Closed Bug 1553233 Opened 5 years ago Closed 5 years ago

with ImportEnterpriseRoots Enterprise Policy Firefox MUST also import and distrust the certificates Untrusted by the enterprise

Categories

(Core :: Security: PSM, defect)

Tracking

RESOLVED WONTFIX

People

(Reporter: bugzilla-mozilla-only-for-adi-20160420, Unassigned)

Details

Attachments

(4 files)

Attached image avast_root_ca_2.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

This bug is related to this issue in Avast:
https://forum.avast.com/index.php?topic=227348.0

  • install Avast Antivirus Free

  • disable Avast's HTTPS scanning mode.

  • Discover that Avast still loads a Root Certificate in Firefox via Enterprise Policy in
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates\

  • open certificate manager, verify that the certificate is still seen as a REVOKED ROOT Certification Authority

Actual results:

Firefox ignores the Untrusted Root Certificates section from the system policies, causing Root certificates to be trusted when they should be considered as REVOKED root certificates.

Expected results:

Firefox should consider local-computer Untrusted Root certificates as revoked and not blindly load as trusted those from
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates]
"ImportEnterpriseRoots"=dword:00000001

windows properly identifies the Root certificate as revoked.

Attached image avast_root_ca_4.png

Certificate Manager with the Avast Root certificate properly configured as revoked... but which Firefox considers as a trusted root.

Component: Untriaged → CA Certificate Compliance
Product: Firefox → NSS
Version: 67 Branch → other
Component: CA Certificate Compliance → Security: PSM
Product: NSS → Core
QA Contact: wthayer
Version: other → unspecified
QA Contact: wthayer

note: i missed a bit of a step there:

  • Discover that Avast still loads a Root Certificate in Firefox via Enterprise Policy in
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates\

  • export the certificate

  • open certificate manager, import it into the Untrusted certificates section for both current user and Local Computer. Verify that the certificate is seen as a REVOKED ROOT Certification Authority.

  • puzzled as to why Firefox still considers that enterprise policy certificate as valid even if Windows and other browsers (Edge / Internet Explorer / Chrome) see it as a properly revoked certificate.

Also note that by setting that enterprise policy Avast has forcefully enabled the entire Microsoft PKI, not just their antivirus scanner certificate, for all Firefox users that also happen to be users of Avast [Free] Antivirus.

(In reply to Adi from comment #4)

note: i missed a bit of a step there:

  • Discover that Avast still loads a Root Certificate in Firefox via Enterprise Policy in
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates\

What method does Avast use to load the root certificate? Does that registry key have an "ImportEnterpriseRoots" param or an "Install" param? Or both?

(In reply to Adi from comment #5)

Also note that by setting that enterprise policy Avast has forcefully enabled the entire Microsoft PKI, not just their antivirus scanner certificate, for all Firefox users that also happen to be users of Avast [Free] Antivirus.

What leads you to conclude this is the case?

Flags: needinfo?(bugzilla-mozilla-only-for-adi-20160420)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #6)

What method does Avast use to load the root certificate? Does that registry key have an "ImportEnterpriseRoots" param or an "Install" param? Or both?
Yes
I was running Avast Antivirus v19.4 until today and they had an install parameter with a single certificate.

After today's update, from Avast Free Antivirus v19.4 to v19.5 they have deleted that install parameter and have instead set the ImportEnterpriseRoots parameter.

What leads you to conclude this is the case?

Because ImportEnterpriseRoots tells Firefox to trust the entire Windows certificate store according to this description:
https://github.com/mozilla/policy-templates
quote: The ImportEnterpriseRoots key will cause Firefox to import from the system certificate store.
/quote

Flags: needinfo?(bugzilla-mozilla-only-for-adi-20160420)
Blocks: 1541927

note: i added this bug as blocking bug #1541927 (even if that is already closed) because of the ignored revocation status issue.
Maybe i should have marked this as a regression instead?

Also see
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/MN2FKV1boDo

This isn't a regression - Firefox never behaved the way you're wanting it to behave. Also this is unrelated to bug 1541927.

No longer blocks: 1541927

It is related. That thread is about AVG, but AVG and Avast are actually the same antivirus product.

AVG was purchased by Avast in 2016 and these days it's the same antivirus engine under the hood... only the external skin and branding logos differ.

https://blog.avast.com/avast-and-avg-become-one

(In reply to Adi from comment #7)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #6)

What method does Avast use to load the root certificate? Does that registry key have an "ImportEnterpriseRoots" param or an "Install" param? Or both?
Yes
I was running Avast Antivirus v19.4 until today and they had an install parameter with a single certificate.

After today's update, from Avast Free Antivirus v19.4 to v19.5 they have deleted that install parameter and have instead set the ImportEnterpriseRoots parameter.

If you make a new Firefox profile, do you still see the same behavior?

Flags: needinfo?(bugzilla-mozilla-only-for-adi-20160420)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #12)

If you make a new Firefox profile, do you still see the same behavior?

i don't have Avast installed anymore on either my PC or my laptop (changed to a different antivirus on both) and after uninstalling it i have purged that root certificate from my systems... but, when it was installed the same behaviour was happening on both my PC and my laptop. (using local Firefox profiles on each machine, not connected via Firefox Sync)

When it was installed, at one time i even deleted Firefox's cert.db and key.db from the Firefox profile, (actually named cert9.db and key9.db) and i even uninstalled almost ALL of Avast's scanning modules, i only kept the file shield scanner... After the reboot required by the program, the avast! Web/Mail Shield Root certificate still got inserted into Firefox, even if at that point, there should be no Avast modules that need it since i uninstalled them.

Flags: needinfo?(bugzilla-mozilla-only-for-adi-20160420)

I just tried out the combination of enabling the enterprise roots feature (i.e. import from the OS) with one of the certificates marked as distrusted, and Firefox didn't import it, so it looks like this can only happen when the certificate is listed as an install param in the enterprise policy. In short, one part of the registry is saying one thing and another part is saying another. I don't think it's Firefox's job to sort out which part is right, so I'm going to mark this as WONTFIX.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
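An added audit script, not code from the bug report, Mozilla or Avast, that ties the reporter's reproduction steps to the finding in the WONTFIX comment: it reads the Firefox Certificates policy key named above and reports any certificate pushed through the "Install" param (and, when ImportEnterpriseRoots is set, any Root/CA store entry) that Windows itself lists in the Untrusted (Disallowed) store. It assumes it runs on Windows with read access to HKLM and the certificate stores, and that "Install" is a subkey whose values are certificate file paths.

```powershell
# Added example (not from the bug, Mozilla or Avast). Assumptions: Windows host,
# read access to HKLM and to the LocalMachine/CurrentUser certificate stores,
# 'Install' is a subkey whose values are certificate file paths (only absolute
# paths are resolved here).
$policyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
# Thumbprint -> store name for everything Windows treats as untrusted/revoked
$distrusted = @{}
foreach ($scope in 'LocalMachine', 'CurrentUser') {
    Get-ChildItem "Cert:\$scope\Disallowed" -ErrorAction SilentlyContinue |
        ForEach-Object { $distrusted[$_.Thumbprint] = "$scope\Disallowed" }
}
if (-not (Test-Path $policyKey)) {
    Write-Host 'No Firefox Certificates policy key present; nothing to audit.'
    return
}
$props = Get-ItemProperty -Path $policyKey
Write-Host ('ImportEnterpriseRoots = {0}' -f [bool]$props.ImportEnterpriseRoots)
# The WONTFIX comment reports that certificates pushed via the 'Install' param
# are loaded regardless of the Untrusted store, so check each file explicitly.
$installKey = Get-Item -Path "$policyKey\Install" -ErrorAction SilentlyContinue
if ($installKey) {
    foreach ($name in $installKey.GetValueNames()) {
        $path = [string]$installKey.GetValue($name)
        if (-not ([System.IO.Path]::IsPathRooted($path) -and (Test-Path $path))) {
            Write-Host "Install[$name] = $path (relative or missing file; skipped)"
            continue
        }
        # X509Certificate2 loads both DER and PEM encoded certificate files
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
        if ($distrusted.ContainsKey($cert.Thumbprint)) {
            Write-Host "DISTRUSTED by $($distrusted[$cert.Thumbprint]) but installed: $($cert.Subject) [$($cert.Thumbprint)]"
        } else {
            Write-Host "Install[$name] = $($cert.Subject) [$($cert.Thumbprint)] (not in Untrusted store)"
        }
    }
}
# With ImportEnterpriseRoots set, also list Root/CA entries that sit in the
# Untrusted store too (the WONTFIX comment reports Firefox skips these).
if ([bool]$props.ImportEnterpriseRoots) {
    foreach ($scope in 'LocalMachine', 'CurrentUser') {
        foreach ($store in 'Root', 'CA') {
            Get-ChildItem "Cert:\$scope\$store" -ErrorAction SilentlyContinue |
                Where-Object { $distrusted.ContainsKey($_.Thumbprint) } |
                ForEach-Object { Write-Host "$scope\$store entry also in Untrusted: $($_.Subject)" }
        }
    }
}
```

Run it from an elevated PowerShell on a machine where the policy key exists; a "DISTRUSTED ... but installed" line is the exact condition the reporter describes.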

Oh well, WONTFIX it is then... this is my last comment on this topic:

Having Firefox ignore the presence of a root certificate in the Untrusted certificates section will make it harder to deploy rapid-response revocations company-wide when the administrator distributes that certificate via GPO policy.

This also breaks compatibility with the overall Windows PKI architecture where a certificate can be revoked by simply adding it to the Untrusted Certificates section.
Since the Untrusted section has priority over any of the other sections of the certificate store, a certificate can be present in multiple places in the certificate store, but if it is also present in the Untrusted section then Windows will consider it as revoked, no questions asked.

In some environments, this inability to recognize certificates revoked by the central system administrator via GPO + the certificate store will lead either to Firefox being removed from that system or to its use being seriously limited to less sensitive data only.

It could even be said that the current behaviour of ImportEnterpriseRoots breaks the Microsoft Root Certification Program requirements since it ignores that "panic button" mechanism that Microsoft has built in the OS:
(and yes, i know that Mozilla has different CA requirements than MS, but still... imho when ImportEnterpriseRoots is enabled then Microsoft's general requirements should also be considered)

https://aka.ms/RootCert

quote:
B. Microsoft's Rights in the Event of an Incident
In the event of a Security Incident, Microsoft may at its sole discretion, do any of the following:
1. In an Exceptional Circumstance, immediately revoke any certificate the CA or any sub-CA has enrolled in the Program, otherwise it may revoke any certificate after providing seven days' notice to the CA.
/quote
