Does Firefox reset all the root certificates and root certificate settings whenever an upgrade is installed?


All Replies (6)


No, an update doesn't reset any of the user settings. They are stored in the profile.

Root certificates are stored in the file nssckbi.dll and if you've disabled built-in root certificates then it is possible that they get re-enabled. There is however no reason to disable any of the built-in root certificates.

Tools > Options > Advanced > Encryption: Certificates > View Certificates : Authorities


You say there's "no reason to disable any of the built in root certificates." Why? Please provide your reasons for this. I'd like to learn.

I disabled (but did not delete) root certificates from countries such as China, Turkey, Russia, etc. My understanding is that governments from those kinds of totalitarian countries can compel certificate authorities (CAs) to issue bogus certificates for legitimate websites. I don't know the process that Firefox uses to validate those certificate authorities, therefore I can't really trust them. I became aware of this issue after listening to episode #243 of the Security Now podcast. http://www.grc.com/securitynow.htm And if my browsing is not affected by disabling these CAs, then I prefer to disable them. I'm not an expert on this stuff by any means, so if someone has thoughts and feedback on this issue, please share them. I'd love to benefit from those who know more about this than me. Thanks.

Related to this, I would like to see a plug-in for Firefox that would make it easier to disable root certificates, and to automatically display the country that issues the certificate. That way others (like me) who are concerned about possible bogus certificates from totalitarian countries can identify and disable them easily.

The only way to delete root certificates would be to compile your own version of the file that stores them (nssckbi.dll).

See https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/README

I don't want to delete root certificates; just disable them. I went through the list of root certs in my Firefox and disabled all the ones from questionable countries like China and Russia. By "disable" I mean I just unchecked all the "trust settings".
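
One way to check the question this thread asks, as an added example that is not part of the original thread: save the output of NSS's `certutil -L -d <profile directory>` before and after an upgrade and compare the trust flags per certificate. The nicknames and both listings below are constructed, and the two-column layout the parser expects is an assumption about that tool's output.

```python
import re

# A row is: nickname, two or more spaces, then three comma-separated trust fields.
ROW = re.compile(r"^(?P<nick>.*\S)\s{2,}(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

# Constructed sample listings (hypothetical nicknames), not real certutil output.
BEFORE = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Example Root CA A                            C,C,C
Example Root CA B                            ,,
Example Root CA C                            ,,
"""
AFTER = """\
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI

Example Root CA A                            C,C,C
Example Root CA B                            C,C,C
Example Root CA C                            ,,
Example Root CA D                            CT,C,C
"""

def parse_listing(text):
    """Map nickname -> trust flag string; header and blank lines do not match ROW."""
    trust = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            trust[m.group("nick")] = m.group("flags")
    return trust

def trust_changes(before, after):
    """Sorted (nickname, old, new) for every entry whose flags differ; None means absent."""
    old, new = parse_listing(before), parse_listing(after)
    return [(n, old.get(n), new.get(n))
            for n in sorted(set(old) | set(new))
            if old.get(n) != new.get(n)]

def regained_trust(before, after):
    """Entries with no trust letters before the upgrade and some afterwards."""
    return [n for n, o, w in trust_changes(before, after)
            if o is not None and w is not None and not o.strip(",") and w.strip(",")]

if __name__ == "__main__":
    for nick, old, new in trust_changes(BEFORE, AFTER):
        print(f"{nick}: {old!r} -> {new!r}")
```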