Firefox 37 Update Includes 'Opportunistic Encryption' And Other Security Improvements

Mozilla released version 37 of its Firefox browser to the stable channel. The company updates its browser on a six-week schedule, just like Google.

The new version seems to be mainly about new security improvements and fixes, which comes at an ideal time, considering Firefox didn't do so well in the Pwn2Own browser security competition. Although Firefox finished among the last at Pwn2Own, Mozilla updated the browser quite quickly afterwards with the fixes for the vulnerabilities found by the security researchers attending the contest.

One of the bigger security features added to Firefox 37 is "opportunistic encryption" for servers and sites that support "HTTP/2 AltSvc." This allows Firefox to encrypt the traffic without having to authenticate it. This is better than no encryption at all, but still worse than authenticated encryption.

Unlike authenticated encryption (HTTPS), opportunistic encryption doesn't protect against active "man-in-the-middle" attacks. It only protects against passive (dragnet) surveillance (which is still of major benefit to most users).

Mozilla also added the OneCRL list of revoked certificates in Firefox 37, which is a feature similar to Chrome's CRLset. If a security incident requires the revocation of a certificate, then Mozilla can update its browser to disallow the forged certificate from being used.

The new Firefox also supports encrypted Bing search. While Google adopted HTTPS by default for its search engine years ago, Microsoft added optional encryption for Bing only last year, although recently the company made it mandatory, as well. Now, all Bing searches will be encrypted by default.

Mozilla also made some changes to the way the TLS encryption works in its browser:

  • Disabled insecure TLS version fallback for site security
  • Extended SSL error reporting for reporting non-certificate errors
  • TLS False Start optimization now requires a cipher suite using AEAD construction
  • Improved certificate and TLS communication security by removing support for DSA

Other features in Firefox 37 include Mozilla making Yandex the default search engine for Turkey, as well as adding its new Heartbeat feedback system into the browser. The Heartbeat system will randomly show some users a widget asking for a rating. Mozilla will then try to either improve or nurture the relationship with its users, depending on the ratings they give.

  • PaulBags
    Updating firefox isn't worth the constant ui revamps.
    Reply
  • srap
    Few things have changed since the landing of Australis, so no idea what you complain about.
    Reply
  • PaulBags
    I'm still using the previous esr.
    Reply
  • Allen Millington
    Few things have changed since the landing of Australis, so no idea what you complain about.
    First, the change to the keyword.url behavior was terrible; I remedied it with the extension keyword search. Australis is nearly bad enough to make me switch browsers. The revamp of the search was the final straw. It was completely broken for one of the versions of Firefox too, both on my desktop and my friend's computer. I've since switched to Pale Moon (old UI on LTS Firefox) and Chrome. Not planning on returning to stock Firefox anytime soon.
    Reply
  • Upgrademe
    Will this fix update flash? since only html5 videos play after 36.0.1 update
    Reply
  • tekelymailcom
    Not present in the article: HTML5 playback of YouTube videos now supports more resolutions (before only 360p and 720p)
    Reply
  • firefoxx04
    When they changed the search bar to include all sorts of search engines it pissed me off. It's fine to have to manually set one desktop to Google only (and turn off Bing, Yahoo, and the other garbage) but when you have to do an entire household at random it becomes annoying.

    Almost switched to Chrome but remembered how rubbish Chrome is too.
    Reply
  • Christopher1
    Updating firefox isn't worth the constant ui revamps.
    Comments like yours aren't worth reading. There are not 'constant revamps', there are constant minor tweaks since version 20.
    Reply
  • Ryrynz
    I'm still using the previous esr.

    You should switch to Palemoon if that's the case.
    Reply
  • aweg
    Wow, article about web encryption yet I get an error on https://tomshardware.com:

    www.tomshardware.com uses an invalid security certificate.

    The certificate is only valid for the following names:
    *.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net

    (Error code: ssl_error_bad_cert_domain)
    Reply
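
The name check behind the ssl_error_bad_cert_domain error quoted in the last comment, as an added example that is not part of the article, the comments, or Firefox's own code. It is a simplified, strict RFC 6125-style matcher (ASCII DNS names only); the function names and the hostname static.akamaihd.net are constructed for illustration, while the certificate names are the ones listed in the error message.

```python
# Added example: why a certificate issued for CDN names fails the hostname check.
# Simplified RFC 6125-style matching; not any browser's implementation.

# Names copied from the error message quoted in the comment above.
CERT_NAMES = [
    "*.akamaihd.net", "*.akamaihd-staging.net", "a248.e.akamai.net",
    "*.akamaized.net", "*.akamaized-staging.net",
]


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name pattern covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    first, rest = p_labels[0], p_labels[1:]
    # Wildcards are honoured only in the left-most label.
    if any("*" in label for label in rest):
        return False
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # Require two fixed labels so a pattern like "*.com" never matches.
        return len(rest) >= 2
    if "*" in first:
        return False  # strict choice here: partial wildcards are rejected
    return first == h_labels[0]


def matching_names(hostname: str, cert_names=CERT_NAMES) -> list:
    """List every certificate name that covers hostname."""
    return [n for n in cert_names if name_matches(n, hostname)]


def verdict(hostname: str, cert_names=CERT_NAMES) -> str:
    """Return 'ok' or the error code the comment reports."""
    return "ok" if matching_names(hostname, cert_names) else "ssl_error_bad_cert_domain"


if __name__ == "__main__":
    # The second and third hostnames are constructed test inputs.
    for host in ("www.tomshardware.com", "static.akamaihd.net", "a.b.akamaihd.net"):
        print(host, "->", verdict(host), matching_names(host))
```

This name check is the authentication step that opportunistic encryption skips and HTTPS enforces, which is why the same server can carry encrypted traffic yet still fail when addressed by an https:// URL.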