Can't patch this: Mozilla pulls Firefox encryption feature after just a week

Mozilla has pulled Firefox 37's opportunistic encryption feature after less than a week when it learned that tech designed to enhance security actually broke SSL certificate validation. A simple patch wouldn't do the trick, so Mozilla opted to release an update, Firefox 37.0.1, that removed opportunistic encryption. Going …

  1. Brewster's Angle Grinder

    Bugs happen

    "Going into reverse ferret mode and stripping out technology that evidently wasn't ready for prime time is a little embarrassing for Mozilla even though this is the responsible action to take in the circumstances."

    So they did the right thing and you're gonna slag them off anyway. Nice.

    1. Fuzz

      Re: Bugs happen

      I didn't realise 37 had gone stable

    2. sabroni

      Re: So they did the right thing and you're gonna slag them off anyway.

      They deserve it. The explanation of the problem makes it pretty clear they didn't think this "security feature" through properly.

    3. Just Enough

      Re: Bugs happen

      They're not getting slagged off for doing the right thing. They're getting slagged off for rolling out a feature that was fundamentally a terrible idea from the very start.

      This went all the way from "neat idea" to roll out, and no-one involved noticed the problem with it. That's about as embarrassing as it gets.

  2. Tree

    Why do this?

    I hate those mysterious and confusing warnings of invalid SSL certificates. This is a real improvement to do away with them so I can get back to girlie images.

    1. Preston Munchensonton

      Re: Why do this?

      This is great news. A Nigerian prince will be reaching out to you soon for your bank account information to confirm.

  3. Anonymous Coward

    Mozilla backtracking on new features

    I wish they did that a lot more often.

    1. Mark 85

      Re: Mozilla backtracking on new features

      I wish other software companies/organizations <cough>Microsloth<cough> would follow suit when they've cobbled something.

      1. Oninoshiko

        Re: Mozilla backtracking on new features

        They did on TIFKAM

        1. Old Handle

          Re: Mozilla backtracking on new features

          Yeah, but it took them much longer than a week to come around.

        2. Anonymous Coward

          Re: Mozilla backtracking on new features

          > They did on TIFKAM

          Actually, they haven't, yet… Windows 10 will represent a backtrack on TIFKAM but isn't yet released. Windows 8.1 is still 90% TIFKAM-centric out-of-the-box.

  4. Conrad Longmore

    100% False Positive rate

    As far as almost all users are concerned, certificate warnings are almost 100% false positives. Usually it's either a legitimate self-signed certificate, a server somewhere has changed its name, the certificate has expired or some other annoyance. And although they are not common, most users just ignore them, so that they will eventually ignore ALL certificate errors.

    1. David Pollard

      Re: 100% False Positive rate

      Perhaps what's needed is an opportunity to log the details and check with a database/forum that other people have also seen the warning and/or that the owner is correcting the problem. That would go some way towards making the warnings meaningful to everyday users.

      1. Anonymous Coward

        Re: 100% False Positive rate

        How about having the details uploaded to mozilla, so they can check the server name against the list of domains registered with one of the major registries to give the user an indication how serious it may be.

        If I get a warning from yahoo.com, I may know that is something to be very concerned about (or someone at Yahoo is about to get fired) but the average person doesn't know the difference between that and a warning for myblog.myvanitydomain.com.

    2. Crazy Operations Guy

      Re: 100% False Positive rate

      Perhaps use a DNS-like system for certificates? Where the certificate authority publishes which certificates it hands out, issue dates, expiration date, and various checksums. Then require that 30 days before a new certificate can be used, it must be listed in the database. This would prevent someone from hijacking the company's account.

      1. Charles 9

        Re: 100% False Positive rate

        Aren't many hijackings the result of social engineering (AKA identity theft), which no amount of safeguarding will prevent (because the miscreant will simply glean enough credentials to pass any test)?

    3. Old Handle

      Re: 100% False Positive rate

      You know how most browsers have a Private Browsing or "Incognito" mode? What we need is to move those heavy-handed warnings into an optional Paranoid mode. You could turn this on for banking etc. The rest of the time, a little red warning icon would suffice.

      I've said it before, but what I find hugely irritating is that https sites with irregular certificates are treated as if they were more dangerous than plain http sites I visit all the time. Clearly that isn't actually the case, but browser makers apparently can't understand this.

