Firefox and SSL-decryption

I have worked with SSL-decryption for several years, and one of my biggest issues during that time was the abundance of browsers that people use.
We have IE, Chrome, Firefox, Safari, Opera and many more, and they all have their own ideas on how things should work.

But the biggest issue I had was Firefox.
All the other browsers use the built-in certificate stores of both Mac OS X and Windows, which made it trivial to push out certificates that would be used for SSL-decryption via GPO.
But not Firefox: it uses its own internal certificate store, which is not that trivial to push certificates to in an enterprise environment. This led companies to just discontinue any support for Firefox. Why waste time on complex scripts or 3rd party products to manage a free browser, when both IE and Chrome just work?

A lot of users were not happy about this. Old habits are hard to change, and browsers are one of the hardest, it seems, based on all the complaints I saw.

But finally, Mozilla has made some recent changes that will finally enable enterprises to support Firefox in environments with SSL-decryption! Let’s see how it works:

Let’s start with my current decrypt policy:

  1. Rule based on data from MineMeld that updates my PA-200 with the IPs that Office365 runs on.
  2. Can’t decrypt my XboxOne traffic... what if I disconnect in a FIFA 17 game? Would be devastating!
  3. My own list of IPs based on applications that won’t work with SSL-decryption.
  4. Catch-all rule on port 443, even my online bank is being decrypted. You can never be too safe! 🙂

This policy works without any issues on Chrome and IE, since I have imported the “ssl.test.no” certificate into my Trusted Root Certificate Store. But let’s see what happens when I put Firefox to the test:

Yeah, just as expected. Firefox has no knowledge of the imported certificate, so it stops me from even getting to the site, since it’s clearly a man-in-the-middle (MitM) attack!

The next step in the old days would be to import the certificate manually, or get some 3rd party product installed in your domain to do it via GPO.
But now in version 49 and upwards, we have a new cool feature!

Browse to about:config in the search bar:

Right click anywhere in the list, and choose “New -> Boolean”

Enter the following text into the popup:

security.enterprise_roots.enabled

Then set it to “true”.

This setting will make Firefox actually go and check the Windows/Mac OS X certificate store for any root certificates that it does not have. So basically, it will work like IE and Chrome do!

Restart Firefox, and then browse to a https:// site to see if it works!

And behold, it worked like a charm. I did not have to import anything into Firefox, so it just works! The only downside is that you are not able to see any of the imported certificates in Firefox. This is something that will be added down the line.

But this is one BIG step in the right direction to get Firefox easier to work in environments where SSL-decryption is active. Just remember this is for version 49 and newer!

If you want more information about how to tune Firefox for your enterprise look here:

https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment

Customizing Firefox – Default Preference Files
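
The about:config steps above change one profile at a time; the default-preference-file (autoconfig) mechanism referenced here can lock the same preference for every user of an install. The following Python script is an added example, not from the original post: it writes the two autoconfig files and audits them afterwards. The file name `firefox.cfg`, the function names and the install directory you pass in are assumptions.

```python
import re
from pathlib import Path

PREF = "security.enterprise_roots.enabled"

# Loader read from <install>/defaults/pref/; it points Firefox at the .cfg file.
AUTOCONFIG_JS = (
    "// Autoconfig loader\n"
    'pref("general.config.filename", "firefox.cfg");\n'
    'pref("general.config.obscure_value", 0);\n'
)
# Firefox skips the first line of a .cfg file, so it has to be a comment.
FIREFOX_CFG = f'// Managed settings (first line is ignored)\nlockPref("{PREF}", true);\n'

# Matches pref("name", value); and its user_pref/defaultPref/lockPref variants.
PREF_LINE = re.compile(
    r'^\s*(user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE,
)

def deploy(install_dir):
    """Write both autoconfig files under a Firefox install directory."""
    root = Path(install_dir)
    pref_dir = root / "defaults" / "pref"
    pref_dir.mkdir(parents=True, exist_ok=True)
    # write_bytes avoids newline translation: the files keep Unix line endings.
    (pref_dir / "autoconfig.js").write_bytes(AUTOCONFIG_JS.encode())
    (root / "firefox.cfg").write_bytes(FIREFOX_CFG.encode())

def read_pref(path, name):
    """Return (setter, raw_value) for the last assignment of `name`, or None."""
    hit = None
    for setter, key, value in PREF_LINE.findall(Path(path).read_text()):
        if key == name:
            hit = (setter, value)
    return hit

def audit(install_dir):
    """True only if the loader points at firefox.cfg and the pref is locked on."""
    root = Path(install_dir)
    loader = root / "defaults" / "pref" / "autoconfig.js"
    cfg = root / "firefox.cfg"
    if not (loader.is_file() and cfg.is_file()):
        return False
    points = read_pref(loader, "general.config.filename")
    locked = read_pref(cfg, PREF)
    return points == ("pref", '"firefox.cfg"') and locked == ("lockPref", "true")
```

`read_pref` also works on a profile's `prefs.js`, so the same helper can report machines where a user set the preference by hand instead of receiving it through the managed file.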
