[Emerging-Sigs] [SMTPUTF8] - JA3 flags official Firefox distribution sites as malware

Nathan nathan at packetmail.net
Mon Oct 28 12:29:26 HDT 2019


I was kind of hoping the next version of Firefox would simply establish
a PTP VPN which could help mitigate JA3 based detections in the future.
Maybe something similar to DoH and partnered with CloudFlare using
Warp. Then all these pesky network alerts could go away and the
children, whom we think of so often, would be five-nines protected.

After the whole clandestine extension signing episode back in May and
the DoH force feeding, are we 100% certain at this point Firefox is not
malware... or at least spyware?  I would classify any userland software
daemon that bypasses my system resolver settings in such a way.

Cheers,
Nathan Fowler




On Mon, 28 Oct 2019 14:19:34 -0700 Michał Purzyński <michalpurzynski1 at gmail.com> wrote:

> Anyone having any luck with those new signatures? I believe they are
> flawed by design. JA3, having tons of collisions, has never been
> intended for a detection, especially used in a signature "if A then
> ALARM".
> 
> On top of that, you're flagging official Firefox distribution sites as
> malware. I think I know what's going on, as it used to be the case in
> the past
> 
> 1. someone, somewhere, takes the official installer and backdoors it.
> This invalidates the binary's signature, but users don't care ;)
> 2. the backdoored version downloads the Firefox from us and a malware
> from somewhere else
> 3. the sandbox that's responsible for generating signatures just
> flags every kind of traffic egressing from the system as "malware
> related"
> 4. boom, we're on the list
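The collision point made above can be shown concretely. The following is an added example, not code from either poster or from the JA3 project: it builds two TLS ClientHello records that differ only in SNI and client random (the hostnames "download.mozilla.org" and "malware.example" are illustrative and the cipher and extension lists are constructed, not captured from a real Firefox), strips GREASE values the way JA3 does, and computes the JA3 string and MD5 for both. Because JA3 ignores SNI, session ID and random, the two hellos fingerprint identically, so a rule of the form "if JA3 == X then alarm" cannot tell the legitimate download from the malicious one.

```python
"""JA3 fingerprinting of a TLS ClientHello, with a collision demo.

Added example: builds constructed ClientHello records, parses them back,
and computes JA3 as SSLVersion,Ciphers,Extensions,EllipticCurves,
EllipticCurvePointFormats (decimal, dash-joined, GREASE removed) -> MD5.
"""
import hashlib
import os
import struct


def is_grease(v: int) -> bool:
    # GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 drops them.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def _vec(data: bytes, len_bytes: int) -> bytes:
    """TLS length-prefixed vector."""
    return len(data).to_bytes(len_bytes, "big") + data


def build_client_hello(version, ciphers, extensions, random=None, session_id=b""):
    """Serialise a ClientHello inside a TLS handshake record (constructed input)."""
    body = struct.pack("!H", version)
    body += random if random is not None else os.urandom(32)
    body += _vec(session_id, 1)
    body += _vec(b"".join(struct.pack("!H", c) for c in ciphers), 2)
    body += _vec(b"\x00", 1)  # compression_methods: null only
    ext_bytes = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in extensions)
    body += _vec(ext_bytes, 2)
    handshake = b"\x01" + _vec(body, 3)  # HandshakeType client_hello(1), 3-byte length
    return b"\x16" + struct.pack("!H", 0x0301) + _vec(handshake, 2)  # record: handshake


def sni_ext(hostname: str) -> bytes:
    return _vec(b"\x00" + _vec(hostname.encode(), 2), 2)  # name_type host_name(0)


def groups_ext(groups) -> bytes:
    return _vec(b"".join(struct.pack("!H", g) for g in groups), 2)


def point_formats_ext(formats) -> bytes:
    return _vec(bytes(formats), 1)


def ja3_string(record: bytes) -> str:
    """Parse a ClientHello record and return the JA3 string (pre-hash form)."""
    assert record[0] == 0x16, "not a TLS handshake record"
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    assert hs[0] == 0x01, "not a ClientHello"
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    pos += 32                                   # client random: ignored by JA3
    pos += 1 + body[pos]                        # session_id: ignored by JA3
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        while pos < end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 10:                     # supported_groups
                n = int.from_bytes(edata[:2], "big")
                groups = [int.from_bytes(edata[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 11:                   # ec_point_formats
                formats = list(edata[1:1 + edata[0]])

    def dash(vals):
        return "-".join(str(v) for v in vals if not is_grease(v))

    return ",".join([str(version), dash(ciphers), dash(ext_types), dash(groups), dash(formats)])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# Constructed TLS stack: one GREASE cipher, TLS 1.3 + ECDHE suites.
CIPHERS = [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F]


def constructed_hello(hostname: str, ciphers=CIPHERS) -> bytes:
    """Same stack, different SNI: what a downloader and the real browser would share."""
    exts = [
        (0x1A1A, b""),                              # GREASE extension, dropped by JA3
        (0, sni_ext(hostname)),                     # server_name
        (10, groups_ext([0x2A2A, 0x001D, 0x0017])), # x25519, secp256r1 (+ GREASE)
        (11, point_formats_ext([0])),               # uncompressed
        (35, b""),                                  # session_ticket
    ]
    return build_client_hello(0x0303, ciphers, exts)


def signature_matches(record: bytes, blocklist) -> bool:
    """The 'if JA3 in list then ALARM' rule criticised in the thread."""
    return ja3_hash(record) in blocklist


if __name__ == "__main__":
    good, bad = constructed_hello("download.mozilla.org"), constructed_hello("malware.example")
    print(ja3_string(good), ja3_hash(good))
    print(ja3_string(bad), ja3_hash(bad))
    # Both hit the same "malware" JA3 rule, although only one is malicious.
    print(signature_matches(good, {ja3_hash(bad)}), signature_matches(bad, {ja3_hash(bad)}))
```

Running it prints the identical JA3 string `771,4865-4866-49195-49199,0-10-11-35,29-23,0` for both hellos and `True True` for the rule, which is the failure mode the thread describes: JA3 identifies a TLS stack, and anything else shipped with or built on that stack (a downloader, a sandbox's own fetch, the real browser) collides with it, so it can only ever be a pivot or a correlation field, not a standalone alarm.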


