The Tor Project released today version 6.0.5 of the Tor Browser, which fixes a critical issue in the browser's HTTPS certificate pinning system. The flaw lets an attacker who can obtain a fraudulent certificate impersonate pinned domains, including Mozilla's own websites.
According to research from a security expert who goes by @movrcx on Twitter, and confirmed yesterday by Ryan Duff, the issue also affects Mozilla Firefox, although Nightly builds received a fix on September 4.
Firefox stable versions currently remain unpatched, but Mozilla is scheduled to release Firefox 49 next Tuesday, September 20, so the team has enough time to deliver a fix. The Tor Project shipped its fix one day after the bug was disclosed online.
The issue at the core of the problem resides in Firefox's custom method for handling certificate pinning: besides the IETF-approved HPKP standard (RFC 7469), in which a site sends its pins over HTTP, Firefox ships a built-in (static) list of pins for selected domains, compiled into the browser itself.
Certificate pinning is an HTTPS feature that restricts which public keys may appear in a site's certificate chain. A connection is accepted only if at least one pinned key is present in the chain, so a certificate issued by a trusted CA is still rejected if it carries an unpinned key. While not widely deployed, HPKP is often used on websites that handle sensitive information.
According to the explanation provided by Duff, Firefox's static pin list carries an expiration date; once that date has passed, Firefox silently stops enforcing the pins and falls back to ordinary CA validation, without showing any warning. A Tor Browser or Firefox build that has not been updated past that date is therefore no longer protected by pinning at all.
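The failure mode Duff describes, modelled as an added example (this is not Firefox's or the Tor Project's code): a static pin set with a baked-in expiry, the "skip pinning once the list is stale" behaviour the article reports, and, for contrast, an illustrative fail-closed alternative that keeps enforcing the pins and surfaces the staleness instead. The SPKI blobs, hostname pin set and expiry timestamp are all constructed for the demonstration; only the pin-sha256 encoding (base64 of the SHA-256 over the SubjectPublicKeyInfo DER) matches what HPKP and Firefox's static list actually use.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Sequence

# Constructed SubjectPublicKeyInfo blobs standing in for real DER; only their hashes matter here.
LEGIT_SPKI = b"constructed SPKI DER: key the add-on site really uses"
CA_SPKI = b"constructed SPKI DER: intermediate CA that issued the legitimate cert"
ATTACKER_SPKI = b"constructed SPKI DER: key in a mis-issued or forged cert held by a MITM"
OTHER_CA_SPKI = b"constructed SPKI DER: some trusted CA that issued the fraudulent cert"


def pin_sha256(spki_der: bytes) -> str:
    """pin-sha256 as used by HPKP and Firefox's static list: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class StaticPinSet:
    host: str
    pins: FrozenSet[str]  # at least one must appear somewhere in the presented chain
    expires_at: int       # Unix time baked into the browser build when the list was generated


@dataclass(frozen=True)
class PinResult:
    allowed: bool   # may the connection proceed?
    enforced: bool  # were the pins actually checked?
    stale: bool     # is the built-in pin list past its expiration date?


# Constructed pin set; the expiry is an illustrative timestamp, not the value Firefox shipped.
ADDONS_PINS = StaticPinSet(
    host="addons.mozilla.org",
    pins=frozenset({pin_sha256(LEGIT_SPKI), pin_sha256(CA_SPKI)}),
    expires_at=1_472_860_800,
)


def chain_has_pinned_key(chain_spki: Sequence[bytes], pinset: StaticPinSet) -> bool:
    """True if any certificate in the chain carries a pinned public key."""
    return any(pin_sha256(spki) in pinset.pins for spki in chain_spki)


def check_pins_expiring(pinset: StaticPinSet, chain_spki: Sequence[bytes], now: int) -> PinResult:
    """Behaviour the article describes: once the built-in list has expired, pinning is
    skipped entirely and plain CA validation decides. The caller gets no warning signal."""
    if now > pinset.expires_at:
        return PinResult(allowed=True, enforced=False, stale=True)
    ok = chain_has_pinned_key(chain_spki, pinset)
    return PinResult(allowed=ok, enforced=True, stale=False)


def check_pins_fail_closed(pinset: StaticPinSet, chain_spki: Sequence[bytes], now: int) -> PinResult:
    """Illustrative alternative (not Mozilla's fix): keep enforcing a stale list and report
    the staleness so the UI can tell the user the browser needs updating."""
    ok = chain_has_pinned_key(chain_spki, pinset)
    return PinResult(allowed=ok, enforced=True, stale=now > pinset.expires_at)


if __name__ == "__main__":
    mitm_chain = [ATTACKER_SPKI, OTHER_CA_SPKI]
    before = ADDONS_PINS.expires_at - 60
    after = ADDONS_PINS.expires_at + 86_400
    for label, now in (("before expiry", before), ("after expiry", after)):
        print(f"{label:13} expiring-list: {check_pins_expiring(ADDONS_PINS, mitm_chain, now)}")
        print(f"{label:13} fail-closed:   {check_pins_fail_closed(ADDONS_PINS, mitm_chain, now)}")
```

The trade-off is the point: an expiry exists because sites rotate keys and a browser stuck on an old list would otherwise lock users out, so enforcing a stale list is not free either. What a practitioner should object to in the behaviour the article reports is the silence: the downgrade from pin enforcement to plain CA validation is invisible to the user, which is exactly what the stale flag above exposes.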
Duff details an attack scenario in which an attacker in a man-in-the-middle position holding a stolen or forged certificate for addons.mozilla.org, Mozilla's add-on site, could push malicious updates to installed browser add-ons. Pinning is precisely the control meant to stop such a certificate from being accepted; with the pin list expired, only the usual CA validation stands in the way.
The Tor Browser is built on Firefox's Extended Support Release (ESR), which lags behind the mainline browser, and it also uses Firefox extensions, some of which are bundled with its default installation.
Since the browser's primary role is to hide a user's identity and location, a nation-state attacker with the capability to intercept Internet traffic and obtain forged certificates could use this bug to deliver malicious add-on versions that leak identifying details about Tor Browser users. For Tor users the exit relay already sits in such an interception position on the leg between the exit and Mozilla's servers.