Browser Watch: Firefox to Require HTTPS for Application Cache (AppCache)
Firefox 62 to deny AppCache access to HTTP pages
In line with its recent announcement that web-exposed features will be restricted to HTTPS, Firefox has announced that AppCache must be served over HTTPS, too. Application Cache (AppCache) is a caching mechanism for website admins who want their sites to work offline. Right now, it is available to HTTP as well as HTTPS pages. However, with the launch of Firefox 62 in September 2018, only HTTPS pages will be able to use this feature. In other words, Firefox has restricted AppCache to Secure Contexts.
Offline use is not the only reason to adopt it: many website admins also implement AppCache to speed up page loads and reduce server load.
This is why it’s happening
If AppCache is run on HTTP sites, it could pose some serious security concerns. That’s because “AppCache has limitations in revalidating its cache, which allows attackers to trick the browser into never revalidating the cache by setting a manifest to a malformed cache file” – in Mozilla’s terms.
If that sounded like a load of jargon, I wouldn’t blame you. Let me put it in simpler words.
When your browser loads an AppCache-enabled site, it stores that website’s files as a cache. The AppCache API has limited ability to revalidate those cached files against the server. So when a user later opens the site, the browser serves the stored cache as-is, without being able to confirm that it still matches what the site actually serves.
I hope this has made the picture a bit clearer to you. Let me make it even more transparent.
Let’s say you’re connected to a Wi-Fi network, and an attacker is connected to it as well. If you had visited a site that uses AppCache over plain HTTP, your browser holds a stored cache for it. Because the attacker is on the same network, he/she could tamper with the content that ends up in that cache, and the browser (AppCache) wouldn’t notice, because it cannot properly revalidate the cache. So, if the attacker manages to alter the cached pages and add iframes (which is a way of embedding one page inside another), he/she could potentially trick users into handing over confidential information – even after the user has disconnected from that network.
Imagine an AppCache-enabled HTTP site named example.com, and a perpetrator manages to insert a fake Facebook login page into its cache. If you type in your e-mail ID and password, it’s going to be captured. That’s why Firefox is going to restrict the AppCache feature to HTTPS.
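For admins migrating an AppCache site to HTTPS ahead of Firefox 62, the following is an added example (not code from the article or from Mozilla) that parses a CACHE MANIFEST file and flags any entries that still point at plain http:// resources, since those would be mixed content once the page itself is served in a Secure Context. The manifest text is a constructed sample.

```javascript
// Parse an AppCache manifest into its three sections. Entries that appear
// before any section header are explicit CACHE entries, per the format.
function parseAppCacheManifest(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  if (lines[0] !== 'CACHE MANIFEST') {
    throw new Error('not an AppCache manifest: missing "CACHE MANIFEST" header');
  }
  const sections = { CACHE: [], NETWORK: [], FALLBACK: [] };
  let current = 'CACHE';
  for (const line of lines.slice(1)) {
    if (line === '' || line.startsWith('#')) continue; // blank line or comment
    const header = line.match(/^(CACHE|NETWORK|FALLBACK):$/);
    if (header) { current = header[1]; continue; }
    sections[current].push(line);
  }
  return sections;
}

// Report entries that reference plain http:// URLs. Under HTTPS these are
// mixed content, so they would be blocked rather than cached or fetched.
function findInsecureEntries(sections) {
  const insecure = [];
  for (const [section, entries] of Object.entries(sections)) {
    for (const entry of entries) {
      // FALLBACK lines are "namespace fallback-url" pairs; check each token.
      for (const url of entry.split(/\s+/)) {
        if (/^http:\/\//i.test(url)) insecure.push({ section, url });
      }
    }
  }
  return insecure;
}

// Constructed sample manifest (hypothetical hosts, not a real site).
const SAMPLE_MANIFEST = [
  'CACHE MANIFEST',
  '# v1 - constructed sample',
  '/index.html',
  'CACHE:',
  'http://cdn.example/app.js',
  'NETWORK:',
  '*',
  'FALLBACK:',
  '/ http://example.com/offline.html',
].join('\n');

const sections = parseAppCacheManifest(SAMPLE_MANIFEST);
const problems = findInsecureEntries(sections);
```

Each flagged URL has to be switched to https:// (or a relative path) before the manifest is served from the HTTPS site, otherwise the offline copy will be incomplete.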
Bottom Line: HTTP is dying a slow, painful death
If you keep up with the latest tech updates, you must have heard that Google Chrome is going to mark all HTTP sites as “Not Secure.” Similarly, all other major browsers are upping their game in the hunt to deprecate the insecure protocol that is HTTP. This move to restrict AppCache to Secure Contexts marks another milestone in this direction.