Mozilla has released Firefox 37, and along with the promised addition of the OneCRL certificate revocation list, the company has included a feature that enables opportunistic encryption on connections for servers that don’t support HTTPS.
The new feature gives users a new defense against some forms of monitoring and doesn’t require any setup from users. When Web servers are configured correctly to provide a specific response header, Firefox will begin sending requests to the indicated encrypted port rather than in cleartext to port 80. Opportunistic encryption isn’t a replacement for SSL, as it’s not authenticated, but it can provide a alternative for organizations that can’t migrate fully to HTTPS for one reason or another.
“OE provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text. This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial,” Patrick McManus of Mozilla wrote in a post explaining the new feature.
“When the browser consumes that response header it will start to verify the fact that there is a HTTP/2 service on port 443. When a session with that port is established it will start routing the requests it would normally send in cleartext to port 80 onto port 443 with encryption instead. There will be no delay in responsiveness because the new connection is fully established in the background before being used. If the alternative service (port 443) becomes unavailable or cannot be verified Firefox will automatically return to using cleartext on port 80.”
Mozilla announced last month that Firefox 37 would include the OneCRL feature, a consolidated certificate-revocation list that is designed to simplify the process of revoking bad or otherwise problematic certificates. Mis-issued, expired and malicious certificates have become a serious problem for both users and browser vendors, especially in the last few years as attackers have been targeting certificate authorities and stealing legitimate certificates from organizations. Having the ability to revoke bad certificates quickly is essential for protecting users, and Mozilla officials say the OneCRL feature will improve that process for Firefox users.
“Firefox already has a mechanism for periodically checking for things that may harm users called blocklisting. OneCRL extends the blocklist to include certificates which should be revoked in addition to the errant add-ons, plugins and buggy graphics drivers currently included. This lets users get the benefit of fresh revocation information without having to update or restart their browser,” Mark Goodwin of Mozilla said.
Along with OneCRL and opportunistic encryption, Firefox 37 also includes patches for a number of security vulnerabilities, four of which are critical. Two of the critical vulnerabilities are use-after-free bugs, one is the result of some memory corruption crashes and the last is a batch of memory safety issues. There also is a patch for a same-origin bypass in Firefox that’s related to an older, similar bug.
“Mozilla developer Olli Pettay reported that while investigating Mozilla Foundation Security Advisory 2015-28, he and Mozilla developer Boris Zbarsky found an alternate way to trigger a similar vulnerability. The previously reported flaw used an issue with SVG content navigation to bypass same-origin policy protections to run scripts in a privileged context. This newer variant found that the same flaw could be used during anchor navigation of a page, allowing bypassing of same-origin policy protections,” the Mozilla advisory says.