    4. Anonymous Coward

      Re: 100% False Positive rate

      > As far as almost all users are concerned, certificate warnings are almost 100% false positives. Usually it's either a legitimate self-signed certificate,

      Acceptable for some websites, but I wouldn't want to do business with a bank that was using a self-signed certificate unless they provided the certificate to me on a USB stick supplied at a branch.

      Given the technological prowess of the general public, I don't see this happening.

      > a server somewhere has changed its name,

      Man in the middle mean anything to you?

      > the certificate has expired

      Every day a key pair is used is an extra day people have to either brute-force or steal the private part of it. Rotating them on a regular basis is a healthy thing to do.

      > or some other annoyance. And although they are not common, most users just ignore them, so that they will eventually ignore ALL certificate errors.

      In my experience the certificate errors can be a right pain to try and bypass. Especially for the illiterate (and yes, they do sometimes use computers).

  5. Anonymous Coward

    Mozilla and Firefox are in a downward spiral, it's a great pity but I won't use it now on my PC or Android, bloated crap, unstable.

    They seem to be in IT meltdown and more concerned with being politically correct, neo-Marxist, gender-benders.

    FFS Mozilla, you were bloody great once upon a time.

    1. Anonymous Coward

      Firefox usage

      I use Firefox on my laptop but make sure that I do not use the latest and greatest, for contrary to Mozilla's 'writing on the tin' you are only another one of their Beta testers (as this story proves). I tried Firefox for Android. I used it for a month and tried to like it, really I did. It has some neat features, like plugin support for example.

      Too bad that you NEED that plugin support, because the UI is a miserable, utter failure. No scroll to top. NO TEXT REFLOW (on a portable device. Really??!). Search from the URL bar... which means that once your search has been inputted and receives a reply from the engine you can't go back to change your search query, as your input is gone and replaced with the reply URL. Crashes on a whim, sucks batteries dry like Whitney Houston at a free coke party (ouch!). Can't handle text reply boxes on a variety of websites, one of which being one of the top 1500 websites on the planet.

      Both the scroll to top and text reflow can be fixed with plugins, but the text reflow plugin is beta and certainly does not work properly, sometimes not worth a damn on some websites. The cookie whitelist and Bluhell firewall are nice, but both eat up CPU cycles and severely impact performance.

      In other words, Firefox for Android is a disaster and not ONLY does Mozilla wish to deny this truth I also caught them deleting poor or 'negative' reviews in Google Play, masking their failure and padding their satisfaction score (I wrote FIVE poor reviews, with details what was wrong, with NO bad language, and not a ONE made it past review). So, I complained to Google, seemed to improve, now some negative reviews do actually show up.

      1. Gene Cash

        Re: Firefox usage

        And it's gotten even worse. With the revision rolled out yesterday, mobile Firefox now crashes if you try to take a picture for a tweet. Nice.

        Also, I have a very simple webcam page, one 640x480 image, 4 links. That's it. Mobile Firefox decides to double zoom the image 50% of the time (i.e. on alternate refreshes) without scrollbars, losing the ability to see the links or the whole image.

        That's pretty incompetent.

    2. Crazy Operations Guy

      Not like the other browsers are much better:

      *Safari is still full of holes (See: Carpet Bombing Attack)

      *Google's Chrome is untrustworthy (Yeah, not trusting an advertising company with a piece of software that updates itself without user-intervention)

      *Opera might come with ad-blocking and script-blocking out of the box, but damned if I can find them... Also, is there a way to disable that "speed-dial" bullshit?

      *SeaMonkey is very old and creaky. But at this point I'll take old and stable over anything else nowadays...

      1. Charles 9

        Chrome is perhaps not trustworthy, but what about Chromium, which IIRC is the open-source fork of Chrome, with most of the Google-centric stuff stripped out?

    3. asdf

      >FFS Mozilla, you were bloody great once upon a time.

      Hmm, need a little bit of a time frame for what you are talking about, because honestly FF 3.x was slow, bloaty (nearly IE so at the time), buggy memory leaking shit in comparison to FF today. Chrome actually really helped them focus on getting their shit together. Perhaps they are starting to slip again but they have had their ups and downs over time.

  6. ecofeco

    derp derp

    That is all.

  7. Pinko_Commie

    This crypto update also broke a lot of appliance management pages that use self-signed certificates.

    Checkpoint GAIA based firewalls for instance. Generally quite a bad thing.
