Mozilla fixes man-in-the-middle vulnerability in Firefox




Mozilla September 20 brings an update for Firefox that a man-in-the-middle leak proof. The vulnerability affects users of add-ons and was closed Friday at the Tor browser, based on Firefox and uses add-ons as Noscript.

The vulnerability in the Firefox and Tor browsers came last week to light through a posting by security researcher Ryan Duff on the Daily Dave-Seclist. The problem with the update method for add-ons. Mozilla uses https connections for automatically updating the add-ons via and additional certificaatpinning used to protect against abuse.

Attackers would include unauthorized use SSL certificates to make it appear that the update is via Mozilla’s servers, and so malicious updates to spread the extensions. Certificaatpinning must protect against this but there was a bug in the way Mozilla Preloaded Public Key Pinning updated, so certificaatpinning not work for Firefox 48 from September 10 and ESR 45.3.0 from September 3rd.

The bypass would still be a SSL certificate are required and it is Mozilla not known that such certificates are in circulation, but according to the organization, it is nevertheless a concern, especially for Tor users who want to be protected by state-sponsored attacks.

The Tor Project itself spent last Friday an update to version 6.0.5 of the browser, Mozilla Tuesday following an update of the stable version of Firefox.


In: A Technology & Gadgets Asked By: [20058 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »

Star Points Scale

Earn points for Asking and Answering Questions!

Grey Sta Levelr [1 - 25 Grey Star Level]
Green Star Level [26 - 50 Green Star Level]
Blue Star Level [51 - 500 Blue Star Level]
Orange Star Level [501 - 5000 Orange Star Level]
Red Star Level [5001 - 25000 Red Star Level]
Black Star Level [25001+ Black Star Level]