Mozilla is planning to add support for public-key pinning in its Firefox browser in an upcoming version. In version 32, which will be the next stable version of the browser, Firefox will have key pins for a long list of sites, including many of Mozilla’s own sites, all of the sites pinned in Google Chrome and several Twitter sites.
Public-key pinning has emerged as an important defense against a variety of attacks, especially man-in-the-middle attacks and the issuance of fraudulent certificates. In the last few years Google, Mozilla and other organizations have discovered several cases of attackers using fraudulent certificates for high-value sites, including Gmail. The mechanism essentially ties a public key, or set of keys, from known-good certificate authorities to a given domain. If a user’s browser then encounters that domain presenting a certificate chain that contains none of the public keys pinned for it, the browser rejects the connection. The idea is to prevent attackers from using fake certificates to intercept secure traffic between a user and the target site.
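The check described above, written out as an added example (this is not Mozilla's or Chromium's code): a pin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the browser keeps a built-in table of pins per domain, and after ordinary chain validation it accepts the connection only if some key in the presented chain hashes to one of those pins. The SPKI byte strings, the `example.com` pinset and the `PinEntry`/`lookup_pins`/`chain_passes_pins` names are all constructed for the example.

```python
from __future__ import annotations
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (a real
# implementation hashes the SPKI bytes pulled out of each X.509 certificate).
GOOD_LEAF_SPKI = b"constructed-spki:good-leaf-key"
GOOD_CA_SPKI = b"constructed-spki:known-good-intermediate-ca"
ROGUE_LEAF_SPKI = b"constructed-spki:fraudulent-leaf-key"
ROGUE_CA_SPKI = b"constructed-spki:unpinned-ca"


def spki_pin(spki_der: bytes) -> str:
    """A pin is the SHA-256 of the SPKI, base64-encoded (the Chrome/HPKP form)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinEntry:
    pins: frozenset              # acceptable SPKI hashes for this domain
    include_subdomains: bool = True


# Built-in pinset keyed by domain; constructed example data, not a real pinset.
PINSETS: Dict[str, PinEntry] = {
    "example.com": PinEntry(frozenset({spki_pin(GOOD_LEAF_SPKI), spki_pin(GOOD_CA_SPKI)})),
}


def lookup_pins(host: str, pinsets: Dict[str, PinEntry]) -> Optional[PinEntry]:
    """Exact match first, then parent domains whose entry covers subdomains."""
    host = host.lower().rstrip(".")
    if host in pinsets:
        return pinsets[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        entry = pinsets.get(".".join(labels[i:]))
        if entry is not None and entry.include_subdomains:
            return entry
    return None


def chain_passes_pins(host: str, chain_spkis: Iterable[bytes],
                      pinsets: Dict[str, PinEntry] = PINSETS) -> bool:
    """Pin check applied after ordinary certificate validation has succeeded.

    Passes when any key in the presented chain (leaf, intermediate or root)
    hashes to a pin for the domain. Domains without pins are unaffected.
    """
    entry = lookup_pins(host, pinsets)
    if entry is None:
        return True
    return any(spki_pin(spki) in entry.pins for spki in chain_spkis)


if __name__ == "__main__":
    legit = [GOOD_LEAF_SPKI, GOOD_CA_SPKI]
    mitm = [ROGUE_LEAF_SPKI, ROGUE_CA_SPKI]  # well-formed chain from an unpinned CA
    print("legit chain:", chain_passes_pins("mail.example.com", legit))  # True
    print("rogue chain:", chain_passes_pins("mail.example.com", mitm))   # False
```

The rogue chain in the usage block is the DigiNotar-style case: a certificate that passes normal validation because a trusted CA issued it, yet is rejected because none of its keys is pinned for the domain. Pinning the intermediate rather than only the leaf is what lets a site rotate leaf keys without updating the pinset.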
That kind of attack has happened a number of times in recent years, most notably in the case of DigiNotar, a Dutch CA that was compromised by attackers, who then issued fraudulent certificates for several major sites, including Google and Yahoo domains. That attack was a large-scale compromise of the CA, and eventually led to the company going out of business. But the first indications of the problem came from Chrome users in Iran, whose browsers detected a certificate for Gmail that was being used as part of a MITM attack. The attackers who compromised DigiNotar were able to issue a valid wildcard certificate for *.google.com, giving them immense power to intercept traffic to Google domains. The public-key pinning in Chrome helped detect the attack.
In the next few versions of Firefox, Mozilla will gradually add a number of domains to Firefox’s public-key pinning list, beginning with Firefox 32.
“Firefox 32 and later has the ability to enforce built-in pinsets, or mappings of public key information to domains,” the Mozilla security engineering wiki page says.
The first pinset will include all of the sites in the Chromium pinset used by Chrome, along with Mozilla sites and high-value sites such as Facebook. Later versions will add pins for Twitter, a long list of Google domains, Tor, Dropbox and other major sites.
“Firefox 32 and above supports built-in pins, which means that the list of acceptable certificate authorities must be set at time of build for each pinned domain. Pinning is enforced by default. Sites may advertise their support for pinning with the Public Key Pinning Extension for HTTP, which we hope to implement soon. Pinned domains include addons.mozilla.org and Twitter in Firefox 32, and Google domains in Firefox 33, with more domains to come. That means that Firefox users can visit Mozilla, Twitter and Google domains more safely,” Monica Chew of Mozilla wrote.
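The Public Key Pinning Extension for HTTP mentioned in the quote lets a site send its own pins in a `Public-Key-Pins` response header instead of waiting for a browser build. As an added example (not Mozilla's implementation), the block below parses that header's directive syntax as defined in RFC 7469 and applies the rules a browser must check before remembering the pins: the header counts only if the connection's already-validated chain matches one of its pins, and it must carry a backup pin that matches nothing in the current chain. Raising `ValueError` on a malformed pin is a design choice for the example; a browser would silently discard the header. The SPKI byte strings, the example header, the `reports.example.test` URI and the function names are constructed.

```python
from __future__ import annotations
import base64
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


def spki_pin(spki_der: bytes) -> str:
    """SHA-256 of the SPKI, base64-encoded, as carried in a pin-sha256 directive."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class HpkpHeader:
    pins: frozenset
    max_age: int
    include_subdomains: bool = False
    report_uri: Optional[str] = None


def parse_hpkp(header: str) -> HpkpHeader:
    """Parse a Public-Key-Pins header value (RFC 7469 directive syntax)."""
    pins, max_age, include_sub, report_uri = set(), None, False, None
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            # A pin must be a base64 SHA-256 digest: exactly 32 decoded bytes.
            if len(base64.b64decode(value, validate=True)) != 32:
                raise ValueError("pin-sha256 is not a 32-byte digest")
            pins.add(value)
        elif name == "max-age":
            if not value.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "report-uri":
            report_uri = value
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        raise ValueError("max-age is required")
    return HpkpHeader(frozenset(pins), max_age, include_sub, report_uri)


@dataclass(frozen=True)
class NotedPins:
    pins: frozenset
    expires_at: int
    include_subdomains: bool


def note_pins(header: HpkpHeader, chain_spkis: Iterable[bytes],
              now: int) -> Tuple[str, object]:
    """Decide whether a browser may remember the pins from a received header.

    Returns ("noted", NotedPins), ("cleared", None) for max-age=0, or
    ("ignored", reason). Pins are trusted only when the validated chain of the
    delivering connection matches one of them, and a backup pin that matches
    no key in that chain must also be present.
    """
    if header.max_age == 0:
        return "cleared", None
    chain_pins = {spki_pin(s) for s in chain_spkis}
    if len(header.pins) < 2:
        return "ignored", "fewer than two pins"
    if not header.pins & chain_pins:
        return "ignored", "no pin matches the validated chain"
    if header.pins <= chain_pins:
        return "ignored", "no backup pin"
    return "noted", NotedPins(header.pins, now + header.max_age, header.include_subdomains)


# Constructed example: a site pins its leaf key plus an offline backup key.
LEAF_SPKI = b"constructed-spki:site-leaf-key"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
CA_SPKI = b"constructed-spki:issuing-ca"
EXAMPLE_HEADER = (
    f'pin-sha256="{spki_pin(LEAF_SPKI)}"; pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
    'max-age=5184000; includeSubDomains; report-uri="https://reports.example.test/hpkp"'
)

if __name__ == "__main__":
    action, detail = note_pins(parse_hpkp(EXAMPLE_HEADER), [LEAF_SPKI, CA_SPKI], now=1_700_000_000)
    print(action, detail)
```

The backup-pin rule is the operational safeguard: a site that pins only the key currently in use and then loses or rotates it would lock its own users out for `max-age` seconds, so the browser refuses to note a policy without a second, unmatched pin.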