Mozilla is introducing a new certificate verification library in Firefox 31. Spurred on by the Heartbleed fiasco it wants to ensure that the code bug-free before it is released in July and has launched a special $10,000 bug bounty program.

To be eligible to earn this bounty security expects have first to meet the criteria for the normal Mozilla Security Bug Bounty Program, which pays up to $3,000 for vulnerabilities discovered in Mozilla software. These are listed as 

• Security bug must be original and previously unreported.
• Security bug must be a remote exploit.
• Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Mozilla project (such as by providing check-in reviews).
• Employees of the Mozilla Foundation and its subsidiaries are ineligible.

The extra criteria for this one-off bounty, which will go to the first person to file in case of duplicates, are that the vulnerability must: 

• be in, or caused by, code in security/pkix or security/certverifier as used in Firefox
• be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”)
• be reported in enough detail, including test cases, certificates, or even a running proof of concept server, that we can reproduce the problem
• be reported to us by 11:59pm June 30, 2014 (Pacific Daylight Time)

Clarifying what Mozilla is looking for Daniel Veditz states on the Mozilla Security blog: 

We are primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, and bugs in the new code that lead to exploitable memory corruption. Compatibility issues that cause Firefox to be unable to verify otherwise valid certificates will generally not be considered a security bug, but a bug that caused Firefox to accept forged signed OCSP responses would be.

He also notes that valid security bugs that don't fit these criterai will still be eligible for a reward under the general Security Bug Bounty scheme.

The need for testing has arisen because of the introduction of mozilla::pkix, a new certificate verification library that is designed to be more robust in that its certificate path building, attempts all potential trust chains for a certificate before giving up. It is also more maintainable than libPKIX which is already successfully in use in Gecko for Extended Validation certificated verification, in that is only 4,167 lines of C++ code compared 81,865 lines of C code which had been auto-translated from Java.

Up until now the certificate verification processing in Mozilla's Network Secuirt Service (NSS) to ensure the validity of certificates presented during a TLS/SSL handshake had two code paths - using "classic" for Domain Validated and libPKIX for Extended Validation certificated verification but the NSS team wanted to replaced the "classic"  method by a PKIX-based in order to improve the handling of cross-signed certificates.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info