Firefox 32 Debuts With Public-Key Pinning, Several Security Fixes

Mozilla has released Firefox 32, the latest version of its browser, which now supports public-key pinning and also includes fixes for several critical security vulnerabilities.

The move to support public-key pinning is an important one for Firefox, as it helps protect users against man-in-the-middle attacks that rely on forged certificates. The feature binds a set of public keys that have been issued by a known-good certificate authority to a given domain. If the user visits a site protected by public-key pinning that presents a public key that’s not inthe known set, the browser will reject the TLS connection.

In Firefox 32, Mozilla has implemented a limited pinset, which includes several Twitter domains–twitter.com, api.twitter.com, mobile.twitter.com and others–as well as the Mozilla add-ons site and the Mozilla CDN site. In future releases, the company will add the Google Chromium pinset, *.twitter.com. Tor and Dropbox, among others.

Public Key Pinning helps ensure that people are connecting to the sites they intend. It allows site operators to specify which CAs issue valid certificates for them, rather than accepting any one of the hundreds of built-in root certificates that ship with Firefox. If any certificate in the verified certificate chain corresponds to one of the known good (pinned) certificates, Firefox displays the lock icon as normal,” Mozilla’s Sid Stamm said. “When the root cert for a pinned site does not match one of the known good CAs, Firefox will reject the connection with a pinning error. This type of error can also occur if a CA mis-issues a certificate. In this way, key pinning can be used by sites to add another layer of trust to their servers’ deployment of TLS.

Among the vulnerabilities fixed in Firefox 32 are two critical use-after-free flaws and a series of memory safety bugs. There also are three less-severe vulnerabilities patched in this release. One of the use-after-free flaws was discovered by a member of Google’s internal security team.

“Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a use-after-free during cycle collection. This was found in interactions with the SVG content through the document object model (DOM) with animating SVG content. This leads to a potentially exploitable crash,” the Mozilla advisory says.

The full list of flaws fixed in Firefox 32 includes:

MFSA 2014-72 Use-after-free setting text directionality

MFSA 2014-71 Profile directory file access through file: protocol

MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline

MFSA 2014-69 Uninitialized memory use during GIF rendering

MFSA 2014-68 Use-after-free during DOM interactions with SVG

MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)

 

Suggested articles