Mozilla has disabled the opportunistic encryption feature in its Firefox browser after a flaw was discovered in the browser’s implementation of HTTP Alternative Services.
The move came days after Mozilla introduced the feature in Firefox 37 in late March. On April 3, it disabled the feature in the Firefox 37.0.1 update. According to a security advisory, a researcher discovered that if an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result, warnings of invalid SSL certificates would not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MTIM) attack, replacing the original certificate with their own, the advisory states.
According to the Internet Engineering Task Force’s (IETF) draft document, HTTP Alternative Services “allow an origin’s resources to be authoritatively available at a separate network location, possibly accessed with a different protocol configuration.”
“OE [opportunistic encryption] provides unauthenticated encryption over TLS for data that would otherwise be carried via clear text,” blogged Patrick McManus of Firefox March 27. “This creates some confidentiality in the face of passive eavesdropping, and also provides you much better integrity protection for your data than raw TCP does when dealing with random network noise. The server setup for it is trivial.”
In this case, a web server is telling a browser that an encrypted version of a web site is available somewhere else, said Rapid7 Engineering Manager Tod Beardsley. The idea is that if content providers can make their content available in encrypted form, and let browsers know where to find it, users don’t have to do anything special in order to enjoy a minimum level of encryption, he said.
“Now, this is truly a minimal level — there is no authentication guarantee with OE,” he said. “But, in the case where nobody cares about endpoint identity, then it’s a pretty good measure to defend against widespread, passive eavesdropping.”
“There are a couple caveats to be mentioned here,” he explained. “One, the web server must be configured to support the Alternative Services (ALTSVC) specification, which means there needs to be action from each individual website operator in order to make this work. Arguably, this is easier than rolling out both full-blown TLS with a real certificate authority and instrumenting your existing site to forward along the usual way.”
“Second, there really is no authentication,” he continued. “An attacker can easily plant an ALTSVC directive in a hijacked, plain-text HTTP response, and redirect a victim browser to basically anything he cared to do. Now, an attacker could have done this before, anyway — after all, that’s the price you pay with HTTP’s total lack of authentication — and OE doesn’t stop this focused attack. This is why it’s being described as strictly a defense against passive listeners, and not as a defense against an active, man-in-the-middle attacker.”
Firefox 38 is scheduled for release in May.