Category Archives: Firefox

New, critical Firefox zero-day

If you’re a Firefox user, you might want to think about using a different browser for the next day or so. Researchers have discovered a critical vulnerability that has yet to be patched. Mozilla is working on a fix but there’s no word on when it will be available.

Ars Technica has more.

Update 2016Nov30: Mozilla just released Firefox 50.0.2, which includes a fix for this vulnerability. Mozilla posted about this as well.

Firefox 50.0.1 fixes one critical security issue

There’s a critical security vulnerability in Firefox 49 and 50, and Mozilla just released Firefox 50.0.1 to address it. Which is great, except for one thing: the total lack of anything resembling an announcement.

Yes, Firefox can be configured to update itself or alert you when an update is available, but that setting can also be disabled completely. Worse, it can take days for Firefox’s internal update checker to detect that there’s a new version.

I discovered the new version by way of a post on the US-CERT site.

SHA-1 deprecation coming soon

SHA-1 (Secure Hash Algorithm 1) is still used in the certificates that some web sites rely on to secure their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1 certificates.

Like this one in Edge:

After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption

SHA-1 deprecation announcements

Microsoft

(From a post on the Microsoft Edge blog.)

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

Mozilla

From a post on the Mozilla security blog.

In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.

Google

From a post on the Google security blog.

We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.
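To see whether a certificate chain would trip the warnings described above, here is a small added check (not Mozilla's, Microsoft's or Google's code) that reads the signatureAlgorithm field of a DER-encoded certificate with the standard library only; the OID table is the RFC 3279/4055 subset it recognises, and the sample certificate is constructed for the example.

```python
# Report the signature algorithm of a DER-encoded X.509 certificate using only the
# standard library, to spot chains that browsers will reject as SHA-1 signed.
# Added example for this page, not Mozilla's or any vendor's code.
SIGNATURE_OIDS = {  # RFC 3279 / RFC 4055; names containing "sha1" are what browsers refuse
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsaWithSHA1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):  # parse one DER tag-length-value at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return (oid, name) of the certificate's outer signatureAlgorithm field."""
    tag, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, _, pos = read_tlv(cert, 0)               # skip tbsCertificate as a whole
    alg_tag, alg_id, _ = read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, oid_raw, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate")
    oid = decode_oid(oid_raw)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")

def uses_sha1(cert_der):
    return "sha1" in signature_algorithm(cert_der)[1].lower()

def der(tag, content):  # encode one TLV; content under 256 bytes suffices here
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

def make_sample_cert(alg_oid_der):
    """Constructed stand-in: skeletal tbsCertificate, given OID + NULL params,
    130-byte dummy BIT STRING so the outer length takes DER's long form."""
    return der(0x30, der(0x30, der(0x02, b"\x02"))
               + der(0x30, der(0x06, alg_oid_der) + der(0x05, b""))
               + der(0x03, b"\x00" * 130))
SAMPLE_SHA1_CERT = make_sample_cert(bytes.fromhex("2a864886f70d010105"))  # 1.2.840.113549.1.1.5
```

For a live site, feed it `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` and then each intermediate certificate, since every link below the root must avoid SHA-1 to escape the warning.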

Firefox 50 fixes 27 security bugs

Firefox users are advised to make sure it’s up to date: version 50 — released yesterday — addresses at least twenty-seven security vulnerabilities. To find out what version you’re running, click the ‘hamburger’ menu icon at the top right, click the question mark icon, then click ‘About Firefox’.

Aside from the security fixes, there’s not much of interest in Firefox 50. The release notes provide additional information.

Stay away from Certificate Authority WoSign/StartCom

A litany of abuse and incompetence has prompted Mozilla to completely distrust security certificates from Certificate Authority (CA) WoSign in Firefox.

Starting with Firefox 51, the browser will no longer trust WoSign or StartCom certificates. According to Mozilla: “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”

WoSign/StartCom can dig themselves out of this hole by applying for inclusion of new (replacement) root certificates, and there’s little doubt that they will pursue this course. But should anyone really trust their security and privacy to this company? I sure won’t, especially when there are excellent free alternatives like Let’s Encrypt.

Mozilla has been tracking WoSign’s failures since the beginning of 2015, recording their observations on their corporate wiki site.

The most recent example of WoSign’s failings stems from their acquisition of CA StartCom in November of 2015. WoSign failed to disclose the acquisition, then lied about it.

On a related note, Mozilla will also no longer accept audits performed by the consulting firm Ernst and Young (Hong Kong). That’s the company that failed to catch several of WoSign’s worst abuses. This is personally amusing to me, since I’ve had dealings with Ernst and Young that were somewhat less than positive.

Update 2016Nov01: Google is following Mozilla’s lead and removing trust for WoSign and StartCom certificates in Chrome, starting with Chrome 56.

Firefox 49

I’m getting better at parsing Mozilla blog posts. I only had to read a few paragraphs of the latest post (“Latest Firefox Expands Multi-Process Support and Delivers New Features for Desktop and Android”) to be fairly certain that it’s talking about a new, just-released version of Firefox. The new version number (49) isn’t mentioned, and neither is there any definite indication of when the new version was released. But there is a link to the version 49 release notes, way down at the bottom of the post.

Why is that bad? Because the Mozilla blog also routinely includes posts that are not related to new versions of Firefox, and those posts are almost indistinguishable from posts about new Firefox versions. Of course, if your goal is to confuse and obfuscate, well, nice work, Mozilla.

According to the release notes, Firefox 49 enables multi-process tabs for even more users. After installing, you can determine whether your Firefox is using multi-process tabs by entering ‘about:support’ in Firefox’s address bar and looking for the ‘Multiprocess Windows’ entry. In my case, that entry shows as 0/1 (Disabled by add-ons). I’m using add-ons that Mozilla hasn’t tested, I guess.

Also in Firefox 49, Reader Mode has been improved, and offline page viewing has been enabled for Android users.

Firefox 48.0.1 and 48.0.2

Mozilla snuck a couple of Firefox releases past me again. I only noticed version 48.0.1 when Firefox offered to upgrade itself on one of my computers. On a different computer, Firefox offered to upgrade itself directly to 48.0.2. I’m currently unable to induce Firefox to update itself to 48.0.2 on the former; the About dialog insists that “Firefox is up to date.”

Come on, Mozilla. Get your crap together:

  • Provide proper release announcements. I’ve been harping on this for a while, but Mozilla is oddly resistant.
  • Clarify update availability: why do I see update alerts on some computers, but not others?
  • Add a manual update checker to the About dialog (menu > question icon > About), because otherwise it may not show the most recent version for several days after that version becomes available.

This is basic stuff, folks.

Firefox 48.0.1 was released on August 18. It’s mostly fixes for crashing problems, and doesn’t seem to include any security fixes.

Firefox 48.0.2 was released on August 24. It fixes one specific crashing problem.

Since neither of these updates includes security fixes, delaying their installation (for whatever reason) isn’t going to make your computer less safe.

Update 2016Sep03: On my Windows 8.1 computer, Firefox didn’t prompt me to upgrade to version 48.0.2 until a week after the update became available. That seems an excessive delay. Of course, 48.0.2 isn’t a security release, so it’s not really urgent. Or is it? The 48.0.2 update message says “A security and stability update for Firefox is available.” Which seems weird, since the release notes don’t mention anything about security. The update message also says this: “It is strongly recommended that you apply this update for Firefox as soon as possible.” That would make sense if this was a security update, but again, it’s not. And how much sense does it make to tell people to update ASAP, when the message doesn’t appear until a week after the update becomes available? Sheesh.

Firefox 48

There’s a lot to talk about with the release of Firefox 48. Of course, this being Mozilla, nothing is straightforward.

Process separation

One of the most important new features in Firefox 48 is process separation (aka Electrolysis, aka e10s), whereby Firefox is split into separate processes, instead of running as a single process. The idea is to improve stability, responsiveness, and security. According to Mozilla: “Users should experience a Firefox that is less susceptible to freezing and is generally more responsive to input, while retaining the experience and features that users love.”

Here’s what the release notes have to say about it: “Process separation (e10s) is enabled for some of you. Like it? Let us know and we’ll roll it out to more.” What does this even mean? How do I know if process separation is enabled in my copy? What’s the difference between Firefox 48 with process separation enabled and with it disabled? How can I provide feedback on something if I don’t even know for sure I’m seeing it? If it’s not enabled in my copy, how will Mozilla ‘roll it out’ to me?

A separate Mozilla blog post answers some of these questions. Process separation will be enabled gradually in a series of Firefox releases, starting with 48 and continuing with 49. You can determine whether e10s is enabled in your copy of Firefox by entering “about:support” into the URL bar, and looking at the ‘Multiprocess Windows’ line.

A post on Asa Dotzler’s blog provides a few more answers, including this: “The groups that will have to wait a bit for E10S account for about half of our release users and include Windows XP users, users with screen readers, RTL users, and the largest group, extension users.” In case you were wondering, Asa Dotzler is the Participation Director for Firefox OS, Mozilla Corp.

Improved download security

With version 48, Firefox has beefed up security related to downloads. Actually, it’s more accurate to say that Google added features to its Safe Browsing service, which Firefox uses. Those new features include checking for ‘Potentially Unwanted Software’ and ‘Uncommon Downloads’. The changes are described in another Mozilla post. Unfortunately, this post is poorly worded, making the new features sound as if they watch what a downloaded software installer is doing. In fact, Firefox just checks downloads against a list of known bad or ‘uncommon’ installers (provided by Google) and warns the user if one is encountered. The new features can be disabled in Firefox’s options.

New restrictions for add-ons

Firefox add-ons that have not been approved by Mozilla will no longer work with Firefox 48. Add-ons are a major source of instability and security issues in Firefox, and while this change will be inconvenient for people who use add-ons that have not been verified and signed by Mozilla, it’s definitely a step in the right direction.

Security vulnerabilities fixed

At least twenty-three security issues were fixed in Firefox 48. That means this is an important update; if you use Firefox, you should upgrade to version 48 as soon as possible. If the new features in Firefox 48 are a problem for you, then it’s time to look at alternatives like Opera and Chrome.

Other notable changes

The address (URL) bar now expands to the width of the screen when you’re typing in it. More matches are shown when you enter text in the address bar, and any that are already bookmarked will show an icon.

Improvements to bookmarks and history: Firefox 48 merges “your Reading Lists into Bookmarks and your Synced tabs into the History Panel. This change means your reading list items will now be available across devices alongside your bookmarks, giving you easier access to your content no matter what device you’re using, which is a major upgrade for those of you using Firefox across devices.”
