Six security advisories – three of which are deemed critical – were addressed in the Tuesday release of Firefox 32, which also comes with some new features, including public key pinning support that is enabled by default.

Public key pinning is an extension for HTTPS/SSL that lets the browser “know” the characteristics for the legitimate certificate of a site, Wolfgang Kandek, CTO at Qualys, told SCMagazine.com in a Wednesday email correspondence, explaining that an alert is raised when going to a site where the certificates do not match.

“This mechanism defends against man-in-the-middle (MitM) attacks in SSL,” Kandek said. “A typical MitM attack that can be detected with this technology would be an entity wanting to eavesdrop on SSL communication with a site.”

Public key pinning also reduces phishing attacks, Sid Stamm, senior engineering manager of security and privacy at Mozilla, told SCMagazine.com in a Wednesday email correspondence, adding Mozilla is continuously working to stop attackers from exploiting certificates that should never have been issued.

“This can happen for many reasons, including a [certificate authority (CA)] compromise, a CA violating our policies, or even mistakes in the issuance process,” Stamm said, going on to add, “Our main goal is to reduce risk present in the CA system, and pinning will help. It makes HTTPS connections safer by providing stronger assurance that the site you think you’re on is actually the right one.”

Read the Full Article: Source – SC Magazine
http://www.scmagazine.com/firefox-32-includes-public-key-pinning-fixes-critical-vulnerabilities/article/369597/

source not found