Firefox Will Soon Warn Users of Software That Performs MitM Attacks (zdnet.com)
The Firefox browser will soon come with a new security feature that will detect and then warn users when a third-party app is performing a Man-in-the-Middle (MitM) attack by hijacking the user's HTTPS traffic. From a report: The new feature is expected to land in Firefox 66, Firefox's current beta version, scheduled for an official release in mid-March. The way this feature works is to show a visual error page when, according to a Mozilla help page, "something on your system or network is intercepting your connection and injecting certificates in a way that is not trusted by Firefox." An error message that reads "MOZILLA_PKIX_ERROR_MITM_DETECTED" will be shown whenever something like the above happens.
Will have to be done carefully (Score:5, Insightful)
Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.
On the bright side, users will learn quickly when Superfish style shenanigans are going on.
Overall, I like the idea. In practice, I am thinking this is going to cause more pain than pleasure....
Re: (Score:1)
Yes, you're right. Even common consumer AV performs SSL inspection by default (e.g. Kaspersky); this surely will give some headaches even to home end users... But it's definitely a useful feature.
Re: (Score:2)
You are not wrong. But there does have to be a balance. Corporations have every reasonable right to police the content that flows over their wires.
Re: (Score:3, Insightful)
Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigans.
Re: (Score:1)
This.
They should be required to inform employees that they're intercepting SSL connections. Companies should have every right to do it, of course, but employees should know that the IT department is looking when they check their bank account.
And every time some development tool I'm trying to use pukes because it won't accept the company self-signed-cert, I should be allowed to walk over to the IT department and kick some maggot admin in his balls. Hard.
Re: Will have to be done carefully (Score:3)
"Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigans"
But, if the 3rd-party browser makes it impossible for users (who have no problem with the company implementing the protections to its assets as outlined in policies the users accepted as conditions of employment) to do their job using that browser, said browser may just find themselves losing a large chunk of their dimi
Re: (Score:2)
Firefox management issues were a reason we didn't deploy FF for corporate users and instead went with Groan. I still do use it, but this "feature" would kill it for me as well.
Re:Will have to be done carefully (Score:4, Insightful)
Not sure how many corporate Firefox deployments there are but this could really give some IT support groups a headache.
Hehe, you aren't kidding. They'll have to find a different way to keep track of where their employees are going.
In practice, I am thinking this is going to cause more pain than pleasure....
Pain can be a way of alerting you to problems.
Re: (Score:1)
Edge.
Re: (Score:2)
Edge! I should be so lucky where I work... still on IE11!
Re: (Score:2)
At least that still works better than Edge.
Re: (Score:2)
Nope. They will simply ban the use of Firefox and force their employees to use Edge.
You have to admit, Edge has the edge in MitM results.
Re: (Score:1)
This generally isn't used to track where they're going, but rather what they are downloading (or uploading) once they get there. You can track where people are going using SNI [wikipedia.org].
Re: (Score:3)
In the few Fortune 50 Companies I have worked with, no Firefox. They stick with IE, for only God knows why.
Two words: Group Policy
Chrome also has GP support for their Enterprise version of Chrome.
Last I checked (which was a while ago) there were only 3rd party GP templates for Firefox.
Re: (Score:2, Informative)
Firefox added group policy support with the release of ESR version 60, including official templates [github.com].
You can enable enterprise roots through this, which causes Firefox to read the Windows certificate store.
Re: (Score:2)
Good to know.
But I don't trust Mozilla to pick CAs! (Score:1)
The main problem with the entire X.509 system that I have, is that it just assumes everyone at the organization that makes your browser and where you get it from, is trustworthy.
What good is a certificate from an "authority" that I have never met in person, let alone got to know enough to decide if they are trustworthy?
What good is an "authority" just shoved down my throat by a browser maker that I have never met in person, let alone got to know enough to decide if the people there are trustworthy? (Or the
Re: (Score:2)
I am thinking this is going to cause more pain than pleasure...
"Was she told when she was young that pain would lead to pleasure?"
TLSA/DANE (Score:3)
Yes answer is TLSA/DANE (Score:2)
YES, exactly, TLSA/DANE is the answer here, but sadly, apart from national security agencies...
If only Mozilla actually built a browser around security...
TLSA/DANE effectively declares the TLS/SSL cert you should expect so you can use it even through a proxy
Re: (Score:2)
That's my hope as well. Mozilla talks up security, but does not implement one available security aspect (TLSA/DANE).
Okay, I'll bite (Score:2)
The linked article has no technical details.
How does the browser know when the certificate isn't the "right" one? Presumably, the false certificate's root is installed as valid on the system. Will this warning come up any time a page is viewed that relies on a non-bundled root certificate?
Re: (Score:3, Informative)
Because it contacts a third party server which also looks at the website's certificate. If the certificate that your browser is presented with has a different fingerprint than the one their server sees, an error is flagged.
See also the CheckMyHTTPS add-on for Chrome and Firefox.
Re: (Score:2, Insightful)
In other words, Firefox will send a list of all sites you're visiting to a third party server under the pretext of "security". Riiiiiight.
Re: (Score:1)
Well, if Firefox has a reasonably secure encryption system, then that isn't trivial. Presumably, the folks at Mozilla have thought of that, and aren't using the computer's root certificate store to trust this connection.
Re: Okay, I'll bite (Score:2)
Or just block it ...
Re: (Score:2)
Does that mean all SSL connections have to wait for this other new connection to succeed?
If that other service is out, do all SSL connections fail? Or is defeating this new "feature" as simple as blocking those connections?
Re: (Score:3)
That does not appear to be how it works. From reading the patch [mozilla.org]: if it fails to connect to the Firefox update service then it records the issuer of the cert that the update service presented. Then, if a future TLS connection fails with an unrecognized issuer and the unrecognized issuer matches the issuer that was recorded from the update service, then it displays the MITM error instead of the unrecognized issuer error.
(The code is here [searchfox.org] and here [searchfox.org].)
The check piggy-backs on one of Firefox's existing phone home
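A small model of the two-step check the comment above describes, added here as an illustration (it is not Mozilla's code; the class names, the `UNKNOWN_ISSUER` label, the issuer names and the hostnames are assumptions):

```python
from dataclasses import dataclass
from typing import Optional

MITM_DETECTED = "MOZILLA_PKIX_ERROR_MITM_DETECTED"  # error string named in the summary
UNKNOWN_ISSUER = "UNKNOWN_ISSUER"  # assumed label for the ordinary unrecognised-issuer error


@dataclass
class TlsResult:
    host: str
    error: Optional[str]   # None when the chain validated
    issuer: Optional[str]  # issuer DN of the presented chain, if the verifier got that far


class MitmDetector:
    """Remember who signed the update service's cert when that connection fails,
    then match later unknown-issuer failures against that issuer."""

    def __init__(self) -> None:
        self.recorded_issuer: Optional[str] = None

    def observe_update_service(self, result: TlsResult) -> None:
        # Step 1: only an unknown-issuer failure on the update service is recorded.
        self.recorded_issuer = result.issuer if result.error == UNKNOWN_ISSUER else None

    def classify(self, result: TlsResult) -> Optional[str]:
        # Step 2: successes and unrelated errors pass through unchanged.
        if result.error != UNKNOWN_ISSUER:
            return result.error
        # Same unrecognised issuer as on the update service: show the
        # interception-specific page instead of the generic one.
        if self.recorded_issuer is not None and result.issuer == self.recorded_issuer:
            return MITM_DETECTED
        return UNKNOWN_ISSUER


def run_scenarios() -> dict:
    """Constructed outcomes: an untrusted re-signing proxy vs. an unrelated private CA."""
    proxy_ca, private_ca = "CN=Example Corp Proxy CA", "CN=Lab Private CA"
    intercepting = MitmDetector()
    intercepting.observe_update_service(TlsResult("update.example", UNKNOWN_ISSUER, proxy_ca))
    untouched = MitmDetector()
    untouched.observe_update_service(TlsResult("update.example", None, "CN=Public Root CA"))
    return {
        "intercepted": intercepting.classify(TlsResult("bank.example", UNKNOWN_ISSUER, proxy_ca)),
        "private_ca": intercepting.classify(TlsResult("lab.example", UNKNOWN_ISSUER, private_ca)),
        # Proxy that leaves the update service alone: the heuristic cannot tell.
        "selective_proxy": untouched.classify(TlsResult("bank.example", UNKNOWN_ISSUER, proxy_ca)),
        "clean": intercepting.classify(TlsResult("news.example", None, "CN=Public Root CA")),
    }
```

The `selective_proxy` case shows the limit the later comments point at: the special page only replaces an unrecognised-issuer error, and only when the update service was intercepted by the same issuer.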
Re: (Score:1)
It's right in the summary!:
"The way this feature works is to show a visual error page"
Re: (Score:2)
So: this error will only appear if the current version displays the unknown issuer error, and Mozilla's update service detects that it has a MitM proxy.
ISPs? (Score:2)
How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?
Re:ISPs? (Score:4, Informative)
How does an ISP inject certs? The whole point of SSL/TLS is to stop that. Is this some new attack vector? Why aren't we just patching the flaw in TLS?
It's not MITM. That's why TFA is so confusing. The attack involves changes to your trust list.
Re: (Score:2)
Most of the time it is MITM, by method of adding a new cert to your trust list. I know because my company does this and I have to add these certs to Firefox since it doesn't use the Windows cert store. Without the cert, they can't MITM your traffic and you just can't access any websites through Firefox until the MITM cert is trusted.
Re: (Score:2)
That's why it isn't MITM. An essential part of it takes place at one end using privilege not available to a MITM.
Re: (Score:2)
It is a MITM in this case, a corporate-sponsored and condoned one. It's not the ISP doing it, but it's still the textbook definition of a MITM attack. A third party between the user and their requested destination that is decrypting and obtaining their network traffic.
Re: (Score:2)
I'm not at all confused. I understand PKI just fine, my day job is crypto system design and I understand how this particular sleight of hand works down to the packet level.
A MITM attack is performed between the end points. This particular attack cannot work solely between the end points. An essential element is a modified trust list at one end point. There's a MITM component, but it's not sufficient on its own.
I've done my share of ranting about X.509, PKI and all that goes along with it. This is one of the
Re: (Score:2)
>Then you must understand that It's MITM.
It's really not complicated. There's a MITM component, but it DOES NOT WORK if it is solely MITM. There's an endpoint component too, so it's not just a man in the middle MITM.
It's like saying: (You) "Here's my red car", (onlooker): "But the front half is yellow". (You): "It's still just red", (onlooker): "No it isn't, it's red and yellow, it's not just red".
Re: (Score:2)
By adding their own certificate to the trusted root signers list on your device. ISPs seldom try this sort of thing because it requires modifying configuration for all user devices, but it's very common in the business and education network areas, where the IT administrators can do that quite easily. It's the only way to properly monitor and filter internet access, which is a requirement in all schools and most offices: If IT could not monitor and filter their users, they wouldn't be able to provide interne
So, Basically (Score:2)
They're adding a feature to prevent a "Trusted Man-in-the-Middle" being set up by an application, or by your company.
I wish they would think about this a little more carefully.... This is likely to lead to Firefox being put back on many companies' "Banned Browser List"
Re: (Score:2)
Prevent? No. Make more complicated? Yes. You will probably have to install certs manually. But if you don't have a way to deliver files to your clients, and run commands on them, then you aren't in charge of those machines anyway.
Re: (Score:2)
It doesn't even do that much. The only thing this feature does is, if an MITM is detected, to change the text on the "unrecognized issuer" error page. You won't see the MITM detected error except in situations where you would otherwise be getting an unrecognized issuer error. You're just getting a slightly nicer error message.
'Trusted' MITM already requires you to install the MITM cert manually to avoid getting unrecognized issuer errors on every page load.
Don't care (Score:2)
All I want to know is how to get rid of the three extraneous bars which appear below the address bar when I start typing an address. It first started in shitty version 65 (it was forced on me at work) and the documentation for it doesn't say what these bars are for.
Last week on /., (Score:2)
there was a post about a M$ manager who was badmouthing Mozilla. [slashdot.org]
Mozilla/Firefox makes a product that I truly believe puts the user's interests first. This particular goal is an example of the philosophy. As long as Firefox does stuff like this, I don't care if it is 0.1% of the browser market, I will use it. F M$ and Google and their browsers. I intentionally use those companies' other services and products as little as possible and will continue to do so for as long as I can.
The average user response ... (Score:2)
... to a warning about a "Man in the Middle" issue will be to tell their son to stop standing in front of the WiFi. (sigh)