Attached image BitDefender.gif
[Affected versions]:
Firefox 65.0a1 
Firefox 64.0b14
Firefox 63.0.3 

[Affected platforms]:
Windows 10 64bit.
Windows 10 32bit.

Install BitDefender Plus 2019.

[Steps to reproduce]:
1. Launch Firefox.
2. Access the about:config page.
3. Set the security.enterprise_roots.enabled to "true".
4. Set the security.enterprise_roots.enabled back to "false".
5. Load the webpage.

[Expected result]:
The webpage loads successfully.

[Actual result]:
An error stating that the "connection is not secured" is displayed.

1. Set the "security.enterprise_roots.enabled" pref to "true".
2. Disable the "Encrypted web scan" functionality from BitDefender.

For further information regarding this issue, please observe the attached screencast.
I didn't managed to reproduce this issue using other av's (Kaspersky or Avast).
Feel free to mark this issue as duplicate (if that's the case).
Here's my guess:

Initially, bitdefender finds the user's profile and manually adds its
root certificate to the NSS certificate DB and sets the trust bits.
Meanwhile, for every other program, it installs its root in the Windows
trust store. The enterprise roots pref is false, so Firefox completely
ignores the Windows trust store. Setting the pref to true makes Firefox
search the Windows trust store. It finds the bitdefender root and
imports it (again) and sets the trust bits. Setting the pref to false
again makes Firefox clear the trust bits for all imported enterprise
roots, so the bitdefender root gets untrusted (even though in a sense
there are two copies of the root, NSS de-duplicates certificates, so
trust changes to one happen to all copies). If bitdefender doesn't do
something to make sure the trust bits remain set in the user's profile
(and some av products do this), then it will remain untrusted and the
user's profile won't be able to browse https sites.

One way we could address this problem is to check if we're importing an
enterprise root that we already know of and either skip it or make a
note of its current trust settings so we can re-set it if the pref gets
turned off.
The missing piece here for me, though, is why so many people are having issues with bitdefender just not being recognized at all. I also don't really understand how bitdefender puts its cert into new profiles created after bitdefender is installed, and in that case, how *anyone* ends up with this being completely broken...

I also suffer from this problem. When updating from 64 to 65, all https sites got broken (Avast problem). So I turned off Avast HTTPS web shiled scanning. During investigation, I also enabled and then disabled security.entreprise_roots.enabled . Since then, I can't reach at all with this pref set to false (not even any ohter language modifications/subdomains). I even tried manually uninstalling all avast root certs. It didn't help. However, I'm unable to reproduce this issue with

I tried the same in a clean profile in nightly:

  1. open -> OK
  2. set security.entreprise_roots.enabled to true, reload the page -> OK
  3. set security.entreprise_roots.enabled to false, reload the page -> SEC_ERROR_UNKNOWN_ISSUER

The error page shows me this certificate was provided, which seems completely legit to me:

Emil, can you try this again with a recent nightly? I'm hoping bug 1514118 will have addressed this.

Hi Dana,

I have retested this issue using Firefox 67.0a1 (BuildId:20190205215922) and here are my findings:

  1. Launched Firefox with a clean profile (security.enterprise_roots.enabled pref is set to default "false").
  2. Accessed the webpage -> The "connection is not secured" message is displayed.

It seems that, now, I don't have to toggle the pref in order to trigger the "connection is not secured" message.

Is this behavior expected?

Yes, that is correct, this is reproducible while having the "Encrypted web scan" functionality enabled. The behavior, is different from comment 0 since the "connection is not secured" message doesn't need the pref toggle in order to be triggered now.

Ok - thanks. I guess since the original behavior has changed, I'll close this as "worksforme" unless/until we come across another AV product that we can use to see if bug 1514118 fixed it.

Or actually, Martin - can you reproduce the original behavior with a recent version of Nightly?

Updated nightly today, and it's still the same. With enterprise_roots disabled, I still get SEC_ERROR_UNKNOWN_ISSUER for (using together with Avast).

But following bug 1514118, I tried deleting cert9.db in the Nightly profile and that helped - I can't reproduce the behavior anymore. I'll attach the copies of the old (faulty) and new (working) certdb in case it helps.

Attached file cert9.db.old.db

Certdb which has problems verifying certificates.

Attached file

A working certdb.

Thanks. From what I can tell, the only differences between those DBs are some cached intermediates from the public PKI that wouldn't be causing this issue. I think I'd really need to look at the before/after key4.db if you're comfortable sending those to me (they'll contain any private keys you've imported as well as the key that protects your saved logins, if you use that feature).

I played around, deleted key4.db completely from nightly profile, did a few tests, and the file is still the same. It only contains one row for the password, and no rows in nss_private table. The thing that actually makes difference is really the cert9.db file. If you delete key4.db and use cert9.db.old.db, the certificate problem is there for me.

Looking more closely at those DBs, none of the trust bits for any of those certificates are set, so this would never have worked without some extra magic, presumably from avast, which is now broken (bug 1523701). I'll keep this WFM for now unless/until we can find an av product with TLS interception that actually works with Firefox.

