Posted on 04/09/2015 10:42:18 AM PDT by Utilizer
Attackers could use a fake certificate to get around protections.
Mozilla has disabled an "opportunistic encryption" feature added to its Firefox browser last week, in order to fix a critical security flaw that allowed attackers to bypass HTTPS protections.
The company last week released Firefox 37, which came with a new feature allowing connections to be encrypted even if a server didn't support HTTPS.
This so-called "opportunistic encryption" acted as a bridge between plaintext HTTP and HTTPS connections based on either transport layer security (TLS) or the older secure sockets layer protocol.
It allowed website owners who are unable to fully encrypt their sites through traditional web-based encryption measures to have their data encrypted over TLS where it otherwise would have been carried in clear text.
The feature was well-received due to its potential to make it harder for attackers to spy on or hack into communications of end users.
But Mozilla developers have now disabled opportunistic encryption in Firefox 37 after discovering that the feature had introduced a critical bug.
(Excerpt) Read more at itnews.com.au ...
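The excerpt above describes the feature and the flaw in one sentence each, so here is a toy model of the decision a browser has to get right. It is an added example written for this thread, not Mozilla's code and not from the itnews article. It assumes the advertisement mechanism is an Alt-Svc response header (RFC 7838), which the article does not name, and it models certificate checking with a tiny `PresentedCertificate` record rather than a real TLS handshake; host names, the `firefox37_bug` switch and the header value are all constructed for illustration.

```python
"""
Toy model of opportunistic encryption via alternative services.

Constructed example, not Mozilla code. The one rule it demonstrates: a TLS
connection reached through an advertised alternative service may skip
certificate validation only when the origin was plaintext http://. An
https:// origin must keep full validation against the origin's own name,
whichever host actually terminates TLS.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AltService:
    protocol: str   # e.g. "h2"
    host: str       # "" means "same host as the origin"
    port: int
    max_age: int    # seconds the advertisement may be cached


@dataclass(frozen=True)
class ConnectionPolicy:
    use_tls: bool
    verify_certificate: bool
    expected_name: str   # name the certificate must be valid for ("" if unverified)


@dataclass(frozen=True)
class PresentedCertificate:
    subject_names: tuple   # names the certificate covers (constructed stand-in)
    trusted_chain: bool    # whether it chains to a trusted root


def parse_alt_svc(header: str) -> List[AltService]:
    """Parse an Alt-Svc header value (RFC 7838), for example
    'h2=":443"; ma=2592000, h2="alt.example:8443"'."""
    services = []
    for entry in header.split(","):
        entry = entry.strip()
        if not entry or entry == "clear":
            continue
        head, *params = (p.strip() for p in entry.split(";"))
        m = re.fullmatch(r'([A-Za-z0-9.+-]+)="([^"]*)"', head)
        if m is None:
            raise ValueError(f"malformed Alt-Svc entry: {entry!r}")
        protocol, authority = m.groups()
        host, _, port = authority.rpartition(":")   # ":443" -> host "", port "443"
        if not port.isdigit():
            raise ValueError(f"alt-authority needs a numeric port: {authority!r}")
        max_age = 86400   # RFC 7838 default when "ma" is absent
        for p in params:
            key, _, value = p.partition("=")
            if key.strip() == "ma" and value.strip().isdigit():
                max_age = int(value.strip())
        services.append(AltService(protocol, host, int(port), max_age))
    return services


def policy_for(origin_scheme: str, origin_host: str, alt: Optional[AltService],
               *, firefox37_bug: bool = False) -> ConnectionPolicy:
    """Decide how to connect to origin_scheme://origin_host, optionally via alt.

    With firefox37_bug=True the model reproduces the class of mistake the
    article describes: every alternative-service connection is treated as
    opportunistic, so the certificate check is skipped even for https://.
    """
    if alt is None:
        if origin_scheme == "https":
            return ConnectionPolicy(True, True, origin_host)
        return ConnectionPolicy(False, False, "")
    if firefox37_bug:
        return ConnectionPolicy(True, False, "")          # the flaw: no check at all
    if origin_scheme == "https":
        return ConnectionPolicy(True, True, origin_host)  # cert must be valid for the ORIGIN
    return ConnectionPolicy(True, False, "")              # opportunistic: unauthenticated TLS


def accept_connection(policy: ConnectionPolicy, cert: PresentedCertificate) -> bool:
    """Apply the policy to the certificate the far end presented."""
    if not policy.use_tls or not policy.verify_certificate:
        return True   # plaintext, or opportunistic TLS: anything goes
    return cert.trusted_chain and policy.expected_name in cert.subject_names


def mitm_demo(firefox37_bug: bool) -> bool:
    """Attacker gets the browser to honour an alternative service pointing at a
    host they control and presents a certificate valid only for that host.
    Returns True if the client accepts it for the https:// origin."""
    header = 'h2="evil.example:443"; ma=60'   # constructed, attacker-supplied
    alt = parse_alt_svc(header)[0]
    policy = policy_for("https", "bank.example", alt, firefox37_bug=firefox37_bug)
    fake = PresentedCertificate(subject_names=("evil.example",), trusted_chain=True)
    return accept_connection(policy, fake)


if __name__ == "__main__":
    print("buggy client accepts impostor:", mitm_demo(firefox37_bug=True))
    print("fixed client accepts impostor:", mitm_demo(firefox37_bug=False))
```

The caveat the model makes visible: unauthenticated opportunistic TLS on an http:// origin only defeats passive eavesdropping, since an active attacker can terminate it with any certificate, so it is acceptable exactly because the origin had no protection to lose. The moment the same unverified path is reachable from an https:// origin, the attacker gets the same free pass against a site that did have protection, which is the "bypass HTTPS protections" in the excerpt.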
I love the Mozilla community. I don’t care about their politics. I know they’re doing the right thing in tech, and that’s important to IT professionals.
I don’t like their politics, but their browser is a back-up in case I have any problems with the main browser on this Linux OS.
At least it’s not Explorer.
Plus, others are using Firefox, hence the new thread pointing out the update/bugfix.