Spoofing SSL in Firefox 3


In just a few days the new Firefox 3 browser from the house of Mozilla will be released. Unless, of course, another re-build of the current release candidate has to be made, which would push the publishing of the newest browser to sometime in June. One such reason could be the ease with which somebody can spoof the secure mode indicator of secured sites, especially on the Linux platform.

I have dutifully been running the pre-release versions of Firefox 3 since the alpha releases and have seen the changes the browser has gone through during this time. A big surprise, however, was how something very significant changed suddenly after updating to the first release candidate. Before that, I always had the address bar colored in yellow when connected to a secure site. Needless to say, due to my job most sites I’m accessing are secured, be it internal administrative interfaces, our own public sites or those of our subscribers (who need some help here and there). I’m sure I’m not the only one who has his eyes trained to look for that indicator.

Firefox 2 SSL Mode

As of Firefox 3 release candidate 1 the yellow address bar is gone - the address bar remains white as with regular pages, and there is no padlock to see nor any other visual indicator. The only difference between plain text and secured mode is a blueish background around the favicon at the left side of the address bar.

Firefox 3 SSL Mode

Not only does it look rather unfavorable and somehow unclean, it’s hardly visible (certainly not for about 10% of the color-blind male population… true, the yellow address bar wasn’t better in that respect). But there is no padlock and no other visual indicator that this page is in SSL secured mode. The plain non-secured page looks even better:

Firefox 3 Plain Text Mode

And here is how easily I can spoof the only indication of secured mode:

Firefox 3 Spoof Mode

One must look carefully to see the difference of a few pixels which are missing on the spoofed site. Apparently it looks a little bit better on the Windows platform because the area of the favicon has round shapes, which makes it somewhat harder to spoof. Originally this should have been much different, but some cowboy over at Mozilla thought that it emphasizes the secured state too much and that the green EV certificates don’t look favorable enough. It’s possible to use the originally intended UI by typing about:config into the address bar and changing the setting browser.identity.ssl_domain_display to 1. And here is how a secured page should look:

Firefox 3 Original SSL Mode

Firefox 3 EV Mode

Was the regular SSL mode indicator too similar to that of EV? Are the developers at Mozilla willing to risk spoofing of regular SSL sites in favor of EV? Or is this on purpose in order to make SSL look bad? I’m not sure about the original intentions behind shipping Firefox 3 with such a lousy indicator, because when I posted to the Bugzilla tracking tool I found that others had already reported this issue, and some comments of the developers suggested that this could really be the case. One developer thought that SSL is about confidentiality and isn’t a threat these days and anyway, certificates are too cheap and sometimes even free (OMG), and another one thought that encrypted connections have nothing to do with security (sick)!

Needless to say, I posted and replied to some of the statements above in my typical manner ;-) In the meantime there is some understanding that it could be done better, and I proposed a possible solution. However, my friends at Mozilla couldn’t care less about this issue and indicated quite frankly that they have no intention of fixing this before the official release.

Since I believe that Firefox shouldn’t be released with a spoofable UI, I decided to write this article on my blog. Perhaps this will help change the course!

Read also Extended Validation - What it really means
Read also Announcing Better Trust™
Sites which published this story and threads of discussion:
Red Hat mailing list, Linux Today, Free Software Daily, Linux.com
Planète Béranger, Firefox mailing list, Digg.com, Help Net Security


Reader Comments

I don’t understand why you call the new UI “spoof friendly”.

Dropping the yellow background in the URL bar shouldn’t be a problem. As you said yourself, color blind people might not have noticed it anyway. Relying on other indicators is necessary.
The yellow background was a new indicator in Firefox, other (non-Mozilla based) browsers I know of don’t use it.
In particular, an argument for removing the yellow color is that yellow in real life indicates “beware”.

You complain that the lock icon at the right hand side in the URL bar got removed.
In fact you say “there is no padlock and no other visual indicator that this page is over SSL”.
IMHO this is wrong.

Did you notice that the lower right corner gives you the classic padlock icon and the full hostname of the site you are connected to?
You get this only on sites you’ve connected to using https / SSL.
This is the classic way to visualize SSL connection status, and it’s still there.

