Mozilla today announced a new certificate verification library in Gecko, the web browser engine used in many of the company’s applications. At the same time, the company is also offering a special $10,000 security bug bounty specifically for certificate verification in Firefox 31, which is currently a Nightly release but is scheduled to launch on July 31.
Here is how Mozilla describes the updated library:
The new code is more robust because certificate path building attempts all potential trust chains for a certificate before giving up (acknowledging the fact that the certificate space is a cyclic directed graph and not a forest). The new implementation is also more maintainable, with only 4,167 lines of C++ code compared to the previous 81,865 lines of code which had been auto-translated from Java to C. The new library benefits from C++ functionality such as memory cleanup tools (e.g., RAII).
As for security researchers, Mozilla says it is primarily interested in bugs that allow the construction of certificate chains that are accepted as valid when they should be rejected, or anything in the code that leads to exploitable memory corruption. In general, if Firefox is unable to verify otherwise valid certificates, Mozilla does not consider this to be a security bug, but a bug that caused the browser to accept forged signed OCSP responses would definitely be.
Mozilla says security researchers can qualify for this special bounty by first meeting the guidelines of its normal security bug bounty program. There are, however, additional requirements:
- The bug must be in, or caused by, code in security/pkix or security/certverifier as used in Firefox.
- The exploit must be triggered through normal web browsing (for example “visit the attacker’s HTTPS site”).
- The issue must be disclosed in enough detail, including testcases, certificates, or even a running proof of concept server, that Mozilla can reproduce the problem.
- The report has to be filed by 11:59pm June 30, 2014 (Pacific Daylight Time).
If you find a security bug that doesn’t meet all of the above parameters, you can still submit it to bugzilla.mozilla.org and send the bug ID to firstname.lastname@example.org. Mozilla will pay up to $3,000 for a standard security bug bounty.