Firefox Update to Address Antivirus TLS Errors
Mozilla revealed on Monday that the upcoming Firefox 68 will address TLS issues caused by antiviruses by automatically making changes to the browser’s configuration when a man-in-the-middle (MitM) error is detected.
The problems began in December, when Mozilla released Firefox 65. After the launch of this version, the organization started seeing a significant rise in TLS errors that are often triggered by how security software interacts with Firefox.
Security software in many cases needs to inspect the content of HTTPS connections in order to detect threats, and it does this by installing its own root certificates on the device.
Unlike other web browsers, which rely on the operating system’s root store to determine if a certificate is trusted, Firefox maintains its own list of trusted certificate authorities (CAs). This means that the developers of security solutions need to properly configure Firefox for their software to be able to analyze encrypted traffic.
Firefox is designed to warn users when a potential MitM attack is detected and antiviruses have been increasingly triggering these types of warnings, preventing users from accessing websites over HTTPS.
The problem can be addressed by enabling the “enterprise roots” preference in Firefox, which causes the browser to import any root CAs added to the OS.
Mozilla said it initially considered adding a “Fix it” button to the MitM error pages to make it easy for users to enable the “enterprise roots” option, but ultimately decided to add a mechanism that would automatically enable the option and reload the page whenever a MitM error is detected.
The preference will remain enabled if the problem is fixed, unless it’s manually disabled by the user. Mozilla has also advised antivirus vendors to enable this preference themselves instead of adding their root CA to the browser’s root store.
This change will be implemented starting with Firefox 68, which is scheduled for release on July 9.
Version 68 of Firefox Extended Support Release (ESR), which is often used in enterprise environments, will enable this preference by default to make it easier for administrators, who often require Firefox to recognize their organization’s own CA.
Mozilla also noted that users can see if a website is using an imported root CA certificate by clicking on the lock icon in the URL bar.
“It might cause some concern for Firefox to automatically trust CAs that haven’t been audited and gone through the rigorous Mozilla process,” said Wayne Thayer, CA program manager at Mozilla. “However, any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store. Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default. In short, the changes we’re making meet the goal of making Firefox easier to use without sacrificing security.”