After more than six months of constant problems with antivirus software meddling with Firefox’s configuration and certificate store only to crash HTTPS websites, Mozilla announced today a final solution for this long-pressing issue.
According to Mozilla Certificate Authority Program Manager Wayne Thayer, starting with Firefox 68, the browser will automatically enable an about:config preference that will make it less likely that antivirus software crashes an HTTPS page.
The preference is “security.enterprise_roots.enabled”, which starting with Firefox 68, the browser will set to true if it detects a “Man-in-the-Middle” TLS error, which is the typical error specific to antivirus software trying (and failing) to intercept a connection to an HTTPS website.
When this setting is enabled, Firefox will automatically import all the root certificates that have been added on top of the default root certificates included with the operating system.
These additional root certificates are usually the certificates installed by other applications, including antivirus software.
Because Firefox uses its own root certificate store that contains a list of “approved certificates” that is different from the list managed by the operating system, antivirus software needs to add its certificate to Firefox to be allowed to intercept HTTPS traffic carried out inside Firefox and check for malware or bad URLs.
However, installation errors can occur, along with many other issues, which result in Firefox showing a typical HTTPS (TLS) MITM error page, like the one below, whenever an antivirus has botched adding its root certificate to Firefox.
According to Thayer, the number of errors generated inside Firefox by antivirus products has spiked after the release of Firefox 65, this past winter.
The errors were so bad that Mozilla had to halt the Firefox 65 rollout to deal with the constant errors generated on systems where the AVG and Avast antiviruses were installed.
Other errors surfaced later, caused by other antivirus vendors, but for the same reason.
Thayer said that at one point the Firefox devs were pondering adding a “Fix It” button to this error page, so users can press it and automatically enable the “enterprise roots” setting, so they could automatically import the “additional” root certificates from the OS root store into Firefox’s private list.
Firefox engineers dropped the button idea, but they are now opting for an automatic solution instead.
“Beginning with Firefox 68, whenever a MITM error is detected, Firefox will automatically turn on the ‘enterprise roots’ preference and retry the connection,” Thayer said.
“If it fixes the problem, then the “enterprise roots” preference will remain enabled (unless the user manually sets the ‘security.enterprise_roots.enabled’ preference to false).”
“We are also recommending as a best practice that antivirus vendors enable this preference (by modifying prefs.js) instead of adding their root CA to the Firefox root store. We believe that these actions combined will greatly reduce the issues encountered by Firefox users,” Thayer added.
The Mozilla engineer also played down fears that automatically importing root certificates from the OS root store into Firefox isn’t a danger to the browser’s security, as some users might fear.
“Any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store,” he said. “Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default.”
“In short, the changes we’re making meet the goal of making Firefox easier to use without sacrificing security.”
Firefox 68 is scheduled for release next week, on Microsoft’s normal Patch Tuesday.
More browser coverage: