Firefox Shield study to import Windows root certificates
Mozilla wants to evaluate the impact that the importing of Windows root certificates has on Firefox.
By default, Firefox uses its own certificate store when it validates the certificates of site connections. While that is beneficial with regard to the control that Mozilla has over certificates, it recently introduced an issue that caused connections to secure sites to fail in the browser.
Mozilla had to halt the distribution of Firefox 65 to address the issue. The issue was caused by third-party antivirus engines that installed their own certificates into the Firefox certificate store to enable SSL scanning.
Firefox users would receive "your connection is not secure" and "SEC_ERROR_UNKNOWN_ISSUER" connection errors if affected by the issue.
Users could disable HTTPS scanning in the antivirus solution of choice or flip a preference in Firefox that would allow the browser to import certificates from the Windows Certificate store to mitigate the issue.
Mozilla discovered that the issue could have been prevented if Firefox had used certificates from the Windows Certificate store.
Mozilla wants to find out if using certificates from the Windows Certificate store has any negative effects on Firefox. The assumption is that there won't be any ill-effects; if that is the case, Firefox will import Windows root certificates by default going forward.
The security team confirmed that having the preference security.enterprise_roots.enabled set to true would have fixed all of these issues without known regressions and we want to validate that in the presence of an AV, enabling this preference would have a positive impact on retention and engagement.
The parameters of the Shield study:
- Version: Firefox 66
- Platform: Windows 8.1 and Windows 10.
- Other: Antivirus installed that is not Windows Defender.
A test group and a control group are selected. The test group will have the preference security.enterprise_roots.enabled set to True while the control group won't. The default value of the preference is False.
The preference defines whether Firefox will use certificates from the Windows Certificate store (True) or not (False). The preference was added in Firefox 49 with a default value of False.
Telemetry will be collected to determine the impact of the preference change. Firefox users who don't want certificates from Windows to be imported can set the parameter to False to prevent that from happening.
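To check which value a given profile actually ends up with, the following added example (not Mozilla's code and not part of the original article) reads the preference from a profile's prefs.js and user.js files. It assumes the standard `user_pref("name", value);` line format and that user.js overrides prefs.js at startup; the sample file contents are constructed, and values applied by other mechanisms (such as the study itself) are not visible to it.

```python
import re
from pathlib import Path

PREF = "security.enterprise_roots.enabled"
DEFAULT = False  # default value as stated in the article

# Matches an active line such as: user_pref("security.enterprise_roots.enabled", true);
# Lines commented out with // do not match because of the ^\s* anchor.
_LINE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(true|false)\s*\)\s*;'
)

def pref_in_text(text):
    """Return the last value set for PREF in a prefs file's text, or None."""
    value = None
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            value = (m.group(1) == "true")
    return value

def effective_value(prefs_js="", user_js=""):
    """Return (value, source). user.js wins when both files set the pref."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        v = pref_in_text(text)
        if v is not None:
            return v, source
    return DEFAULT, "default"

def audit_profile(profile_dir):
    """Read prefs.js and user.js from a profile directory; missing files count as empty."""
    def read(name):
        p = Path(profile_dir) / name
        return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else ""
    return effective_value(read("prefs.js"), read("user.js"))

# Constructed sample content, not taken from a real profile.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.enterprise_roots.enabled", true);
'''
SAMPLE_USER_JS = 'user_pref("security.enterprise_roots.enabled", false);\n'

if __name__ == "__main__":
    print(effective_value(SAMPLE_PREFS_JS))                  # prefs.js only
    print(effective_value(SAMPLE_PREFS_JS, SAMPLE_USER_JS))  # user.js overrides
```

A result of `True` means the profile trusts roots from the Windows Certificate store, including any root an antivirus product has installed there for HTTPS scanning.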
Now You: Did you run into SSL connection issues recently? (via Bleeping Computer)