{"id":2450,"date":"2019-07-01T10:07:55","date_gmt":"2019-07-01T17:07:55","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2450"},"modified":"2019-07-01T10:07:55","modified_gmt":"2019-07-01T17:07:55","slug":"fixing-antivirus-errors","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/","title":{"rendered":"Fixing Antivirus Errors"},"content":{"rendered":"<p>After the release of Firefox 65 in December, we detected a significant increase in a certain <a href=\"https:\/\/support.mozilla.org\/en-US\/kb\/error-codes-secure-websites\">type of TLS error<\/a> that is often triggered by the interaction of antivirus software with the browser. Today, we are announcing the results of our work to eliminate most of these issues, and explaining how we have done so without compromising security.<\/p>\n<p>On Windows, about 60% of Firefox users run antivirus software and most of them have HTTPS scanning features enabled by default. Moreover, CloudFlare <a href=\"https:\/\/malcolm.cloudflare.com\/\">publishes statistics<\/a> showing that a significant portion of TLS browser traffic is intercepted. In order to inspect the contents of encrypted HTTPS connections to websites, the antivirus software intercepts the data before it reaches the browser. <a href=\"https:\/\/en.wikipedia.org\/wiki\/Transport_Layer_Security\">TLS<\/a> is designed to prevent this through the use of certificates issued by trusted <a href=\"https:\/\/en.wikipedia.org\/wiki\/Certificate_authority\">Certificate Authorities (CAs)<\/a>. Because of this, Firefox will display an error when TLS connections are intercepted unless the antivirus software anticipates this problem.<\/p>\n<p>Firefox is different than a number of other browsers in that we <a href=\"https:\/\/wiki.mozilla.org\/CA\/Included_CAs\">maintain our own list of trusted CAs, called a root store<\/a>. In the past we\u2019ve <a href=\"https:\/\/blog.mozilla.org\/security\/2019\/02\/14\/why-does-mozilla-maintain-our-own-root-certificate-store\/\">explained how this improves Firefox security<\/a>. Other browsers often choose to rely on the root store provided by the operating system (OS) (e.g. Windows). This means that antivirus software has to properly reconfigure Firefox in addition to the OS, and if that fails for some reason, Firefox won\u2019t be able to connect to any websites over HTTPS, even when other browsers on the same computer can.<\/p>\n<p>The interception of TLS connections has historically been referred to as a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Man-in-the-middle_attack\">\u201cman-in-the-middle\u201d<\/a>, or MITM. We\u2019ve developed a mechanism to detect when a Firefox error is caused by a MITM. We also have a mechanism in place that often fixes the problems. The <a href=\"https:\/\/support.mozilla.org\/en-US\/kb\/setting-certificate-authorities-firefox\">\u201centerprise roots\u201d preference<\/a>, when enabled, causes Firefox to import any root CAs that have been added to the OS by the user, an administrator, or a program that has been installed on the computer. This option is available on Windows and MacOS.<\/p>\n<p>We considered adding a \u201cFix it\u201d button to MITM error pages (see example below) that would allow users to easily enable the \u201centerprise roots\u201d preference when the error is displayed. However, we realized that this was something we want users to do rather than an \u201coverride\u201d button that allows a user to bypass an error at their own risk.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-large wp-image-2451\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error-600x444.png\" alt=\"\" width=\"600\" height=\"444\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error-600x444.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error-252x187.png 252w, https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error-768x569.png 768w, https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error.png 1334w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a>Example of a MitM Error Page in Firefox<\/p>\n<p>Beginning with Firefox 68, whenever a MITM error is detected, Firefox will automatically turn on the \u201centerprise roots\u201d preference and retry the connection. If it fixes the problem, then the \u201centerprise roots\u201d preference will remain enabled (unless the user manually sets the \u201csecurity.enterprise_roots.enabled\u201d preference to false). We\u2019ve tested this change to ensure that it doesn\u2019t create new problems. We are also recommending as a best practice that antivirus vendors enable this preference (by modifying prefs.js) instead of adding their root CA to the Firefox root store. We believe that these actions combined will greatly reduce the issues encountered by Firefox users.<\/p>\n<p>In addition, in <a href=\"https:\/\/www.mozilla.org\/en-US\/firefox\/organizations\/\">Firefox ESR<\/a> 68, the \u201centerprise roots\u201d preference will be enabled by default. Because extended support releases are often used in enterprise settings where there is a need for Firefox to recognize the organization\u2019s own internal CA, this change will streamline the process of deploying Firefox for administrators.<\/p>\n<p>Finally, we\u2019ve added an indicator that allows the user to determine when a website is relying on an imported root CA certificate. This notification is on the site information panel accessed by clicking the lock icon in the URL bar.<\/p>\n<p>It might cause some concern for Firefox to automatically trust CAs that haven\u2019t been audited and gone through the rigorous <a href=\"https:\/\/wiki.mozilla.org\/CA\/Application_Process\">Mozilla process<\/a>. However, any user or program that has the ability to add a CA to the OS almost certainly also has the ability to add that same CA directly to the Firefox root store. Also, because we only import CAs that are not included with the OS, Mozilla maintains our ability to set and enforce the highest standards in the industry on publicly-trusted CAs that Firefox supports by default. In short, the changes we\u2019re making meet the goal of making Firefox easier to use without sacrificing security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After the release of Firefox 65 in December, we detected a significant increase in a certain type of TLS error that is often triggered by the interaction of antivirus software &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/\">Read more<\/a><\/p>\n","protected":false},"author":1574,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[45499],"coauthors":[320076],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Fixing Antivirus Errors - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Wayne Thayer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/\",\"name\":\"Fixing Antivirus Errors - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error-600x444.png\",\"datePublished\":\"2019-07-01T17:07:55+00:00\",\"dateModified\":\"2019-07-01T17:07:55+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error.png\",\"width\":1334,\"height\":988},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fixing Antivirus Errors\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a\",\"name\":\"Wayne Thayer\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/9d66cb7b8ff76e006a6f0af6fa7d949a\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g\",\"caption\":\"Wayne Thayer\"},\"sameAs\":[\"https:\/\/x.com\/wthayer\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fixing Antivirus Errors - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/","twitter_misc":{"Written by":"Wayne Thayer","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/","url":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/","name":"Fixing Antivirus Errors - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error-600x444.png","datePublished":"2019-07-01T17:07:55+00:00","dateModified":"2019-07-01T17:07:55+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error.png","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2019\/07\/av-error.png","width":1334,"height":988},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2019\/07\/01\/fixing-antivirus-errors\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Fixing Antivirus Errors"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/e9d30f6a04fd425b92ce414efb490f7a","name":"Wayne Thayer","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/9d66cb7b8ff76e006a6f0af6fa7d949a","url":"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2bd1ca829153b238eca5f4da201857f9?s=96&d=identicon&r=g","caption":"Wayne Thayer"},"sameAs":["https:\/\/x.com\/wthayer"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2450"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/1574"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2450"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2450\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2450"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}