Mozilla Issues Fix For Nasty HTTPS Encryption Bug In Firefox 37 Browser
The latest version of Firefox came out at the end of March and brought a lot to the table, although like most browser version jumps nowadays, spotting all of what's new can be difficult. At the forefront, Firefox 37 introduced a "heartbeat" user rating system, which helps you provide useful feedback to Mozilla, and for those Bing users among you, searches now default to a secure protocol.
And speaking of protocols, that ties into a significant addition to Firefox 37: HTTP/2 support. At the moment, HTTP/2 in general is not widely supported, and in fact, it's not even "finalized" quite yet. But, for developers wanting to toy around with it, the option is now there.
Unfortunately, this HTTP/2 introduction brought with it a critical bug. There's an upside, though: you're probably already using an unaffected version, as 37.0.1 was released a few days ago and Firefox's auto-updater has surely kicked in since then.
The bug, found by a security researcher, made it possible to bypass HTTPS certificate validation when a Web server redirected the browser to another endpoint via the "Alt-Svc" header. What makes this critical is that, to the user, the connection would look secure. On a bank's website, for example, no security may be in place until the user logs in, and it's at that point that this redirect could occur and present a fake secure connection to the user.
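The security-relevant rule behind this bug is simple to state: an alternative endpoint named in Alt-Svc may only stand in for the original site if the certificate it presents is valid for the *original* host name, not merely for whatever host the header pointed at (this is what the later RFC 7838 requires). The following is an added illustration, not Firefox or Mozilla code: it parses Alt-Svc header values and models that origin check. The certificate is reduced to the list of DNS names it carries, and the header values, host names and certificate contents are constructed for the demonstration.

```python
"""Added example (not Firefox or Mozilla code): a minimal model of the check a
client must make before it honours an Alt-Svc alternative. The certificate is
modelled only as the list of DNS names it carries; the Alt-Svc header values and
host names below are constructed for the demonstration."""
import re
from dataclasses import dataclass

# One Alt-Svc entry: protocol-id="[host]:port" followed by optional ;-parameters
# (a simplification of the RFC 7838 grammar; quoted-pair escapes are not handled).
_ALT_RE = re.compile(r'([^=,\s]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')
_DEFAULT_MAX_AGE = 86400  # RFC 7838 default for the "ma" (max-age) parameter


@dataclass(frozen=True)
class AltService:
    protocol: str
    host: str      # "" means "same host as the origin"
    port: int
    max_age: int


def parse_alt_svc(value):
    """Parse an Alt-Svc header value; the special value 'clear' yields no entries."""
    if value.strip() == "clear":
        return []
    services = []
    for proto, authority, params in _ALT_RE.findall(value):
        host, _, port = authority.rpartition(":")
        if not port.isdigit():      # the port is mandatory; skip malformed entries
            continue
        max_age = _DEFAULT_MAX_AGE
        for param in params.split(";"):
            param = param.strip()
            if param.startswith("ma=") and param[3:].isdigit():
                max_age = int(param[3:])
        services.append(AltService(proto, host, int(port), max_age))
    return services


def name_matches(host, pattern):
    """RFC 6125-style match: exact, or a single left-most wildcard label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        # "*.bank.example" covers "www.bank.example" but not "bank.example",
        # not "a.b.bank.example", and never a bare suffix such as "*.com".
        return host.count(".") >= 2 and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def accept_alternative(origin_host, alt, presented_names):
    """Decide whether a connection to the alternative may stand in for the origin.

    The only question is whether the certificate presented on that connection
    is valid for the ORIGIN host. Which host the Alt-Svc entry named is
    irrelevant: a server that can only prove it is "alt.example.com" must not
    be shown to the user as a secure connection to "bank.example".
    """
    if not presented_names:   # no certificate at all is never a "secure" connection
        return False
    return any(name_matches(origin_host, name) for name in presented_names)


def demo():
    """Constructed scenario: a response from bank.example carries an Alt-Svc
    header naming a different host and, separately, a different port on itself."""
    header = 'h2="alt.example.com:443"; ma=2592000, h2=":443"'
    # Names each alternative endpoint's certificate is assumed (constructed) to carry.
    cert_names = {
        "alt.example.com:443": ["alt.example.com"],
        "bank.example:443": ["bank.example", "www.bank.example"],
    }
    results = {}
    for alt in parse_alt_svc(header):
        endpoint = f"{alt.host or 'bank.example'}:{alt.port}"
        results[endpoint] = accept_alternative("bank.example", alt, cert_names[endpoint])
    return results


if __name__ == "__main__":
    for endpoint, ok in demo().items():
        print(f"{endpoint}: {'accepted' if ok else 'REJECTED (certificate not valid for origin)'}")
```

Run as a script, the demo rejects the `alt.example.com` alternative (its certificate only names itself) and accepts the same-host alternative on port 443, whose certificate is valid for `bank.example`. The bug described in this article amounts to the first decision coming out the wrong way while the browser still displayed the connection as secure.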
It's somewhat calming to be able to talk about this and not have to say "hopefully a fix will come soon". It's already here, patched before you even knew it existed. If only that'd happen more often!