{"id":2636,"date":"2020-11-13T14:53:20","date_gmt":"2020-11-13T22:53:20","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=2636"},"modified":"2020-11-13T14:53:20","modified_gmt":"2020-11-13T22:53:20","slug":"preloading-intermediate-ca-certificates-into-firefox","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/","title":{"rendered":"Preloading Intermediate CA Certificates into Firefox"},"content":{"rendered":"<p>Throughout 2020, Firefox users have been seeing fewer secure connection errors while browsing the Web. We\u2019ve been improving connection errors overall for some time, and a new feature called Intermediate Certificate Authority (CA) Preloading is our latest innovation. This technique reduces connection errors that users encounter when web servers forget to properly configure their TLS security.<\/p>\n<p>In essence, Firefox pre-downloads all trusted Web Public Key Infrastructure (PKI) intermediate CA certificates into Firefox via Mozilla\u2019s <a href=\"https:\/\/wiki.mozilla.org\/Firefox\/RemoteSettings\">Remote Settings<\/a> infrastructure. This way, Firefox users avoid seeing an error page for one of the most common server configuration problems: not specifying proper intermediate CA certificates.<\/p>\n<p>For Intermediate CA Preloading to work, we need to be able to enumerate every intermediate CA certificate that is part of the trusted Web PKI. As a result of Mozilla\u2019s leadership in the CA community, each CA in Mozilla\u2019s Root Store Policy is required to disclose these intermediate CA certificates to the multi-browser <a href=\"https:\/\/www.ccadb.org\/\">Common CA Database (CCADB)<\/a>. Consequently, all of the relevant intermediate CA certificates are available via the CCADB <a href=\"https:\/\/www.ccadb.org\/resources\">reporting mechanisms<\/a>. 
Given this information, we periodically synthesize a list of these intermediate CA certificates and place them into Remote Settings. Currently the list contains over two thousand entries.<\/p>\n<p>When Firefox receives the list for the first time (or later receives updates to the list), it enumerates the entries in batches and downloads the corresponding intermediate CA certificates in the background. The list changes slowly, so once a copy of Firefox has completed the initial downloads, it\u2019s easy to keep it up-to-date. The list can be examined directly using your favorite JSON tooling at this URL: <a href=\"https:\/\/firefox.settings.services.mozilla.com\/v1\/buckets\/security-state\/collections\/intermediates\/records\">https:\/\/firefox.settings.services.mozilla.com\/v1\/buckets\/security-state\/collections\/intermediates\/records<\/a><\/p>\n<p>For details on processing the records, see the <a href=\"https:\/\/github.com\/Kinto\/kinto-attachment\/\">Kinto Attachment<\/a> plugin for Kinto, used by Firefox Remote Settings.<\/p>\n<p>Certificates provided via Intermediate CA Preloading are added to a local cache and are not imbued with trust. 
Trust is still derived from the standard Web PKI algorithms.<\/p>\n<p>Our collected telemetry confirms that enabling Intermediate CA Preloading in Firefox 68 has led to a decrease in unknown issuer errors in the TLS handshake.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-2638 size-large\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2020\/11\/intermediate-preloading-graph-600x468.png\" alt=\"unknown issuer errors declining after Firefox Beta 68\" width=\"600\" height=\"468\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2020\/11\/intermediate-preloading-graph-600x468.png 600w, https:\/\/blog.mozilla.org\/security\/files\/2020\/11\/intermediate-preloading-graph-300x234.png 300w, https:\/\/blog.mozilla.org\/security\/files\/2020\/11\/intermediate-preloading-graph-768x599.png 768w, https:\/\/blog.mozilla.org\/security\/files\/2020\/11\/intermediate-preloading-graph.png 993w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>While there are other factors that affect the relative prevalence of this error, this data supports the conclusion that Intermediate CA Preloading is achieving the goal of avoiding these connection errors for Firefox users.<\/p>\n<p>Intermediate CA Preloading is reducing errors today in Firefox for desktop users, and we\u2019ll be working to roll it out to our mobile users in the future.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Throughout 2020, Firefox users have been seeing fewer secure connection errors while browsing the Web. 
We\u2019ve been improving connection errors overall for some time, and a new feature called Intermediate &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/\">Read more<\/a><\/p>\n","protected":false},"author":525,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[320796,69,45499],"tags":[327150,45499,454647],"coauthors":[45543],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Preloading Intermediate CA Certificates into Firefox - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dana Keeler\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/\",\"name\":\"Preloading Intermediate CA Certificates into Firefox - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2020\/11\/intermediate-preloading-graph-600x468.png\",\"datePublished\":\"2020-11-13T22:53:20+00:00\",\"dateModified\":\"2020-11-13T22:53:20+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ceb71f5b00305c4b5fd2028deb101736\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/security\/files\/2020\/11\/intermediate-preloading-graph.png\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/security\/files\/2020\/11\/intermediate-preloading-graph.png\",\"width\":9
93,\"height\":774},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2020\/11\/13\/preloading-intermediate-ca-certificates-into-firefox\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Preloading Intermediate CA Certificates into Firefox\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ceb71f5b00305c4b5fd2028deb101736\",\"name\":\"Dana Keeler\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8a8a12f35e73f4f9942eb18d86c4828b\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/72636a193847f1a9c45521d07eb0dc6e?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/72636a193847f1a9c45521d07eb0dc6e?s=96&d=identicon&r=g\",\"caption\":\"Dana Keeler\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2636"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/525"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=2636"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/2636\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=2636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=2636"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=2636"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=2636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}