The new release also adds patches for 13 different security advisories along with some new security improvements as well as user-experience features.
The biggest security feature added to Firefox 37 among others is the "Opportunistic Encryption" (OE) for servers and websites that support "HTTP/2 AltSvc."
Opportunistic Encryption (OE) allows Firefox browser to encrypt the traffic over plaintext HTTP connection without any need to authenticate it. This will help you to create, not complete, but some confidentiality from attackers to eavesdrop on your connection.
So Opportunistic encryption can be implemented with very minimal changes to an existing IPsec implementation.
The move by Mozilla is really a bonus for HTTP users with no encryption measure at all, but still it is not as good as authenticated encryption (HTTPS).
So, if you are running HTTPS, there is no need to switch to opportunistic encryption. Because unlike HTTPS, OE does not protect you against active "man-in-the-middle" (MITM) attacks. It only protects you against passive eavesdropping, which is a major benefit to most online users.
In a blog post published Friday, Mozilla developer Patrick McManus offered some technical details behind the reason to support HTTP 2 in Firefox.
McManus provides two easy steps to configure a server for OE:
- Install a TLS based h2 or SPDY server on a separate port. 443 is an excellent choice. You can also use a self-signed certificate if you like because OE is not authenticated.
- Add a response header Alt-Svc: h2=":443" or spdy/3.1, if you are using SPDY enabled server like Nginx.
In addition to Opportunistic Encryption, Firefox Version 37 also introduces the Heartbeat user rating system, which will gather feedback from users of its browser. The response from its users will be of great help to Firefox developers to feed the needs of its users into future Firefox releases.
UPDATE (7/4/2015): FIREFOX DISABLED OPPORTUNISTIC ENCRYPTION
Firefox has disabled Opportunistic Encryption feature to fix a critical security bug that allowed malicious websites to bypass HTTPS protections.
Opportunistic Encryption vulnerability resides in functionality of crypto, which allows attackers to present fake TLS certificates that wouldn't be detected by the browser.
The Opportunistic crypto exploit could be triggered by a malicious website by embedding an "Alt-Svc" header in the responses sent to vulnerable visitors, enables attackers to perform man-in-the-middle attack.
Mozilla Firefox users recommended to update again to version 37.0.1.
UPDATE (7/4/2015): FIREFOX DISABLED OPPORTUNISTIC ENCRYPTION
Firefox has disabled Opportunistic Encryption feature to fix a critical security bug that allowed malicious websites to bypass HTTPS protections.
Opportunistic Encryption vulnerability resides in functionality of crypto, which allows attackers to present fake TLS certificates that wouldn't be detected by the browser.
The Opportunistic crypto exploit could be triggered by a malicious website by embedding an "Alt-Svc" header in the responses sent to vulnerable visitors, enables attackers to perform man-in-the-middle attack.
Mozilla Firefox users recommended to update again to version 37.0.1.
