Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Firefox The Internet

Firefox Will Soon Warn Users of Software That Performs MitM Attacks (zdnet.com) 79

The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user's HTTPS traffic. From a report: The new feature is expected to land in Firefox 66, Firefox's current beta version, scheduled for an official release in mid-March. The way this feature works is to show a visual error page when, according to a Mozilla help page, "something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox." An error message that reads "MOZILLA_PKIX_ERROR_MITM_DETECTED" will be shown whenever something like the above happens.
This discussion has been archived. No new comments can be posted.

Firefox Will Soon Warn Users of Software That Performs MitM Attacks

Comments Filter:
  • by The-Ixian ( 168184 ) on Friday February 01, 2019 @11:23AM (#58055500)

    Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

    On the bright side, users will learn quickly when Superfish style shenanigans are going on.

    Overall, I like the idea. In practice, I am thinking this is going to cause more pain than pleasure....

    • by Anonymous Coward

      Yes you're right, even common consumer AV performs SSL inspection by default (eg. Kaspersky), this surely will give some headhaches even to home end users... But it's definitely a useful feature.

    • by Ol Olsoc ( 1175323 ) on Friday February 01, 2019 @11:53AM (#58055640)

      Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.

      Hehe, you aren't kidding.They'll have to find a different way to keep track of where their employees are going.

      In practice, I am thinking this is going to cause more pain than pleasure....

      Pain can be a way of alerting you to problems.

      • Nope. They will simply ban the use of Firefox and force their employees to use
        Edge.
      • by Anonymous Coward

        This generally isn't used to track where they're going, but rather what they are downloading (or uploading) once they get there. You can track where people are going using SNI [wikipedia.org].

    • In the few Fortune 50 Companies I have worked with, no Firefox. They stick with IE, for only God knows why.
      • In the few Fortune 50 Companies I have worked with, no Firefox. They stick with IE, for only God knows why.

        Two words: Group Policy

        Chrome also has GP support for their Enterprise version of Chrome.

        Last I checked (which was a while ago) there was only 3rd party GP templates for Firefox.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Firefox added group policy support with the release of ESR version 60, including official templates [github.com].

          You can enable enterprise roots through this, which causes firefox to read the Windows certificate store.

    • by Anonymous Coward

      The main problem with the entire X.509 system that I have, is that it just assumes everyone at the organization that makes your browser and where you get it from, is trustworthy.

      What good is a certificate from an "authority" that I have never met in person, let alone got to know enough to decide if they are trustworthy?
      What good is an "authority" just shoved down my throat by a browser maker that I have never met in person, let alone got to know enough to decide if the people there are trustworthy? (Or the

    • I am thinking this is going to cause more pain than pleasure...

      "Was she told when she was young that pain would lead to pleasure?"

  • by QuietLagoon ( 813062 ) on Friday February 01, 2019 @11:30AM (#58055530)
    Would also be nice if Firefox would check/verify TLSA/DANE is a domain/site uses it. There was a plug-in (DNSSEC/TLSA Validator [dnssec-validator.cz]) that performed this task, but the developers gave up on Firefox back when the API changed.
    • YES exactly TLSA/DANE is the answer here but sadly apart from national Security agencies...

      if only mozilla actually built a browser around security...

      TLSA/DANE effectively declares the TLS/SSL cert you should expect so you can use it even through a proxy

      • ... if only mozilla actually built a browser around security... ...

        .

        That's my hope as well. Mozilla talks up security, but does not implement one available security aspect (TLSA/DANE).

  • The linked article has no technical details.

    How does the browser know when the certificate isn't the "right" one? Presumably, the false certificate's root is installed as valid on the system. Will this warning come up any time a page is viewed that relies on a non-bundled root certificate?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Because it contacts a third party server which also looks at the website's certificate. If the certificate that your browser is presented with has a different fingerprint than the one their server sees, an error is flagged.

      See also the CheckMyHTTPS add-on for Chrome and Firefox

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        In other words, Firefox will send a list of all sites you're visiting to a third party server under the pretext of "security". Riiiiiight.

