Firefox Shield study to import Windows root certificates


Karlston

Mozilla wants to evaluate the impact that the importing of Windows root certificates has on Firefox.

 

By default, Firefox uses its own certificate store when it validates the certificates of site connections. While that is beneficial with regard to the control that Mozilla has over certificates, it recently introduced an issue that caused connections to secure sites to fail in the browser.

 

Mozilla had to halt the distribution of Firefox 65 to address the issue. The issue was caused by third-party antivirus engines that installed their own certificates into the Firefox certificate store to enable SSL scanning.

 

Firefox users would receive "your connection is not secure" and "SEC_ERROR_UNKNOWN_ISSUER" connection errors if affected by the issue.

 

 

Users could disable HTTPS scanning in the antivirus solution of choice or flip a preference in Firefox that would allow the browser to import certificates from the Windows Certificate store to mitigate the issue.

 

Mozilla discovered that the issue could have been prevented if Firefox had used certificates from the Windows Certificate store.

 

Mozilla wants to find out if using certificates from the Windows Certificate store has any negative effects on Firefox. The assumption is that there won't be any ill-effects; if that is the case, Firefox will import Windows root certificates by default going forward.

The security team confirmed that having the preference security.enterprise_roots.enabled set to true would have fixed all of these issues without known regressions and we want to validate that in the presence of an AV, enabling this preference would have a positive impact on retention and engagement.

The parameters of the Shield study:

  • Version: Firefox 66
  • Platform: Windows 8.1 and Windows 10.
  • Other: Antivirus installed that is not Windows Defender.

A test group and a control group are selected. The test group will have the preference security.enterprise_roots.enabled set to True while the control group won't. The default value of the preference is false.

 

The preference defines whether Firefox will use certificates from the Windows Certificate store (True) or not (False). The parameter was added in Firefox 49 with a default value of False.

 

Telemetry will be collected to determine the impact of the preference change. Firefox users who don't want certificates from Windows to be imported can set the parameter to False to prevent that from happening.

 

Source: Firefox Shield study to import Windows root certificates (gHacks - Martin Brinkmann)
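
To check which Firefox profiles on a machine already have security.enterprise_roots.enabled set, the sketch below reads each profile's preference files. It is an added example, not code from the article or from Mozilla; the function names are hypothetical, and it assumes the usual profile layout (prefs.js, optionally overridden by user.js) and only sees values stored in those files, not values applied by other means such as enterprise policy.

```python
import re
import sys
from pathlib import Path

PREF = "security.enterprise_roots.enabled"
# Firefox writes preferences as: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_pref(text, name=PREF):
    """Return the last value assigned to `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)  # commented-out lines (// ...) do not match
        if m and m.group(1) == name:
            raw = m.group(2)
            value = {"true": True, "false": False}.get(raw, raw)
    return value


def effective_value(profile_dir):
    """user.js is applied over prefs.js at startup, so check it first.
    If neither file sets the pref, the article's stated default (false) applies."""
    for fname in ("user.js", "prefs.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            value = read_pref(path.read_text(encoding="utf-8", errors="replace"))
            if value is not None:
                return value, fname
    return False, "default"


def audit(profiles_root):
    """Map each profile directory under profiles_root to (value, source)."""
    root = Path(profiles_root)
    return {p.name: effective_value(p) for p in sorted(root.iterdir()) if p.is_dir()}


if __name__ == "__main__":
    # Usage: python audit_roots.py <path to the Firefox "Profiles" directory>
    for name, (value, source) in audit(sys.argv[1]).items():
        flag = "imports Windows roots" if value is True else "Firefox store only"
        print(f"{name}: {PREF}={value} ({source}) -> {flag}")
```

A profile reported as importing Windows roots trusts every root certificate in the Windows Certificate store, including those added by an antivirus product for HTTPS scanning.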
