Firefox 3 Updates and SSL Blocklist extension

Firefox 3 Updates and SSL Blocklist extension
At the heals of yesterday's Firefox 4 release, we today got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version. This wouldn't be worth a full diary (usually we just publish a "one liner") if it wouldn't be for one interesting change: Mozilla decided to add some new blocklisted SSL certificates. SSL certificates are usually considered valid if signed by a trusted certificate authority. My version of Firefox 4 on a Mac includes certificates from about 80 trusted organizations. If a certificate authority finds out tht a certificate was signed by mistake, they may add the bad certificate to a revocation list. Each certificate includes a URL for a revocation list, and the browser may check if the certificate is listed as revoked. However, browsers are not required to check revocation lists. In addition, if a certificate authority is compromised, it may lead to compromised revocation lists as well. The black list feature in Firefox (same feature exists in Chrome) lists a small number of certificates that the browser will not trust. The recent addition is rumored to be due to a compromised certificate authority, which has been used to issue fraudulent certificates. [1] In particular it is suggested that a certificate for "addons.mozilla.org", the site used for Firefox plugins, was created using the compromised CA. [1] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion Also see: https://github.com/ioerror/crlwatch#readme https://www.eff.org/observatory http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates ------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022	Johannes 4479 Posts ISC Handler Mar 23rd 2011
Thread locked Subscribe	Mar 23rd 2011 1 decade ago
According to https://wiki.mozilla.org/Releases new Firefox 3.x aren't due until: Firefox 3.6.16 April 19 Firefox 3.5.18 April 19 The check for updates for my 3.6.15 isn't showing a new version other than 4.0, are you sure these are live releases not betas?	Anonymous
Quote	Mar 23rd 2011 1 decade ago
Looks like the Firefox update servers are now up to date, 3.6.16 was just offered. Release notes http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/ http://www.mozilla.com/en-US/firefox/3.5.18/releasenotes/	Anonymous
Quote	Mar 23rd 2011 1 decade ago

At the heals of yesterday's Firefox 4 release, we today got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.

This wouldn't be worth a full diary (usually we just publish a "one liner") if it wouldn't be for one interesting change: Mozilla decided to add some new blocklisted SSL certificates.

SSL certificates are usually considered valid if signed by a trusted certificate authority. My version of Firefox 4 on a Mac includes certificates from about 80 trusted organizations. If a certificate authority finds out tht a certificate was signed by mistake, they may add the bad certificate to a revocation list. Each certificate includes a URL for a revocation list, and the browser may check if the certificate is listed as revoked.

However, browsers are not required to check revocation lists. In addition, if a certificate authority is compromised, it may lead to compromised revocation lists as well. The black list feature in Firefox (same feature exists in Chrome) lists a small number of certificates that the browser will not trust.

The recent addition is rumored to be due to a compromised certificate authority, which has been used to issue fraudulent certificates. [1] In particular it is suggested that a certificate for "addons.mozilla.org", the site used for Firefox plugins, was created using the compromised CA.

[1] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion

Also see:

https://github.com/ioerror/crlwatch#readme
https://www.eff.org/observatory
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

Johannes

4479 Posts
ISC Handler

Mar 23rd 2011

According to https://wiki.mozilla.org/Releases new Firefox 3.x aren't due until:
Firefox 3.6.16 April 19
Firefox 3.5.18 April 19
The check for updates for my 3.6.15 isn't showing a new version other than 4.0, are you sure these are live releases not betas?

Anonymous

Looks like the Firefox update servers are now up to date, 3.6.16 was just offered. Release notes
http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/
http://www.mozilla.com/en-US/firefox/3.5.18/releasenotes/

Anonymous