world of internet security, latest cyber security news,information,updates on technology,it job vacancies,internet security,breaches,and safeguards

Friday 10 April 2015

Firefox issues brand new update to fix HTTPS security hole in HTTP/2 support


Mozilla recently published its scheduled release of Firefox 37.0. That was a pre-planned "fortytwosday" release, as we've taken to calling them. They come out on Tuesdays, just like patches from Microsoft and Adobe, but rather than appearing on the same Tuesday every month, they come out every six weeks.
That means the updates wander through the calendar months, lunar style, over the course of a year.
And, yes, this is a nod to Douglas Adams and the HHGttG, because six weeks just happens to be 42 days.

Firefox 37.0 introduced support for HTTP/2, the not-quite-finalised-yet update to the venerable HTTP protocol. Currently, almost all web servers speak a dialect of HTTP known as HTTP/1.1, first standardised as RFC2068 in January 1997. That standard was updated by RFC2616 in June 1999, and you'll still hear "RFC2616" and "HTTP/1.1" used synonymously, even though the official specification was updated in June 2014. Following the truism that "nothing ever gets simpler," RFC2616 was obsoleted by not one, but six separate standards documents running from RFC7230 to RFC7235:

RFC7230: Message Syntax and Routing
RFC7231: Semantics and Content
RFC7232: Conditional Requests
RFC7233: Range Requests
RFC7234: Caching
RFC7235: Authentication

Alongside HTTP/2, Firefox 37.0 also switched on Alternative Services (Alt-Svc), a companion mechanism (still an IETF draft at the time) that lets a web server tell the browser about other ways to reach the same site.
So, with a special Alt-Svc header in the reply from your web server, you can cleanly deal with all sorts of redirects, such as moving visitors to temporary servers during maintenance, or shifting unencrypted traffic over to an encrypted connection instead. Unlike an ordinary HTTP redirect, though, the address bar keeps showing the original site, which is exactly why the browser must insist that the alternative server presents a certificate valid for the original site's name, not merely for its own.
Unfortunately, Mozilla's brand-new support for HTTP/2 included a brand-new bug, documented in Mozilla Foundation Security Advisory 2015-44.
A security researcher worked out a way to bypass HTTPS certificate validation if a web server redirected you via the Alt-Svc header. That's very bad, and here's why. If you had a phishing site that pretended to be yourbank.example, and handled HTTP connections directly, you'd have difficulty presenting a legitimate-looking connection. You'd either have to use plain HTTP and hope your victims wouldn't notice the lack of a secure connection, or use HTTPS and hope they wouldn't notice the certificate warnings telling them that you probably weren't the lawful owner and operator of the yourbank.example domain.
Some users would probably end up getting tricked anyway, but well-informed users ought to spot the ruse at once, and remove themselves from harm's way. This Alt-Svc bug, however, could be used by crooks to steer victims onto a secure connection (thus making the connection "look right") without producing a certificate warning to say that the site looked like an imposter.

In other words, even a well-informed user might accept a phishing site as the real thing.
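The following is an added example (not Mozilla's code, and not a reconstruction of the actual Firefox defect) showing what a client has to do with an Alt-Svc header: parse the alternatives, and then, before trusting any of them, check that the certificate the alternative presents covers the origin's hostname rather than the alternative's own. The `validate_against_alt_host` switch models the class of mistake the advisory describes; the header and the certificate names are constructed for the demo.

```python
"""Alt-Svc parsing plus the one check that makes it safe: the alternative's
certificate must be valid for the ORIGIN's hostname, not for its own.

Added example (not Mozilla's code). Header grammar follows the Alternative
Services spec as drafted in 2015 (later RFC 7838). Sample header and
certificate names below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote

# alt-value = protocol-id "=" <"> alt-authority <"> *( OWS ";" OWS parameter )
_ALT_VALUE = re.compile(r'([A-Za-z0-9%.!$&+^_|~-]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')


@dataclass
class AltService:
    protocol: str          # ALPN id, e.g. "h2"
    host: str              # "" means "same host as the origin"
    port: int
    max_age: int = 86400   # seconds; the spec's default is 24 hours
    persist: bool = False


def _split_authority(authority: str) -> Tuple[str, int]:
    """'[host]:port' -> (host, port). Host may be empty or a bracketed IPv6 literal."""
    if authority.startswith("["):
        end = authority.index("]")
        host, rest = authority[1:end], authority[end + 1:]
        if not rest.startswith(":"):
            raise ValueError(authority)
        port_s = rest[1:]
    else:
        host, sep, port_s = authority.rpartition(":")
        if not sep:
            raise ValueError(authority)
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(authority)
    return host, int(port_s)


def parse_alt_svc(header: str) -> List[AltService]:
    """Parse an Alt-Svc field value into its alternatives, in order.

    'clear' tells the client to forget every cached alternative and yields [].
    A malformed entry is skipped instead of poisoning the whole header.
    """
    if header.strip().lower() == "clear":
        return []
    alts: List[AltService] = []
    for m in _ALT_VALUE.finditer(header):
        try:
            host, port = _split_authority(m.group(2))
        except ValueError:
            continue
        alt = AltService(unquote(m.group(1)), host, port)
        for raw in m.group(3).split(";"):
            if "=" not in raw:
                continue
            key, val = (s.strip().strip('"') for s in raw.split("=", 1))
            if key.lower() == "ma" and val.isdigit():
                alt.max_age = int(val)
            elif key.lower() == "persist":
                alt.persist = val == "1"
        alts.append(alt)
    return alts


def cert_covers(hostname: str, san_dns_names: List[str]) -> bool:
    """RFC 6125-style name match: exact, or a single wildcard in the leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            h_labels, n_labels = host.split("."), name.split(".")
            if len(n_labels) >= 3 and h_labels[1:] == n_labels[1:]:
                return True
    return False


def accept_alternative(origin_host: str, alt: AltService, san_dns_names: List[str],
                       *, validate_against_alt_host: bool = False) -> bool:
    """May a TLS connection to `alt` carry traffic for origin_host?

    Correct rule: the certificate on that connection must cover the ORIGIN
    hostname, whichever host the alternative lives on. validate_against_alt_host
    checks the alternative's own name instead: an assumed model of the mistake
    class behind MFSA 2015-44, not a reconstruction of the real Firefox bug.
    """
    name = (alt.host or origin_host) if validate_against_alt_host else origin_host
    return cert_covers(name, san_dns_names)


if __name__ == "__main__":
    ORIGIN = "yourbank.example"
    # Constructed: what a phishing HTTP/1.1 server posing as yourbank.example could send.
    header = 'h2="evil.example:443"; ma=600, h2=":443"'
    for alt in parse_alt_svc(header):
        # Constructed SANs: the crook can hold a perfectly valid cert for evil.example.
        san = ["evil.example"] if alt.host else ["yourbank.example", "*.yourbank.example"]
        print(f"{alt.host or ORIGIN}:{alt.port}  origin-name rule -> "
              f"{accept_alternative(ORIGIN, alt, san)}  alt-name rule -> "
              f"{accept_alternative(ORIGIN, alt, san, validate_against_alt_host=True)}")
```

Run it and the `evil.example:443` alternative is rejected under the origin-name rule but accepted under the alt-name rule, which is the whole attack in one line: a crook with a real certificate for a domain they do own gets a padlock for a domain they don't. A real client also has to honour `ma` expiry, only use protocols it actually speaks, and fall back to the origin when the alternative fails.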
The good news is that the bug was quickly found, and just as quickly dealt with, with Firefox 37.0.1 coming out over the Easter weekend. (Technically, the bug wasn't fixed so much as neutralised: 37.0.1 simply turned Alternative Services support off again.)
Even though HTTP/2 isn't yet finalised, and very few legitimate servers actually use it in real life, support for it is already available or well under way for popular web servers such as Apache and Nginx, and it is supported by Microsoft's IIS (Internet Information Services) in the Windows 10 Preview.
So crooks who want to use HTTP/2, perhaps in the hope of exploiting bugs in the comparatively new code that supports it in the major browsers, are free to do so.
In short, if you're a Firefox user, make sure you've got 37.0.1. (Help > About Firefox shows the version you're running and triggers an update check if you're behind.)
