Earlier this month, Mozilla released Firefox 32, the latest version of the open source web browser. While it has a lot of neat features, the one that interests us most is the improved SSL security: support for public-key pinning, which strengthens the browser's check that a site's Secure Sockets Layer (SSL) certificate is authentic.
Sean Michael Kerner recently wrote about the newest Firefox over at eWeek online. He's not the only one who's been talking about it: there's also an article at PC World as well as coverage on other blogs and news sources, and, of course, a post on the official Mozilla security blog that explains more about the latest version of Firefox released to the world.
Sid Stamm, Sr. Manager of Security and Privacy Engineering at Mozilla, talks more about why this is a good thing at the Mozilla Security Blog. He wrote:
Public Key Pinning helps ensure that people are connecting to the sites they intend. It allows site operators to specify which CAs issue valid certificates for them, rather than accepting any one of the hundreds of built-in root certificates that ship with Firefox. If any certificate in the verified certificate chain corresponds to one of the known good (pinned) certificates, Firefox displays the lock icon as normal. When the root cert for a pinned site does not match one of the known good CAs, Firefox will reject the connection with a pinning error. This type of error can also occur if a CA mis-issues a certificate. In this way, key pinning can be used by sites to add another layer of trust to their servers’ deployment of TLS.
The Monica at Mozilla blog has a very good explanation of the changes, with graphics to make it clearer for those who are new to the topic. Basically, it's yet another way to help prevent man-in-the-middle (MITM) attacks: beyond checking that an SSL certificate chains to a trusted root, the browser also checks that it was issued by a CA the site operator actually uses.
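The pinning rule quoted above (accept if any certificate in the already-verified chain matches a pinned key, otherwise fail with a pinning error) as an added example, not code from Firefox or from the original post. The pin form (base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo) is the one Firefox and HPKP use; the SPKI byte strings below are constructed stand-ins, not real keys.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin value for one certificate: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_is_pinned(verified_chain_spki: list[bytes], pinned: set[str]) -> bool:
    """Firefox's rule: the chain passes if ANY certificate in it (leaf, intermediate
    or root) matches a pin. This runs only after normal chain validation succeeded;
    pinning narrows the set of acceptable issuers, it never widens it."""
    return any(spki_pin(spki) in pinned for spki in verified_chain_spki)


def connection_status(verified_chain_spki: list[bytes], pinned: set[str]) -> str:
    """Outcome as a user would see it: lock icon as normal, or a pinning error."""
    return "lock icon" if chain_is_pinned(verified_chain_spki, pinned) else "pinning error"


# Constructed SPKI placeholders (real ones are DER-encoded public keys).
LEAF = b"constructed-spki:leaf:example-site"
EXPECTED_INTERMEDIATE = b"constructed-spki:intermediate:expected-ca"
EXPECTED_ROOT = b"constructed-spki:root:expected-ca"
ROGUE_LEAF = b"constructed-spki:leaf:same-hostname-different-key"
ROGUE_INTERMEDIATE = b"constructed-spki:intermediate:mis-issuing-ca"
ROGUE_ROOT = b"constructed-spki:root:mis-issuing-ca"  # trusted root, but not pinned

# Site operator pins its intermediate CA plus a backup key held offline.
SITE_PINS = {spki_pin(EXPECTED_INTERMEDIATE), spki_pin(b"constructed-spki:backup-key")}

# Normal case: the chain goes through the pinned intermediate.
GOOD_CHAIN = [LEAF, EXPECTED_INTERMEDIATE, EXPECTED_ROOT]
# Mis-issuance case: a different built-in root issued a valid-looking chain.
ROGUE_CHAIN = [ROGUE_LEAF, ROGUE_INTERMEDIATE, ROGUE_ROOT]

if __name__ == "__main__":
    print("expected CA chain :", connection_status(GOOD_CHAIN, SITE_PINS))
    print("mis-issued chain  :", connection_status(ROGUE_CHAIN, SITE_PINS))
```

Without pins, the second chain would be accepted like any other chain ending in a built-in root; with pins, the mismatch is exactly the DigiNotar-style case the post goes on to describe.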
These changes to Firefox are not surprising. As you may or may not know, Mozilla has supported the Online Certificate Status Protocol (OCSP) for a long time now. OCSP is used by browsers to ask a Certificate Authority about the status of a particular SSL certificate, such as whether it has been revoked.
While rogue SSL certificates have been a problem in the past, the latest Firefox release shows that a lot of very smart people are working on making the web a safer place.
According to Jeremy Kirk at PC World, “The idea is to prevent attacks such as one that affected Google in 2011, targeting Gmail users. A Dutch certificate authority (CA), Diginotar, was either tricked or hacked and issued a valid SSL certificate that would work for a Google domain.”
What browser do you use? Do you choose based on which one is more secure, or on something else? We'd like to know, so leave a comment below and join the conversation. There's nothing better than talking SSL, security and technology on a website with like-minded people!