Mozilla Foundation Security Advisory 2015-15

TLS TURN and STUN connections silently fail to simple TCP connections

Announced
February 24, 2015
Reporter
Alexander Kolesnik
Impact
Low
Products
Firefox, Firefox OS
Fixed in
  • Firefox 36
  • Firefox OS 2.2

Description

Security researcher Alexander Kolesnik reported while the Mozilla platform does not yet support TLS connections to TURN and STUN servers, the WebRTC implementation would accept turns: and stuns: URIs and then attempt plaintext connections to the servers when these were used. This can lead to disclosure of credentials through a Man-in-the-middle (MITM) attack as the connection is not encrypted.

References