
Firefox boosts protection vs. rogue SSL certificates


Mozilla is aiming to protect users of its Firefox browser from rogue SSL certificates by adding support for public key pins, effectively creating a whitelist of acceptable certificate authorities.
 
In a blog post, Mozilla's Sid Stamm said the first batch of protected domains includes addons.mozilla.org and Twitter, with Google in the next batch.
 
"That means that Firefox users will be even safer when visiting Mozilla and Twitter (and soon, Google)," Stamm said.
 
Also, Stamm said sites may advertise their support for pinning with the Public Key Pinning Extension for HTTP, which Mozilla plans to implement soon.
 
Public Key Pinning allows site operators to specify which CAs issue valid certificates for them, instead of accepting any one of the built-in root certificates that ship with Firefox.
 
"If any certificate in the verified certificate chain corresponds to one of the known good (pinned) certificates, Firefox displays the lock icon as normal. When the root cert for a pinned site does not match one of the known good CAs, Firefox will reject the connection with a pinning error. This type of error can also occur if a CA mis-issues a certificate. In this way, key pinning can be used by sites to add another layer of trust to their servers’ deployment of TLS," Stamm said.
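The decision rule described in that quote, and the header-based variant mentioned earlier, as an added example that is not Mozilla's code or taken from the article. It models a pin the way the Public Key Pinning Extension for HTTP (RFC 7469) does, as the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, and it uses constructed byte strings in place of real DER-encoded keys so it runs offline. The function and constant names are this example's own; `should_note_pins` applies the RFC's conditions (a `max-age`, one pin matching the chain, one backup pin not matching it) before a browser would store pins advertised by a site.

```python
import base64
import hashlib
import re

# Constructed stand-ins for SubjectPublicKeyInfo (SPKI) blobs. Real pins hash
# the DER-encoded SPKI of a certificate; any distinct byte string plays that
# role here so the example runs with no certificates or network.
ROOT_CA_SPKI = b"constructed-spki:pinned-root-ca"
INTERMEDIATE_SPKI = b"constructed-spki:pinned-root-ca/intermediate"
LEAF_SPKI = b"constructed-spki:leaf-for-example.test"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
OTHER_ROOT_SPKI = b"constructed-spki:other-trusted-root-ca"


def spki_pin(spki: bytes) -> str:
    """A pin as HPKP (RFC 7469) encodes it: base64 of the SHA-256 of the SPKI."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def evaluate_connection(chain_spkis, pinned, chain_valid=True):
    """Decide the outcome for a pinned host, following the behaviour quoted above.

    chain_spkis: SPKIs of the chain the server presented, leaf first.
    pinned:      the set of known-good pins for this host.
    chain_valid: whether ordinary path validation against the root store passed.
    """
    if not chain_valid:
        # Ordinary certificate error; pinning never makes a bad chain acceptable.
        return "certificate error"
    if any(spki_pin(spki) in pinned for spki in chain_spkis):
        # Some certificate in the verified chain matches a pin: lock icon as normal.
        return "ok"
    # A chain the root store trusts but no pin matches, e.g. a certificate
    # mis-issued by a CA the site never authorised.
    return "pinning error"


_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def parse_public_key_pins(header_value: str) -> dict:
    """Parse a Public-Key-Pins header value into its pins and directives."""
    result = {"pins": set(_PIN_RE.findall(header_value)),
              "max_age": None, "include_subdomains": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip('" ').isdigit():
            result["max_age"] = int(value.strip('" '))
        elif name.lower() == "includesubdomains":
            result["include_subdomains"] = True
    return result


def should_note_pins(chain_spkis, header_value: str) -> bool:
    """Apply RFC 7469's conditions before a UA may store ("note") pins from a header.

    The header must carry max-age, at least one pin must match the presented
    chain, and at least one pin must NOT match it (a backup pin), so a site
    cannot pin itself into a state it can no longer recover from.
    """
    parsed = parse_public_key_pins(header_value)
    if parsed["max_age"] is None or not parsed["pins"]:
        return False
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    matching = parsed["pins"] & chain_pins
    backup = parsed["pins"] - chain_pins
    return bool(matching) and bool(backup)


if __name__ == "__main__":
    chain = [LEAF_SPKI, INTERMEDIATE_SPKI, ROOT_CA_SPKI]
    pins = {spki_pin(ROOT_CA_SPKI), spki_pin(BACKUP_SPKI)}
    print(evaluate_connection(chain, pins))            # ok
    print(evaluate_connection([LEAF_SPKI, OTHER_ROOT_SPKI], pins))  # pinning error
    header = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
              % (spki_pin(ROOT_CA_SPKI), spki_pin(BACKUP_SPKI)))
    print(should_note_pins(chain, header))             # True
```

The second call in the usage block is the mis-issuance case from the article: the chain validates against a root the browser trusts, but none of its certificates matches a pin, so the connection is rejected with a pinning error rather than shown with a lock icon.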
 
A separate article on PC World said the aim is to prevent attacks similar to the one that targeted Gmail users and affected Google in 2011.
 
In that incident, a Dutch certificate authority was either tricked or hacked, issuing a valid SSL certificate that would work for a Google domain.
 
"In theory, that allowed the hackers to set up a fake website that looked like Gmail and didn’t trigger a browser warning of an invalid SSL certificate. Security experts have long warned that attacks targeting certificate authorities are a threat," PC World said. — Joel Locsin/TJD, GMA News