Mozilla announced that it will resolve the issues that caused antivirus apps crashing HTTPs websites with the release of Firefox 68 version.
The problems began after the release of Firefox 65 in December 2018, since then experts observed a significant increase in a certain type of TLS error that is triggered by the interaction of antivirus software with the browser. Mozilla finally has solved these problems without impacting on the security.
Security apps often inspect the content of HTTPS connections in order to detect malicious activities. This is possible by installing root certificates on the device.
Unlike most common web browsers that leverage the operating system’s root store to determine if a certificate is trusted, Firefox maintains its own list of trusted certificate authorities (CAs). Developers of security solutions that need to inspect the traffic have to properly configure Firefox to avoid that the browser will raise a MitM attack warning every time users are accessing websites over HTTPS.
The issue could be addressed by enabling the “enterprise roots” preference in Firefox, in this way it is possible to force the browser to import any root CAs added to the OS.
“The interception of TLS connections has historically been referred to as a “man-in-the-middle”, or MITM. We’ve developed a mechanism to detect when a Firefox error is caused by a MITM. We also have a mechanism in place that often fixes the problems.” reads the blog post published by Mozilla. “The “enterprise roots” preference, when enabled, causes Firefox to import any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer. This option is available on Windows and MacOS. “
When this setting is enabled, Firefox will automatically import all the root certificates, including the certificates installed by antivirus software.
Mozilla initially evaluated the possibility to add a “Fix it” button to the MitM error pages to allow users to easily enable the “enterprise roots” option, but finally, it opted out to add a mechanism that would automatically enable the option and reload the page whenever the MitM error is displayed.
The preference will remain enabled unless it’s manually disabled by the user. Mozilla urges antivirus companies to enable this preference instead of adding their root CA to the browser’s root store.
This change will be implemented with the release of Firefox 68 that is scheduled for July 9.
Users can determine if a website is using an imported root CA certificate by clicking on the lock icon in the address bar.
“It might cause some concern for Firefox to automatically trust CAs that haven’t been audited and gone through the rigorous Mozilla process,” concludes Mozilla.“However, any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store. Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default. In short, the changes we’re making meet the goal of making Firefox easier to use without sacrificing security.”
(SecurityAffairs – Firefox, digital certificates)