disable enterprise roots #560

Closed
PhoenixClank opened this issue Jan 14, 2025 · 7 comments

@PhoenixClank

There is a pref, security.enterprise_roots.enabled, that when true, causes Firefox to trust CA certificates in the OS's cert store that aren't found in Firefox's own cert store.

There is behavior that automatically sets this pref to true when a TLS error occurs. The assumption is that the browser accesses the internet through a corporate proxy, or through some virus protection software, that feels the need to MitM the user's TLS traffic. So Firefox lets it.

The pref security.certerrors.mitm.auto_enable_enterprise_roots controls this behavior.

I suggest that both of these prefs should be set to false.

@pyllyukko
Owner

Yeah we don't want/need any automatically added CAs. Thank you!

@PhoenixClank
Author

That was quick! Thanks!

@PhoenixClank
Author

(Fun fact: on my machine, Firefox's cert store is the OS's cert store. But the trust goes the opposite way: the Arch Linux maintainers trust that Mozilla doesn't let any bogus CAs into their certificate program.)

@pyllyukko
Owner

> (Fun fact: on my machine, Firefox's cert store is the OS's cert store. But the trust goes the opposite way: the Arch Linux maintainers trust that Mozilla doesn't let any bogus CAs into their certificate program.)

It's the same with many distros and OSs: they use Mozilla's NSS cert store.

Debian

```
Package: ca-certificates
Version: 20230311
Installed-Size: 384
Maintainer: Julien Cristau <[email protected]>
Architecture: all
Depends: openssl (>= 1.1.1), debconf (>= 0.5) | debconf-2.0
Enhances: openssl
Breaks: ca-certificates-java (<< 20121112+nmu1)
Description-en: Common CA certificates
 Contains the certificate authorities shipped with Mozilla's browser to allow
 SSL-based applications to check for the authenticity of SSL connections.
 .
 Please note that Debian can neither confirm nor deny whether the
 certificate authorities whose certificates are included in this package
 have in any way been audited for trustworthiness or RFC 3647 compliance.
 Full responsibility to assess them belongs to the local system
 administrator.
```

Slackware

http://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/source/ca-certificates/get-certdata.txt.sh:

```
lftpget https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
```

FreeBSD

```
Name           : ca_root_nss
Version        : 3.104
Installed on   : Sat Jan  4 21:34:53 2025 EET
Origin         : security/ca_root_nss
Architecture   : FreeBSD:13:*
Prefix         : /usr/local
Categories     : security
Licenses       : MPL20
Maintainer     : [email protected]
WWW            : UNKNOWN
Comment        : Root certificate bundle from the Mozilla Project
Options        :
	ETCSYMLINK     : on
Annotations    :
	build_timestamp: 2024-10-31T01:20:13+0000
	built_by       : poudriere-git-3.4.2
	port_checkout_unclean: no
	port_git_hash  : b14f2244f85
	ports_top_checkout_unclean: no
	ports_top_git_hash: 35e33b5b918
	repo_type      : binary
	repository     : iocage-plugins
Flat size      : 792KiB
Description    :
Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.

This port directly tracks the version of NSS in the security/nss port.
```

@Gitoffthelawn
Contributor

@PhoenixClank I just have to say it was such a pleasure to read your issue report. You explained the issue clearly, provided details of why it happened, and suggested a solution. I wish every issue report was presented so well in every repo!

@nodiscc
Contributor

nodiscc commented Jan 15, 2025

I think this pref should come with a warning that it will break (or won't it?) support for custom certificates added by the user to their OS trust store (on Debian /usr/local/share/ca-certificates/ + sudo update-ca-certificates)

@pyllyukko
Owner

> I think this pref should come with a warning that it will break (or won't it?) support for custom certificates added by the user to their OS trust store (on Debian /usr/local/share/ca-certificates/ + sudo update-ca-certificates)

We can add a warning, sure, but IMO it's better and maybe even expected for Firefox to only trust its own CA store.
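
Added example, not part of the issue thread or the project's own code: a check that a profile's `user.js` explicitly pins the two prefs named in the issue to `false`, so neither a platform default nor the automatic MitM fallback can turn on trust in OS-store CAs. The function names, state labels and sample `user.js` text are constructed for illustration; an unset pref is reported rather than assumed to have any particular default.

```python
import re

# The two prefs named in the issue; both should be pinned to false.
REQUIRED_FALSE = (
    "security.enterprise_roots.enabled",
    "security.certerrors.mitm.auto_enable_enterprise_roots",
)

# Matches: user_pref("name", value);  Lines starting with // never match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_user_js(text):
    """Return {pref: raw value}; a later line overrides an earlier one."""
    # Simplification: drop /* ... */ comments without tracking string literals.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def audit(text):
    """Map each required pref to 'pinned-false', 'not-false' or 'unset'."""
    prefs = parse_user_js(text)
    result = {}
    for name in REQUIRED_FALSE:
        value = prefs.get(name)
        if value is None:
            result[name] = "unset"         # browser default applies
        elif value == "false":
            result[name] = "pinned-false"
        else:
            result[name] = "not-false"     # OS-store CAs may be trusted
    return result


# Constructed sample: commented-out settings plus a later override to true.
SAMPLE = """\
// user_pref("security.enterprise_roots.enabled", false);
/* user_pref("security.certerrors.mitm.auto_enable_enterprise_roots", false); */
user_pref("security.enterprise_roots.enabled", false);
user_pref("security.enterprise_roots.enabled", true);
"""

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{state:13} {name}")
```
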
