The new opportunistic encryption feature in Firefox, Mozilla has had to disable it because of a security vulnerability in the browser’s implementation of the HTTP Alternative Services specification. Here to comment on this news is Russ Spitler, VP of product strategy for AlienVault.
Russ Spitler, VP of product strategy for AlienVault:
“The root of this issue is the fact that our current system has rather tightly coupled authentication with encryption. While that seems like a good thing that coupling is what is giving rise to the alternatives like what Firefox has just built.
“To break that down a little further authentication is knowing who you are talking to, encryption is knowing nobody else is listening. The state of the world right now is that if you can’t confirm who you are talking to, you cannot ensure that no one else is listening. Opportunistic encryption provided a path to ensure nobody is listening without necessarily authenticating who you are talking to. This bug allowed attackers to exploit opportunistic encryption (which does not authenticate who you are talking to) so that users believe they have authenticated the other end (by presenting a certificate to the browser). This allows an attacker to establish a connection with a user that appears to originate from a trusted entity (such as Google), but is controlled by the attacker.
“This issue is simply an evolution in our technology. We have dealt with issues in this system for years and years, getting this done correctly and without bugs is a process that will take decades (consider how long some of the recent OpenSSL bugs existed in code before discovery). The introduction with new systems will be fraught with issues, careful design and iteration is the only path to maturing new systems like this. It is critical that someone takes the lead on establishing new paths such as this, but it is even more important that they are broadly reviewed and tested.
“As for opportunistic encryption: why build a new system when there is one that already exists? Projects like ‘Let’s Encrypt’ are making it easy to achieve the same goals as above without reinventing a new system. While the goal is noble, rebuilding encryptions systems should be done only when absolutely necessary, not when there are viable improvements to existing standards.”
About AlienVault
AlienVault is the leading provider of Unified Security Management and crowd-sourced threat intelligence. Its products are designed and priced to ensure that mid-market organizations can effectively defend themselves against today’s advanced threats. By building the best open source security tools into one Unified Security Management platform, and then powering the platform with up-to-the-minute threat intelligence from AlienVault Labs and its Open Threat Exchange—the world’s largest crowd-sourced collaborative threat exchange—AlienVault provides its customers with a unified, simple and affordable solution for threat detection and compliance management.
While the perfect threat deflector shield has yet to be invented, AlienVault is able to provide its customers with an out-of-this-world threat detection product that ensures even the smallest ‘planets’ in the galaxy can fend off attackers.For more information visit www.AlienVault.com
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.