Mozilla Halts Rollout of Firefox 65 on Windows Platform After Antivirus Issue (zdnet.com) 112
Mozilla has halted the rollout of v65 update to Firefox browser on Windows platform after learning about an issue with certain antivirus products. Users of Firefox 65, an update which was released last week, reported seeing "Your connection is not secure" error warnings when visiting popular sites. From a report: The issue mostly affected Firefox 65 users running AVG or Avast antivirus. The message appeared when users visited an HTTPS website and stated the 'Certificate is not trusted because the issuer is unknown' and that 'The server might not be sending the inappropriate intermediate certificates'.
The problem, reported on Mozilla's bug report page and first spotted by Techdows, is due to the HTTPS-filtering feature in Avast and AVG antivirus. Avast owns AVG. The bug prevented users from visiting any HTTPS site with Firefox 65. To limit the impact on users, Mozilla decided to temporarily halt all automatic updates on Windows. In the meantime, Avast, which owns AVG, released a new virus engine update that completely disabled Firefox HTTPS filtering in Avast and AVG products. HTTPS filtering remains enabled on other browsers.
Re: (Score:1)
So, you willingly fucked Creimer?
Even I can't scrape the bottom of that barrel. And I used to work in porn.
Avast's fault of doing MITM (Score:5, Insightful)
https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/
Why anybody would think that allowing an AV provider to scan all their traffic including bank traffic by extension, is more "secure" - is beyond me.
Re: (Score:2)
The problem isn't what they are doing, but how they are implementing it.
Is it a Man In the Middle Attack, or is it port forwarding?
The biggest problem with IT Security, is a lot of the hacks and tricks have valid uses as well, and normally whenever such a hack has been shown to cause a greater problem, another tool in your toolbox is tossed out... Often without a good replacement.
Re: (Score:2)
normally whenever such a hack has been shown to cause a greater problem, another tool in your toolbox is tossed out... Often without a good replacement.
I feel that way about politics -- hacks causing greater problems, no good replacements.
Re: (Score:2)
The software is already running in the kernel. If the software was malicious, you're already screwed. MITM doesn't make it worse IMO.
Re: (Score:2)
Re: (Score:1)
I was referring to their antivirus software in general. If the WebShield part isn't a kernel component, I stand corrected.
Re: Avast's fault of doing MITM (Score:1)
Antivirus software intercepts file opens; there is no mitigation to their control of your device
Re: (Score:2)
Man in the middle is not automatically bad, if you trust the man in the middle. If the third party called Microsoft did this then everyone would be happy, but because it's a different third party then it's bad. Even the kernel is a man in the middle here. How else do you scan the data between a browser and the internet without a man-in-the-middle? You could alter the browser, but assume that you can't.
Re: (Score:3)
Re: (Score:3)
They should implement it as a browser plug-in. Problem is that all the major browsers block their plug-ins now because local plug-in installation was widely abused. Now they only allow installation via the user clicking to accept within the browser itself, and apparently that's not a good enough user experience for AV companies.
Re: (Score:2)
Do browser plug-ins have this level of access?
Re: (Score:2, Insightful)
Basically avast and co are doing a MITM attack to scan the content of https traffic
Last I checked, when one program deliberately breaks functionality of another program to accomplish its purpose, it was more correctly called malware or a virus.
Re: Avast's fault of doing MITM (Score:1)
I thought it's called a bug if it's not intended
Re: (Score:3)
To be fair, to the extent they can offer any protection against attack from javascript to browser they would have to pull this sort of trick. Replacing certificate with either a trusted or untrusted one so long as the CA private key is unique per endpoint and the software correctly validates before passing it on. It is of course ugly as hell, but at least not crazy bad in security.
Of course, on the practical side I'd want to see some examples of them actually doing anything on that front. Compared to 'do
Re:Avast's (and others) fault of doing MITM (Score:2, Insightful)
I agree. If anything, Mozilla should not accept Avast's (and all others' - because there aren't a zillion ways to scan HTTPS traffic) fake MITM certificates, but change the error message explaining the user's choice, limited by the current state of technology: Either their AV provider gets cleartext access to all their HTTPS traffic, or their HTTPS traffic won't be scanned.
Some sites could start using Mutual Authentication, with their own CA, since this will make the MITM fail. I've encountered this when wor
Re: (Score:1)
They probably want a general solution for all HTTPS traffic.
Re: (Score:1)
One person's attack is another person's security
Which is fine, if they're the same person/org :-)
You're effectively telling the vast majority of them to completely disable their antivirus to access your site. Why?
Because we're requiring mutual SSL, with the client cert and privkey on the electronic ID chip, so that citizens don't get into each other's tax, pension etc. files.
When the antivirus impersonates the server, the SSL/TLS session will fail when mutual SSL is in use, because
---(from RFC 5246)---
Certificate Verify
[...]
This message is used to provide explicit verification of a client
certificate. [...] handshake_messages refers to all handshake messages sent or
received, starting at client hello and up to, but not including,
this message [...] This is the concatenation of all the
Handshake structures (as defined in Section 7.4) exchanged thus
far.
---cut here--
https://tools.ietf.org/html/rfc5246#section-7.4.8
Because it uses all handshake messages so far, the client and the server will calculate different versions, because the server will have a calculation involving its own REAL certificate/key and the client will calculate using the FAKE cert/key from the MITM.
So the connection fails with a technically correct but terribly unhelpful message to the user.
The solution is not to try and subvert a well-designed mechanism, and implement a different scanning technique.
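The CertificateVerify mismatch described in the comment above, as an added example that is not part of the original post: the client signs its view of the handshake, the server checks the signature against its own view, and a substituted server certificate makes the two views differ. The message strings, certificate names and the toy textbook-RSA key are constructed assumptions, and the model changes only the Certificate message between the two views.

```python
import hashlib

# Toy textbook-RSA key standing in for the private key on the eID chip
# (constructed for this demo: two Mersenne primes, no padding; not for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed sample Certificate messages: what the real server sends, and what
# an HTTPS-filtering product would substitute on the client's side.
REAL_CERT = b"Certificate|CN=tax.example|issuer=PublicCA"
FAKE_CERT = b"Certificate|CN=tax.example|issuer=LocalFilterRoot"


def transcript_digest(messages):
    """SHA-256 over the concatenation of all handshake messages so far."""
    h = hashlib.sha256()
    for msg in messages:
        h.update(msg)
    return int.from_bytes(h.digest(), "big") % N


def certificate_verify(client_view):
    """Client: sign its own view of the handshake with the client key."""
    return pow(transcript_digest(client_view), D, N)


def server_accepts(server_view, signature):
    """Server: the signature must match the handshake the server itself saw."""
    return pow(signature, E, N) == transcript_digest(server_view)


def handshake(cert_seen_by_client, cert_sent_by_server):
    # Simplification: only the server Certificate differs between the two
    # views; a real interception also changes randoms and key exchange.
    head = [b"ClientHello|rand=c1", b"ServerHello|rand=s1"]
    tail = [b"CertificateRequest", b"ServerHelloDone",
            b"Certificate|client-eid-cert", b"ClientKeyExchange"]
    signature = certificate_verify(head + [cert_seen_by_client] + tail)
    return server_accepts(head + [cert_sent_by_server] + tail, signature)


def demo():
    return {"direct": handshake(REAL_CERT, REAL_CERT),
            "intercepted": handshake(FAKE_CERT, REAL_CERT)}


if __name__ == "__main__":
    print(demo())
```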
Why use Avast? (Score:4, Insightful)
Why anybody would think that allowing an AV provider to scan all their traffic including bank traffic by extension, is more "secure" - is beyond me.
Perhaps someone knows more about Avast and AVG than I do but I fail to see any meaningful advantage in them over the built in security software in Windows. Like so much AV software they just seem to slow things down and gum up the works while providing little real protection in the process for a lot of money. What are they doing that anyone actually needs?
Thank you Captain Obvious! (Score:2)
Sometimes, one product is better than another.
Now if you would only clarify under what circumstances a reasonable person might consider Avast or AVG to actually be the better option you would actually have answered the question that was asked.
Re: (Score:2)
In theory they can block dangerous downloads before they even hit your hard drive, block malicious Javascript, and block access to "bad" sites. They often have some kind of phishing detection for webmail built in too.
All stuff you can get for free elsewhere, e.g. most browsers have site blocklists enabled by default, decent webmail will detect and at least warn about potential phishing etc. I'm sure the AV companies would claim that they do a better job and have more coverage, and I suppose to be fair they
Re: (Score:2)
I agree. Avast absolutely beats my system down. And when AVG was new, it was good, but it started using up the whole system ages ago. I went back to just using the Mickeysoft stuff, which for some reason doesn't do that even though it seems to actually work pretty well according to independent tests.
Re: (Score:2)
Re: (Score:2)
I went with Avast when I had a rootkit that the expensive anti-malware system I had failed to find. Avast found it quickly and it left my computer much more responsive than the big-name variant. I haven't seen any real slowdown since.
I put it on my mother's computer because she's much more virus prone because she clicks on everything that promises to save her money or stop Hillary. And on her computer which is not as beefy it has a detectable slowdown, but the advantage is that it catches more things
Re: (Score:1)
>Basically avast and co are doing a MITM attack
That's kind of a dumb way to put it considering that antivirus products are ultimately MITM software intercepting syscalls, scanning disk and network io, etc in order to do its job. Presumably users want that to occur since they installed the antivirus software to begin with. If it wasn't for the fact that Mozilla maintains its own certificate store instead of just using the OS's (like every other non-Mozilla based browser on the market) then this problem wo
Re: (Score:2)
Basically avast and co are doing a MITM attack to scan the content of https traffic :
And so do many corporations. How anyone didn't see this coming is beyond me. There's legitimate reasons to MITM something providing you have trust in that man who is in the middle.
Re: (Score:2)
I was complaining about this in another thread just last week [slashdot.org].
It would sure be nice if these companies like Mozilla and Google would show a little more consideration for organizations,
especially enterprises who are deploying their product, and stop making such high risk changes without considering the ramifications -- and testing appropriately in real-world environments.
Historically; it seems like Microsoft was the only browser developer sensitive to issues managing the deployment and
Re: (Score:2)
Historically Microsoft products are the main target of viruses and other unwanted issues, abandoning this monoculture is one way to avoid being in the group of low hanging fruit for the scammers. Looking a little further back MS was the main instigator of non-standard browsers (IE6)
Yet I'm not agreeing with MS to go Chromium.
Re: (Score:2)
Corporations have an IT department and are in a much better position than private users to check and approve of browser updates, this does not need to take many days or even longer.
You said approve. That isn't a solution. What we have here is an update that changed a functionality delivered in a take it or leave it approach without central management and declining it results in security gaps.
Regardless of how competent your IT department is, the only way to win this game is not to play it with Mozilla.
Re: (Score:2)
What is supposed to be the problem with Firefox? It seems they are doing exactly what they're supposed to which is flagging that shitty AV software is doing a man in the middle attack on your traffic
Mozilla needs to take bugs seriously (Score:3)
Re: (Score:1)
Please think before you shill. Pale Moon and Waterfox also have Firefox's old bugs, and also haven't resolved them.
Bugs? (Score:5, Insightful)
There are bugs that haven't been fixed for decades and they regularly WONTFIX many bugs.
A lot of things that people think are bugs are really just design decisions they don't prefer. While Firefox is certainly not perfect I don't see any of the other browsers being meaningfully better about dealing with their faults.
It's time Mozilla stops drinking the Chrome-aid and listen to its users for once.
Has it occurred to you that maybe they are? Believe it or not, people have different opinions about what they want out of Firefox. Just because they don't agree with some vocal users doesn't mean they aren't listening to the others as well. If you don't like their choices you have other browsers that you can use and that's totally fine.
Until Mozilla does, use Waterfox or Pale Moon.
Yeah they don't really solve any problems for me and they create some new ones. If they work for you that's great.
Re: (Score:2)
There are bugs that haven't been fixed for decades and they regularly WONTFIX many bugs.
A lot of things that people think are bugs are really just design decisions they don't prefer. While Firefox is certainly not perfect I don't see any of the other browsers being meaningfully better about dealing with their faults.
Exactly. For example, Firefox 65 dropped support for the preference "browser.urlbar.suggest.history.onlyTyped" -- only suggest URLs that were actually typed -- saying the behavior was "not-so-useful" [mozilla.org] (and, apparently, because their "typed implementation is a mess"), while *I* found it extremely useful.
Re: (Score:3)
Has it occurred to you that maybe they are [listening to their users]? Believe it or not, people have different opinions about what they want out of Firefox.
Mozilla's bugzilla installation has a feature where people can vote on bugs (i.e. express their interest in getting a bug fixed or feature implemented), and this feature of the bug tracker has been there for 15+ years.
I can't remember the last time a bug with lots of votes was resolved.
In fact, I can't remember the last time a bug that was filed by a non-developer got resolved.
Here is a list of currently open bugs with at least 100 votes. [mozilla.org]
(My memory might be playing tricks on me, but I remember there being m
Feature requests are not (necessarily) bugs (Score:4, Insightful)
Mozilla's bugzilla installation has a feature where people can vote on bugs
Nice but popular does not necessarily equal important. As Henry Ford once said, "if I asked my customers what they wanted they would say 'a faster horse'."
I can't remember the last time a bug with lots of votes was resolved.
There is some survivorship bias in play there. Bugs with lots of votes are necessarily the ones that don't get resolved. That doesn't necessarily mean they are the most important things to resolve and those will tend to be bugs that get resolved before they get a lot of votes. So you are going to tend to see items with a lot of votes be items that have some sort of following but not generally high priority problems.
Furthermore most of the items on the list you linked to are not really bugs. They are feature requests. Nothing wrong with those but it's hardly surprising that many feature requests will tend to get ignored. A product cannot be all things to all people and remain useful.
In fact, I can't remember the last time a bug that was filed by a non-developer got resolved.
Presumably you can look this information up. Bear in mind that the VAST majority of non-developers do not and never will file bug reports. And just because someone does file a bug report does not make their opinion magically more important. Listening to customers involves far more than just watching the bug report list.
Re: (Score:2)
In that terminology, 'intermediate' does not refer to a MITM intermediate, but instead if your server cert is signed by a subordinate CA that is in turn signed by a really trusted authority. For example, Let's Encrypt certs at least at one point *required* that the servers offer up the full chain, since the server cert was not directly signed by any authority installed in the browsers.
Re: (Score:1)
That's not the quibble. Look at the word inappropriate in conjunction with "might not be sending". So is the message indicating that the server should send an inappropriate intermediate certificate for proper functionality?
Re: (Score:2)
Oh, whoops, yeah that is an... interesting phrasing...
66b4 (Score:2)