Access to Websites from Russia and SSL Certificates.
Dear Mozilla Support,
I would like to ask about Firefox's plans regarding the recent changes affecting SSL/TLS certificates for websites hosted in Russia. As you may know, several international Certificate Authorities have announced that they will revoke or stop issuing trusted certificates for Russian domains. This may cause many legitimate websites to become inaccessible in browsers because their certificates are no longer trusted by the default root store.
I understand that Mozilla places a strong emphasis on web security and maintaining a trusted certificate ecosystem. However, I would like to know whether Mozilla has considered any technical solution or mitigation for users who may need to access these websites. For example:
- Is Mozilla planning to provide any workaround or optional feature that would allow users to continue accessing such websites safely?
- Will Firefox receive any updates or patches related to this situation?
- Is the current recommendation simply to manually install additional trusted root certificates, or is there another supported approach?
I am interested in understanding whether there are any official plans or recommendations for users affected by these certificate changes.
Thank you for your time and for your work on Firefox.
Kind regards, Mikhail M.
All Replies (1)
Mozilla is a founding member of ccadb.org and its trust roots www.mozilla.org/about/governance/policies/security-group/certs/policy (esp. see chapter 4. "Common CA Database") are bound by the programme inclusion, see wiki.mozilla.org/CA for the outline of Mozilla's CA Certificate Program and Mozilla Root Store Policy. This is basically what NSS ships with, the networking dependency that e.g. Firefox uses for relying on the published certificate bundle by default. The trusted roots have their own module activity, and the discussions can be followed and are archived at:
- Mozilla CA:
https://groups.google.com/a/mozilla.org/g/dev-security-policy
- Linux Software Foundation CCADB:
https://groups.google.com/a/ccadb.org/g/public
Mozilla is also the pioneer of Let's Encrypt isrg.org that issues trusted certificates to domains without any regional restriction per se — only by being a U.S. subject it has to abide by laws esp. on exporting cryptographic material: community.letsencrypt.org/t/certificates-for-us-sanctioned-countries/1223 — so subjects that are not on the sanctions list can still request certificates.
As for the organizations that won't be eligible to apply for such U.S.–based cryptographic content, I'm pretty sure there are still friendly regimes that have their own roots trusted (e.g. CNNIC or BJCA) so these can be the next provider of such services.
Hopefully it won't end up with similar attempts: "Certificate cannot be trusted" warning in Kazakhstan — that gives some insight into the course of action, i.e. what happens if a regime tries to mount its roots to effectively be able to MITM all the communications as a result.