Firefox 3 Updates and SSL Blocklist extension

Published: 2011-03-23. Last Updated: 2011-03-23 13:01:43 UTC
by Johannes Ullrich (Version: 1)

On the heels of yesterday's Firefox 4 release, today we got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browser versions for a while after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.

This wouldn't be worth a full diary (usually we just publish a "one liner") if it weren't for one interesting change: Mozilla decided to add some new blocklisted SSL certificates.

SSL certificates are usually considered valid if signed by a trusted certificate authority. My copy of Firefox 4 on a Mac includes certificates from about 80 trusted organizations. If a certificate authority finds out that a certificate was issued by mistake, it may add the bad certificate to a revocation list. Each certificate includes a URL for a revocation list, and the browser may check whether the certificate is listed as revoked.

However, browsers are not required to check revocation lists. In addition, if a certificate authority is compromised, its revocation lists may be compromised as well, since the CA controls what they contain. The blocklist feature in Firefox (the same feature exists in Chrome) lists a small number of specific certificates that the browser will refuse to trust, regardless of what the issuing CA says.

The recent addition is rumored to be due to a compromised certificate authority, which has been used to issue fraudulent certificates. [1] In particular, it is suggested that a certificate for "addons.mozilla.org", the site used to distribute Firefox add-ons, was created using the compromised CA.
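To make the difference between the two mechanisms concrete, here is a small added model (not code from the diary or from Mozilla) of a CA-published revocation list versus a browser-shipped blocklist. Certificates are plain dicts rather than real X.509 objects, and every CA name, URL and serial number below is constructed for the illustration.

```python
"""Toy model of the two checks described above: a CA-published revocation
list (CRL) versus the blocklist the browser ships with. All data is constructed."""
from typing import Callable, Dict, Optional, Set, Tuple

Cert = Dict[str, str]
CertId = Tuple[str, str]          # (issuer, serial) identifies a certificate
CrlFetcher = Callable[[str], Optional[Set[str]]]

def cert_id(cert: Cert) -> CertId:
    return (cert["issuer"], cert["serial"])

def check_certificate(cert: Cert, blocklist: Set[CertId],
                      fetch_crl: CrlFetcher, hard_fail: bool = False) -> str:
    """Return 'blocked', 'revoked', 'unknown' or 'ok'."""
    # 1. Blocklist: shipped with the browser, independent of the issuing CA.
    if cert_id(cert) in blocklist:
        return "blocked"
    # 2. CRL: fetched from the URL embedded in the certificate and controlled
    #    by the CA. A compromised CA can simply leave a bad serial off it.
    crl = fetch_crl(cert["crl_url"])
    if crl is None:
        # Browsers are not required to check revocation; most soft-fail here.
        return "unknown" if hard_fail else "ok"
    return "revoked" if cert["serial"] in crl else "ok"

# Constructed CRLs keyed by distribution-point URL (None = unreachable).
CRLS: Dict[str, Optional[Set[str]]] = {
    "http://crl.compromised-ca.test/ca.crl": set(),   # lists nothing
    "http://crl.honest-ca.test/ca.crl": {"0x2a"},
    "http://crl.offline-ca.test/ca.crl": None,
}

def fetch_crl(url: str) -> Optional[Set[str]]:
    return CRLS.get(url)

# Constructed browser blocklist: the fraudulent cert's (issuer, serial).
BROWSER_BLOCKLIST: Set[CertId] = {("CN=Compromised CA", "0x1f")}

FRAUDULENT_CERT: Cert = {"subject": "CN=addons.mozilla.org",
                         "issuer": "CN=Compromised CA", "serial": "0x1f",
                         "crl_url": "http://crl.compromised-ca.test/ca.crl"}
REVOKED_CERT: Cert = {"subject": "CN=shop.test", "issuer": "CN=Honest CA",
                      "serial": "0x2a",
                      "crl_url": "http://crl.honest-ca.test/ca.crl"}
OFFLINE_CRL_CERT: Cert = {"subject": "CN=bank.test", "issuer": "CN=Offline CA",
                          "serial": "0x07",
                          "crl_url": "http://crl.offline-ca.test/ca.crl"}

if __name__ == "__main__":
    for c in (FRAUDULENT_CERT, REVOKED_CERT, OFFLINE_CRL_CERT):
        print(c["subject"], check_certificate(c, BROWSER_BLOCKLIST, fetch_crl))
```

The fraudulent certificate passes the CRL check because the compromised CA never lists it, and only the blocklist catches it; the certificate whose CRL is unreachable is accepted unless the client insists on a hard-fail revocation check.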

[1] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion

Also see:

https://github.com/ioerror/crlwatch#readme
https://www.eff.org/observatory
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: Firefox ssl

Comments

According to https://wiki.mozilla.org/Releases new Firefox 3.x aren't due until:
Firefox 3.6.16 April 19
Firefox 3.5.18 April 19
The check for updates for my 3.6.15 isn't showing a new version other than 4.0, are you sure these are live releases not betas?
Looks like the Firefox update servers are now up to date, 3.6.16 was just offered. Release notes
http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/
http://www.mozilla.com/en-US/firefox/3.5.18/releasenotes/
