
SANS ISC: Firefox 3 Updates and SSL Blocklist extension SANS ISC InfoSec Forums

Firefox 3 Updates and SSL Blocklist extension

On the heels of yesterday's Firefox 4 release, today we got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.

This wouldn't be worth a full diary (usually we just publish a "one liner") if it weren't for one interesting change: Mozilla decided to add some new blocklisted SSL certificates.

SSL certificates are usually considered valid if signed by a trusted certificate authority. My version of Firefox 4 on a Mac includes certificates from about 80 trusted organizations. If a certificate authority finds out that a certificate was signed by mistake, it may add the bad certificate to a revocation list. Each certificate includes a URL for a revocation list, and the browser may check whether the certificate is listed as revoked.

However, browsers are not required to check revocation lists. In addition, if a certificate authority is compromised, it may lead to compromised revocation lists as well. The black list feature in Firefox (the same feature exists in Chrome) lists a small number of certificates that the browser will not trust.
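The following is an added example, not code from Mozilla or from this diary: a small Python model of the trust decision described above, showing where revocation checking can fail to reject a fraudulent certificate and where a built-in blocklist still does. The blocklist key (issuer plus serial number), the `hard_fail` option, and all names and values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    crl_url: str
    chain_ok: bool  # stands in for real signature/chain validation

# Returns the revoked serial numbers, or None when the list cannot be fetched.
CrlFetcher = Callable[[str], Optional[Set[int]]]

def evaluate(cert: Cert, blocklist: Set[Tuple[str, int]],
             fetch_crl: Optional[CrlFetcher] = None, hard_fail: bool = False) -> str:
    if not cert.chain_ok:
        return "rejected: untrusted issuer"
    # Built-in blocklist: ships with the browser, needs no network and no CA.
    if (cert.issuer, cert.serial) in blocklist:
        return "rejected: blocklisted"
    if fetch_crl is None:          # browser does not check revocation at all
        return "trusted"
    revoked = fetch_crl(cert.crl_url)
    if revoked is None:            # list unreachable
        return "rejected: revocation unknown" if hard_fail else "trusted"
    return "rejected: revoked" if cert.serial in revoked else "trusted"

# Constructed sample data (not real certificates or serial numbers).
FRAUD = Cert("login.example.test", "Example CA", 0x1234, "http://crl.example.test/ca.crl", True)
GOOD = Cert("www.example.test", "Example CA", 0x5678, "http://crl.example.test/ca.crl", True)
BLOCKLIST = {("Example CA", 0x1234)}

def honest_crl(url): return {0x1234}   # CA revoked the certificate
def tampered_crl(url): return set()    # compromised CA omits the entry
def offline_crl(url): return None      # fetch blocked or timed out

def scenarios() -> dict:
    return {
        "no revocation check": evaluate(FRAUD, set()),
        "honest CRL": evaluate(FRAUD, set(), honest_crl),
        "tampered CRL": evaluate(FRAUD, set(), tampered_crl),
        "CRL unreachable": evaluate(FRAUD, set(), offline_crl),
        "CRL unreachable, hard fail": evaluate(FRAUD, set(), offline_crl, hard_fail=True),
        "blocklist + tampered CRL": evaluate(FRAUD, BLOCKLIST, tampered_crl),
        "unrelated cert": evaluate(GOOD, BLOCKLIST, honest_crl),
    }

if __name__ == "__main__":
    print("\n".join(f"{k:28} {v}" for k, v in scenarios().items()))
```

Only the honest-CRL and hard-fail cases reject the certificate through revocation; the blocklist rejects it regardless of what the revocation list says.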

The recent addition is rumored to be due to a compromised certificate authority, which has been used to issue fraudulent certificates. [1] In particular it is suggested that a certificate for "", the site used for Firefox plugins, was created using the compromised CA.




Johannes B. Ullrich, Ph.D.
SANS Technology Institute



4132 Posts
ISC Handler
Mar 23rd 2011
According to new Firefox 3.x aren't due until:
Firefox 3.6.16 April 19
Firefox 3.5.18 April 19
The check for updates for my 3.6.15 isn't showing a new version other than 4.0, are you sure these are live releases not betas?
Looks like the Firefox update servers are now up to date, 3.6.16 was just offered. Release notes
