Firefox Beta 120 trusts OS certificates by default

33 points by gbil ↗ HN
Seems that Firefox Beta 120 is changing the default behavior for certificate trust from its own repo to the OS repo. This is stated in the release notes:https://www.mozilla.org/en-US/firefox/120.0beta/releasenotes/

and here is the relevant bugzilla link: https://bugzilla.mozilla.org/show_bug.cgi?id=1858531

so anyone relying in the existing Firefox behavior needs to opt-out of this new behavior

10 comments

[ 1409 ms ] story [ 3213 ms ] thread
You mean like a local MiTM? I vaguely remember firefox disabling the OS-wide trust store years ago for this very reason.
Forged certificates (for gmail, etc.) are a terrible idea. I thought certificate stapling was implemented to shut this awful practice down.
If you meant certificate pinning, HPKP is long gone and even when browsers supported HPKP they allowed enterprise certs anyway. In retrospect it was never satisfactorily solved because you can't distinguish a person willingly install them from an employee forced to install them.
It'd be nice to get a warning where the lock symbol goes at least, telling you that the connection is only secure because an additional cert got added. Maybe with an option to get warned when it first happens, so your browser doesn't just send along cookies.

Worst thing to me about enterprise certs is when people get tricked into installing them because a captive portal says that's the only way they can get their iphone on the free wifi.

I think it would be sense that the browser should never send cookies if the certificate changed unless the user specifies that the new certificate is valid for the existing cookies (or manually copies them if necessary, e.g. due to a different domain name or a different computer). This way, it willl be secure. HSTS is no good, but cookies being secure-only can help (although I dislike that cookie flag and think instead, it should be if the connection that sent the cookies to you is secure instead).

I also think that, to save energy (and to work-around compatibility issues), you should be allowed to configure it to use insecure proxies for secure connections (usually these insecure proxies would run on your computer, or LAN, but this is not strictly required).

I wonder if cookies could be encrypted with the public key of the sites certificate - then when/if the certificate rotates, the cookies are worthless. You’d have to login again, but they couldn’t be stolen silently.
This isn't the right summary. Firefox uses it own root store still and ignores any certificates distributed by default in the OS. However, if the user installs their root to the OS, Firefox will also pick it up. This is how other browsers work.
https://bugzilla.mozilla.org/show_bug.cgi?id=1848815#c8

> By default, Firefox will now use TLS trust anchors (e.g., certificates) added to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the "Privacy & Security" section of Firefox settings, under "Certificates".

what you state "ignores any certificates distributed by default in the OS." is the as-is situation which is changing in the next weeks and you need specifically to opt-out and will include ALL the certificates no matter if they come from the user or the system. So please elaborate why you think it is the wrong summary

There's a difference between certificates distributed with the OS and certificates added to the OS by a user. Right now Firefox ignores both. This change ONLY picks up the certificates added to the OS by a user.