Security problems force Mozilla to drop security feature

Less than a week after it was introduced in Firefox 37, Opportunistic Encryption (OE) has been removed by Mozilla due to a flaw that was discovered in their HTTP Alternative Services implementation.

OE offered unauthenticated encryption over TLS, boosting the level of security for data that would otherwise have been transmitted in clear text. Thus the feature, wrote Patrick McManus, a network developer for Mozilla, created some level of confidentiality in the face of passive eavesdropping.

Security experts were pleased by OE, commenting that Firefox had taken a step in the right direction, removing almost all barriers to encrypting Web traffic.

However, in order for OE to work, website administrators needed to implement support for the Alternative Services specification, and that's where the problem came from.

"If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM), replacing the original certificate with their own," a security advisory from Mozilla explained.

Given that HTTP/2 Alt-Svc breaks SSL certificate validation, Mozilla was really left with no other alternative than to remove OE and fix the issue offline. They're encouraging all users to update to version 37.0.1 as quickly as possible in order to avoid potential problems.
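To make the advisory's point concrete, here is an added example (not code from the article or from Mozilla) that models in Python the decision a client has to make when it sees an Alt-Svc header: for an https origin, the alternate endpoint may only be used if it presents a validating certificate whose names cover the origin host, which is the check the flawed implementation skipped; for a cleartext http origin, OE uses the alternate without asserting identity. The header value, host names and certificate names are constructed, and the policy is a simplification of RFC 7838's "reasonable assurances" rule.

```python
import re
from dataclasses import dataclass

# Alt-Svc entries look like: h2="alt.example.com:443"; ma=3600
# An empty host ("":8443") means "same host as the origin".
ALT_SVC_RE = re.compile(r'(?P<proto>[A-Za-z0-9.\-]+)="(?P<host>[^":]*):(?P<port>\d+)"')


@dataclass
class Alternative:
    protocol: str
    host: str
    port: int


def parse_alt_svc(header: str, origin_host: str) -> list:
    """Parse an Alt-Svc header value into Alternative records (ma=/persist= are ignored)."""
    alts = []
    for entry in header.split(","):
        m = ALT_SVC_RE.search(entry)
        if m:
            alts.append(Alternative(m["proto"], m["host"] or origin_host, int(m["port"])))
    return alts


def _name_matches(host: str, pattern: str) -> bool:
    """Match a certificate name against a host, allowing a single left-most wildcard label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def may_use_alternative(origin_scheme: str, origin_host: str,
                        chain_valid: bool, cert_names: list) -> bool:
    """Decide whether the connection to the alternate endpoint may serve the origin.

    chain_valid / cert_names describe the certificate the *alternate* presented.
    The bug described in the advisory amounted to returning True for https origins
    without performing the checks below, so a MITM-supplied certificate was accepted.
    """
    if origin_scheme == "http":
        # Opportunistic encryption: the origin was cleartext anyway; an unauthenticated
        # TLS hop is still an improvement, but no identity is asserted to the user.
        return True
    if origin_scheme != "https" or not chain_valid:
        return False
    # The certificate must be valid for the ORIGIN host, not merely the alternate host.
    return any(_name_matches(origin_host, name) for name in cert_names)
```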