Mozilla Firefox is about to add an option (which is enabled by default!) that will make it easier for anti virus software to act as man in the middlle in order to decrypt and analyze encrypted HTTPS connections.
More information can be found in the mozilla knowledgebase.
I think this fundamentally subverts the whole purpose of TLS and trusted CAs. It is sad that browser manufacturers have to add security loopholes in order to gain acceptance of clueless users who expect higher security through running useless anti virus software.
Maybe there is a security expert around who can reasonable justify and explain this step?
Top comments (4)
The security issue you seem to see is already present in a vast majority of software on most platforms. Firefox is actually a bit unusual in that it doesn't use the OS's trusted certificate store for TLS.
The simple fact is that Firefox is bowing to how most people (both users and IT professionals) expect it to behave in the first place. Most users admittedly don't know that they expect it to work this way, but that doesn't change the fact that they do indeed expect this behavior.
All Firefox is doing is importing the CA's that are already stored within your Operating System.
If you don't want a CA installed, you can simply remove it.
It's not a violation of privacy.
Maybe a move for Firefox to come back on market through the corporate route?
On by default is concerning.
It is a convenient feature though if off by default so I can easily do the import at work.