Mozilla has quickly fixed a serious vulnerability introduced with Firefox 37 that could let an attacker present the user with a fake "secure" connection.
Last March, Mozilla released Firefox 37, the latest publicly available version of its well-known web browser. Among the changes the company announced were new HTTP/2 functionality, a rating system called Heartbeat that lets users score the browser and send feedback to the company, and HTTPS by default for Bing searches.
The most visible item, though perhaps the least substantial at the time of writing, is the HTTP/2 work. The protocol itself had already shipped in Firefox 36; what Firefox 37 adds is opportunistic encryption, in which a server can use the HTTP/2 Alt-Svc mechanism to point the browser at an alternative, encrypted endpoint. HTTP/2 is a more efficient protocol designed for the modern web; its adoption is still spreading, mainly among developers and web professionals, and it is the first real overhaul of HTTP in 16 years.
Introducing a change of this kind is a critical step that leaves room for various kinds of vulnerabilities in the implementation phase, and that is exactly what happened in Firefox: the new feature was accompanied by a serious bug in HTTPS certificate validation. Mozilla nonetheless fixed it quickly, releasing version 37.0.1 a few days ago.
If you use automatic updates, you are probably already safe on the latest version; otherwise, installing the latest version from the official site is strongly recommended. Specifically, the bug allowed HTTPS certificate validation to be bypassed when a server redirected the browser to another endpoint through an Alt-Svc (HTTP Alternative Services) header: Firefox would connect to the alternative service without verifying that its certificate was actually valid for the original site, so no invalid-certificate warning was shown.
This was compounded by the fact that Firefox 37 still presented the page as secure. Take a bank's site, for example: HTTPS often does not come into play until the login step, where the user enters a username and password. After that, the user is normally redirected to the secure page, and on a vulnerable Firefox 37 an attacker could exploit the bug to land the user on a fake "secure" connection under the attacker's control rather than the bank's server.
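To make the failure concrete, here is an added example (written for this page, not Mozilla's code) that models the decision a client has to make when it receives an Alt-Svc header. It parses the header syntax, then compares the buggy policy (switch to the alternative without checking its certificate) with the correct one, which the later RFC 7838 also spells out: the alternative must present a certificate that is valid for the origin's host name, not merely for its own. The certificates, host names and the injected header are constructed for the scenario in the text and are not taken from any real incident.

```python
"""Added example: how an HTTP client should treat an Alt-Svc header.

Models the decision a vulnerable client gets wrong. Certificates are
constructed dicts, not real X.509 objects; no network access is performed.
"""
from dataclasses import dataclass


@dataclass
class AltService:
    protocol: str   # e.g. "h2"
    host: str       # alternative host; empty in the header means "same host as origin"
    port: int
    max_age: int    # seconds the alternative may be cached (ma=, default 86400)


def parse_alt_svc(header: str, origin_host: str) -> list:
    """Parse an Alt-Svc value such as 'h2="alt.example.com:443"; ma=3600'.

    Alternatives are comma-separated; 'clear' means forget all of them.
    """
    if header.strip().lower() == "clear":
        return []
    services = []
    for entry in header.split(","):
        parts = [p.strip() for p in entry.split(";")]
        protocol, _, authority = parts[0].partition("=")
        authority = authority.strip().strip('"')
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            raise ValueError(f"malformed alt-authority: {authority!r}")
        max_age = 86400
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() == "ma" and value.strip().isdigit():
                max_age = int(value)
        services.append(AltService(protocol.strip(), host or origin_host, int(port), max_age))
    return services


def cert_valid_for(cert: dict, host: str) -> bool:
    """Constructed stand-in for chain validation plus host name matching.

    cert = {"chain_trusted": bool, "sans": ["bank.example", "*.bank.example"]}
    """
    if not cert.get("chain_trusted"):
        return False
    for name in cert.get("sans", []):
        if name.startswith("*."):
            # leftmost-label wildcard only, as in real host name matching
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def pick_endpoint_vulnerable(origin_host, origin_port, alt, alt_cert):
    """Bug pattern: trust the alternative because the origin was already verified.

    alt_cert is deliberately ignored, so a man-in-the-middle who injects the
    Alt-Svc header can serve any certificate of his own and is never challenged.
    """
    if alt is None:
        return (origin_host, origin_port)
    return (alt.host, alt.port)


def pick_endpoint_hardened(origin_host, origin_port, alt, alt_cert):
    """Correct behaviour: the alternative must present a certificate that is
    valid for the ORIGIN host. Anything else falls back to the origin itself."""
    if alt is not None and cert_valid_for(alt_cert, origin_host):
        return (alt.host, alt.port)
    return (origin_host, origin_port)


# Constructed scenario: an attacker on the path injects an Alt-Svc header that
# points the browser at a host he controls, with a certificate that chains fine
# but is issued for his own name, not the bank's.
ORIGIN = ("bank.example", 443)
INJECTED_HEADER = 'h2="evil.example:443"; ma=3600'
ATTACKER_CERT = {"chain_trusted": True, "sans": ["evil.example"]}
# Legitimate case: the bank's CDN advertises itself with a certificate covering the bank's name.
LEGIT_HEADER = 'h2="cdn.bank.example:443"; ma=600, h2=":8443"'
CDN_CERT = {"chain_trusted": True, "sans": ["cdn.bank.example", "bank.example"]}


def demo():
    """Return where each policy would send the connection in each scenario."""
    injected = parse_alt_svc(INJECTED_HEADER, ORIGIN[0])[0]
    legit = parse_alt_svc(LEGIT_HEADER, ORIGIN[0])[0]
    return {
        "vulnerable_injected": pick_endpoint_vulnerable(*ORIGIN, injected, ATTACKER_CERT),
        "hardened_injected": pick_endpoint_hardened(*ORIGIN, injected, ATTACKER_CERT),
        "hardened_legit": pick_endpoint_hardened(*ORIGIN, legit, CDN_CERT),
    }


if __name__ == "__main__":
    for name, (host, port) in demo().items():
        print(f"{name}: connect to {host}:{port}")
```

The point of the hardened policy is that the certificate check is keyed on the origin's name rather than the alternative's: a certificate that is perfectly valid for evil.example is still useless for bank.example, so the client quietly falls back to the origin instead of silently trusting the alternative. A patched browser should behave the same way, and the only safe way to confirm that is to stay on the updated version rather than rely on the padlock alone.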
In this case, credit goes to the Firefox developers, who fixed the vulnerability before it became public and could be exploited by cybercriminals.