Mozilla Firefox developers are taking a different tack from their recent efforts to clamp down on antivirus products that intercept HTTPS traffic to inspect it for malware.
On one hand, antivirus products can use this technique to protect end-users from malware before it reaches the browser. On the other, as Mozilla argues, the Transport Layer Security (TLS) protocol behind ‘secure’ HTTPS connections is meant to prevent exactly this kind of interception, by relying on certificates issued by Certificate Authorities (CAs) trusted by the OS or, in Firefox’s case, by Firefox’s own root store.
One part of Mozilla’s effort to counter the techniques antivirus products use to inspect HTTPS traffic was a new warning in Firefox 66 that tells users when their connection to a website is likely broken because an antivirus product is conducting a man-in-the-middle (MITM) interception.
That issue cropped up after Firefox 65 rolled out and users running Avast software on Windows began seeing a “SEC_ERROR_UNKNOWN_ISSUER” warning. Other warnings Firefox now displays in similar situations include “MOZILLA_PKIX_ERROR_MITM_DETECTED” and “ERROR_SELF_SIGNED_CERT”.
To stem the issue, Avast at the time disabled HTTPS filtering for Firefox while leaving it enabled for other browsers. Avast argues that the technique of substituting certificates in order to inspect traffic is valid and necessary.
It’s a tricky problem to solve for Mozilla, which wants to differentiate Firefox privacy features from the most dominant Windows browser, Google Chrome.
“On Windows, about 60% of Firefox users run antivirus software and most of them have HTTPS scanning features enabled by default,” said Wayne Thayer, a certification authority program manager at Mozilla.
Thayer explains that, from Mozilla’s perspective, the core problem is that Firefox uses its own list of trusted CAs rather than the root certificate list used by the operating system, such as Windows.
“Other browsers often choose to rely on the root store provided by the operating system (OS) (e.g. Windows). This means that antivirus software has to properly reconfigure Firefox in addition to the OS, and if that fails for some reason, Firefox won’t be able to connect to any websites over HTTPS, even when other browsers on the same computer can,” explained Thayer.
In Firefox 68, due out later in July, Mozilla will change its approach with an automated procedure that should take the pain out of these issues. Previously, IT admins could enable a setting called “enterprise roots” on Windows and macOS, which allows Firefox to import root CAs that a user or admin has added to the OS trust store.
“Whenever a MITM error is detected, Firefox will automatically turn on the ‘enterprise roots’ preference and retry the connection,” writes Thayer.
The “enterprise roots” preference will remain enabled if it works, unless the user manually changes the setting.
Mozilla is also urging antivirus vendors to enable this preference as an alternative to adding their own root CA to the Firefox root store.
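For an admin who would rather set the “enterprise roots” behaviour explicitly than rely on the automatic retry, the same preference can be turned on through Firefox’s enterprise policy mechanism. The following policies.json is an added example, not part of the article or of Mozilla’s announcement; it assumes a Firefox build that reads a policies.json file from the distribution directory of its install folder and supports the Certificates policy with its ImportEnterpriseRoots key.

```json
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true
    }
  }
}
```

With this policy in place Firefox trusts roots the admin has added to the OS store from the start, so a locally installed filtering root no longer triggers the MITM error that Firefox 68 would otherwise have to recover from.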
“We believe that these actions combined will greatly reduce the issues encountered by Firefox users,” said Thayer.