SANS ISC InfoSec Forums
Firefox 3 Updates and SSL Blacklist extension

On the heels of yesterday's Firefox 4 release, today we got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browser versions after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.

This wouldn't be worth a full diary (usually we just publish a "one liner") if it weren't for one interesting change: Mozilla decided to add some new blacklisted SSL certificates.

SSL certificates are usually considered valid if signed by a trusted certificate authority. My version of Firefox 4 on a Mac includes certificates from about 80 trusted organizations. If a certificate authority finds out that a certificate was signed by mistake, it may add the bad certificate to a revocation list. Each certificate includes a URL for a revocation list, and the browser may check whether the certificate is listed as revoked.

However, browsers are not required to check revocation lists. In addition, if a certificate authority is compromised, its revocation lists may be compromised as well. The blacklist feature in Firefox (the same feature exists in Chrome) lists a small number of certificates that the browser will not trust, regardless of who signed them.
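To make the ordering of those checks concrete, here is an added example (not Mozilla's or Chrome's code) that models a browser's trust decision: issuer in the trust store, then the built-in blacklist, then an optional CRL lookup. Everything in it is constructed: the "DER" bytes are placeholders hashed with SHA-256 to stand in for fingerprints, the CRL URLs use the reserved `.invalid` domain, a dictionary simulates CRL fetch results (a missing URL stands for an unreachable distribution point), and signature verification is reduced to an issuer-fingerprint match. The `unlisted_fraud` case shows why the blacklist exists: a certificate from a trusted issuer whose CRL cannot be fetched is accepted under the usual soft-fail behaviour unless it is blacklisted.

```python
"""Model of a browser's certificate trust decision: trust store, built-in
blacklist, then an optional CRL check. Added example, not Mozilla's code;
certificates are simplified records and the 'DER' bytes are constructed
placeholders so the fingerprint logic runs offline."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed placeholder "DER" bytes standing in for a real root certificate.
ROOT_CA_DER = b"constructed-root-ca-certificate"
ROOT_CA_FP = hashlib.sha256(ROOT_CA_DER).hexdigest()

# Trust store: fingerprints of the root certificates the browser ships with.
TRUST_STORE: Set[str] = {ROOT_CA_FP}

# Built-in blacklist keyed by (issuer fingerprint, serial number): refused even
# though the issuer is trusted, which is the Firefox/Chrome mechanism above.
BLACKLIST: Set[Tuple[str, int]] = {(ROOT_CA_FP, 4242)}

# Simulated CRL fetch results: URL -> set of revoked serials. A URL that is
# not listed here stands for an unreachable CRL distribution point.
SIMULATED_CRLS: Dict[str, Set[int]] = {"http://crl.example.invalid/root.crl": {1001}}


@dataclass
class Cert:
    subject: str
    serial: int
    issuer_fp: str                 # fingerprint of the signing CA (stands in for a signature check)
    crl_url: Optional[str] = None  # CRL distribution point, if the certificate carries one


def fetch_crl(url: str) -> Optional[Set[int]]:
    """Return the revoked serials for url, or None when the fetch 'fails'."""
    return SIMULATED_CRLS.get(url)


def validate(cert: Cert, hard_fail: bool = False) -> Tuple[bool, str]:
    """Decide whether cert is trusted; returns (accepted, reason).

    The blacklist is consulted before the CRL, so a blacklisted certificate is
    refused even when its CRL is unreachable or has itself been tampered with.
    """
    if cert.issuer_fp not in TRUST_STORE:
        return False, "issuer not in trust store"
    if (cert.issuer_fp, cert.serial) in BLACKLIST:
        return False, "certificate is blacklisted"
    if cert.crl_url is None:
        return True, "no CRL distribution point; accepted without revocation check"
    revoked = fetch_crl(cert.crl_url)
    if revoked is None:
        # Soft-fail is the common browser behaviour when the CRL cannot be fetched.
        if hard_fail:
            return False, "CRL unreachable; hard-fail refused"
        return True, "CRL unreachable; soft-fail accepted"
    if cert.serial in revoked:
        return False, "serial listed in CRL"
    return True, "trusted issuer, not blacklisted, not revoked"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the four cases that matter and return each outcome by name."""
    crl = "http://crl.example.invalid/root.crl"
    cases = {
        "good": Cert("www.example.invalid", 7, ROOT_CA_FP, crl),
        "revoked": Cert("old.example.invalid", 1001, ROOT_CA_FP, crl),
        "blacklisted": Cert("addons.mozilla.org", 4242, ROOT_CA_FP, crl),
        # Constructed fraudulent certificate whose CRL cannot be fetched: only a
        # blacklist entry would catch it, and here none exists for serial 9999.
        "unlisted_fraud": Cert("addons.mozilla.org", 9999, ROOT_CA_FP,
                               "http://crl.unreachable.invalid/x.crl"),
    }
    return {name: validate(c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'ACCEPT' if ok else 'REFUSE'}  {why}")
```

Passing `hard_fail=True` to `validate` shows the alternative policy: an unreachable CRL then refuses the connection instead of silently accepting it, at the cost of breaking sites whenever the CA's CRL server is down.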

The recent addition is rumored to be due to a compromised certificate authority that has been used to issue fraudulent certificates. [1] In particular, it is suggested that a certificate for "addons.mozilla.org", the site used for Firefox plugins, was created using the compromised CA.


 [1] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion

Also see:

https://github.com/ioerror/crlwatch#readme
https://www.eff.org/observatory
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Johannes

ISC Handler
According to https://wiki.mozilla.org/Releases new Firefox 3.x aren't due until:
Firefox 3.6.16 April 19
Firefox 3.5.18 April 19
The check for updates for my 3.6.15 isn't showing a new version other than 4.0. Are you sure these are live releases, not betas?
Anonymous
Looks like the Firefox update servers are now up to date; 3.6.16 was just offered. Release notes:
http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/
http://www.mozilla.com/en-US/firefox/3.5.18/releasenotes/
Anonymous
