  2. 1

    If you do NOT want your browser to automatically import OS certs… Try this about:config setting: security.certerrors.mitm.auto_enable_enterprise_roots.

    1. 1

      This is disabled by default (unless you’re a poor soul running ESR builds)

      1. 1
        1. I had to toggle the setting I named to false. I am on Nightly (FF 69).
        2. Beginning with Firefox 68, whenever a MITM error is detected, Firefox will automatically turn on the “enterprise roots” preference and retry the connection.

        3. Elsewhere in the document, they refer to ESR 68, implying that it is distinct from 68.

        (update: added #3.)

        1. 1

          Sorry, there was a misunderstanding. I meant the enterprise roots are disabled by default. Your first comment was right. If you do not intend to use antivirus, you can switch it off :)

          1. 1

            I am required to let the antivirus run, but nobody specifically told me to let it MiTM my browser.

            Anyway, after some testing I determined that the MiTM junk I see on this network isn’t due to client-side antivirus; it’s transparent hijacking at the network level.

            Most TLS connections go through unaltered. Only some wind up presenting a certificate from the firewall product. I presume that if my browser accepted the connection, it would display some “this page is blocked” content. (Or steal my cookies!)

            Strangely, that certificate doesn’t seem to be installed in the OS store. Meaning that, I think, all the browsers on this system will reject the MiTM-based “page is blocked” notification? This might just be a misconfiguration.

    2. 1

      I understand the author’s point that if locally executing code can update the OS cert store, it could also update Firefox’s store, so keeping a private store can’t be a boundary against local code. But I can’t help but wonder if that’s really the problem, i.e., it’d be nice if Firefox could be made to only trust certs trusted by Mozilla without the possibility of a new cert being added to the list. This poses obvious challenges, e.g., it can’t just be a pref since that’s a writable text file.

      It just seems to me to be intellectually disingenuous to have a technology (TLS) aimed at preventing MITM then support things like group policy whose purpose is to allow a MITM, and then trust that actor with no user warning. At a minimum users should know not to enter sensitive information when a MITM is known to be present.

      1. 1

        Well, Firefox gets the blame when websites don’t work because of buggy anti-virus (“but they work in Chrome!!”), I think it’s an interesting compromise :)
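Added example, not part of the thread above and not Mozilla's code: a small audit of the two prefs the thread discusses (the about:config setting named in the first comment, and the enterprise-roots pref it switches on), read from prefs.js / user.js text and from an enterprise policies.json. The pref names and the `Certificates` / `ImportEnterpriseRoots` policy key are real Firefox names; everything else is an assumption of the example: the defaults it encodes (enterprise roots off, auto-enable on, as the thread describes for Firefox 68+ non-ESR), the rule that a policy value overrides and locks the profile pref, and the sample files, which are constructed.

```python
# Added example, not code from the thread or from Mozilla. Audits the two
# about:config prefs discussed above from prefs.js / user.js text and from an
# enterprise policies.json. Pref names and the policy key are real; the defaults
# and the "policy wins and locks" rule are assumptions of this example.
import json
import re

ENTERPRISE_ROOTS = "security.enterprise_roots.enabled"
AUTO_ENABLE = "security.certerrors.mitm.auto_enable_enterprise_roots"

# Assumed defaults for desktop Firefox 68+ (non-ESR): OS-store roots not trusted,
# but automatic enabling of them after a MITM error switched on.
DEFAULTS = {ENTERPRISE_ROOTS: False, AUTO_ENABLE: True}

# One `user_pref("name", value);` line, as Firefox writes to prefs.js or a user writes to user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line; bools, ints and strings are decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment, blank line, or something this parser does not handle
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # leave anything else as the raw token
    return prefs


def effective_state(prefs_js, user_js="", policies_json=None):
    """Layer the sources the way Firefox applies them: defaults, then prefs.js, then
    user.js (re-applied at every start), then policies.json, which sets and locks the pref."""
    state = dict(DEFAULTS)
    for layer in (prefs_js, user_js):
        state.update({k: v for k, v in parse_prefs(layer).items() if k in DEFAULTS})
    locked = set()
    if policies_json:
        certs = json.loads(policies_json).get("policies", {}).get("Certificates", {})
        if "ImportEnterpriseRoots" in certs:
            state[ENTERPRISE_ROOTS] = bool(certs["ImportEnterpriseRoots"])
            locked.add(ENTERPRISE_ROOTS)
    return state, locked


def findings(prefs_js, user_js="", policies_json=None):
    """What this profile will do with an AV or firewall root that sits in the OS store."""
    state, locked = effective_state(prefs_js, user_js, policies_json)
    out = []
    if state[ENTERPRISE_ROOTS]:
        out.append("enterprise roots ON: a root in the OS store is trusted, so interception "
                   "by AV or a firewall that installed one succeeds with no warning")
    elif state[AUTO_ENABLE]:
        out.append("enterprise roots off, but auto-enable ON: a MITM error flips enterprise "
                   "roots on and retries, so the interception succeeds after one failed load")
    else:
        out.append("enterprise roots off and auto-enable off: OS-store roots are never consulted")
    if ENTERPRISE_ROOTS in locked:
        out.append("enterprise roots value is set by policy and locked against about:config")
    elif ENTERPRISE_ROOTS in parse_prefs(prefs_js) and ENTERPRISE_ROOTS not in parse_prefs(user_js):
        out.append("enterprise roots value lives only in prefs.js: set in about:config or written "
                   "by the auto-enable retry; nothing in user.js pins it")
    return out


# Constructed sample inputs (not real profile files).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage_override.mstone", "69.0a1");
user_pref("security.enterprise_roots.enabled", true);
"""
HARDENED_USER_JS = """\
user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false);
user_pref("security.enterprise_roots.enabled", false);
"""
POLICY_NO_ENTERPRISE_ROOTS = json.dumps(
    {"policies": {"Certificates": {"ImportEnterpriseRoots": False}}})

if __name__ == "__main__":
    for label, args in [("stock profile", ("",)),
                        ("after auto-enable fired", (SAMPLE_PREFS_JS,)),
                        ("hardened user.js", (SAMPLE_PREFS_JS, HARDENED_USER_JS)),
                        ("policy", (SAMPLE_PREFS_JS, "", POLICY_NO_ENTERPRISE_ROOTS))]:
        print(label)
        for f in findings(*args):
            print("  -", f)
```

The "hardened user.js" case is the about:config change from the first comment written down so it survives the auto-enable retry; the "policy" case is the administrator's version of the same thing. Both files are plain text writable by anything running as the user (or as an administrator), which is exactly the objection raised in the last comments, so treat this as a check of what a profile will do, not as a boundary against local code.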