Firefox Certificate Store
With the release of Mozilla Firefox 65 in February 2019, when connecting to HTTPS sites, some users like “Your Connection is not secure” or “SEC_ERROR_UNKNOWN_ISSUER”. The reason turned out to be in antiviruses such as Avast, Bitdefender and Kaspersky, which install their root certificates on the computer for MiTM implementation in the user's HTTPS traffic. And since Firefox has its own certificate store, they try to infiltrate it too.
Browser Developers users to refuse to install third-party antiviruses that interfere with the operation of browsers and other programs, but the mass audience has not yet heeded the calls. Unfortunately, working as a transparent proxy, many antiviruses reduce the quality of cryptographic protection on client computers. For this purpose, developing , which on the server side detect the presence of a MiTM, such as an antivirus, in the channel between the client and the server.
One way or another, but in this case, antiviruses again interfered with the browser, and Firefox had no choice but to solve the problem on its own. There is a setting in the browser configs security.enterprise_roots.enabledIf you enable this flag, Firefox will start using the certificate store. Windows to validate SSL connections. If someone experiences the above-mentioned errors when visiting HTTPS websites, they can either disable SSL connection scanning in their antivirus software or manually enable this flag in their browser settings.
Problem in the Mozilla bug tracker. The developers decided to activate the flag for the purpose of the experiment security.enterprise_roots.enabled by default, to store certificates Windows used without any additional action from the user. This will happen starting with Firefox 66 on systems Windows 8 and Windows 10, on which third-party antiviruses are installed (the API allows you to detect the presence of an antivirus in the system only from version Windows 8).
Source: habr.com
