Mozilla’s Firefox web browser ships with its own root certificate store by default, rather than relying on the operating system’s. The browser uses the roots in that store as “trust anchors”, and that is what ensures only certificates chaining to a trusted root are accepted for SSL/TLS connections.
Starting in Firefox 120, Firefox automatically trusts root certificates that a user or an administrator has installed in the operating system’s certificate store.
The beta release notes offer the following explanation:
By default, Firefox now uses TLS trust anchors (e.g., certificates) added to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the “Privacy & Security” section of Firefox settings, under “Certificates”.
Administrators add certificates to the operating system for a number of reasons: some applications and devices require them to work properly, development environments often depend on locally issued certificates, and antivirus solutions on Windows that inspect TLS traffic install their own root certificate and try to get Firefox to trust it so they can monitor encrypted data.
Blocking Firefox from trusting OS certificates
Firefox users may disable the functionality in Firefox 120 and newer versions. It is enabled by default. To modify this setting, follow these instructions:
- Load about:preferences#privacy in the Firefox address bar to open the Privacy settings.
- Scroll down to the Security section.
- Locate Certificates there.
- Remove the checkmark from “Allow Firefox to automatically trust third-party root certificates you install”.
You can undo the change at any time by checking the box again.
Another certificate preference
Firefox already has an Enterprise Roots preference, security.enterprise_roots.enabled. When the browser runs into a TLS connection error caused by an untrusted certificate, a second preference, security.certerrors.mitm.auto_enable_enterprise_roots, makes it turn Enterprise Roots on automatically. Doing so imports “any root certificate authorities” that users or administrators have added to the operating system.
Firefox then retries the connection to the site that threw the error. If the retry succeeds, the preference stays enabled and the imported roots remain trusted, so a root installed in the OS store (for example by an interception proxy) becomes trusted after the first error it causes, without any prompt.
Here is how this automatic behavior gets disabled:
- Load about:config in the Firefox address bar.
- Click “Accept the Risk and Continue” if the warning page is displayed.
- Search for security.certerrors.mitm.auto_enable_enterprise_roots.
- Change the value from True to False with a double-click or by using the toggle button.
- Search for security.enterprise_roots.enabled.
- Change the value from True to False.
- Restart the Firefox web browser.
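Both procedures above (unchecking the box in Settings, and flipping the two about:config preferences) end up as values in the profile’s prefs.js, and the same outcome can be enforced machine-wide through enterprise policies. The following script is an added example, not code from the article or from Mozilla: it parses a constructed prefs.js excerpt, applies the Firefox 120 defaults the article describes (both preferences true), reports whether OS roots are trusted now or could become trusted after a certificate error, and emits the policies.json equivalent of the lockdown. The ImportEnterpriseRoots key comes from the policy-templates Certificates section the article links to; using the Preferences policy to lock the second preference is an assumption.

```python
"""Audit whether a Firefox profile trusts OS-installed root certificates."""
import json
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

ENTERPRISE_ROOTS = "security.enterprise_roots.enabled"
AUTO_ENABLE = "security.certerrors.mitm.auto_enable_enterprise_roots"

# Firefox 120 defaults as described in the article (assumed for the demo).
FIREFOX_120_DEFAULTS: Dict[str, PrefValue] = {ENTERPRISE_ROOTS: True, AUTO_ENABLE: True}

# Constructed prefs.js excerpt: the Settings box was unchecked, the
# auto-enable preference was left at its default.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1700000000);
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.enterprise_roots.enabled", false);
"""

_USER_PREF = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')


def parse_prefs_js(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref("name", value); lines; values are true/false, ints or "strings"."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _USER_PREF.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            prefs[name] = True
        elif raw == "false":
            prefs[name] = False
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep anything unexpected verbatim
    return prefs


def os_roots_trust_state(prefs: Dict[str, PrefValue],
                         defaults: Dict[str, PrefValue] = FIREFOX_120_DEFAULTS) -> Dict[str, bool]:
    """Effective state: a missing preference takes the version's default."""
    enabled = bool(prefs.get(ENTERPRISE_ROOTS, defaults[ENTERPRISE_ROOTS]))
    auto = bool(prefs.get(AUTO_ENABLE, defaults[AUTO_ENABLE]))
    return {
        "trusts_os_roots_now": enabled,
        # Even with the box unchecked, a certificate error can turn the pref back on.
        "may_enable_on_cert_error": (not enabled) and auto,
        "fully_disabled": (not enabled) and (not auto),
    }


def lockdown_policy() -> dict:
    """policies.json content that disables both behaviours for every profile."""
    return {
        "policies": {
            "Certificates": {"ImportEnterpriseRoots": False},
            # Assumed: the Preferences policy accepts this security.* pref.
            "Preferences": {AUTO_ENABLE: {"Value": False, "Status": "locked"}},
        }
    }


if __name__ == "__main__":
    print(os_roots_trust_state(parse_prefs_js(SAMPLE_PREFS_JS)))
    print(json.dumps(lockdown_policy(), indent=2))
```

Point the script at a real profile by reading prefs.js from the profile directory instead of SAMPLE_PREFS_JS; a profile that shows may_enable_on_cert_error as true has only done half the job described above.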
Closing Words
Most Firefox users will want to keep the defaults, which exist to minimize certificate errors on managed machines and systems running TLS-inspecting security products. Users who want full control over which roots the browser trusts can disable the functionality; the trade-off is that, with it enabled, any root added to the OS store, whether by an administrator, a security product or something less welcome, can issue certificates Firefox accepts for any site.
This “security.certerrors.mitm.auto_enable_enterprise_roots” pref is not new, though Firefox 120 beta may plan to set it to “true” by default. This pref has been available for years now, and it is certainly available here on Firefox 115+ ESR, both in about:config and as an Enterprise Policy in about:policies#documentation, which links to its definition at [https://mozilla.github.io/policy-templates/#certificates], which states:
“Trust certificates that have been added to the operating system certificate store by a user or administrator.” I’ve always set it to “false”, though “false” may have been the default value up to FF120 beta, not sure.