Firefox is the second most popular web browser, and it has held that title for too long. Projected figures show that it will lose the title in December, but an ongoing discussion at Mozilla might bring that forward. The discussion is whether Firefox should keep allowing the Java plugin, which is used for almost all transactions (not just online banking) across the world.
A newly identified attack decrypts web traffic and can dig through sensitive and personal information sent during a transaction. It has been named BEAST (Browser Exploit Against SSL/TLS) and has been demonstrated successfully in a proof-of-concept.
Dan Goodin from The Register talks about the BEAST exploit:
The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.
The Public Key Infrastructure provides three core services: authentication, integrity and confidentiality. Authentication makes sure that the parties at either end of the transaction are indeed who they claim to be. Integrity ensures that the data being transmitted is received in the same form it was sent, without alteration. Confidentiality hides the data from prying eyes, making it comprehensible only to the parties at either end. The BEAST attack goes after confidentiality and breaks it successfully.
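As an added example (not code from the article), the check a defender would want when triaging captured handshakes: parse a TLS ServerHello record and flag a session as BEAST-exposed when the negotiated version is TLS 1.0 or earlier and the cipher suite is a CBC suite (TLS 1.1 and later use a fresh IV per record, which is why they are not susceptible). The sample records are constructed by the helper, not real captures, and the cipher-suite table is a small assumed subset of the IANA registry.

```python
# Added example: classify a TLS ServerHello for BEAST exposure (defensive triage).
import struct

# Small assumed subset of IANA cipher suite ids; the flag marks CBC-mode suites,
# which are the ones BEAST applies to on TLS 1.0 / SSL 3.0.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", True),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", True),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", False),      # stream cipher, not CBC
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", False), # AEAD, TLS 1.2 only
}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_server_hello(record: bytes) -> dict:
    """Parse a handshake record (type 22) carrying a ServerHello (no extensions needed)."""
    ctype, _rmaj, _rmin, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 2:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + hs_len]
    major, minor = hello[0], hello[1]        # negotiated protocol version
    pos = 2 + 32                              # skip the 32-byte server random
    sid_len = hello[pos]
    pos += 1 + sid_len                        # skip the session id
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    name, is_cbc = CIPHER_SUITES.get(suite, (f"unknown(0x{suite:04x})", None))
    version = VERSIONS.get((major, minor), f"unknown({major}.{minor})")
    # Exposed only when both conditions hold: version <= TLS 1.0 and a CBC suite.
    exposed = (major, minor) <= (3, 1) and is_cbc is True
    return {"version": version, "cipher": name, "beast_exposed": exposed}

def build_server_hello(major: int, minor: int, suite: int) -> bytes:
    """Construct a minimal ServerHello record for testing (empty session id, null compression)."""
    hello = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + struct.pack("!HB", suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", 22, major, minor, len(hs)) + hs

if __name__ == "__main__":
    for ver, suite in [((3, 1), 0x002F), ((3, 2), 0x002F), ((3, 3), 0x009C)]:
        print(parse_server_hello(build_server_hello(*ver, suite)))
```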
Bug 689661 on Mozilla's Bugzilla lists the favored solution as blacklisting all versions of the Java plugin. That would affect transaction-based corporate businesses and some everyday features of services that rely explicitly on the Java plugin, such as Facebook video chat.
Currently, the only web browser attempting to secure against this attack without removing Java support is Google Chrome.