Mozilla Offers $10K For Critical Flaws In New Certificate Verification Scheme
Mozilla Offers $10K For Critical Flaws In New Certificate Verification Scheme
Written by Alex Armstrong   
Friday, 25 April 2014

Mozilla is introducing a new certificate verification library in Firefox 31. Spurred on by the Heartbleed fiasco it wants to ensure that the code bug-free before it is released in July and has launched a special $10,000 bug bounty program.




To be eligible to earn this bounty security expects have first to meet the criteria for the normal Mozilla Security Bug Bounty Program, which pays up to $3,000 for vulnerabilities discovered in Mozilla software. These are listed as 

  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
  • Employees of the Mozilla Foundation and its subsidiaries are ineligible.

The extra criteria for this one-off bounty, which will go to the first person to file in case of duplicates, are that the vulnerability must: 

  • be in, or caused by, code in security/pkix or security/certverifier as used in Firefox
  • be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”)
  • be reported in enough detail, including test cases, certificates, or even a running proof of concept server, that we can reproduce the problem
  • be reported to us by 11:59pm June 30, 2014 (Pacific Daylight Time)

Clarifying what Mozilla is looking for Daniel Veditz states on the Mozilla Security blog: 

We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption. Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be.

He also notes that valid security bugs that don't fit these criterai will still be eligible for a reward under the general Security Bug Bounty scheme.

The need for testing has arisen because of the introduction of mozilla::pkix, a new certificate verification library that is designed to be more robust in that its certificate path building, attempts all potential trust chains for a certificate before giving up. It is also more maintainable than libPKIX which is already successfully in use in Gecko for Extended Validation certificated verification, in that is only 4,167 lines of C++ code compared 81,865 lines of C code which had been auto-translated from Java.

Up until now the certificate verification processing in Mozilla's Network Secuirt Service (NSS) to ensure the validity of certificates presented during a TLS/SSL handshake had two code paths - using "classic" for Domain Validated and libPKIX for Extended Validation certificated verification but the NSS team wanted to replaced the "classic"  method by a PKIX-based in order to improve the handling of cross-signed certificates.




AI Predicts World Cup Winners

An AI system has been used to calculate the likely winners of this year's FIFA World Cup; and the real shock is the system didn't pick Germany. The FIFA World Cup 2018 is underway at the moment in Rus [ ... ]

Are You A Typical Developer?

JetBrains has conducted a survey of 6000 developers. It found Java to be the most popular programming language followed by JavaScript and Python. Go was discovered to be the language that devs were ke [ ... ]

More News





or email your comment to:

Last Updated ( Friday, 25 April 2014 )

RSS feed of news items only
I Programmer News
Copyright © 2018 All Rights Reserved.
Joomla! is Free Software released under the GNU/GPL License.