
Support forum

In my opinion, a critical security issue

Posted

I'm using FF 72.0.2 64-bit and I have Avast installed (the issue is related to Firefox, not just Avast).

1) Firefox brand new installation (English language)
2) "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla" deleted in regedit
3) in "about:config" I have "security.enterprise_roots.enabled"=false and "security.certerrors.mitm.auto_enable_enterprise_roots"=false
4) in "Certificate Manager" I have deleted the "Avast Web/Mail Shield Root" certificate
5) I didn't have any active plug-in (only the OpenH264 codec is listed and it is disabled), I have no extensions installed, privacy setting set to strict, private browsing mode, all permissions disabled, "prevent accessibility services from accessing your browser" checked, "Deceptive Content and Dangerous Software Protection" blocked and certificates set to "Ask you every time"
6) "Connection settings" set to "No proxy"
7) NO active policy listed in "about:policies" ("about:policies#active" is empty) and NO "Your browser is being managed by your organization" message is shown

Why, if I enable "Enable HTTPS scanning" inside Avast Web Shield and go to https://2016.eicar.org/85-0-Download.html trying to download "eicar.com" over SSL, is this test virus detected by Avast BEFORE (!) downloading? I was expecting that, at most, Firefox would not be able to surf the web if no direct HTTPS connection is allowed by Avast. Why does Firefox allow a MITM connection (even though the Avast certificate has been deleted, even though there isn't any active policy listed in "about:policies#active"), and why am I not able to avoid this behaviour?

Moreover, once I restart the PC, security.enterprise_roots.enabled is forced to True (locked), "Avast Web/Mail Shield Root" reinstalled inside "Certificate Manager" and "Your browser is being managed by your organization" message is back.

Why can't the user have full control of Firefox? In my opinion, this is a critical security issue. I mean, how can external software so easily take full control of Firefox? Additionally, using this approach a MITM attack can be done quite easily by an organization that has an active certificate, without the user even knowing it (I repeat, "about:policies#active" was empty). Tested on Windows 10 and Windows 7.

Thank you


Additional system details

Installed plugins

No

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0

Additional information
jscher2000
  • Top 10 Contributor
8950 solutions 73362 replies

Helpful reply

Starting in Firefox 68, to address user frustration with the complexity of configuring security software, a workaround was added for MITMs. You can disable the automatic workaround. The steps are in this article:

How to disable the Enterprise Roots preference

If those two preference changes do not resolve the issue, you could check for either an autoconfig file or a policies.json file forcing the enterprise cert preference.

  • Customizing Firefox Using AutoConfig
  • Customizing Firefox Using policies.json
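As an added example (not code from this thread or from Mozilla), the Python script below audits a Firefox install directory and profile for the file-based vectors the reply above points at, which can set or lock security.enterprise_roots.enabled without anything appearing in about:policies#active: distribution/policies.json (the Certificates.ImportEnterpriseRoots policy, or a Preferences policy naming the pref), an AutoConfig .cfg file reached through defaults/pref/*.js and general.config.filename, and the profile's user.js/prefs.js. The Windows registry key HKLM\SOFTWARE\Policies\Mozilla\Firefox is a further vector that the script only mentions, so it runs on any OS. The directory names and policy names are Mozilla's real ones; the function names and the sample files it builds in a temp directory are assumptions, constructed to reproduce the symptom in the thread: an empty policies.json, while a lockPref() in an AutoConfig file silently beats the user's own user_pref().

```python
"""Audit a Firefox install + profile for settings that (re)enable the
enterprise-roots MITM workaround. Added example, not Mozilla's code.

Vectors checked:
  1. <install>/distribution/policies.json
  2. AutoConfig: <install>/defaults/pref/*.js -> general.config.filename -> <install>/<name>.cfg
  3. <profile>/user.js and prefs.js
Not read here (Windows only): HKLM\\SOFTWARE\\Policies\\Mozilla\\Firefox registry policies.
"""
import json
import re
import tempfile
from pathlib import Path

WATCHED_PREFS = {
    "security.enterprise_roots.enabled",
    "security.certerrors.mitm.auto_enable_enterprise_roots",
}
# Matches pref("name", value); lockPref(...); defaultPref(...); user_pref(...);
PREF_LINE = re.compile(
    r'^\s*(pref|lockPref|defaultPref|user_pref)\(\s*"([^"]+)"\s*,\s*([^)]+?)\s*\)\s*;')


def scan_pref_file(path):
    """Return (call, pref_name, value) for every watched pref in a prefs-style JS file."""
    hits = []
    for line in Path(path).read_text(encoding="utf-8", errors="replace").splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(2) in WATCHED_PREFS:
            hits.append((m.group(1), m.group(2), m.group(3).strip()))
    return hits


def find_autoconfig_files(install_dir):
    """Follow defaults/pref/*.js -> general.config.filename -> <install>/<name>.cfg."""
    install_dir = Path(install_dir)
    cfgs = []
    for js in sorted((install_dir / "defaults" / "pref").glob("*.js")):
        for line in js.read_text(encoding="utf-8", errors="replace").splitlines():
            m = PREF_LINE.match(line)
            if m and m.group(2) == "general.config.filename":
                cfgs.append(install_dir / m.group(3).strip().strip('"'))
    return cfgs


def audit(install_dir, profile_dir):
    """Return (where, what, value) findings; an empty list means none of the file vectors is set."""
    findings = []
    pol = Path(install_dir) / "distribution" / "policies.json"
    if pol.is_file():
        policies = json.loads(pol.read_text(encoding="utf-8")).get("policies", {})
        if policies.get("Certificates", {}).get("ImportEnterpriseRoots") is True:
            findings.append(("policies.json", "Certificates.ImportEnterpriseRoots", "true"))
        for name, spec in policies.get("Preferences", {}).items():
            if name in WATCHED_PREFS:
                value = spec.get("Value") if isinstance(spec, dict) else spec
                findings.append(("policies.json", name, str(value).lower()))
    for cfg in find_autoconfig_files(install_dir):
        if cfg.is_file():  # lockPref() here overrides and greys out about:config
            for call, name, value in scan_pref_file(cfg):
                findings.append((f"autoconfig:{cfg.name}", f"{call} {name}", value))
    for fname in ("user.js", "prefs.js"):
        p = Path(profile_dir) / fname
        if p.is_file():
            for _call, name, value in scan_pref_file(p):
                findings.append((fname, name, value))
    return findings


def demo():
    """Build a constructed install/profile tree mimicking the thread's symptom and audit it."""
    root = Path(tempfile.mkdtemp())
    install, profile = root / "Firefox", root / "profile"
    (install / "distribution").mkdir(parents=True)
    (install / "defaults" / "pref").mkdir(parents=True)
    profile.mkdir()
    # Vector 1: an empty policies.json, so about:policies#active shows nothing.
    (install / "distribution" / "policies.json").write_text('{"policies": {}}')
    # Vector 2: AutoConfig. Firefox ignores the first line of the .cfg file.
    (install / "defaults" / "pref" / "autoconfig.js").write_text(
        'pref("general.config.filename", "mozilla.cfg");\n'
        'pref("general.config.obscure_value", 0);\n')
    (install / "mozilla.cfg").write_text(
        '// first line is skipped by Firefox\n'
        'lockPref("security.enterprise_roots.enabled", true);\n')
    # Vector 3: the user's own override, which the lockPref above silently wins against.
    (profile / "user.js").write_text(
        'user_pref("security.enterprise_roots.enabled", false);\n')
    return audit(install, profile)


if __name__ == "__main__":
    for where, what, value in demo():
        print(f"{where:<24} {what:<55} = {value}")
```

Run it against a real install by calling audit() with the Firefox program directory (for example C:\Program Files\Mozilla Firefox) and the profile directory from about:support; any "autoconfig:" finding explains a locked pref that about:policies does not list, because AutoConfig is not a policy.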
cor-el
  • Top 10 Contributor
  • Moderator
17851 solutions 161562 replies

It is likely that your security software uses GPO rules to enforce adding its root certificate to Firefox if you enable HTTPS scanning. It is not Firefox's fault if you have (security) software that (mis)uses GPO rules in the Windows Registry to configure Firefox. If you do not trust this software then you need to look for other security software or keep this feature disabled.

  • https://support.mozilla.org/en-US/kb/error-codes-secure-websites

Question owner

@jscher2000: thank you for your answer. https://support.mozilla.org/en-US/kb/how-disable-enterprise-roots-preference was part of the solution I tried and described in the first post. Unfortunately, not only does it not work, but as soon as I restart the PC, all changes are ignored and the previous values restored. I also tried using AutoConfig and policies.json, so far without luck (the "eicar.com" test virus is always detected by Avast before downloading it over SSL).

@cor-el: yes, in my opinion it is Firefox's fault to allow external software to misuse GPO rules WITHOUT notifying the user ("about:policies#active" empty, and I repeat I also deleted the Avast certificate), or without letting the user choose whether external software can use GPO rules. I made this test NOT because I want to go on using Avast (after https://www.cnet.com/news/antivirus-firm-avast-is-reportedly-selling-users-web-browsing-data/ I personally no longer trust this company, although at least in my case I had taken steps to disable personal data sharing). I was trying to understand how it is possible that external software can change some key configurations in Firefox and allow MITM without the user knowing.

Modified by giotangi
Matthew Thomas
  • Top 25 Contributor
13 solutions 90 replies

Hi giotangi,

Yes it's annoying, but look at the flip side. If you're an IT admin and you want to install a root CA, then you don't really want Firefox to warn all your users about it. First, because it will confuse them. And more importantly, because telling them to ignore the warning is dangerous as it teaches your staff to ignore security warnings. This warning fatigue is a real security issue in and of itself.

As power users, we empathize with your position. However, we have to make systems that work well for everyone. That is hard.

jscher2000
  • Top 10 Contributor
8950 solutions 73362 replies

giotangi said

...as soon as I restart the pc, all changes are ignored and previous values restored. I tried also using AutoConfig and policies.json, anyway until now without luck...

It sounds as though Avast is overwriting your Autoconfig file with its own instructions at startup.


Question owner

@Matthew Thomas: in some ways I could agree with your point of view, but in general I think that the security issues of such an approach outweigh the advantages it can give in some specific cases. Obviously it's just my point of view. It would be enough to give the user the possibility to choose (even keeping the current behaviour as the default) through a checkbox somewhere (for example in about:policies) or through an entry in about:config (that obviously cannot be overwritten from outside/regedit). Sorry, but such an approach seems to me the easiest way to do mass surveillance: ads, behaviour statistics, NSA and similar. Well, just joking, but not so far from what an antivirus or similar third-party software could actually do without the user even knowing it (for example "about:policies#active" was empty). I speak as a fan of Firefox, not to denigrate it.

@jscher2000: yes, it seems so in fact.

crankygoat
  • Top 10 Contributor
40 solutions 471 replies

Firefox can't disallow anything which your operating system allows, especially to a program (or the OS) which has SYSTEM privilege level, which is something AVs rather tend to have. (An AV operates entirely by being a MITM in your OS, with system-level drivers and hooks.)


Question owner

I wasn't speaking about this. I said that the user must be notified (at a certain point, after the regedit modification, I wasn't) and that I don't understand why there is no way to force Firefox not to go through Avast, for example by uninstalling the Avast certificate (apparently it is deleted but in fact it is used).

Matthew Thomas
  • Top 25 Contributor
13 solutions 90 replies

giotangi said

I wasn't speaking about this. I said that the user must be notified (at a certain point, after the regedit modification, I wasn't) and that I don't understand why there is no way to force Firefox not to go through Avast, for example by uninstalling the Avast certificate (apparently it is deleted but in fact it is used).

It's all related though. With the system access that Avast has, it could just replace Firefox with a keylogging version that contains no warnings.[1] From a "bad-actor" security perspective, such a warning doesn't really add to your security. It is, however, mildly annoying.

Basically, as crankygoat implied, there is nothing Firefox can do about a bad actor with system access.

Additionally Windows does not notify you about registry edits. Firefox does not do this either because it is a browser -- not a registry monitoring utility, anti-virus, or security suite.

[1] One of my friends actually had such an issue with a fake build of Chromium disguised as Chrome.
