[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*
OVAL

Mozilla Products: Key pinning bypasses - mfsa2014-80 (Mac OS X)

ID: oval:org.secpod.oval:def:21426Date: (C)2014-10-21   (M)2023-12-07
Class: PATCHFamily: macos




Mozilla developer Patrick McManus reported a method to use SPDY or HTTP/2 connection coalescing to bypass key pinning on different sites that resolve to the same IP address.This could allow the use of a fraudulent certificate when a saved pin for that subdomain should have prevented the connection. This leads to possible man-in-the-middle attacks if an attacker has control of the DNS connection and the ability to obtain a fraudulent certificate that browsers would accept in the absence of the pin. Mozilla security engineer David Keeler discovered that when there are specific problems verifying the issuer of an SSL certificate, the checks necessary for key pinning would not be run. As a result, the user is then presented with the Untrusted Connection error page, which they can use to bypass the key pinning process on a site that should be pinned. This error message is always shown to the user and cannot be used to silently bypass key pinning on affected sites.

Platform:
Apple Mac OS 14
Apple Mac OS 13
Apple Mac OS 12
Apple Mac OS 11
Apple Mac OS X 10.15
Apple Mac OS X 10.14
Apple Mac OS X 10.13
Apple Mac OS X 10.11
Apple Mac OS X 10.12
Product:
Mozilla Firefox
Reference:
MFSA 2014-80
CVE-2014-1582
CVE-2014-1584
CVE    2
CVE-2014-1582
CVE-2014-1584
CPE    5
cpe:/a:mozilla:firefox:32.0
cpe:/a:mozilla:firefox:30.0
cpe:/a:mozilla:firefox:31.0
cpe:/a:mozilla:firefox:31.1.0
...

© SecPod Technologies