Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Firefox Encryption Mozilla Security

Mozilla To Support Public Key Pinning In Firefox 32 90

Trailrunner7 writes: Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which would be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla's own sites, all of the sites pinned in Google Chrome and several Twitter sites. Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. The function essentially ties a public key, or set of keys, issued by known-good certificate authorities to a given domain. So if a user's browser encounters a site that's presenting a certificate that isn't included in the set of pinned public keys for that domain, it will then reject the connection. The idea is to prevent attackers from using fake certificates in order to intercept secure traffic between a user and the target site.
This discussion has been archived. No new comments can be posted.

Mozilla To Support Public Key Pinning In Firefox 32

Comments Filter:
  • by MobyDisk ( 75490 ) on Friday August 29, 2014 @04:54PM (#47787055) Homepage

    Sorry! I'm totally wrong! The corporate MITM will work just fine once it is updated:

    The UA will not be able to detect and thwart a MITM attacking the
          UA's first connection to the host. (However, the requirement that
          the MITM provide an X.509 certificate chain that can pass the UA's
          validation requirements, without error, mitigates this risk
          somewhat.) Worse, such a MITM can inject its own PKP header into the
          HTTP stream, and pin the UA to its own keys. To avoid post facto
          detection, the attacker would have to be in a position to intercept
          all future requests to the host from that UA.

  • Good idea (Score:3, Insightful)

    by Anonymous Coward on Friday August 29, 2014 @04:54PM (#47787061)

    Lets patch an inherently broken system with another inherently broken system that does not scale and will cause a whole new range of unwanted side-effects and problems.

  • Please... (Score:5, Insightful)

    by Anonymous Coward on Friday August 29, 2014 @04:58PM (#47787081)

    What ever public-key pinning is. How about a stable 64-bit version for Windows, and actually fix the bugs in their software (yeah, Thunderbird too) that have been actively open for *years* instead of wasting time a mobile OS that nobody uses, and features that aren't really relevant. Hell, just working on the things that are broken might fix the issues they're pushing through as new features.

  • by Kethinov ( 636034 ) on Friday August 29, 2014 @05:18PM (#47787167) Homepage Journal

    When will Firefox support killing CPU-hogging tabs individually?

    That's the only killer feature from Chrome I'm waiting for to switch back to Firefox.

    In Chrome, if I've got 50 tabs open (not uncommon) and one of them starts spiking my CPU, I can pull open Activity Monitor (on OS X) and kill the "Google Chrome Helper" that's eating all the CPU.

    That kills the one tab that was the problem, not the whole browser. And lets me reload it when I actually care about that tab again.

    I haven't found a similar way to imitate this workflow in Firefox.

    The whole noscript / flashblock / adblock / etc approach hasn't worked. Tried it with Firefox, still had constant CPU issues after whitelisting sites I need JS or Flash turned on for, still had no way to kill runaway processes individually.

  • by Anonymous Coward on Friday August 29, 2014 @05:25PM (#47787209)

    They are too busy ruining the user interface and removing customization features to actually copy any of the good features of Chrome.

  • by diamondmagic ( 877411 ) on Friday August 29, 2014 @06:32PM (#47787559) Homepage

    Why does the list have to be hardcoded? Why not pull the records from DNSSEC... there's a whole specification for this, RFC6698 [ietf.org]

Any sufficiently advanced technology is indistinguishable from a rigged demo.