Closed Bug 1541012 Opened 9 months ago Closed 6 months ago

Set security.enterprise_roots.enabled to true by default on ESR

Categories

(Firefox :: Security, task, P1, major)

68 Branch
task

Tracking

()

VERIFIED FIXED
Tracking Status
firefox-esr68 68+ verified

People

(Reporter: RT, Assigned: jcristau)

References

Details

User Story

Assuming that our A/B test (https://experimenter.services.mozilla.com/experiments/retentionengagement-impact-of-enabling-the-enterprise-roots-feature-in-the-presence-of-an-av/) does not identify regressions in user retention/engagement we'd like to set ecurity.enterprise_roots.enabled to true by default on the next ESR.
This removes a barrier to enterprise adoption in scenarios where our MitM detection mechanisms fail. (many enterprises hit issues with self signed certificates who are not aware of the enterprise roots feature).

Attachments

(1 file)

Assuming that our A/B test (https://experimenter.services.mozilla.com/experiments/retentionengagement-impact-of-enabling-the-enterprise-roots-feature-in-the-presence-of-an-av/) does not identify regressions in user retention/engagement we'd like to set security.certerrors.mitm.auto_enable_enterprise_roots to true by default on the next ESR.
This removes a barrier to enterprise adoption in scenarios where our MitM detection mechanisms fail. (many enterprises hit issues with self signed certificates who are not aware of the enterprise roots feature).

Did you mean security.enterprise_roots.enabled? Because security.certerrors.mitm.auto_enable_enterprise_roots depends on the MitM detection mechanism to work.

Also, note that AFAIU neither method can protect against purely self-signed certificates (with no custom root attached).

Component: General → Security
Priority: -- → P1
Flags: needinfo?(rtestard)

Apologies you're right here, now added a user story field with updated preference.

User Story: (updated)
Flags: needinfo?(rtestard)
Summary: Set security.certerrors.mitm.auto_enable_enterprise_roots to true by default on ESR → Set ecurity.enterprise_roots.enabled to true by default on ESR
Depends on: 1515608
Summary: Set ecurity.enterprise_roots.enabled to true by default on ESR → Set security.enterprise_roots.enabled to true by default on ESR

The results from the study were very positive per https://metrics.mozilla.com/protected/wbeard/exp_av/reports/index.html and we want to move forward with setting security.enterprise_roots.enabled to true by default on ESR.
I'm unsure who typically creates custom changes for ESR, Mike can you please assign to the relevant person so it gets done as ESR68 gets built?

Flags: needinfo?(mozilla)
Blocks: 1547013

Julian,

Should we handle this in code, similar to extension signing?

Flags: needinfo?(mozilla) → needinfo?(jcristau)

We can land a patch to change the default on the esr68 repo after it's created next month, that's probably easiest.

Flags: needinfo?(jcristau)

[Tracking Requested - why for this release]: Marking so we remember to do this before release.

Assignee: nobody → jhofmann
Status: NEW → ASSIGNED

We can land a patch to change the default on the esr68 repo after it's created next month, that's probably easiest.

Actually reading that comment I'm not sure if I'm the right assignee anymore, I suppose rel-man will take care of this?

Thanks!

Assignee: jhofmann → nobody
Status: ASSIGNED → NEW

per comment #5 -- Julien, who is the right person to handle this change?

Flags: needinfo?(jcristau)

Based on the results of the study, I'm confirming that we do want to move forward with shipping in 68 unless there is some risk that I'm not aware of in doing so.

I'll take this.

Assignee: nobody → jcristau
Status: NEW → ASSIGNED
Flags: needinfo?(jcristau)

We don't want to ship the MitM detection on ESR, so directly import
roots from the Windows registry instead.

Comment on attachment 9071265 [details]
Bug 1541012 - enable security.enterprise_roots.enabled for ESR68. r?johannh

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: on release we do mitm detection, on esr we don't want to do that
  • User impact if declined: cert errors when using enterprise or AV mitm
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
  • String or UUID changes made by this patch: n/a
Attachment #9071265 - Flags: approval-mozilla-esr68?
Type: defect → task

Moving tracking to esr68 now that the flags are available.

Comment on attachment 9071265 [details]
Bug 1541012 - enable security.enterprise_roots.enabled for ESR68. r?johannh

Approved for esr68

Attachment #9071265 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Flags: qe-verify+
Regressions: 1561994
QA Whiteboard: [qa-triaged]

Verified - fixed on latest ESR 68.1.0esr (Build ID: 20190826132627) on Windows 10 x64, Mac OS 10.14 and Ubuntu 16.04.
The "security.enterprise_roots.enabled" pref is enabled by default.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.