Tor users should update to Tor Browser 6.0.5

Sep 16, 2016 23:30 GMT

The Tor Project released today version 6.0.5 of the Tor Browser which fixes a critical issue in the browser's HTTPS certificate pinning system that allows threat actors to impersonate Mozilla websites or other domains.

According to research from a security expert who goes by the name @movrcx on Twitter, and confirmed yesterday by Ryan Duff, this issue also affects Mozilla Firefox, although it was patched on September 4 in Nightly builds.

Currently, Firefox stable versions remain unpatched, but Mozilla is scheduled to release Firefox 49 next Tuesday, on September 20, so the team has enough time to deliver a fix. The Tor Project took one day to address the issue, following the bug's disclosure online.

Problems in Firefox's certificate pinning procedures

The issue at the core of the problem resides in Firefox's custom method for handling certificate pinning, which is different from the IETF-approved HPKP standard.

Certificate pinning is an HTTPS feature that makes sure the user's browser accepts only a specific certificate key for a specific domain. While not very popular, HPKP is often used on websites that handle sensitive information.

According to an explanation provided by Duff, Firefox will not enforce certificate pinning after certificates expire, but won't show a verbose warning either.
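The following example, added here and not code from Firefox or the Tor Browser, models the failure mode Duff describes: a pinset that carries a baked-in expiry date and silently stops being enforced once that date passes, placed beside a variant that keeps enforcing the pins and surfaces the staleness as a distinct status. The host name, SPKI blobs and expiry date are constructed stand-ins.

```python
import base64
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PinSet:
    host: str
    pins: frozenset          # base64(SHA-256(SubjectPublicKeyInfo)) values
    expires: datetime        # built-in pinsets carry a baked-in expiry date


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of the SHA-256 digest of the certificate's SPKI."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def check_pin_lenient(pinset: PinSet, spki_der: bytes, now: datetime) -> str:
    """Models the behaviour the article describes: once the pinset's expiry
    has passed, the pin is not enforced and no warning is raised, so any
    certificate the CA layer accepts gets through."""
    if now > pinset.expires:
        return "accepted"                       # pinning silently switched off
    return "accepted" if spki_pin(spki_der) in pinset.pins else "rejected"


def check_pin_strict(pinset: PinSet, spki_der: bytes, now: datetime) -> str:
    """Hardened variant: a stale pinset is still enforced, and the staleness is
    reported as its own status so it can be logged or shown to the user rather
    than treated as permission to skip the check."""
    pinned = spki_pin(spki_der) in pinset.pins
    if now > pinset.expires:
        return "accepted-stale-pins" if pinned else "rejected-stale-pins"
    return "accepted" if pinned else "rejected"


# Constructed sample data: stand-ins for DER-encoded SPKI blobs, not real keys.
GOOD_SPKI = b"constructed SPKI of the pinned key"
ROGUE_SPKI = b"constructed SPKI of a forged certificate"
ADDONS_PINSET = PinSet(
    host="addons.example.test",                 # placeholder host name
    pins=frozenset({spki_pin(GOOD_SPKI)}),
    expires=datetime(2016, 9, 3, tzinfo=timezone.utc),  # constructed expiry
)
BEFORE = datetime(2016, 8, 1, tzinfo=timezone.utc)
AFTER = datetime(2016, 9, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, now in (("before expiry", BEFORE), ("after expiry", AFTER)):
        print(label, "lenient:", check_pin_lenient(ADDONS_PINSET, ROGUE_SPKI, now),
              "strict:", check_pin_strict(ADDONS_PINSET, ROGUE_SPKI, now))
```

Run as a script it shows that the forged certificate is rejected before the expiry date by both checks, but accepted afterwards only by the lenient one.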

Attackers could deliver fake Tor/Firefox add-on updates

Duff details an attack scenario in which an attacker in a Man-in-the-Middle position could obtain a stolen or forged certificate for the addons.mozilla.com website and push malicious updates to browser add-ons.

The Tor Browser, which is built on an older version of Firefox, also uses Firefox extensions, some of which are bundled with its default installation.

Since the browser's primary role is to hide someone's identity and location, a nation-state attacker with the technical capabilities to intercept Internet traffic and issue forged certificates could use this bug to deliver malicious add-on versions that could leak details about Tor Browser users.

Firefox add-ons such as NoScript or HTTPS Everywhere are key pieces in Tor Browser's normal mode of operation.

Tor Browser users should update to version 6.0.5; Firefox users, and Tor users who don't wish to update right now, should disable automatic add-on updates, which are enabled by default in both browsers. Duff also has some advice for the Tor Project.

  While TorBrowser will catch the fix from the Mozilla patch, I believe they should actually change how they handle extensions overall. It seems ridiculous to me that they actually use Mozilla’s auto-update process for extensions. If NoScript or HTTPS Everywhere added a new vulnerability with an update, all Tor users would get it within a day of using the browser. Also, with the paranoia their organization seems to have, I would think Mozilla being compelled to push a malicious extension to specific Tor users would be a real concern of theirs. To me, the logical solution would be to compile NoScript and HTTPS Everywhere themselves, sign those extensions with their own key, hardcode their public key into the TorBrowser, and then do their own cryptographic validation of extensions locally. Extension updates would go out with TorBrowser updates exactly how the TorBrowser Firefox updates are delivered.

UPDATE: Mozilla announced today that this issue will be fixed in Firefox 49, as we initially predicted.