Firefox Provides Protection Against Rogue SSL Certificates

In the latest version of Mozilla’s web browser, Firefox 32, the development team has implemented a new defense mechanism that helps prevent hackers from intercepting and tampering with data intended for major online services.

The feature is referred to as ‘certificate key pinning’, and it enables online services to state which SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates are legitimate for the services they provide. The certificates are used to verify a site’s identity and to encrypt data traffic.

The update should prevent attacks such as the one that hit Google in 2011, in which users of the Gmail service were targeted. A Dutch certificate authority (CA), DigiNotar, was either hacked or tricked into issuing a valid SSL certificate for a Google domain.

In theory, that enabled the hackers to set up a fake website that mimicked Google’s Gmail without triggering a browser warning about an invalid SSL certificate. Security experts have long warned that attacks aimed at certificate authorities are a danger.

With certificate pinning in place, attacks of this kind would not have succeeded, because Firefox would have known that DigiNotar was not supposed to issue a certificate for Google.

In Firefox 32, “if any certificate in the verified certificate chain corresponds to one of the known good (pinned) certificates, Firefox displays the lock icon as normal,” wrote Sid Stamm, senior manager of security and privacy engineering at Mozilla, in a blog post.

“When the root cert for a pinned site does not match one of the known good CAs, Firefox will reject the connection with a pinning error,” he went on to say.

The “pins” for an online service’s certificates must be built into Firefox itself. Firefox 32, released this week, ships pins for Mozilla sites and Twitter. Future releases will add certificate pinning for Tor, Google sites, Dropbox and numerous others, according to a project wiki.
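The following is an added example, not Mozilla’s code: a small model of the decision described above, with a built-in pin list and a check that accepts a path-validated chain if any certificate in it matches a pin and otherwise raises a pinning error. Pins are modelled as base64 SHA-256 digests of each certificate’s SubjectPublicKeyInfo (the form Firefox’s pin list uses); the hostnames and the SPKI byte strings are constructed stand-ins, not real keys.

```python
import base64
import hashlib
from typing import Dict, List, Sequence


def spki_pin(spki_der: bytes) -> str:
    """A pin is the base64-encoded SHA-256 digest of a certificate's SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
GOOD_ROOT_SPKI = b"constructed-spki:good-root-ca"
GOOD_INTER_SPKI = b"constructed-spki:good-intermediate-ca"
ROGUE_ROOT_SPKI = b"constructed-spki:rogue-ca-still-trusted-by-the-browser"
LEAF_SPKI = b"constructed-spki:mail.example-pinned.test-leaf"
ROGUE_LEAF_SPKI = b"constructed-spki:rogue-leaf-issued-for-the-same-name"

# Built-in pin list keyed by host (hypothetical hosts; the real list ships inside the browser).
PINSETS: Dict[str, List[str]] = {
    "mail.example-pinned.test": [spki_pin(GOOD_ROOT_SPKI), spki_pin(GOOD_INTER_SPKI)],
}


def check_pins(host: str, chain: Sequence[bytes], chain_verified: bool) -> str:
    """Model of the Firefox 32 rule: pins are only consulted for a chain that already
    passed ordinary certificate validation. Returns one of
    'untrusted-chain', 'unpinned', 'pinned-ok' or 'pin-failure'."""
    if not chain_verified:
        return "untrusted-chain"  # ordinary certificate error; pinning is never reached
    pins = PINSETS.get(host)
    if not pins:
        return "unpinned"  # host has no built-in pins, so normal validation is the only check
    # Lock icon as normal if ANY certificate in the verified chain matches a known good pin.
    if any(spki_pin(spki) in pins for spki in chain):
        return "pinned-ok"
    return "pin-failure"  # valid-looking chain from the wrong CA: reject with a pinning error


if __name__ == "__main__":
    # Chain from the expected CA: accepted.
    print(check_pins("mail.example-pinned.test", [LEAF_SPKI, GOOD_INTER_SPKI, GOOD_ROOT_SPKI], True))
    # Mis-issued chain from a different, still-trusted CA (the DigiNotar scenario): rejected.
    print(check_pins("mail.example-pinned.test", [ROGUE_LEAF_SPKI, ROGUE_ROOT_SPKI], True))
```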