You argue the new UI makes it possible to spoof.
But:
- you don’t present a way to introduce yellow color for the URL bar
- you don’t present a way to make a lock icon appear at the right hand side of the URL bar
- you don’t present a way to make a lock icon appear on the lower right hand side of the status bar without being connected using SSL

Your claim that spoofing is possible focuses on the ability for sites to use a site icon with a blue background on plain http connections.
But personally I don’t expect anybody in the world to rely on those few blue pixels for indicating a SSL connection.

You argue that having a highlighted domain name on the left hand URL bar would be better than what is currently being planned for Firefox 3.
IMHO it is not necessary, because it would be highly redundant.
The full hostname is already shown in the URL itself (ok, might be scrolled out), and it’s clearly visible in the lower right hand corner of the window.

I personally wouldn’t mind to remove that little blue background, and/or to keep the lock icon on the right hand side of the URL bar. But in my opinion, not doing so is not making it possible to spoof.

I would like to add:

You argue that it is possible to use a site icon (to the left of the URL) that looks like a padlock icon. That idea isn’t new and not specific to the upcoming new version 3 of Firefox. You can achieve such a site icon with any browser software that supports site icons (favicon).

Kai, this isn’t new, but now the indicator would be even in the right place, e.g. the favicon. Just using a padlock as favicon wasn’t effective because you expect it on the right side of the address bar, not the favicon itself. As I said, it wasn’t supposed to look like this!

Concerning your first comment: There is no yellow colored address bar anymore and there is no indicator (padlock, larry or anything else) on the RIGHT side of the address bar. How can I present a way if it doesn’t exist? Or am I missing something?

> “- you don’t present a way to […]”
> “- you don’t present a way to […]”
> “- you don’t present a way to […]”
As these elements were present in FF2, the “way” is simple: ROLLBACK. Use the f-ing old code for the address bar!

Oh, the new address bar is soooo smart! But if this is the price to pay… I’d rather be using Opera.

The padlock icon on the right hand side is no longer there, there is no way to spoof it.

I think people are used to the fact that the little icon to the left of the URL is a “site avatar” and does not indicate a SSL connection.

If users are incorrectly drawing conclusions based on a site’s avatar icon, that’s not specific to Firefox.

Using a plain http site, you have always been able to use a favicon to show a padlock icon on the left hand side of the URL bar, so I don’t see why this ability is news for version 3 or news for browsers in general.

Actually the new UI with Larry (when you click on the favicon) is nice, I like it a lot. I intended to blog about it, but not before this issue gets resolved. Because one doesn’t verify each secured site, especially not the ones you know. Besides that, most users won’t click on the favicon because nothing indicates that there is something beneath it. A rollback isn’t what I expect, turning browser.identity.ssl_domain_display to 1 should be the solution.

Kai, I think you are missing the point!

Perhaps I shouldn’t have used the StartSSL site for drawing the images, because our site uses a padlock as favicon. It’s the StartCom CA site…maybe this confuses you?

You said:

> I think people are used to the fact that the little icon to the left of the URL is a “site avatar” and does not indicate a SSL connection.

Exactly! But now this is the only place where Mozilla decided to make the difference by using a blueish background as the indicator for SSL. With FF3 it DOES indicate SSL.

> If users are incorrectly drawing conclusions based on a site’s avatar icon, that’s not specific to Firefox.

But this is what the UI does! It changes the favicon background to blueish. Look at the examples again: plain versus secured versus spoofed…

I updated the images in this post, please refresh. This time I used this site for comparison in order to avoid confusion with the padlock icons I used before.

The link https://blog.startcom.org/show_bug.cgi?id=430790#c12
in:
“another one thought that encrypted connections have nothing to do with security (sick)!”
seems to be broken.

Try:
https://bugzilla.mozilla.org/show_bug.cgi?id=430790#c12

I do heavily rely on Firefox’ little yellow bar to rapidly check if a web page is secure or not. I know I would be an easy phishing target if that feature was to disappear in FF3.