• browser
  • security
  • Technology
  • web

Malwarebytes flags Firefox as malicious for checking Certificates?

For many years I have been pushing out Firefox through Active Directory to 150+ Windows machines. Currently all the machines are running Firefox 55.03. One user who runs the Professional version of Malwarebytes for additional security noticed a strange detection appearing yesterday. Malwarebytes was identifying Firefox as making outbound connections to gn.symcd.com which, as it turns out is a domain owned by Symantec. In Firefox, there is an option (under Advanced | Certificates) to "Query OCSP responder servers to confirm the current validity of certificates".

Certificates are issued and verified by Certificate Authorities. A certificate is a small data file can be used to identify websites, people, and devices. If a website's certificate is stolen it can be used to impersonate that website and a web browser would not be able to tell the difference between the real website and a fake one. A Certificate can thus be "revoked" so that a Certificate Authority can let web browsers know that there is a problem. Traditionally this was done through the publishing of a CRL (Certificate Revocation List) but Firefox switched to using OCSP in Firefox version 28. OCSP (Online Certificate Status Protocol) is an alternative method which transmits less information and so uses less bandwidth and puts less of a burden on client resources. However, since OCSP is not encrypted it is possible for an interested to party to intercept the communication and so, build a list of websites that a client visits. Google Chrome switched away from using OCSP in about 2012 and replaced it with their own proprietary method citing "latency and privacy issues".

This issue was identified last December although it resolved itself right away and remained a mystery to that poster. A similar issue with Malwarebytes was reported in January but against Digicert. A very thorough writeup from August, 2017 describes how someone else stumbled on the Firefox outbound communication. Another post about OCSP which really just verifies that the method works as advertised also happens to mention the Firefox checkbox.

But perhaps the ultimate read on this topic is Scott Helme's post on Ars Technica. What's frightening about this post is that he demonstrates that Revocation appears to be broken and that the methods being used right now by all the browers are not adequate. I don't believe his test website is currently using a revoked certificate since he's using Let's Encrypt and those only last 90 days. Both Firefox and the latest Chrome showed green lock for SSL in my test today.

The question remains open regarding Malwarebytes current false? positive on Firefox's connection to Symantec, but its happened before and its only the tip of the iceberg concerning how our browsers determine if the sites we visit are valid or not and how or even if they let us know when they're not.