Firefox and SSL-decryption

I have worked with SSL-decryption for several years, and one of my biggest issues during that time was the abundance of browsers that people use.
We have IE, Chrome, Firefox, Safari, Opera and many more, and they all have their own ideas about how things should work.

But the biggest issue I had was Firefox.
All the other browsers use the built-in certificate stores of both Mac OS X and Windows, which made it trivial to push out the certificates used for SSL-decryption via GPO.
But not Firefox: it uses its own internal certificate store, which is not that trivial to push certificates to in an enterprise environment. This led companies to simply discontinue any support for Firefox; why waste time on complex scripts or 3rd-party products to manage a free browser, when both IE and Chrome just work?

A lot of users were not happy about this. Old habits are hard to change, and browser habits seem to be among the hardest, based on all the complaints I saw.

But Mozilla has made some recent changes that will finally enable enterprises to support Firefox in environments with SSL-decryption! Let's see how it works:

[Screenshot: decrypt1]

Let's start with my current decrypt policy:

  1. Rule based on data from MineMeld that updates my PA-200 with the IPs that Office 365 runs on.
  2. Can't decrypt my Xbox One traffic... what if I disconnect in a FIFA 17 game? That would be devastating!
  3. My own list of IPs for applications that won't work with SSL-decryption.
  4. Catch-all rule on port 443; even my online bank is being decrypted. You can never be too safe! 🙂

This policy works without any issues in Chrome and IE, since I have imported the "ssl.test.no" certificate into my Trusted Root Certificate Store. But let's see what happens when I put Firefox to the test:

[Screenshot: decrypt2]

Yeah, just as expected. Firefox has no knowledge of the imported certificate, so it stops me from even getting to the site, since from its point of view this is clearly a man-in-the-middle (MitM) attack!

In the old days, the next step would be to import the certificate manually, or to get some 3rd-party product installed in your domain to do it via GPO.
But from version 49 upwards, we have a cool new feature!

Browse to about:config in the address bar:

[Screenshot: decrypt3]

Right-click anywhere in the list, and choose "New -> Boolean".

Enter the following preference name into the popup:

[Screenshot: decrypt4]

security.enterprise_roots.enabled

Then set it to “true”, and it should look like this:

[Screenshot: decrypt5]

This setting makes Firefox check the Windows or Mac OS X certificate store for any root certificates it does not already have. So basically, it will work the way IE and Chrome do!

Restart Firefox, and then browse to an https:// site to see if it works!

[Screenshot: decrypt6]

And behold, it worked like a charm. I did not have to import anything into Firefox, so it just works! The only downside is that you are not able to see any of the imported certificates in Firefox. This is something that will be added down the line.

But this is one BIG step in the right direction to make Firefox easier to work with in environments where SSL-decryption is active. Just remember this is for version 49 and newer!
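Flipping the boolean in about:config works for one profile on one machine; in an enterprise you want to deploy the preference centrally and verify it landed. The following added example (my own code, not from the original post) does both: it parses a Firefox prefs.js to report whether security.enterprise_roots.enabled is set, and it emits the two standard Firefox autoconfig files that lock the preference for every profile on a machine. The prefs.js content is a constructed sample, and the autoconfig file locations are the standard ones from Mozilla's enterprise deployment documentation.

```python
import re

# Constructed sample of a profile's prefs.js (not a real profile). Firefox writes
# one user_pref("name", value); line per preference changed from its default.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
// DO NOT EDIT THIS FILE.
user_pref("browser.startup.homepage", "https://intranet.example");
user_pref("security.enterprise_roots.enabled", true);
user_pref("network.proxy.type", 1);
"""

# Matches both user_pref(...) lines from prefs.js/user.js and pref(...) lines
# from default preference files.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {pref_name: value} with bools, ints and strings converted."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):  # comment lines carry no prefs
            continue
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # unknown literal: keep as text rather than guess
        prefs[name] = value
    return prefs


def enterprise_roots_enabled(prefs_js_text):
    """True only if the profile explicitly enables OS root-store lookup."""
    return parse_prefs(prefs_js_text).get("security.enterprise_roots.enabled") is True


def autoconfig_files():
    """Files that lock the preference install-wide (paths relative to the Firefox
    install directory). lockPref stops users from flipping it back in about:config."""
    autoconfig_js = ('pref("general.config.filename", "mozilla.cfg");\n'
                     'pref("general.config.obscure_value", 0);\n')
    mozilla_cfg = ('// Firefox autoconfig file: the first line must be a comment\n'
                   'lockPref("security.enterprise_roots.enabled", true);\n')
    return {"defaults/pref/autoconfig.js": autoconfig_js, "mozilla.cfg": mozilla_cfg}
```

Run enterprise_roots_enabled over each profile's prefs.js after deployment to confirm the setting took effect before declaring Firefox supported.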

If you want more information about how to tune Firefox for your enterprise, look here:

https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment

Customizing Firefox – Default Preference Files

About Glenn

Pre-Sales Engineer for Palo Alto Networks in Norway. Always looking for new ways to secure your organization!
