Posted by u/gbil 2 years ago
Firefox Beta 120 trusts OS certificates by default
Seems that Firefox Beta 120 is changing the default behavior for certificate trust from its own repo to the OS repo. This is stated in the release notes: https://www.mozilla.org/en-US/firefox/120.0beta/releasenotes/

and here is the relevant bugzilla link: https://bugzilla.mozilla.org/show_bug.cgi?id=1858531

so anyone relying on the existing Firefox behavior needs to opt out of this new behavior

lifthrasiir · 2 years ago
extraduder_ire · 2 years ago
You mean like a local MiTM? I vaguely remember firefox disabling the OS-wide trust store years ago for this very reason.
musicale · 2 years ago
Forged certificates (for gmail, etc.) are a terrible idea. I thought certificate stapling was implemented to shut this awful practice down.
galadran · 2 years ago
This isn't the right summary. Firefox still uses its own root store and ignores any certificates distributed by default in the OS. However, if the user installs their root to the OS, Firefox will also pick it up. This is how other browsers work.
gbil · 2 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=1848815#c8

> By default, Firefox will now use TLS trust anchors (e.g., certificates) added to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the "Privacy & Security" section of Firefox settings, under "Certificates".

What you state, "ignores any certificates distributed by default in the OS," is the as-is situation, which is changing in the next weeks; you need specifically to opt out, and it will include ALL the certificates no matter if they come from the user or the system. So please elaborate on why you think it is the wrong summary.

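As an added example (not code from the thread or from Mozilla), the following script checks what a given Firefox profile will actually do about OS-installed trust anchors after this change, and emits the opt-out line. It reads the real preference behind the change, `security.enterprise_roots.enabled`, from the profile's `prefs.js` / `user.js` and honours the `Certificates.ImportEnterpriseRoots` enterprise policy from `policies.json`. The precedence order (policy, then `user.js`, then `prefs.js`, then the build default) and the version threshold of 120 for the flipped default are assumptions taken from the release notes quoted above; the sample files are constructed inline.

```python
"""Report the effective state of Firefox's OS trust-anchor import.

Added example, not part of the original post. The pref name and the
policy key are real Firefox identifiers; the precedence rules below are
an assumption (enterprise policies lock the pref, user.js overrides
prefs.js, and an unset pref falls back to the build default).
"""
import json
import re

PREF = "security.enterprise_roots.enabled"
# Firefox 120 flipped the default to true (bug 1848815); earlier releases
# defaulted to false.  Threshold taken from the release notes.
FLIP_VERSION = 120

# Matches pref("name", value); and user_pref("name", value);
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);'
)


def parse_prefs(text):
    """Parse prefs.js / user.js text into a {name: value} dict."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, unrelated statements
        name, raw = m.groups()
        if raw == "true":
            val = True
        elif raw == "false":
            val = False
        elif raw.startswith('"'):
            val = raw[1:-1]
        else:
            val = int(raw)
        prefs[name] = val
    return prefs


def effective_enterprise_roots(prefs_js="", user_js="", policies_json=None,
                               firefox_major=FLIP_VERSION):
    """Return (enabled, source) for the OS trust-anchor import.

    source is one of "policies.json", "user.js", "prefs.js", "default".
    """
    # Assumption: an enterprise policy wins because Firefox locks the pref.
    if policies_json is not None:
        pol = json.loads(policies_json)
        certs = pol.get("policies", {}).get("Certificates", {})
        if "ImportEnterpriseRoots" in certs:
            return bool(certs["ImportEnterpriseRoots"]), "policies.json"
    # Assumption: user.js is applied at startup on top of prefs.js.
    for label, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        prefs = parse_prefs(text)
        if PREF in prefs:
            return bool(prefs[PREF]), label
    return firefox_major >= FLIP_VERSION, "default"


def opt_out_line():
    """The user.js line that restores the pre-120 behaviour."""
    return f'user_pref("{PREF}", false);'


# Constructed sample inputs (not real profile contents).
SAMPLE_PREFS_JS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.OCSP.enabled", 1);
"""
SAMPLE_USER_JS = 'user_pref("security.enterprise_roots.enabled", false);\n'
SAMPLE_POLICY = json.dumps(
    {"policies": {"Certificates": {"ImportEnterpriseRoots": True}}}
)

if __name__ == "__main__":
    print("fresh 120 profile:", effective_enterprise_roots(SAMPLE_PREFS_JS))
    print("with user.js opt-out:",
          effective_enterprise_roots(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
    print("opt-out overridden by policy:",
          effective_enterprise_roots(SAMPLE_PREFS_JS, SAMPLE_USER_JS,
                                     SAMPLE_POLICY))
    print("line to add to user.js:", opt_out_line())
```

Note that a `user.js` opt-out is silently overridden on managed machines where an administrator ships `ImportEnterpriseRoots: true`; checking `about:policies` (or the policy file, as above) is the only way to know which value is in force.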
galadran · 2 years ago
There's a difference between certificates distributed with the OS and certificates added to the OS by a user. Right now Firefox ignores both. This change ONLY picks up the certificates added to the OS by a user.