Less than a week after it made Firefox 37 available for download, Mozilla is pulling one of the security features it implemented.
Mozilla is urging users to update again, this time to Firefox 37.0.1. The newly enabled opportunistic encryption feature, which encrypts HTTP traffic when the server advertises an alternative service via the HTTP/2 Alt-Svc mechanism, was meant to bring “more encryption to the web.” In practice it brings less, because it breaks SSL certificate validation.
“Security researcher Muneaki Nishimura discovered a flaw in Mozilla’s HTTP Alternative Services implementation,” the company explained in an advisory.
“If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own.”
A quick patch was evidently not judged sufficient to fix this problem, and Mozilla has rightly decided to disable the feature for now and investigate the issue in depth.
Firefox users are advised to update to the latest release as soon as possible.