A single security fix is apparently the sole reason Mozilla released Firefox 52.0.1 on March 17. There was no announcement from Mozilla, but as usual, CERT picked up the slack with their own announcement. The release notes for 52.0.1 point to a related security advisory.
Firefox will offer to update itself over the next few days, but you can usually trigger an update by navigating to its About dialog (hamburger menu icon > question mark icon > About Firefox).
At this point it seems clear that Mozilla has instructed its content writers to never mention version numbers in Firefox release announcements. The reason remains a mystery. Take yesterday’s announcement, for example. It begins “Today’s release of Firefox” – which makes it sound like Firefox is a new product.
Anyway… the mystery Firefox release yesterday was in fact version 52, which fixes at least twenty-eight security vulnerabilities. The new version also adds support for WebAssembly, which can dramatically improve the performance of web-based applications. Support for those annoying WiFi ‘captive portal’ hotspot login pages is improved in Firefox 52, and there are further improvements to the warnings you’ll see when you’re presented with a login form on an unencrypted connection.
Firefox 52 also removes almost all remaining support for the NPAPI plugin technology, with the lone exception being Flash, which means Silverlight, Java, Acrobat and other plugins that depend on NPAPI will no longer work. Support for the NPAPI version of Flash will apparently be removed in the next major Firefox release.
There were a couple of problems with Firefox 51 that prompted Mozilla to push out another new version yesterday. Firefox 51.0.1 resolves the two problems, one of which was related to the new multiprocess features.
Firefox itself seems to take a few days to notice new versions. Click the ‘hamburger’ menu button at the top right, then click the question mark icon, then click ‘About Firefox’ to see the version you’re running. In my experience, Firefox will usually say ‘Firefox is up to date’ until a couple of days after a new release becomes available. This is potentially confusing, but Mozilla doesn’t seem to understand that.
As usual, there’s nothing like a proper announcement for Firefox 51. What we get from Mozilla instead is a blog post that discusses some new features in Firefox, and mentions the new version number almost accidentally in the third paragraph. Once again, CERT does a better job of announcing the new version than Mozilla.
Starting with version 51, Firefox will flag sites that are not secured with HTTPS if they prompt for user passwords. Secure sites will show a green lock at the left end of the address bar as before, but sites that are not secure will show a grey lock with a red line through it. Previously, non-encrypted sites showed no lock icon at all. The idea is to draw the user’s attention to the fact that they are browsing without the security of encryption, which is risky when sensitive information (passwords, credit card numbers) is entered by the user.
If you’re a Firefox user, you might want to think about using a different browser for the next day or so. Researchers have discovered a critical vulnerability that has yet to be patched. Mozilla is working on a fix but there’s no word on when it will be available.
Yes, Firefox can be configured to update itself or alert you when an update is available, but that setting can also be disabled completely. Worse, it can take days for Firefox’s internal update checker to detect that there’s a new version.
SHA-1 (Secure Hash Algorithm 1) is still used by some web sites to encrypt their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1.
Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.
In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.
We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.
Firefox users are advised to make sure it’s up to date: version 50 — released yesterday — addresses at least twenty-seven security vulnerabilities. To find out what version you’re running, click the ‘hamburger’ menu icon at the top right, click the question mark icon, then click ‘About Firefox’.
Aside from the security fixes, there’s not much of interest in Firefox 50. The release notes provide additional information.
Starting with Firefox 51, the browser will no longer trust WoSign or StartCom certificates. According to Mozilla: “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”
WoSign/StartCom can dig themselves out of this hole by applying for inclusion of new (replacement) root certificates, and there’s little doubt that they will pursue this course. But should anyone really trust their security and privacy to this company? I sure won’t, especially when there are excellent free alternatives like Let’s Encrypt.
The most recent example of WoSign’s failings stems from their acquisition of CA StartCom in November of 2015. WoSign failed to disclose the acquisition, then lied about it.
On a related note, Mozilla will also no longer accept audits performed by the consulting firm Ernst and Young (Hong Kong). That’s the company that failed to catch several of WoSign’s worst abuses. This is personally amusing to me, since I’ve had dealings with Ernst and Young that were somewhat less than positive.