Mozilla Offers $10,000 Bounty For Bugs In New SSL Certificate Library

Mozilla is offering up to $10,000 to anyone capable of exposing bugs in its new SSL certificate validation library.

The non-profit organisation has invited the community to test the ‘mozilla::pkix’ library, which replaces some of the Network Security Services (NSS) features and should  improve the security of encrypted communications across its product range.

The new library will be integrated into the latest release of Firefox browser, expected in June

The announcement follows the discovery of ‘Heartbleed’ vulnerability in the open source OpenSSL protocol earlier this month.

Hearbleed was present in OpenSSL from March 2012, allowing attackers to obtain the encryption keys used by a website, decrypt any past and future traffic to the protected services and to impersonate those services at will. It was estimated at the time of the discovery that the vulnerability affected the security of as many as two-thirds of websites, including those of social networks and banks.

Leaner certificate library

The mozilla::pkix library combines several existing technologies with some new features to optimise the way an application can establish whether an encryption certificate is valid.

“The new code is more robust because certificate path building attempts all potential trust chains for a certificate before giving up (acknowledging the fact that the certificate space is a cyclic directed graph and not a forest). The new implementation is also more maintainable, with only 4,167 lines of C++ code compared to the previous 81,865 lines of code which had been auto-translated from Java to C,” explained Camilo Viecco, systems engineer at Indiana University by day, and a bug hunter at Mozilla by night.

The new library will make its debut in Firefox 31. Mozilla had already added Transport Layer Security (TLS) 1.2 protocol support in Firefox 27.

The organisation says mozilla::pkix is fully backwards compatible, and every network security protocol currently supported by Firefox will continue to be supported. Mozilla warns that in rare cases, some website certificates will no longer validate with Firefox 31, and says such incidents should be reported.

In order to guarantee the performance of the new library, Mozilla is offering up to $10,000 to security professionals able to find vulnerabilities in mozilla::pkix code. This ‘call to arms’ is not limited to bug-hunters – Mozilla has also invited website developers to help run the new library through its paces before it hits production stages.

Are you a Firefox enthusiast? Take our quiz!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

Apple Sales Rise 6 Percent After Early iPhone 16 Demand

Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…

23 hours ago

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

24 hours ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago