Mozilla has had a change of heart regarding opportunistic encryption—for now. The company rolled out its open-source Firefox 37 Web browser on March 31, with one of the key new features being a capability known as opportunistic encryption. However, due to a security issue related to opportunistic encryption, Mozilla disabled the feature in the Firefox 37.0.1 update released April 3.
The security issue is located in Mozilla’s HTTP Alternative Services (Alt-Svc) implementation, which is connected to the opportunistic encryption capability.
“If an Alt-Svc header is specified in the HTTP/2 response, Secure Sockets Layer (SSL) certificate verification can be bypassed for the specified alternate server,” Mozilla warned in its security advisory. “As a result of this, warnings of invalid SSL certificates will not be displayed, and an attacker could potentially impersonate another site through a man-in-the-middle (MTIM), replacing the original certificate with their own.”
Opportunistic encryption is designed to encrypt potentially sensitive data that would otherwise have been sent unencrypted and in the clear. The opportunistic encryption capability makes use of the new HTTP/2 protocol, which is the next generation of the HTTP protocol that dominates the Web today.
“Opportunistic encryption is a related but separate feature that depends on Alt-Svc,” Chad Weiner, director of product management at Mozilla, told eWEEK. “Opportunistic encryption was disabled because of its use of Alt-Svc.”
When asked whether the Alt-Svc vulnerability was a protocol problem or just a misconfiguration issue, Weiner explained that the issue is an implementation problem in Firefox Alt-Svc handling. There is currently an Internet Engineering Task Force (IETF) draft of the Alt-Svc approach. According to the IETF abstract, Alt-Svc enables “alternative service for HTTP, which allows an origin’s resources to be authoritatively available at a separate network location, possibly accessed with a different protocol configuration.”
Rather than try and quickly fix the Alt-Svc issue, Weiner said that Mozilla decided that the quickest and safest approach was to disable Alt-Svc.
“We plan to re-enable this feature once we’ve had time to fully investigate the issue,” Weiner said.
It’s not known at this point if Alt-Svc and the associated opportunistic encryption capability will be re-enabled in the Firefox 37 browser or if it will take until Firefox 38 for the feature to re-emerge. Mozilla develops Firefox on an agile rapid release cycle with new major milestone releases approximately every six weeks.
Firefox 38, currently in beta, is scheduled to debut May 12. However, it will be a significant release in that it is set to be the base for the next Firefox Extended Support Release (ESR), which is a version of Firefox that is maintained for approximately one year.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
