Closed Bug 1659893 Opened 5 years ago Closed 8 months ago

Enterprise policy messaging should offer more details when it's specifically AV adding enterprise roots and nothing else

Categories: Firefox :: Enterprise Policies, defect, P3

Tracking: RESOLVED DUPLICATE of bug 1987180

People: Reporter: saschanaz, Unassigned

References: Depends on 1 open bug

There is a report that Firefox suddenly showed mysterious "Your browser is being managed by your organization" message in the Options page without saying which organization it is. about:policies showed "ImportEnterpriseRoots" and the security.enterprise_roots.enabled was locked and couldn't be disabled.

Bug 1533397 says it can be autoenabled for external antivirus products, but the lack of details can confuse users.

Dana, do you have details of how much of this is expected / whether we're experimenting with something or... something?

Component: Security → Security: PSM
Flags: needinfo?(dkeeler)
Product: Firefox → Core

(In reply to :Gijs (he/him) from comment #1)

> Dana, do you have details of how much of this is expected / whether we're experimenting with something or... something?

Or Mike... maybe some AV is using policy to force enterprise roots being imported?

:saschanaz, do you know what (if any) AV the user is using?

Flags: needinfo?(mozilla)

They said they were using TotalAV.

Yes, AV does this. We told them to use this method because before they were manipulating user preferences in the profile directory and this was more visible.

If they uninstall the AV, it will go away.

Flags: needinfo?(mozilla)

Looks like AV. I don't think we're running an experiment with this and we wouldn't be using the policy to do it (so that text wouldn't show up).

Flags: needinfo?(dkeeler)

(In reply to Mike Kaply [:mkaply] from comment #4)

> Yes, AV does this. We told them to use this method because before they were manipulating user preferences in the profile directory and this was more visible.
>
> If they uninstall the AV, it will go away.

Do we need better messaging around this and was that considered when we told AV to do this? Do we know how many users are impacted?

Component: Security: PSM → Enterprise Policies
Flags: needinfo?(mozilla)
Product: Core → Firefox

> Do we need better messaging around this and was that considered when we told AV to do this? Do we know how many users are impacted?

Romain was involved in the original communication I think. I'll bring him in.

This was done quite a while ago (years), and it has only come up a couple times since then, so I'm not sure we need to message now.

Based on telemetry, there are a lot of people that have this flipped (looking at folks that only have one policy set). We believe those are all AV. Romain has the actual number.

Flags: needinfo?(mozilla) → needinfo?(rtestard)

We ended up recommending AVs enable enterprise roots through policy, given that AVs used to try to manage addition of their own certs into the cert store themselves, leading to several breakages in the past (this is to support MITMing of traffic, a feature of their products).
This data shows the share of Win8+ users on July 1st having policies enabled, per AV: https://sql.telemetry.mozilla.org/queries/74111/source#185314

You'll notice the following:

  • WebRoot, AVG and Avast all have a high share of users with 1 policy enabled, hinting towards these enabling enterprise roots by default. We know Avast does it. Note that many users run older versions of AVs that may not have the patch to enable enterprise roots.
  • TotalAV has about 10% with 1 policy enabled; it may be that they recently started doing it. QA should be able to confirm this?

Overall, Avast and AVG are where the volumes are, and we're talking several millions of DAU, so something significant.
I have not seen many complaints (any?) around this, but perhaps something simpler than creating a new policy just for AVs could be to customize the message in the case of (1) being on release and (2) having only the enterprise roots policy enabled to something like "A third party software (likely to be your antivirus) customized your Firefox experience on your behalf"?

Flags: needinfo?(rtestard)

> customize the message in the case of (1) being on release and (2) having only enterprise roots policy enabled to something like "A third party software (likely to be your antivirus) customized your Firefox experience on your behalf" ?

I like that idea in the short term. I think longer term, it might be worth giving AVs a custom registry entry outside of policy.

Summary: Sudden enabling of Enterprise Roots without details → Enterprise policy messaging should offer more details when it's specifically AV adding enterprise roots and nothing else
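The condition proposed in the comments above, "only the enterprise roots policy enabled", is something an administrator or incident responder can check for themselves when the "managed by your organization" banner appears on a machine that is not supposed to be managed. The following is an added example written for this thread, not code from this bug or from Firefox: it reads a policies.json document (the file-based policy format, with the policies under a top-level "policies" key) or, on Windows, walks the HKLM and HKCU SOFTWARE\Policies\Mozilla\Firefox registry keys, and reports whether the only active policy is Certificates/ImportEnterpriseRoots, which is the footprint the AV products discussed here leave. The function names, labels and the sample inputs are constructed for the example.

```python
"""Tell an "only ImportEnterpriseRoots" policy footprint apart from a real
enterprise deployment. Added example for this bug thread; not Firefox code.

Input is the nested dict under the top-level "policies" key of a
policies.json file, or the equivalent tree read from the Windows registry
(HKLM/HKCU\\SOFTWARE\\Policies\\Mozilla\\Firefox), where ImportEnterpriseRoots
is a DWORD 1 rather than JSON true.
"""
import json
import sys

# Classification labels (names chosen for this example).
UNMANAGED = "unmanaged"                          # no policy at all
ENTERPRISE_ROOTS_ONLY = "enterprise-roots-only"  # the AV footprint discussed in the bug
MANAGED = "managed"                              # anything else: a real policy deployment


def classify_policies(policies):
    """Return one of the labels above for a policies dict."""
    if not policies:
        return UNMANAGED
    if set(policies) == {"Certificates"}:
        certs = policies["Certificates"]
        # JSON `true` and registry DWORD 1 both compare equal to 1 here;
        # any extra key under Certificates (e.g. an Install list) means MANAGED.
        if (isinstance(certs, dict) and set(certs) == {"ImportEnterpriseRoots"}
                and certs["ImportEnterpriseRoots"] == 1):
            return ENTERPRISE_ROOTS_ONLY
    return MANAGED


def classify_policies_json(text):
    """Classify the contents of a policies.json file."""
    doc = json.loads(text)
    return classify_policies(doc.get("policies") or {})


def _walk_registry_key(winreg, key):
    """Recursively turn a registry key into a nested dict of values and subkeys."""
    tree = {}
    index = 0
    while True:
        try:
            name, data, _kind = winreg.EnumValue(key, index)
        except OSError:          # no more values
            break
        tree[name] = data
        index += 1
    index = 0
    while True:
        try:
            sub = winreg.EnumKey(key, index)
        except OSError:          # no more subkeys
            break
        with winreg.OpenKey(key, sub) as subkey:
            tree[sub] = _walk_registry_key(winreg, subkey)
        index += 1
    return tree


def read_windows_registry_policies():
    """Merge the machine and user Firefox policy keys (Windows only)."""
    import winreg  # standard library, present only on Windows
    merged = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, r"SOFTWARE\Policies\Mozilla\Firefox") as key:
                merged.update(_walk_registry_key(winreg, key))
        except OSError:          # key absent in this hive
            continue
    return merged


# Constructed sample inputs (not captured from any real machine).
SAMPLE_AV_ONLY = '{"policies": {"Certificates": {"ImportEnterpriseRoots": true}}}'
SAMPLE_MANAGED = ('{"policies": {"Certificates": {"ImportEnterpriseRoots": true},'
                  ' "DisableTelemetry": true}}')


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # path to a policies.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(classify_policies_json(fh.read()))
    elif sys.platform == "win32":               # live registry on Windows
        print(classify_policies(read_windows_registry_policies()))
    else:
        for label, sample in (("av-only", SAMPLE_AV_ONLY), ("managed", SAMPLE_MANAGED)):
            print(label, "->", classify_policies_json(sample))
```

The result of "enterprise-roots-only" corresponds to what about:policies shows in the report at the top of this bug (a single ImportEnterpriseRoots entry and a locked security.enterprise_roots.enabled); anything else under the policy key means a real deployment, and the banner text is then accurate as it stands.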

(In reply to Mike Kaply [:mkaply] from comment #9)

> customize the message in the case of (1) being on release and (2) having only enterprise roots policy enabled to something like "A third party software (likely to be your antivirus) customized your Firefox experience on your behalf" ?
>
> I like that idea in the short term. I think longer term, it might be worth giving AVs a custom registry entry outside of policy.

Let's use this bug for the messaging.

Severity: -- → S3
Priority: -- → P3

Now that ImportEnterpriseRoots is the default, I'm just going to make this policy a no-op if it is by itself (it won't even enable the policy engine).

Status: NEW → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1987180
Resolution: --- → DUPLICATE