRL (Certificate Revocation List), which is an effort to make SSL/TLS certificate revocation more effective. During the month of March, Firefox beta users tried out OneCRL, and the feedback was mainly positive, according to Richard Barnes, cryptographic engineering manager at Mozilla. The challenge that OneCRL aims to help solve is that of misissued SSL/TLS certificates. It’s an issue that has occurred several times in the past month with fraudulent certificates issued for Google and Microsoft domains.
Mozilla used OneCRL to remove invalid certificates that were issued earlier this month for Google, Barnes said.
For developers, Firefox 37 now includes an SSL/TLS security tab as part of the network monitor feature in Firefox’s Web developer tools. Firefox browser users have been able to get basic SSL/TLS information for the sites they visit by simply clicking on the browser padlock, since the beginning of the Web era.
Dan Veditz, principal security engineer at Mozilla, explained that the browser padlock only gives the user information about the top-level page. “The network view in developer tools lets a developer check the state of individual sub-resource loads,” Veditz told eWEEK. “The network tool also shows the status of Strict Transport Security and Public Key Pinning for each load, information that is missing from the page info view.”
Security Patches
As part of the Firefox 37 release, Mozilla has issued 13 security advisories, of which four are rated critical. All four are memory-corruption-related security vulnerabilities.
Among the vulnerabilities rated by Mozilla as having moderate impact is an interesting cursor clickjacking flaw identified as CVE-2015-0810.
“Security researcher Jordi Chancel reported a mechanism that made [the] cursor invisible through flash content and then replaced it through the layering of HTML content,” Mozilla warned in its advisory. “This flaw can be in used in combination with an image of the cursor manipulated through JavaScript, leading to clickjacking during subsequent interactions with HTML content.”
Firefox Heartbeat
In addition to the security improvements in Firefox 37, Mozilla is also aiming to improve user experience with a new feedback mechanism called Heartbeat. The tool is a new and complementary feedback mechanism to Mozilla’s existing support and Bugzilla feedback systems.
“Heartbeat is an attempt to expand the feedback funnel and empower users who may not understand how to pass on their feedback to make the product better,” Chad Weiner, director of product management at Mozilla, told eWEEK. “Like a lot of what we do, it’s an experiment that we will refine if it’s not delivering what we expect it to.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.