Firefox will soon warn you about the Man-in-the-Middle
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Firefox will soon warn you about the Man-in-the-Middle

Firefox 65 will provide users with more information when something gets in the middle of their connection

Mozilla will now give its users more information when a Man-in-the-Middle scenario occurs with the release of Firefox 65. Previously, the browser had issued a warning when a MITM occurred, but failed to give much insight into what was happening.

That’s all about to change.

With the release of Firefox 65, users will now get more information about who may be attempting a MITM.

So today we’ll discuss this new feature, Man-in-the-Middle scenarios in general and how this may impact your organization.

Let’s hash it out.

Should we refer to Man-in-the-Middle as an attack?

If you’re a regular reader you know we talk about Man-in-the-Middle scenarios quite a bit. We’ve covered what MITM is. We’ve covered how easy it is to pull one off. Now let’s discuss whether or not it’s really accurate to refer to this as an “attack.”

And the answer is not always.

While it certainly constitutes an attack when a malicious actor gets in the middle of a connection—the Man-in-the-Middle isn’t always a bad guy. A lot of times, especially with large companies and enterprises, it’s actually just that organization itself, either inspecting HTTPS traffic or load balancing.

There are also antivirus programs that can get in the middle of a connection to inspect encrypted traffic for anything malicious.

Of course, there are also plenty of nefarious things that can be done in a MITM scenario, too. There are the obvious risks with eavesdropping, spoofing, etc. But there are also adware programs, and even some malware, that inject content – typically ads – and compromise the integrity of whatever site you’re trying to visit.

At any rate, referring to a Man-in-the-Middle scenario categorically as an attack feels a little obtuse. It can be an attack, or it could be something completely legitimate.

That’s why Mozilla is giving its users more information.

MOZILLA_PKIX_ERROR_MITM_DETECTED

In Firefox 61, Mozilla added a new error message: MOZILLA_PKIX_ERROR_MITM_DETECTED. It warned users when a MITM scenario was occurring, but it didn’t really provide much information beyond that.

Here’s a screenshot of the error courtesy of Bleeping Computer:

Firefox 65 will provide users with far more information on the scenario. You’ll now be able to get details from the certificate that’s facilitating the MITM. This will give Firefox users a better handle on whether the MITM is malicious, or just the product of an antivirus program or, as shown in the warning below (also courtesy of Bleeping Computer), an HTTP debugger like Fiddler.

 If you choose to click “Learn More…” You’re provided with the following:

Websites prove their identity via certificates, which are issued by certificate authorities.

Firefox is backed by the non-profit Mozilla, which administers a completely open certificate authority (CA) store. The CA store helps ensure that certificate authorities are following best practices for user security.

Firefox uses the Mozilla CA store to verify that a connection is secure, rather than certificates supplied by the user’s operating system. So, if an antivirus program or a network is intercepting a connection with a security certificate issued by a CA that is not in the Mozilla CA store, the connection is considered unsafe.

Error code: MOZILLA_PKIX_ERROR_MITM_DETECTED

[View Certificate]

How will MOZILLA_PKIX_ERROR_MITM_DETECTED affect my organization?

This section could probably also be called, “how to fix MOZILLA_PKIX_ERROR_MITM_DETECTED,” but the advice will be a bit more general so it can be more applicable to all kinds of organizations.

And here’s the thing, as long as you use a trusted certificate on any edge devices or middle boxes that intercept connections, you’ll be fine. Mozilla is looking for certificates that don’t chain back to one of the roots in its trust store.

Now, if you’re a regular internet user and you’re getting this error, the most common culprit is going to be your antivirus program. Mozilla recommends disabling SSL or HTTPS scanning and enabling it again. That should let your antivirus program add its root to Mozilla’s trust store so that it can continue protecting you without getting flagged with MOZILLA_PKIX_ERROR_MITM_DETECTED.

Do not, under any circumstances, leave SSL or HTTPS scanning off. Also, don’t leave your antivirus program off, either. These are some of your best lines of defense against the threats on the internet, you need them working for you.

If your problem persists, and it’s not the antivirus program, you’re going to need to find what is interrupting your connections. This is where running a full scan using said antivirus program should help identify any malware or adware that could be injecting ads or malicious content.

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.

Author

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.