On March 31, Mozilla released the latest version of Firefox, 37.0 — but the foundation has already issued a significant patch for that update, after discovering a critical security bug that broke HTTPS encryption in a way that was invisible to the end user. Ironically, one of the original points of the Firefox 37 update was to add security through the use of a feature known as opportunistic encryption.

One of the challenges of Internet security is that encrypted HTTPS connections aren’t the default connection type for a majority of websites or businesses. In most cases, only websites that have a reason to use HTTPS, like your bank, default to it. Opportunistic encryption doesn’t offer quite as much security as full HTTPS, but it does protect against passive eavesdropping, and at trivial setup cost.

Another feature of Firefox 37 is support for HTTP/2, the new HTTP standard update. The flaw, in this case, is triggered by an exploit in Mozilla’s implementation of HTTP/2’s “Alt-Svc” capability. Alt-Svc (Alternative Service) allows the Web server to tell your PC it needs to perform a redirect or offer an alternative access method for a particular website. Alt-Svc could be used to redirect users to a temporary server location while primary servers were down, or to issue instructions for opportunistic encryption, as Firefox intended to do. Mozilla’s OE system only functioned on HTTP/2-enabled websites — the capability wasn’t available on sites that only supported HTTP 1.1.

Security researcher Muneaki Nishimura discovered the flaw in FF 37.0, as detailed in Mozilla’s own threat summary: “If an Alt-Svc header is specified in the HTTP/2 response, SSL certificate verification can be bypassed for the specified alternate server. As a result of this, warnings of invalid SSL certificates will not be displayed and an attacker could potentially impersonate another site through a man-in-the-middle (MTIM), replacing the original certificate with their own.”

In other words: Hackers could make someone think they were accessing a secure website, when in reality they had been switched over to an insecure, hacked version. This kind of issue has the potential to explode if a company isn’t careful — Lenovo’s Superfish debacle is evidence of that — so Mozilla’s prompt response to the problem is welcome. The 37.0.1 version of Firefox has disabled the opportunistic encryption system; Mozilla says it will re-enable the feature at an undisclosed future date.

Exactly how much protection OE really offers is open to debate. The new systems wouldn’t prevent dedicated hackers, much less the NSA, from spying on individuals. What it might do, however, is force malware authors and more passive data-gathering arrangements to expend more energy to see the same information. That may not be as sexy as a complete one-stop solution. But anything that makes the spying process more difficult also increases the chance that operations like the NSA would need to target individuals, as opposed to engaging in mass, undiscriminating surveillance.