Mozilla Foundation Security Advisory 2015-44
Certificate verification bypass through the HTTP/2 Alt-Svc header
- Announced: April 3, 2015
- Reporter: Muneaki Nishimura
- Impact: Critical
- Products: Firefox, SeaMonkey
- Fixed in: Firefox 37.0.1, SeaMonkey 2.35
 
Description
Security researcher Muneaki Nishimura discovered a flaw in Mozilla's HTTP Alternative Services implementation. If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MITM) attack, replacing the original certificate with their own.
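
The check a client is expected to make before routing requests to an alternate server, as an added Python example (not Mozilla's code, and not a description of how the Firefox flaw was implemented): per the Alt-Svc specification (RFC 7838), the server named in the header must present a trusted certificate that is valid for the origin's host name. The host names, header value and `handshakes` table are constructed, and the name matching is simplified.

```python
import re

# One alternative: protocol-id="host:port" plus optional ;name=value parameters.
_ALT = re.compile(r'\s*([^=\s;,]+)="([^"]*)"((?:\s*;\s*[^=;,\s]+=[^;,\s]+)*)')
_PARAM = re.compile(r';\s*([^=;,\s]+)=([^;,\s]+)')

def parse_alt_svc(value):
    """Parse an Alt-Svc header value into a list of dicts; 'clear' yields []."""
    if value.strip() == "clear":
        return []
    alts = []
    for proto, authority, params in _ALT.findall(value):
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit():
            continue  # malformed authority: ignore this alternative
        ma = 86400  # default freshness when "ma" is absent (24 hours)
        for name, val in _PARAM.findall(params):
            if name == "ma" and val.isdigit():
                ma = int(val)
        alts.append({"proto": proto, "host": host, "port": int(port), "ma": ma})
    return alts

def cert_covers(host, sans):
    """True if a dNSName in sans matches host (simplified: exact or '*.' label)."""
    host = host.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host or (san.startswith("*.") and host.partition(".")[2] == san[2:]):
            return True
    return False

def select_alternative(origin_host, header, handshakes):
    """Return the first advertised (host, port) that authenticates as the origin.
    handshakes maps (host, port) -> (chain_trusted, san_list): a constructed
    stand-in for real TLS handshake results."""
    for alt in parse_alt_svc(header):
        target = (alt["host"] or origin_host, alt["port"])  # empty host = origin
        chain_trusted, sans = handshakes.get(target, (False, []))
        # A certificate that is only valid for the alternate's own name is not
        # enough: it must validate normally AND cover the origin host name.
        if chain_trusted and cert_covers(origin_host, sans):
            return target
    return None  # no acceptable alternative: keep using the origin

# Constructed sample data.
HEADER = 'h2="alt.example.net:443"; ma=3600, h2=":8443"'
HANDSHAKES = {
    ("alt.example.net", 443): (True, ["alt.example.net"]),  # trusted, wrong name
    ("www.example.com", 8443): (True, ["*.example.com"]),   # trusted, covers origin
}
```

With the sample data, `select_alternative("www.example.com", HEADER, HANDSHAKES)` skips the first alternative, whose certificate names only the alternate host, and accepts the second.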