Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Firefox Bug Encryption Mozilla Security

Mozilla Rolls Back Firefox 37's Opportunistic Encryption Over Security Issue 42

darthcamaro writes: Barely a week ago, Mozilla released Firefox 37, which had a key new feature called opportunistic encryption. The basic idea is that it will do some baseline encryption for data that would have otherwise been sent by a user via clear text. Unfortunately, Mozilla has already issued Firefox 37.0.1, which removes opportunistic encryption. A security vulnerability was reported in the underlying Alternative Services capability that helps to enable opportunistic encryption. "If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle, replacing the original certificate with their own." They plan to re-enable opportunistic encryption when this issue is investigated and fixed.
This discussion has been archived. No new comments can be posted.

Mozilla Rolls Back Firefox 37's Opportunistic Encryption Over Security Issue

Comments Filter:
  • were have I read about that recently? Oh yeah, Hillary Clinton's "disappeared" email server with it's self-signed cert. Running Exchange 2010 MitM might not be very easy, but when you've got an entire country funding you (China, NK, Russia, etc) nothing like that is actually impossible.
  • Before integrating all the newest protocols, how about fixing decades old bugs to basic functions, like printing...? Since forever, when you print https pages, firefox will print the first, and last one, and nothing in between.(it's not on all https pages, but it's on enough that it's a major anyoance) Other browsers have no problems with the same pages, so it's a FF problem. Bugs related to this have been opened since 2004, 11 years ago! And again, you get answer to the bug to the likes of "we got too
    • If mozilla is looking for money, how about allowing us to pay, say, 40$ for one year where we get the privileges that the bugs we report are actually WORKED on?

      Given their record, there's no way in hell I'd pay them for any bugs they haven't already fixed.

      I would make a simple donation, but that won't happen until they start listening to the users, and take firefox in a sane direction again, so I don't anticipate it happening any time soon. Regardless, I'm not rewarding bad behavior. Right now they seem to be spending most of their time shitting up Firefox, I'm not paying for that.

    • by Anonymous Coward

      For several years, Mozilla was getting about $700,000. a DAY from Google. They were rolling in money, and all they did was screw up the browser more and more.

      Source: computerworld.com [computerworld.com]

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...