Firefox to Automatically Trust OS-Installed CA Certificates to Prevent TLS Errors

Mozilla has finally introduced a mechanism that lets the Firefox browser automatically fix certain TLS errors, which are often triggered when antivirus software installed on a system tries to intercept secure HTTPS connections.

Most antivirus software offers a web security feature that intercepts encrypted HTTPS connections to inspect their content for malicious web pages before it reaches the web browser.

To achieve this, the security software replaces websites’ TLS certificates with its own digital certificates, issued by a Certificate Authority (CA) that the system trusts.

Since Mozilla trusts only the CAs listed in its own root store, antivirus products that rely on other CAs trusted by the operating system (OS) are not able to intercept HTTPS connections in Firefox.

In recent months, this limitation repeatedly broke HTTPS pages for many Firefox users, showing them the SEC_ERROR_UNKNOWN_ISSUER, MOZILLA_PKIX_ERROR_MITM_DETECTED or ERROR_SELF_SIGNED_CERT error codes when their antivirus attempted to intercept an HTTPS-enabled page by adding its root certificate to the Firefox store.

To let users fix this issue easily, starting with Firefox 68 the browser will automatically enable the “enterprise roots” preference and retry the connection whenever it detects a “Man-in-the-Middle” TLS error.

Enabling the “security.enterprise_roots.enabled” setting configures Firefox to trust certificates in the operating system certificate store by importing “any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer.”
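Because this preference widens Firefox's trust to every root in the OS store, an administrator may want to audit which profiles have it switched on, whether by the new automatic retry or by hand. The following checker is an added example, not Mozilla's code: it reads a profile's prefs.js and an optional enterprise policies.json (the `Certificates.ImportEnterpriseRoots` policy key is Mozilla's real one; the rule that policy overrides the profile preference is an assumption of this script), using constructed sample files embedded inline.

```python
import json
import re

# Constructed sample prefs.js from a hypothetical profile (not from the article).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1560000000);
user_pref("security.enterprise_roots.enabled", true);
user_pref("browser.startup.homepage", "https://example.com");
'''

# Constructed sample policies.json; an admin locking OS-root trust off.
SAMPLE_POLICIES_JSON = '{"policies": {"Certificates": {"ImportEnterpriseRoots": false}}}'

# One user_pref("name", value); line per match; value captured raw.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.MULTILINE)


def parse_prefs(prefs_text):
    """Return {name: value} for every user_pref line, decoding bool/int/str."""
    prefs = {}
    for name, raw in PREF_RE.findall(prefs_text):
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything unexpected as its raw text
    return prefs


def enterprise_roots_state(prefs_text, policies_text=None):
    """Effective OS-root trust as (enabled, source).

    Assumption: an ImportEnterpriseRoots policy wins over the profile pref.
    If neither sets it, Firefox's built-in default applies (reported as None).
    """
    if policies_text:
        certs = json.loads(policies_text).get("policies", {}).get("Certificates", {})
        if "ImportEnterpriseRoots" in certs:
            return bool(certs["ImportEnterpriseRoots"]), "policy"
    prefs = parse_prefs(prefs_text)
    if "security.enterprise_roots.enabled" in prefs:
        return bool(prefs["security.enterprise_roots.enabled"]), "prefs.js"
    return None, "default"
```

A result of `(True, "prefs.js")` on a machine with no enterprise policy is the signature of the automatic fix described above having fired (or of a user or program flipping the preference), and is worth correlating with which roots are actually present in the OS store.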

According to the company, this option is available on Windows and macOS.

The company has also recommended that antivirus vendors enable the “enterprise roots” preference instead of adding their own root CA to the Firefox root store.
