A new security flaw connected to certificate pinning has been discovered that allows attackers to compromise systems running the Tor Browser and Mozilla Firefox. The attack relies on a man-in-the-middle position and malicious add-ons.
The flaw allows an attacker who reaches a man-in-the-middle position and obtains a forged certificate to impersonate the Mozilla servers. From there, the attacker can deliver a malicious update for NoScript or various other Firefox extensions installed on the targeted computer. The certificate would have to be issued by one of the several hundred certificate authorities that Firefox trusts.
The vulnerability is also believed to affect the Tor Browser, which is based on Firefox, so the Tor Browser would also be susceptible to these attacks. It might not have any add-ons added to it, but the fact that HTTPS Everywhere and NoScript are present makes it vulnerable.
The attacks were brought to light by a hacker who uses the name ‘movcrx’. He said that the attacks would cost about $100,000 to launch, and noted that they could be used to launch mass attacks on Tor users.
In his report, Duff said that he had been able to reproduce the results seen by another security researcher, which showed that the protection Firefox implements, known as ‘certificate pinning’, had been ineffective in preventing some of the attacks that use forged certificates.
Certificate pinning is used to ensure that a browser accepts only specific certificates for a specific domain or subdomain and rejects any other, even when it is issued by one of the authorities the browser trusts.
Duff also said that the main cause of the failure was tied to a form of static key pinning that is not based on the HTTP Public Key Pinning protocol. Put more simply, the flaw is the result of Mozilla failing to extend the expiration dates on the static key list, which causes pinning to go unenforced once they expire.
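The failure mode described above can be shown with a simplified model, added here as an illustration and not taken from Firefox's code: a static pin list with an expiration date, a connection check that stops enforcing pins once that date has passed, and a release-time check that would catch a list due to expire before the next build ships. The host name, key bytes, dates and function names are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

def spki_pin(spki: bytes) -> str:
    """Pin value: SHA-256 over the server's public key info."""
    return hashlib.sha256(spki).hexdigest()

# Constructed sample data standing in for a pin list shipped inside a build.
LEGIT_KEY = b"constructed-legitimate-spki"
FORGED_KEY = b"constructed-forged-spki"   # key in a cert from some other trusted CA
STATIC_PINS = {"updates.example": {spki_pin(LEGIT_KEY)}}
PINS_EXPIRE = datetime(2016, 9, 3, tzinfo=timezone.utc)    # constructed
BEFORE_EXPIRY = datetime(2016, 8, 1, tzinfo=timezone.utc)   # constructed
AFTER_EXPIRY = datetime(2016, 9, 10, tzinfo=timezone.utc)   # constructed
NEXT_RELEASE = datetime(2016, 9, 20, tzinfo=timezone.utc)   # constructed

def check_connection(host, chain_keys, ca_trusted, now):
    """Return (accepted, reason) for the key chain a server presents."""
    if not ca_trusted:
        return False, "untrusted-ca"
    pins = STATIC_PINS.get(host)
    if pins is None:
        return True, "no-pins-for-host"
    if now >= PINS_EXPIRE:
        # Expired list: pinning is skipped and only CA trust remains.
        return True, "pins-expired-not-enforced"
    if any(spki_pin(k) in pins for k in chain_keys):
        return True, "pin-match"
    return False, "pin-mismatch"

def pins_outlive_release(pins_expire, next_release):
    """Release gate: the pin list must still be valid when the next build ships."""
    return pins_expire > next_release

if __name__ == "__main__":
    for label, now in (("before expiry", BEFORE_EXPIRY), ("after expiry", AFTER_EXPIRY)):
        print(label, check_connection("updates.example", [FORGED_KEY], True, now))
    print("release gate ok:", pins_outlive_release(PINS_EXPIRE, NEXT_RELEASE))
```

The same CA-issued certificate is rejected while the list is current and accepted once it has lapsed, which is why the expiration date itself needs to be checked as part of every release.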
The Tor Project has already released an update for the flaw, while Mozilla officials said the one for the Firefox browser would be released on Tuesday (20th of September). Selena Deckelman, senior manager of security engineering at Mozilla, said that they were not aware of any evidence that malicious certificates exist, and that in any case obtaining one would have required compelling a Certificate Authority. However, such issues might be a problem for Tor users, who have lately been wary of state-sponsored attacks.