
Firefox to Import Windows Root Certs To Avoid Antivirus SSL Scanning Issues


itman


Hopefully this will resolve users' issues with Eset's SSL Protocol Scanning. Now if Chrome would do likewise; don't hold your breath on that one ...
 

Quote

In order to prevent future errors caused by the SSL scanning feature of many antivirus programs, Mozilla is performing a test that imports the Windows root certificates into Firefox.

In order for an antivirus engine to scan SSL connections, it will install its own certificates into the Firefox and Windows certificate stores. An issue since Firefox 65 had caused the antivirus program's certificates to not be used properly and would display an error instead.

At the time, in order to fix these issues users could do one of two things. Either disable SSL scanning in their antivirus software, which is obviously a security risk, or enable the security.enterprise_roots.enabled flag to have Firefox use the Windows certificate store for validating the SSL connection.

According to a new Firefox bug report, the Mozilla security team has stated that the issues antivirus vendors had in February would have been avoided if the Windows root certificate store was used by default. Therefore, as a test Mozilla is enabling the security.enterprise_roots.enabled feature by default, which will cause Firefox to import the Windows root certificates when the browser is started.

This test is being pushed out to users of Windows 10 and Windows 8 who have an antivirus program registered other than Windows Defender and do not have the security.enterprise_roots.enabled flag enabled already.

If this test does not cause other issues to arise, we should expect to see this configuration setting enabled by default going forward.

https://www.bleepingcomputer.com/news/software/firefox-to-import-windows-root-certs-to-avoid-antivirus-ssl-scanning-issues/

Edited by itman
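
An added example (not part of the post above or the quoted article, and not Mozilla's or ESET's code): a Python check of the effective value of security.enterprise_roots.enabled for a Firefox profile, given the text of its prefs.js and user.js. The profile names and file contents are constructed sample data, and the built-in default is a parameter because it is an assumption that depends on the Firefox version.

```python
import re

PREF = "security.enterprise_roots.enabled"
# One boolean pref line as written in prefs.js / user.js; commented-out lines do not match.
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def read_bool_pref(text, name=PREF):
    """Return the last boolean value set for `name` in one prefs file, or None if unset."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            value = m.group(2) == "true"  # a later line overrides an earlier one
    return value

def effective_enterprise_roots(prefs_js, user_js="", default=False):
    """user.js is applied over prefs.js at startup, so it wins when both set the pref.
    `default` is an assumption: pass the built-in default of the Firefox version in use."""
    for text in (user_js, prefs_js):
        value = read_bool_pref(text)
        if value is not None:
            return value
    return default

def audit(profiles, default=False):
    """Map profile name -> True if Firefox will also trust the Windows root store."""
    return {name: effective_enterprise_roots(prefs, user, default)
            for name, (prefs, user) in profiles.items()}

# Constructed sample data: profile name -> (prefs.js text, user.js text).
SAMPLE = {
    "default-release": ('user_pref("browser.startup.page", 3);\n'
                        'user_pref("security.enterprise_roots.enabled", true);\n', ""),
    "work": ('user_pref("security.enterprise_roots.enabled", true);\n',
             '// override kept in user.js\n'
             'user_pref("security.enterprise_roots.enabled", false);\n'),
    "fresh": ('// user_pref("security.enterprise_roots.enabled", true);\n', ""),
}

if __name__ == "__main__":
    for name, enabled in audit(SAMPLE).items():
        state = "Windows roots trusted" if enabled else "Firefox store only"
        print(f"{name}: {state}")
```

Profiles reported as "Firefox store only" validate connections only against certificates in Firefox's own store, which is the case the article's workaround addresses.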

  • Administrators

We didn't have any issues importing the root CA into the Firefox or Thunderbird trusted root CA certificate stores. Not sure why the other AVs had the mentioned issues.


One rather obvious issue would be if the user installed Firefox after Eset was installed.

However, I believe issues could arise dependent upon how the browser vendor updates its root CA certificate store. For example, it might just delete everything and do a full replace of its root certificates.

As far as I am concerned, using the built-in root CA certificate store is the less issue-prone and more secure method. It also relieves the browser vendor from performing certificate "cop" activities, which Google seems to revel in.

Edited by itman

This topic is now closed to further replies.