Mozilla has finally introduced a mechanism to let Firefox browser automatically fix certain TLS errors, often triggered when antivirus software installed on a system tries to intercept secure HTTPS connections.
The problems began in December, when Mozilla released Firefox 65. After the launch of this version, the organization started seeing a significant rise in TLS errors that are often triggered by how security software interacts with Firefox.
Since Mozilla only trusts those CAs that are listed in its own root store, the antivirus products relying on other trusted CAs provided by the operating system (OS) are not allowed to intercept HTTPS connections on Firefox.
Security software in many cases needs to inspect the content of HTTPS connections in order to detect threats, and it does this by installing its own root certificates on the device.
To let users easily fix this issue, starting with Firefox 68, the browser will now automatically enable the “enterprise roots” preference and retry the connection whenever it detects a “Man-in-the-Middle” TLS error.
Enabling the “security.enterprise_roots.enabled” setting configures Firefox to trust certificates in the operating system certificate store by importing “any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer.”
This change will be implemented starting with Firefox 68, which is scheduled for release on July 9.
Version 68 of Firefox Extended Support Release (ESR), which is often used in enterprise environments, will enable this preference by default to make it easier for administrators, who often require Firefox to recognize their organization’s own CA.
Mozilla also noted that users can see if a website is using an imported root CA certificate by clicking on the lock icon in the URL bar.
“It might cause some concern for Firefox to automatically trust CAs that haven’t been audited and gone through the rigorous Mozilla process,” said Wayne Thayer, CA program manager at Mozilla. “However, any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store. Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default. In short, the changes we’re making meet the goal of making Firefox easier to use without sacrificing security.”
Besides this, starting with Firefox 68, which has been scheduled to be released on 9th July, the sensitive device features like the camera and microphone will require an HTTPS connection to work with the browser.