Firefox to Automatically Trust OS-Installed CA Certificates to Prevent TLS Errors
Mozilla has finally introduced a mechanism to let Firefox browser automatically fix certain TLS errors, often triggered when antivirus software installed on a system tries to intercept secure HTTPS connections.
Most Antivirus software offers web security feature that intercepts encrypted HTTPS connections to monitor the content for malicious web pages before it reaches the web browser.
To achieve this, security software replaces websites’ TLS certificates with their own digital certificates issued by any trusted Certificate Authorities (CAs).
Since Mozilla only trusts those CAs that are listed in its own root store, the antivirus products relying on other trusted CAs provided by the operating system (OS) are not allowed to intercept HTTPS connections on Firefox.
In recent months, this limitation continually crashed HTTPS pages for many Firefox users showing them SEC_ERROR_UNKNOWN_ISSUER, MOZILLA_PKIX_ERROR_MITM_DETECTED or ERROR_SELF_SIGNED_CERT error codes when their antivirus attempts to intercept an HTTPS-enabled page by adding its root certificate to Firefox store.
To let users easily fix this issue, starting with Firefox 68, the browser will now automatically enable the “enterprise roots” preference and retry the connection whenever it detects a “Man-in-the-Middle” TLS error.
Enabling the “security.enterprise_roots.enabled” setting configures Firefox to trust certificates in the operating system certificate store by importing “any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer.”
According to the company, this option is available on Windows and MacOS.
The company has also recommended antivirus vendors to enable the “enterprise roots” preference instead of adding their own root CA to the Firefox root store.
Moreover, the company also says that with Firefox ESR 68, the “enterprise roots” preference setting will come enabled by default.
“Because extended support releases are often used in enterprise settings where there is a need for Firefox to recognize the organization’s own internal CA, this change will streamline the process of deploying Firefox for administrators,” Mozilla explains.
While talking about users concerns over Firefox automatically trusting certificates that haven’t been audited and gone through the rigorous Mozilla process, the company says “any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store.”
“Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default.”
“In short, the changes we’re making meet the goal of making Firefox easier to use without sacrificing security.”
Besides this, starting with Firefox 68, which has been scheduled to be released on 9th July, the sensitive device features like the camera and microphone will require an HTTPS connection to work with the browser.