      • by zekica ( 1953180 )
        It won't: see my comment [slashdot.org].
      • That does not appear to be how it works. From reading the patch [mozilla.org]: if it fails to connect to the Firefox update service then it records the issuer of the cert that the update service presented. Then, if a future TLS connection fails with an unrecognized issuer and the unrecognized issuer matches the issuer that was recorded from the update service, then it displays the MITM error instead of the unrecognized issuer error.

        (The code is here [searchfox.org] and here [searchfox.org].)

        The check piggy-backs on one of Firefox's existing phone home

    • It's right in the summary! :
      "The way this feature works is to show a visual error page"

    • by zekica ( 1953180 )
      From the actual bug report [mozilla.org] and commit in HG [mozilla.org]: it appears that this is only a new error page that appears instead of SEC_ERROR_UNKNOWN_ISSUER when Mozilla's update service [mozilla.org] detects a non-built-in cert.

      So: this error will only appear if the current version displays unknown issuer error, and mozilla's update service detects that it has a MitM proxy.
  • How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?

    • Re:ISPs? (Score:4, Informative)

      by TechyImmigrant ( 175943 ) on Friday February 01, 2019 @11:42AM (#58055586) Homepage Journal

      How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?

      It's not mitm. That why TFA is so confusing. The attack involves changes to your trust list.

      • Most of the time it is MITM, by method of adding a new cert to your trust list. I know because my company does this and I have to add these certs to Firefox since it doesn't use the Windows cert store. Without the cert, they can't MITM your traffic and you just can't access any websites through firefox until the MITM cert is trusted.

        • That's why it isn't MITM. An essential part of it takes place at one end using privilege not available to a MITM.

          • It is a MITM in this case, a corporate-sponsored and condoned one. It's not the ISP doing it, but it's still the textbook definition of a MITM attack. A third party between the user and their requested destination that is decrypting and obtaining their network traffic.

    • By adding their own certificate to the trusted root signers list on your device. ISPs seldom try this sort of thing because it requires modifying configuration for all user devices, but it's very common in the business and education network areas, where the IT administrators can do that quite easily. It's the only way to properly monitor and filter internet access, which is a requirement in all schools and most offices: If IT could not monitor and filter their users, they wouldn't be able to provide interne

  • They're adding a feature to prevent a "Trusted Man-in-the-Middle" being setup by an application, or by your company.

    I wish they would think about this a little more carefully.... This is likely to lead to Firefox being put back on many companies' "Banned Browser List"

    • Prevent? No. Make more complicated? Yes. You will probably have to install certs manually. But if you don't have a way to deliver files to your clients, and run commands on them, then you aren't in charge of those machines anyway.

      • It doesn't even do that much. The only thing this feature does is, if an MITM is detected, to change the text on the "unrecognized issuer" error page. You won't see the MITM detected error except in situations where you would otherwise be getting an unrecognized issuer error. You're just getting a slightly nicer error message.

        'Trusted' MITM already requires you to install the MITM cert manually to avoid getting unrecognized issuer errors on every page load.

  • All I want to know is how to get rid of the three extraneous bars which appear below the address bar when I start typing an address. First started in version shitty 65 (it was forced on me at work) and the documentation for it doesn't say what these bars are for.

  • there was a post about a M$ manager who was badmouthing Mozilla. [slashdot.org]

    Mozilla/Firefox makes a product that I truly believe puts the user's interests first. This particular goal is an example of the philosophy. As long as Firefox does stuff like this, I don't care if it is 0.1% of the browser market, I will use it. F M$ and google and their browsers. I use intentionally use those companies' other services and products as little as possible and will continue to do so for as long as I can.

  • ... to a warning about a "Man in the Middle" issue will be to tell their son to stop standing in front of the WiFi. (sigh)

The 11 is for people with the pride of a 10 and the pocketbook of an 8. -- R.B. Greenberg [referring to PDPs?]

Working...