The Tor Project released on Friday version 6.0.5 of the Tor Browser. The update eliminates a critical issue in the browser’s HTTPS certificate pinning system that previously allowed the impersonation of Mozilla websites, as well as other domains.
The issue also affects Mozilla Firefox, according to a security researcher who goes by the alias @movrcx on Twitter. A patch was released on September 4, but it only fixed the bug in Nightly builds, leaving the stable Firefox releases unpatched.
However, the issue is likely to be taken care of on September 20 with the release of Firefox 49.
Apparently, the genesis of the issue lies in how Firefox handles certificate pinning: alongside the IETF HPKP standard (RFC 7469), where a site sends its pins in a header with a max-age, Firefox also ships a built-in list of pins for Mozilla and other high-value domains, and that built-in list has an expiry date of its own.
For the uninitiated, certificate pinning is an HTTPS hardening feature: for a pinned domain, the browser accepts a server certificate only if its chain contains one of a small, pre-specified set of public keys, so a certificate from any other CA, however valid, is rejected.
According to Ryan Duff, who confirmed the existence of the bug, Firefox stops enforcing its built-in pins once they reach their expiry date, and it does so silently: the user gets no warning that a mis-issued certificate for a pinned domain would now be accepted.
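To make the failure mode concrete, here is a small model of pin checking written for this article (example code, not Mozilla or Tor Project code): the SPKI hashing that RFC 7469 pins use, a pin set with an expiry, an HPKP header parser, and three ways a browser could behave once the expiry has passed. The host name, key bytes, header and timestamps are constructed placeholders; a real pin hashes the DER-encoded SubjectPublicKeyInfo of a certificate, which is all the hashing step below stands in for.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Verdicts returned by check_chain()
PASS, FAIL, UNENFORCED = "pass", "fail", "unenforced"


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass(frozen=True)
class PinSet:
    host: str
    pins: frozenset            # acceptable pin-sha256 values for this host
    expires: float             # unix time after which the pin set is stale
    include_subdomains: bool = False

    def applies_to(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if host == self.host:
            return True
        return self.include_subdomains and host.endswith("." + self.host)


def parse_hpkp(host: str, header: str, now: float) -> PinSet:
    """Build a PinSet from a Public-Key-Pins header value.

    With HPKP the expiry is max-age relative to the moment the header was
    seen, so a live site refreshes it on every visit. A built-in (static) pin
    list gets no such refresh; it simply ages out with the build that shipped it.
    """
    pins = frozenset(re.findall(r'pin-sha256="([^"]+)"', header))
    m = re.search(r"max-age=(\d+)", header)
    if not pins or m is None:
        raise ValueError("header must carry at least one pin-sha256 and a max-age")
    include_sub = "includesubdomains" in header.lower()
    return PinSet(host.lower(), pins, now + int(m.group(1)), include_sub)


def check_chain(pinset, host, chain_spki_ders, now, expired_policy="silent_fail_open"):
    """Decide whether the presented chain satisfies the pins.

    expired_policy controls behaviour once the pin set is stale:
      "silent_fail_open"  stop enforcing and say nothing (the behaviour the
                          article describes)
      "warn"              stop enforcing but hand back a warning to surface
      "fail_closed"       refuse the connection until fresh pins are available
    """
    if not pinset.applies_to(host):
        return UNENFORCED, "no pin set covers this host"
    if now > pinset.expires:
        age = int(now - pinset.expires)
        if expired_policy == "fail_closed":
            return FAIL, f"pin set expired {age}s ago; refusing to trust the chain"
        if expired_policy == "warn":
            return UNENFORCED, f"WARNING: pin set expired {age}s ago; pins not enforced"
        return UNENFORCED, "pin set expired; pins not enforced"   # no signal at all
    presented = {spki_pin(der) for der in chain_spki_ders}
    if presented & pinset.pins:
        return PASS, "a key in the chain matches a pinned key"
    return FAIL, "no key in the presented chain matches the pinned keys"


# Constructed inputs: stand-ins for SubjectPublicKeyInfo DER encodings.
LEGIT_KEY = b"constructed-SPKI-DER-for-the-real-addons-server-key"
BACKUP_KEY = b"constructed-SPKI-DER-for-the-backup-key"
ROGUE_KEY = b"constructed-SPKI-DER-for-an-attacker-controlled-key"
EXPIRES = 1_473_465_600        # constructed expiry timestamp of the built-in list

STATIC_PINS = PinSet("addons.mozilla.org",
                     frozenset({spki_pin(LEGIT_KEY), spki_pin(BACKUP_KEY)}),
                     EXPIRES)

# Constructed Public-Key-Pins header as the legitimate site would send it.
HPKP_HEADER = (f'pin-sha256="{spki_pin(LEGIT_KEY)}"; '
               f'pin-sha256="{spki_pin(BACKUP_KEY)}"; max-age=5184000; includeSubDomains')


def demo():
    """Run the scenarios from the article and return the verdicts by name."""
    before, after = EXPIRES - 86_400, EXPIRES + 86_400
    host = "addons.mozilla.org"
    return {
        "legit_before_expiry": check_chain(STATIC_PINS, host, [LEGIT_KEY], before)[0],
        "rogue_before_expiry": check_chain(STATIC_PINS, host, [ROGUE_KEY], before)[0],
        # The bug: once the built-in pins age out, a rogue chain is no longer
        # rejected and nothing tells the user.
        "rogue_after_expiry_silent": check_chain(STATIC_PINS, host, [ROGUE_KEY], after)[0],
        "rogue_after_expiry_fail_closed": check_chain(
            STATIC_PINS, host, [ROGUE_KEY], after, expired_policy="fail_closed")[0],
        # HPKP: a header seen on the same day pushes the expiry forward again.
        "rogue_with_fresh_hpkp": check_chain(
            parse_hpkp(host, HPKP_HEADER, after), host, [ROGUE_KEY], after)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

The "rogue_after_expiry_silent" case is the one the article is about: the rogue chain passes ordinary CA validation, the stale pin set is skipped without comment, and the connection proceeds as if the domain had never been pinned. Whether a browser should fail closed in that state is a policy question, but at minimum the stale-pin condition should be visible somewhere, which is what the "warn" policy models.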
Duff recommends that Tor Browser users update to version 6.0.5 immediately. If you are a Tor Browser or Firefox user who does not wish to upgrade right away, consider disabling automatic add-on updates (a feature of both browsers) until you do: those updates are fetched from the very Mozilla domains the bug allows an attacker to impersonate.