Mozilla has pulled Firefox 37's opportunistic encryption feature after less than a week, having learned that tech designed to enhance security actually broke SSL certificate validation.
A simple patch wouldn't do the trick, so Mozilla opted to release an update, Firefox 37.0.1, that removed opportunistic encryption.
Going into reverse ferret mode and stripping out technology that evidently wasn't ready for prime time is a little embarrassing for Mozilla even though this is the responsible action to take in the circumstances.
Mozilla correctly labels Firefox 37.0.1 as a critical update.
Opportunistic encryption offers some basic encryption of data previously sent as clear text. The vulnerability arises from security flaws in the Alternative Services capability that underpins opportunistic encryption.
The CVE-2015-0799 bug in Mozilla's HTTP Alternative Services implementation – discovered by security researcher Muneaki Nishimura – left surfers vulnerable to man-in-the-middle attacks that involved hackers impersonating genuine sites.
Chromium Browser is looking better and better every day.