Firefox to Automatically Trust OS-Installed CA Certificates to Prevent TLS Errors

Filed under Security News.

Mozilla has finally introduced a mechanism that lets the Firefox browser automatically fix certain TLS errors, often triggered when antivirus software installed on a system tries to intercept secure HTTPS connections.

Most antivirus software offers a web security feature that intercepts encrypted HTTPS connections so it can scan the content for malicious web pages before it reaches the web browser.

To achieve this, the security software replaces websites’ TLS certificates with certificates of its own, issued by a Certificate Authority (CA) that it has installed as trusted on the system.

Since Mozilla only trusts the CAs listed in its own root store, antivirus products whose CAs are trusted only by the operating system (OS) certificate store are not able to intercept HTTPS connections in Firefox.

In recent months, this limitation repeatedly broke HTTPS pages for many Firefox users, showing them the SEC_ERROR_UNKNOWN_ISSUER, MOZILLA_PKIX_ERROR_MITM_DETECTED or ERROR_SELF_SIGNED_CERT error codes whenever their antivirus attempted to intercept an HTTPS page using a root certificate that Firefox did not trust.

To let users easily fix this issue, starting with Firefox 68 the browser will automatically enable the “enterprise roots” preference and retry the connection whenever it detects a “Man-in-the-Middle” TLS error.

Enabling the “security.enterprise_roots.enabled” setting configures Firefox to trust certificates in the operating system certificate store by importing “any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer.”

According to the company, this option is available on Windows and macOS.

The company has also recommended that antivirus vendors enable the “enterprise roots” preference instead of adding their own root CA to the Firefox root store.

The company also says that with Firefox ESR 68, the “enterprise roots” preference will be enabled by default.
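For administrators who want to know whether a given Firefox installation will import OS-store roots (and therefore which interception products it will accept), the setting can be checked from two places: the per-profile prefs.js file, which stores the “security.enterprise_roots.enabled” preference as a `user_pref(...)` line, and an enterprise policies.json file, whose `Certificates.ImportEnterpriseRoots` policy overrides the profile preference. The following script is an added example, not code from Mozilla or from the original article; it parses constructed sample copies of both files and reports the effective state and where it came from. File locations and the policy key are as documented for Firefox enterprise policies; the sample contents are invented for illustration.

```python
import json
import re

PREF = "security.enterprise_roots.enabled"

# Constructed sample prefs.js body (not taken from a real profile).
SAMPLE_PREFS_JS = '''
user_pref("app.update.lastUpdateTime.background-update-timer", 1560000000);
user_pref("security.enterprise_roots.enabled", true);
user_pref("browser.startup.homepage", "https://example.invalid");
'''

# Constructed sample distribution/policies.json body.
SAMPLE_POLICIES_JSON = '''
{"policies": {"Certificates": {"ImportEnterpriseRoots": true}}}
'''

# One user_pref("name", value); statement per line.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)


def parse_prefs_js(text):
    """Return {pref_name: value} from a prefs.js / user.js body.

    Booleans, integers and quoted strings are converted; anything else
    is kept as the raw text so nothing is silently dropped.
    """
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        raw = raw.strip()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def enterprise_roots_state(prefs_js_text, policies_json_text=None):
    """Decide whether Firefox will import OS root CAs for this profile.

    Returns (enabled, source):
      enabled -> True/False when explicitly configured, None when unset
      source  -> "policies.json", "prefs.js" or "unset"
    An enterprise policy locks the preference, so it is checked first.
    """
    if policies_json_text:
        policies = json.loads(policies_json_text)
        flag = (policies.get("policies", {})
                        .get("Certificates", {})
                        .get("ImportEnterpriseRoots"))
        if isinstance(flag, bool):
            return flag, "policies.json"
    prefs = parse_prefs_js(prefs_js_text)
    if PREF in prefs:
        return bool(prefs[PREF]), "prefs.js"
    # Unset: behaviour falls back to the build's default, which differs
    # between Firefox 68 (auto-enabled on MITM errors) and ESR 68 (on).
    return None, "unset"


def audit_report(prefs_js_text, policies_json_text=None):
    """Human-readable one-line summary for a profile audit."""
    enabled, source = enterprise_roots_state(prefs_js_text, policies_json_text)
    if enabled is None:
        return "enterprise roots: not configured (browser default applies)"
    state = "ENABLED" if enabled else "disabled"
    return f"enterprise roots: {state} (set by {source})"


if __name__ == "__main__":
    print(audit_report(SAMPLE_PREFS_JS, SAMPLE_POLICIES_JSON))
    print(audit_report(SAMPLE_PREFS_JS))
    print(audit_report('user_pref("browser.startup.homepage", "about:blank");'))
```

On a real machine, replace the constructed strings with the contents of the profile's prefs.js (under the Firefox profile directory) and, if present, the distribution/policies.json file in the Firefox installation directory. A result of ENABLED means every root in the OS store, including ones added by locally installed software, will be accepted for HTTPS, which is exactly the exposure an administrator should review when an interception product is in use.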

“Because extended support releases are often used in enterprise settings where there is a need for Firefox to recognize the organization’s own internal CA, this change will streamline the process of deploying Firefox for administrators,” Mozilla explains.


Addressing users’ concerns over Firefox automatically trusting certificates that have not been audited and gone through the rigorous Mozilla process, the company says “any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store.”

“Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default.”


“In short, the changes we’re making meet the goal of making Firefox easier to use without sacrificing security.”

Besides this, starting with Firefox 68, scheduled for release on 9th July, sensitive device features such as the camera and microphone will require an HTTPS connection to work in the browser.


Source: The Hacker News.