No replies to this topic

[Chachazz]

Attack against TLS-protected communications
09.27.11 - 10:29am

Issue
Juliano Rizzo and Thai Duong recently presented a paper detailing an information stealing attack against TLS-protected communications. The attack is not Firefox specific, and Firefox is not vulnerable in default configurations, however some plugins may be.

Impact to users
A successful application of this man-in-the-middle attack would allow an attacker to steal information from encrypted communications. This could include cookie data, which may allow the attacker to impersonate the victim.

Status
Firefox itself is not vulnerable to this attack.
While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser which Firefox does not allow.

The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Javafrom the Firefox Add-ons Manager as a precaution. We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so.

This bug was reported by Juliano Rizzo and Thai Duong.
Mozilla Security Blog