itman 1,786 Posted March 27, 2019 (edited)

Hopefully this will resolve users' issues with Eset's SSL Protocol Scanning. Now if Chrome would do likewise; don't hold your breath on that one ...

Quote:

In order to prevent future errors caused by the SSL scanning feature of many antivirus programs, Mozilla is performing a test that imports the Windows root certificates into Firefox.

In order for an antivirus engine to scan SSL connections it will install their own certificates into the Firefox and Windows certificate stores. An issue since Firefox 65 had caused the antivirus program's certificates to not be used properly and would display an error instead.

At the time, in order to fix these issues users could do one of two things. Either disable SSL scanning in their antivirus software, which is obviously a security risk, or enable the security.enterprise_roots.enabled flag to have Firefox use the Windows certificate store for validating the SSL connection.

According to a new Firefox bug report, the Mozilla security team has stated that the issues antivirus vendors had in February would have been avoided if the Windows root certificate store was used by default. Therefore, as a test Mozilla is enabling the security.enterprise_roots.enabled feature by default, which will cause Firefox to import the Windows root certificates when the browser is started.

This test is being pushed out to users of Windows 10 and Windows 8 who have an antivirus program registered other than Windows Defender and do not have the security.enterprise_roots.enabled flag enabled already. If this test does not cause other issues to arise, we should expect to see this configuration setting enabled by default going forward.

https://www.bleepingcomputer.com/news/software/firefox-to-import-windows-root-certs-to-avoid-antivirus-ssl-scanning-issues/

Edited March 28, 2019 by itman

Marcos (Administrators) 5,406 Posted March 28, 2019

We didn't have any issues importing the root CA to the Firefox or Thunderbird trusted root CA certificate stores. Not sure why the other AVs had the mentioned issues.

itman 1,786 Posted March 28, 2019 Author (edited)

One rather obvious issue would be if the user installed Firefox after Eset was installed. However, I believe issues could arise dependent upon how the browser vendor updates its root CA certificate store. For example, it might just delete everything and do a full replace of its root certificates.

As far as I am concerned, using the built-in root CA certificate store is the less issue-prone and more secure method. It also relieves the browser vendor from performing certificate "cop" activities which Google seems to revel in.

Edited March 28, 2019 by itman
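
An added example, not part of the thread and not Firefox's or ESET's own code: a small Python check that reports whether a Firefox profile explicitly sets security.enterprise_roots.enabled, the flag named in the quoted article. It assumes the usual `user_pref("name", value);` line format of prefs.js and user.js, with user.js applied over prefs.js at startup; the function names and the sample profile are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PREF = "security.enterprise_roots.enabled"

# Matches an active line such as: user_pref("some.pref", true);
# Lines commented out with // do not match because of the ^ anchor.
_PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;', re.M
)

def read_bool_pref(path, name=PREF):
    """Return True/False if the file sets the boolean pref, else None."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None  # file missing or unreadable: pref not set here
    value = None
    for key, raw in _PREF_RE.findall(text):
        if key == name:
            value = (raw == "true")  # a later line overrides an earlier one
    return value

def effective_pref(profile_dir, name=PREF):
    """Return (value, source_file); (None, None) means no explicit setting.

    user.js is read after prefs.js, so it is checked last and wins.
    """
    result = (None, None)
    for fname in ("prefs.js", "user.js"):
        value = read_bool_pref(Path(profile_dir) / fname, name)
        if value is not None:
            result = (value, fname)
    return result

def demo():
    """Build a constructed sample profile and evaluate it."""
    with tempfile.TemporaryDirectory() as profile:
        Path(profile, "prefs.js").write_text(
            'user_pref("browser.startup.page", 3);\n'
            f'user_pref("{PREF}", false);\n'
        )
        Path(profile, "user.js").write_text(f'user_pref("{PREF}", true);\n')
        return effective_pref(profile)

if __name__ == "__main__":
    value, source = demo()
    print(f"{PREF} = {value} (set in {source})")
```

A result of `(None, None)` means the profile carries no explicit setting, so the browser's built-in default or an enterprise policy decides whether the Windows root store is trusted.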