Mozilla to strengthen SSL certificate verification in Firefox

The software maker will pay US$10,000 for any critical vulnerability found in its new certificate verification code

Mozilla plans to more strictly enforce industry best practices for SSL certificates in future versions of Firefox with a new certificate verification system.

The new system will be implemented as a library called "mozilla::pkix" and will start being used by Firefox 31, which is expected to be released in July.

Many of the certificate verification changes in the new library are subtle and are related to technical requirements specified in the "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates" issued by the Certification Authority/Browser (CAB) Forum. However, some of the behavior modifications also stem from changes Mozilla made to its own policy for trusting CA certificates.

For example, a document describing mozilla::pkix requirements notes that "end certificates used by servers are not allowed to have basic constraints asserting isCA=TRUE" and "certificates used as trust anchors or intermediates are now required to have the basic constraints extension and assert the isCA bit."

These two requirements are intended to prevent the misuse of subordinate CA (sub-CA) or intermediate certificates, which can be used to issue SSL certificates for any domain on the Internet.

In February 2012, Trustwave, one of the CAs trusted by browsers, publicly admitted that it had issued a sub-CA certificate for use by a third-party company to inspect SSL traffic passing through its corporate network. Mozilla said at the time that the use of sub-CA certificates for man-in-the-middle SSL traffic monitoring, even if performed on closed corporate networks, is unacceptable.

Another incident happened in January 2013, when a certificate with sub-CA status issued by Turktrust, a Turkish certificate authority trusted by browsers, was installed in a firewall appliance with SSL traffic monitoring capabilities by the Municipality of Ankara. Turktrust said the certificate in question was one of two that had been issued with sub-CA status by mistake in August 2011 and were actually supposed to be regular end-user certificates.

A month later Mozilla changed its CA policy to require all sub-CA certificates to be technically constrained to particular domain names using certificate extensions or to be publicly disclosed and audited as regular root CA certificates. The mozilla::pkix certificate verification library will begin enforcing that policy change inside the browser.

While the majority of Firefox users are unlikely to notice anything out of the ordinary as a result of the new certificate verification system, some HTTPS websites might encounter problems.

"While we have performed extensive compatibility testing, it is possible that your website certificate will no longer validate with Firefox 31," the Mozilla Security Engineering Team said Thursday in a blog post. "This should not be a problem if you use a certificate issued by one of the CAs in Mozilla's CA Program, because they should already be issuing certificates according to Mozilla's CA Certificate Policy and the BRs [the CAB Baseline Requirements]."

Mozilla also created a special bug bounty program that will pay out US$10,000 for any critical security flaw found and reported in the new library's code until the end of June.

"As we've all been painfully reminded recently (Heartbleed, #gotofail) correct code in TLS libraries is crucial in today's Internet and we want to make sure this code is rock solid before it ships to millions of Firefox users," Mozilla's security lead Daniel Veditz said Thursday in a blog post.

"We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption," Veditz said. "Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP [Online Certificate Status Protocol] responses would be."

Join the PC World newsletter!

Error: Please check your email address.

Tags online safetysecurityencryptionCompliance monitoringpkimozilla

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?