New Firefox offers MITM protection via public key pinning
Posted on 03 September 2014.
Mozilla has released the latest version of Firefox (v32) for Windows, Mac, Linux, and Android, and the new browser sports some notable security improvements.

For one, the new version has public key pinning support enabled.

"Public Key Pinning is a mechanism for sites to specify which certificate authorities have issued valid certs for that site, and for user-agents to reject TLS connections to those sites if the certificate is not issued by a known-good CA. Public key pinning prevents man-in-the-middle attacks due to rogue CAs not on the site's list," the company explained, adding that the lack of enabled pinning support in Firefox is why the rogue SSL certificates created after the DigiNotar attack went undetected.

For now, the list of pinned sites includes Twitter and some of its subdomains, and Mozilla's own sites. Future versions will pin additional Twitter online assets, Google's, Dropbox, Firefox Accounts and the Tor website.
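The check the article describes, as an added Python example that is not Firefox's code: a static pinset maps a host (and optionally its subdomains) to the SHA-256 hashes of the SubjectPublicKeyInfo of its known-good CAs, and a TLS chain is accepted only if some certificate in it matches one of those pins, so a chain issued by a rogue CA outside the list is rejected. Host names, key blobs and pins are constructed for the example; a real pin hashes the DER-encoded SPKI of the actual certificate.

```python
import base64
import hashlib

# Constructed sample blobs standing in for DER-encoded SubjectPublicKeyInfo structures.
GOOD_CA_SPKI = b"constructed-spki-of-the-site's-legitimate-CA"
ROGUE_CA_SPKI = b"constructed-spki-of-a-rogue-but-browser-trusted-CA"
LEAF_SPKI = b"constructed-spki-of-the-site-leaf-certificate"


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SPKI DER)), the form used by browser pinsets and HPKP."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Built-in pinset, modelled on a browser's static list:
# host -> (include_subdomains, set of acceptable pins). Entries are constructed.
PINSET = {
    "example-pinned.test": (True, {spki_pin(GOOD_CA_SPKI)}),
}


def pins_for_host(host, pinset=PINSET):
    """Return the pins that apply to host, walking up parent domains for entries
    that cover subdomains. Returns None when the host is not pinned at all."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = pinset.get(".".join(labels[i:]))
        if entry is None:
            continue
        include_subdomains, pins = entry
        if i == 0 or include_subdomains:
            return pins
    return None


def chain_is_pinned_ok(host, chain_spkis, pinset=PINSET):
    """Pinning decision, applied after ordinary path validation has succeeded:
    an unpinned host is accepted; a pinned host is accepted only if at least one
    SPKI in the chain (leaf, intermediate or root) matches a pin. A chain built
    entirely under a rogue CA matches nothing and is rejected."""
    pins = pins_for_host(host, pinset)
    if pins is None:
        return True
    return any(spki_pin(spki) in pins for spki in chain_spkis)
```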

Secondly, the company has removed some 1024-bit root certificates from its trust list (digital certificates that use 1024-bit RSA keys are no longer considered safe), and thirdly, three critical, two high and one moderate security vulnerabilities have been fixed.

This latest version also has other performance improvements, a list of which you can check out here.

