Firefox 3 Updates and SSL Blocklist extension
At the heals of yesterday's Firefox 4 release, we today got 3.6.16 and 3.5.18. As usual, Mozilla will provide security updates for some older browsers after the release of a new major version. If you are not planning to update to Firefox 4 soon, you should update to the newest 3.x version.
This wouldn't be worth a full diary (usually we just publish a "one liner") if it wouldn't be for one interesting change: Mozilla decided to add some new blocklisted SSL certificates.
SSL certificates are usually considered valid if signed by a trusted certificate authority. My version of Firefox 4 on a Mac includes certificates from about 80 trusted organizations. If a certificate authority finds out tht a certificate was signed by mistake, they may add the bad certificate to a revocation list. Each certificate includes a URL for a revocation list, and the browser may check if the certificate is listed as revoked.
However, browsers are not required to check revocation lists. In addition, if a certificate authority is compromised, it may lead to compromised revocation lists as well. The black list feature in Firefox (same feature exists in Chrome) lists a small number of certificates that the browser will not trust.
The recent addition is rumored to be due to a compromised certificate authority, which has been used to issue fraudulent certificates. [1] In particular it is suggested that a certificate for "addons.mozilla.org", the site used for Firefox plugins, was created using the compromised CA.
[1] https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
Also see:
https://github.com/ioerror/crlwatch#readme
https://www.eff.org/observatory
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Firefox 3.6.16 April 19
Firefox 3.5.18 April 19
The check for updates for my 3.6.15 isn't showing a new version other than 4.0, are you sure these are live releases not betas?
baillard
Mar 23rd 2011
1 decade ago
http://www.mozilla.com/en-US/firefox/3.6.16/releasenotes/
http://www.mozilla.com/en-US/firefox/3.5.18/releasenotes/
baillard
Mar 23rd 2011
1 decade ago