Mozilla Offers $10K For Critical Flaws In New Certificate Verification Scheme |
Written by Alex Armstrong | |||
Friday, 25 April 2014 | |||
Mozilla is introducing a new certificate verification library in Firefox 31. Spurred on by the Heartbleed fiasco it wants to ensure that the code bug-free before it is released in July and has launched a special $10,000 bug bounty program.
To be eligible to earn this bounty security expects have first to meet the criteria for the normal Mozilla Security Bug Bounty Program, which pays up to $3,000 for vulnerabilities discovered in Mozilla software. These are listed as
The extra criteria for this one-off bounty, which will go to the first person to file in case of duplicates, are that the vulnerability must:
Clarifying what Mozilla is looking for Daniel Veditz states on the Mozilla Security blog: We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption. Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be. He also notes that valid security bugs that don't fit these criterai will still be eligible for a reward under the general Security Bug Bounty scheme. The need for testing has arisen because of the introduction of mozilla::pkix, a new certificate verification library that is designed to be more robust in that its certificate path building, attempts all potential trust chains for a certificate before giving up. It is also more maintainable than libPKIX which is already successfully in use in Gecko for Extended Validation certificated verification, in that is only 4,167 lines of C++ code compared 81,865 lines of C code which had been auto-translated from Java. Up until now the certificate verification processing in Mozilla's Network Secuirt Service (NSS) to ensure the validity of certificates presented during a TLS/SSL handshake had two code paths - using "classic" for Domain Validated and libPKIX for Extended Validation certificated verification but the NSS team wanted to replaced the "classic" method by a PKIX-based in order to improve the handling of cross-signed certificates. More InformationExciting Updates to Certificate Verification in Gecko $10,000 Security Bug Bounty for Certificate Verification Related ArticlesMozDef - Mozilla's Self Defence Kit Record Payouts At Hacking Contests To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin, or sign up for our weekly newsletter.
Comments
or email your comment to: comments@i-programmer.info |
|||
Last Updated ( Friday, 25 April 2014 ) |