
Latest Firefox Version Supports Public Key Pinning

Firefox 32, the latest version of Mozilla's browser, ships with a newly added defence feature known as Public Key Pinning. The feature helps prevent attackers from stealing data sent over the web.

On the company blog, Sid Stamm, senior manager of security and privacy engineering at Mozilla, wrote: “In Firefox 32, if any certificate in the verified certificate chain corresponds to one of the known good (pinned) certificates, Firefox displays the lock icon as normal.” He adds that if the root certificate for a pinned site does not correspond to any of the names on the list of ‘known’ and reputable Certificate Authorities, Firefox terminates the connection right away with a pinning error.

Basically, ‘Public Key Pinning’ lets an online service specify which SSL (Secure Sockets Layer) or TLS (Transport Layer Security) certificates are considered valid for it. These certificates are used to verify a site’s identity and to set up the encryption of data sent between the browser and the server.

The recent attacks that targeted Google and affected Gmail users were the ‘inspiration’ for Firefox to come up with a defence feature like Public Key Pinning. In 2011, a Dutch certificate authority (CA), DigiNotar, was tricked by attackers into issuing valid SSL certificates for Google domains. In theory this allowed the attackers to set up a fake site resembling Gmail that did not trigger an ‘Invalid Certificate’ browser warning. Industry experts had already warned that such attacks on certificate authorities were a potential cyber threat.

Security experts believe that ‘Public Key Pinning’ would have easily prevented the attack, as Firefox would already have known that Diginotar should not have issued a certificate for Google sites. Let’s dive deeper into ‘Public Key Pinning’.

About Public Key Pinning

Public Key Pinning assures users that they are connecting to the intended site. It allows site operators to specify which Certificate Authorities (CAs) issue valid certificates for them, instead of accepting any of the built-in root certificates that ship with Firefox.

The updated version of Firefox displays the ‘lock’ icon if a certificate in the verified certificate chain matches one of the ‘known’ certificates on the pin list. This scenario is depicted in the following image.

[Image: Firefox lock icon shown for a site whose chain matches a pinned certificate]

However, if the root certificate of the pinned site does not correspond to any of the known CAs, Firefox drops the connection with a pinning error, as shown in the image below. Users should also note that this type of error can occur if a certificate authority makes a mistake during certificate issuance.

[Image: Firefox pinning-failure error page]

Cyber threats like ‘Man-in-the-middle’ attacks or ‘Rogue’ certificate authorities can be easily avoided with the help of Public Key Pinning. Users would come across an error message similar to the one shown below, whether a CA errs while issuing a certificate or the root certificate for a pinned site does not match the list of known Certificate Authorities.

[Image: Firefox “connection is not secure” error message]
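The check described above, written out as an added example (not Mozilla's code): a constructed pin set and two constructed certificate chains show why a chain from a mis-issuing CA passes ordinary validation but fails pinning. The SPKI byte strings are constructed stand-ins, and the base64(SHA-256(SubjectPublicKeyInfo)) pin format is an assumption taken from the later HPKP convention.

```python
import base64
import hashlib
from typing import Iterable, Set

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo of each
# certificate; a real implementation extracts these from the X.509 certs.
SPKI = {
    "site_leaf": b"constructed-spki: example.com leaf key",
    "trusted_intermediate": b"constructed-spki: trusted CA intermediate key",
    "trusted_root": b"constructed-spki: trusted CA root key",
    "rogue_leaf": b"constructed-spki: example.com leaf issued by a mis-issuing CA",
    "rogue_root": b"constructed-spki: mis-issuing CA root key (also in the root store)",
}

def spki_pin(spki_der: bytes) -> str:
    """A pin is base64(SHA-256(SubjectPublicKeyInfo)) (assumed format), so it
    survives certificate renewal as long as the same key is kept."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def check_pins(verified_chain: Iterable[bytes], pinset: Set[str]) -> bool:
    """Pinning runs after ordinary chain validation and adds one extra condition:
    at least one certificate in the verified chain must carry a pinned key.
    Returns True when the connection may proceed, False for a pinning error."""
    return any(spki_pin(spki) in pinset for spki in verified_chain)

# The site operator pins the keys of the CA it actually uses (root plus the
# intermediate as a backup), not the leaf, so routine renewals keep working.
EXAMPLE_COM_PINS = {spki_pin(SPKI["trusted_root"]), spki_pin(SPKI["trusted_intermediate"])}

# Chain 1: the genuine site, issued by the pinned CA -> lock icon as normal.
GENUINE_CHAIN = [SPKI["site_leaf"], SPKI["trusted_intermediate"], SPKI["trusted_root"]]
# Chain 2: a DigiNotar-style mis-issuance. Every certificate is valid in the
# ordinary sense (the rogue root is in the root store), yet no key is pinned.
MISISSUED_CHAIN = [SPKI["rogue_leaf"], SPKI["rogue_root"]]

def connection_outcome(verified_chain: Iterable[bytes], pinset: Set[str]) -> str:
    """What the browser does once the chain has already passed normal validation."""
    if check_pins(verified_chain, pinset):
        return "lock icon"
    return "pinning error: connection terminated"

if __name__ == "__main__":
    print("genuine chain   :", connection_outcome(GENUINE_CHAIN, EXAMPLE_COM_PINS))
    print("mis-issued chain:", connection_outcome(MISISSUED_CHAIN, EXAMPLE_COM_PINS))
```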

Firefox 32 pins Mozilla sites (addons.mozilla.org) and Twitter. Google domains are expected to be added in Firefox 33, with many more domains to come.