Firefox and SSL-decryption

Glenn

I have worked with SSL-decryption for several years, and one of my biggest issues during that time was the abundance of browsers that people use.
We have IE, Chrome, Firefox, Safari, Opera and many more, and they all have their own ideas on how things should work.

But the biggest issue I had was Firefox.
All the other browsers uses the built in certificate stores of both Mac OS X and Windows, this made it trivial to push out Certificates that would be used for SSL-decryption via GPO.
But not Firefox, they uses their own internal certificate store, that is not that trivial to push certificates to in an enterprise environment. This lead to companies to just discontinue any support for Firefox, why waste time on complex scripts or 3rd party products to manage at free browser, when both IE and Chrome just works?

A lot of users was not happy about this, old habits are hard to change, and browsers are one of the hardest it seems based on all the complaints I saw..

But finally, Mozilla has made some recent changes that will finally enable enterprises to support Firefox in environments with SSL-decryption! Let’s see how it works:

decrypt1

Lets start with my current decrypt policy:

  1. Rule based on data from MineMeld that updates my PA-200 with IP’s that Office365 runs on.
  2. Can’t decrypt my XboxOne traffic.. what if I disconnect in a FIFA 17 game? Would be devastating!
  3. My own list of IP’s based on applications that won’t work with SSL-decryption
  4. Catch all rule on port 443, even my online bank is being decrypted. You can never be to safe! 🙂

This policy works without any issues on Chrome and IE, since I have imported the “ssl.test.no” certificate into my Trusted Root Certificate Store. But let’s see what happens when I put Firefox to the test?:

decrypt2

Yeah, just as expected. Firefox have no knowledge of the imported certificate, so it stops me from even getting to the site, since it’s clearly a man-in-the-middle(MitM) attack!

The next step in the old days would to import the certificate manually, or get some 3rd party product installed in your domain to do it via GPO..
But now in version 49 and upwards, we have a new cool feature!

Browse to about:config in the search bar:

decrypt3

Right click anywhere in the list, and choose “New -> Boolean”

Enter the following text into the popup:
decrypt4

security.enterprise_roots.enabled

Then set it to “true”, and it should look like this:

decrypt5

This setting will make Firefox actually go and check the Windows\Mac OSX certificate store for any Root certificates that it does not have. So basically, it will work like IE and Chrome does!

Restart Firefox, and then browse to a https:// site to see if it works!

decrypt6

And behold, it worked like a charm. I did not have to import anything into Firefox, so it just works! The only downside is that you are not able to see any of the imported certificates in Firefox. This is something that will be added down the line.

But this is one BIG step in the right direction to get Firefox easier to work in environments where SSL-decryption is active.  Just remember this is for version 49 and newer!

If you want more information about how to tune Firefox for your enterprise look here:

https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment

Customizing Firefox – Default Preference Files

74 thoughts on “Firefox and SSL-decryption

  5. Hmm, it seems like your own site ate my very first comment (it
    was really long) so I speculate I’ll just sum that upp thee things myy partner and i had
    written and state, I’m thoroughky enjoying your own blog.

    I aas effectively is an aspiring bblog site writer, but I’m nevertheless new
    to the entire thing. Do you possess any advice
    for newbie blog authors? I’d appreciate it.

    My blog; situs judi sabung ayam

  11. A new company in which over half a year more than 9 million people https://crowd1.com/signup/tatyanaflorida have registered. Profit comes from the shares of the world’s largest gaming channels. Gambling, mobile share with us 50%. Passive and active income. Viber/WhatsApp +12487304178 Skype tatyana.kondratyeva2

  18. I’m amazed, I have to admit. Seldom do I come across a blog that’s
    equally educative and entertaining, and without a doubt, you’ve
    hit the nail on the head. The issue is something too few people are speaking intelligently about.
    I am very happy that I stumbled across this during my search for something concerning this.

  37. A new company in which over half a year more than 9 million people https://crowd1.com/signup/tatyanaflorida have registered. Profit comes from the shares of the world’s largest gaming channels. Gambling, mobile share with us 50%. Passive and active income. Viber/WhatsApp +12487304178 Skype tatyana.kondratyeva2

  62. Все для лестниц, погонаж оптом! http://35stupenek.ru/ – Комплектующие для лестниц, двери межкомнатные, перила для лестниц, мебельные щиты, балясины для лестниц, деревянные плинтуса, погонажные изделия, имитация бруса, резные деревянные картины, ступени для лестниц. Поможем с доставкой в любой регион!

  64. На сайте http://viagraorderuk.com можно заказать и купить для потенции Виагру, Левитру, Сиалис не только по Киеву, а и по всей Украине. Есть препарат Poxet (Дапоксетин) для продление полового акта. Мужские и женские возбудители для горячего секса. Силденафил. Тадалафил. Варденафил. Анонимная доставка Новой почтой

  65. Комбинированные балясины для лестниц! http://td-ekolestnica.ru/ – Комбинированные балясины из дерева и металла от производителя. Мебельный щит оптом, резные балясины, перила для лестниц – поможем с доставкой в любой регион!

  66. Total no risk http://toglobax.com/en/id543485529 You can participate and receive money without any investments. Money does not linger and does not accumulate in the system. No need to order a withdrawal, they are distributed immediately. Instantly. You get money for your own details the very second as soon as paid members appear on your network

  68. Комбинированные балясины для лестниц! http://td-ekolestnica.ru/ – Комбинированные балясины из дерева и металла от производителя. Мебельный щит оптом, резные балясины, перила для лестниц – поможем с доставкой в любой регион!

  69. A new company in which over half a year more than 12 million people https://crowd1.com/signup/tatyanaflorida have registered. Profit comes from the shares of the world’s largest gaming channels. Gambling, mobile share with us 50%. Passive and active income. Viber/WhatsApp +12487304178 Skype tatyana.kondratyeva2

  70. The Norwegian Miracle It’s NOT LAMININE anymore! AminoBoosters are 4 times more affordable, the concentration is twice as strong as Laminine by LPGN http://www.getyourboomback.com/#_l_2ps Норвежский ламинин от д-ра Dr. Bjodne Eskeland в 4 раза дешевле американского Laminine и в 2 раза сильнее

  72. Элементы лестниц оптом, кухни на заказ, двери из массива дуба – https://www.ekolestnica.ru На сайте большой выбор изделий из дерева (дуб, бук, ясень, береза, сосна): балясины для лестниц, перила для лестниц, ступени для лестниц, двери из массива дуба, мебельный щит! На рынке более 15 лет, отгружаем товар в любые регионы!

  73. ZandCell COVID-19 Saliva Antigen Test https://diamont.ee/en/hot Nitrile gloves, FFP 2 Mask. Large wholesale, from a warehouse in Europe. All documents and certificates are available. Sending samples on request. Contract supplies for government and commercial organizations and individuals

  74. Авиабилеты дешево от проверенных авиакомпаний! https://avia-bilet.online/ – купить авиабилеты недорого. Купить авиабилеты дешево, авиабилеты онлайн. Поиск от 728 проверенных авиакомпаний по всему миру! Самые популярные направления перелетов по самым низким ценам в интернете!

Comments are closed.