Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
A bug found within Firefox’s new tab system is a “red herring” and only makes secured browsing data more accessible.
The bug was found in a feature within the latest version of Firefox that captured thumbnail snapshots of websites visited by users.
A reader of The Register found that the snapshots also trapped secured HTTPS browser data meaning anyone with access to a computer could view potentially sensitive information.
Mozilla was quick to announce plans to fix the bug to prevent tabs slurping HTTPS data.
But the bug was “a bit of a red herring” according to Sophos scribe and Asia Pacific technology head Paul Ducklin, because the information used to build the feature had existed in previous versions of the browser.
Ducklin pointed out that HTTPS data was always available in the browsers’ cache and switching off the new feature – touted as a workaround -- did not resolve the problem.
“In my HTTPS experiments, turning off the thumbnails didn't do anything about Firefox's cache,” Ducklin said.
“Whatever is inside an HTTPS request, and in its corresponding reply, must exist in unencrypted form at each end of the conversation in order to be of any use.
"That means both your browser and the server you're talking to may - indeed, probably will - end up with a permanent record of the transaction's content, even though it was encrypted during transmission.”
However he points out that the snapshot feature provided richer data and made it easier to access the cached information.
Users could avoid potential exposure by erasing stored browser data after each browser session.
“… if this whole issue really is a bug, it may very well be a bug in our willingness to hold on to browser data between sessions," he said.
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.
