Does Firefox reset all the root certificates and root certificate settings whenever an upgrade is installed?
All Replies (6)
No, an update doesn't reset any of the user settings. They are stored in the profile.
Root certificates are stored in the file nssckbi.dll and if you've disabled built-in root certificates then it is possible that they get re-enabled. There is however no reason to disable any of the built-in root certificates.
Tools > Options > Advanced > Encryption: Certificates > View Certificates : Authorities
You say there's "no reason to disable any of the built in root certificates." Why? Please provide your reasons for this. I'd like to learn.
I disabled (but did not delete) root certificates from countries such as China, Turkey, Russia, etc. My understanding is that governments from those kinds of totalitarian countries can compel certificate authorities (CAs) to issue bogus certificates for legitimate websites. I don't know the process that Firefox uses to validate those certificate authorities, therefore I can't really trust them. I became aware of this issue after listening to episode #243 of the Security Now podcast. http://www.grc.com/securitynow.htm And if my browsing is not affected by disabling these CAs, then I prefer to disable them. I'm not an expert on this stuff by any means, so if someone has thoughts and feedback on this issue, please share them. I'd love to benefit from those who know more about this than me. Thanks.
Related to this, I would like to see a plug-in for Firefox that would make it easier to disable root certificates, and to automatically display the country that issues the certificate. That way others (like me) who are concerned about possible bogus certificates from totalitarian countries can identify and disable them easily.
The only way to delete root certificates would be to compile your own version of the file that stores them (nssckbi.dll).
See https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/README
I don't want to delete root certificates; just disable them. I went through the list of root certs in my Firefox and disabled all the ones from questionable countries like China and Russia. By "disable" I mean I just unchecked all the "trust settings".
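
Added example (not from any poster in this thread, and not Mozilla code): one way to check whether an upgrade re-enabled a root you had unchecked is to save a trust listing of the profile before and after the update and compare the two. The sketch assumes the listings have the layout printed by NSS `certutil -L -d <profile directory>` (nickname, then `SSL,S/MIME,JAR/XPI` trust flags); the nicknames and both listings below are constructed samples.

```python
import re

# A listing row: nickname, whitespace, three comma-separated trust-flag fields.
ROW = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

# Constructed sample listings (hypothetical nicknames), before and after an update.
BEFORE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA One                                          CT,C,C
Example Root CA Two                                          ,,
Example Root CA Four                                         c,,
"""
AFTER = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA One                                          CT,C,C
Example Root CA Two                                          C,C,C
Example Root CA Three                                        C,,
Example Root CA Four                                         c,,
"""

def parse_listing(text):
    """Map nickname -> (ssl, email, code_signing) flag strings; header lines do not match."""
    trust = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            trust[m.group("nick").strip()] = tuple(m.group("flags").split(","))
    return trust

def is_trusted_ca(flags):
    # Uppercase C / T mark a trusted CA; lowercase c is only "valid CA", not trusted.
    return any("C" in f or "T" in f for f in flags)

def reenabled(before, after):
    """Roots that carried no CA trust before the update but are trusted after it."""
    b, a = parse_listing(before), parse_listing(after)
    return sorted(n for n, f in a.items()
                  if n in b and not is_trusted_ca(b[n]) and is_trusted_ca(f))

def newly_added(before, after):
    """Trusted roots present only in the later listing, i.e. never reviewed."""
    b, a = parse_listing(before), parse_listing(after)
    return sorted(n for n, f in a.items() if n not in b and is_trusted_ca(f))

if __name__ == "__main__":
    print("re-enabled:", reenabled(BEFORE, AFTER))
    print("new trusted roots:", newly_added(BEFORE, AFTER))
```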