Naked Security

Firefox issues brand new update to fix HTTPS security hole in new update

Firefox 37.0 added support for a security-enhancing feature in HTTP/2 known as Alternative Services. Unfortunately, the new feature had a rather bad HTTPS security hole all of its own...

Mozilla recently published its scheduled release of Firefox 37.0.

That was a pre-planned “fortytwosday” release, as we’ve taken to calling them.

They come out on Tuesdays, just like patches from Microsoft and Adobe, but rather than appearing on the same Tuesday every month, they come out every six weeks.

That means the updates wander through the calendar months, lunar style, over the course of a year.

And, yes, this is a nod to Douglas Adams and the HHGttG, because six weeks just happens to be 42 days.

Firefox 37.0 introduced support for HTTP/2, the not-quite-finalised-yet update to the venerable HTTP protocol.

Currently, almost all web servers speak a dialect of HTTP known as HTTP/1.1, first standardised as RFC2068 in January 1997.

That standard was updated by RFC2616 in June 1999, and you’ll still hear “RFC2616” and “HTTP/1.1” used synonymously, even though the official specification was updated in June 2014.

Following the truism that “nothing ever gets simpler,” RFC2616 was obsoleted by not one, but six separate standards documents running from RFC7230 to RFC7235:

But HTTP/2 is coming, some time soon, and one of the things it offers is a feature called HTTP Alternative Services, abbreviated to Alt-Svc.

At the moment, if you want to redirect visitors to your website somewhere else, you send a special sort of HTTP reply to tell them to do just that.

As we do, for example, if you browse to http://nakedsecurity.sophos.com/:

We tell your browser to try again, connecting instead via HTTPS, the secure version of HTTP.

We use HTTPS because you get encryption, which means no-one sitting nearby in the coffee shop can see what you’re reading.

Even though the content of our website isn’t secret, there’s something appealing about not letting other people get an unnecessary sniff at your interests.

Additionally, we use HTTPS because you get authentication, which means you can be pretty certain that the security advice you’re getting came from us, and not some shabby imposter who wants to use our good name to talk you into bad practices.

With HTTP/2, Alternative Services deal with redirections and alternative ways to get to your site.

So, with a special header in the reply from your web server, you can cleanly deal with all sorts of redirects, such as moving visitors to temporary servers during maintenance, or shifting unencrypted traffic over to an encrypted connection instead.

Unfortunately, Mozilla’s brand-new support for HTTP/2 included a brand-new bug, documented in Mozilla Foundation Security Advisory 2015-44.

A security researcher worked out a way to bypass HTTPS certificate validation if a web server redirected you via the Alt-Svc header.

That’s very bad, and here’s why.

If you had a phishing site that pretended to be yourbank.example, and handled HTTP connections directly, you’d have difficulty presenting a legitimate-looking connection.

You’d either have to use HTTP and hope your victims wouldn’t notice the lack of a secure connection, or use HTTPS and hope they wouldn’t notice the certificate warnings telling them that you probably weren’t the lawful owner and operator of the yourbank.example domain.

Some users would probably end up getting tricked anyway, but well-informed users ought to spot the ruse at once, and remove themselves from harm’s way.

But this Alt-Svc bug could be used by crooks to redirect victims to a secure connection (thus making the connection “look right”) without producing a certificate warning to say that the site looked like an imposter.

In other words, even a well-informed user might accept a phishing site as the real thing.
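The check a browser has to make before sending traffic to an Alt-Svc alternative can be sketched as follows. This is an added example, not code from the original article or from Mozilla; it assumes the header syntax of the Alt-Svc specification (later published as RFC 7838), and the TLS handshake results, the `PRESENTED` table and every host name other than yourbank.example are constructed for illustration.

```python
import re

# protocol-id="[host]:port", then optional ;param=value pairs up to the next comma.
_ALT = re.compile(r'\s*([^\s=,;"]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')

def parse_alt_svc(value):
    """Parse an Alt-Svc header value into a list of dicts ([] for 'clear')."""
    if value.strip() == "clear":
        return []
    alternatives = []
    for proto, authority, params in _ALT.findall(value):
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue  # malformed alternative: skip it
        entry = {"proto": proto, "host": host.lower(), "port": int(port), "ma": None}
        for param in params.split(";"):
            key, _, val = param.partition("=")
            if key.strip() == "ma" and val.strip().isdigit():
                entry["ma"] = int(val)  # freshness lifetime in seconds
        alternatives.append(entry)
    return alternatives

def cert_covers(hostname, san_dns_names):
    """True if a certificate DNS name matches hostname (left-most wildcard only)."""
    hostname = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_dns_names):
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.partition(".")[2] == name[2:]:
            return True
    return False

def usable_alternatives(origin_host, header_value, presented):
    """Return the (host, port) alternatives a client may use for https://origin_host.

    presented maps (host, port) to (chain_trusted, san_dns_names), standing in
    for the handshake. The certificate is matched against the ORIGIN host name,
    never the alternative's own name: Alt-Svc only changes where the bytes go.
    """
    accepted = []
    for alt in parse_alt_svc(header_value):
        endpoint = (alt["host"] or origin_host, alt["port"])  # empty host = same host
        chain_trusted, sans = presented.get(endpoint, (False, []))
        if chain_trusted and cert_covers(origin_host, sans):
            accepted.append(endpoint)
    return accepted

# Constructed sample data (hypothetical hosts and handshake results).
HEADER = 'h2="alt.yourbank.example:8443"; ma=3600, h2="cdn.other.example:443", h2=":443"'
PRESENTED = {
    ("alt.yourbank.example", 8443): (True, ["yourbank.example", "*.yourbank.example"]),
    ("cdn.other.example", 443): (True, ["cdn.other.example"]),  # valid only for itself
    ("yourbank.example", 443): (False, ["yourbank.example"]),   # untrusted chain
}
```

Only the first alternative survives: the second presents a perfectly valid certificate, but for its own name rather than the origin's, and the third has the right name on a chain the client does not trust.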

The good news is that the bug was quickly found, and just as quickly dealt with, with Firefox 37.0.1 coming out over the Easter weekend. (Technically, the bug wasn’t fixed, just turned off along with Alternative Services support.)

Even though HTTP/2 isn’t yet finalised, and very few legitimate servers actually use it in real life, it is already supported by popular web servers such as Apache and Nginx, and by Microsoft’s IIS (Internet Information Services) in Windows 10 Preview.

So crooks who want to use HTTP/2, perhaps in the hope of exploiting bugs in the comparatively new code that supports it in the major browsers, are free to do so.

In short, if you’re a Firefox user, make sure you’ve got 37.0.1.

→ Go to the About Firefox menu item to force an update check. Use the [Show Update History] button on the Preferences | Advanced | Update page to check whether you’ve got the latest version.