In my opinion, a critical security issue
I'm using FF 72.0.2 64-Bit and I've Avast installed (issue is related to Firefox! not just Avast).
1) Firefox brand new installation (English language) 2) "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla" deleted in the regedit 3) in "about:config" I have "security.enterprise_roots.enabled"=false and "security.certerrors.mitm.auto_enable_enterprise_roots"=false 4) in "Certificate Manager" I have deleted "Avast Web/Mail Shield Root" certificate 5) I didn't have any active plug-in (only OpenH264 codec is listed and is disabled), I have no extensions installed, privacy policy set to strict, private browsing mode, all permissions disabled, checked "prevent accessibility services from accessing your brower", blocked "Deceptive Content and Dangerous Software Protection" and certificates set to "Ask you every time" 6) "Connection settinges" set to "No proxy" 7) NO active policy listed in "about:policies" ("about:policies#active" is empty) and NO "Your browser is being managed by your organization" message is shown
Why if I enabled "Enable HTTPS scanning" inside Avast Web Shield, and I go to https://2016.eicar.org/85-0-Download.html trying to download "eicar.com" using SSL, is this test-virus detected by Avast BEFORE (!) downloading? I was expecting that, at most, Firefox will not be able to surf the web if no direct HTTPS connection is allowed by Avast. Why does Firefox allow a MITM connection (even if Avast certificate has been deleted, even if there isn't any active policy listed in "about:policies#active") and I'm not able to avoid this behavior?
Moreover, once I restart the PC, security.enterprise_roots.enabled is forced to True (locked), "Avast Web/Mail Shield Root" reinstalled inside "Certificate Manager" and "Your browser is being managed by your organization" message is back.
Why can't the user have full control on Firefox? In my opinion, this is a critical security issue. I mean, how could an external software so easily take full control of Firefox? Additionally, using this approach a MITM attack can be done quite easily from an organization having an active certificate and without the user even knowing it (I repeat, "about:policies#active" was empty). Tested on Windows 10 and Windows 7.
Thank you
All Replies (10)
Starting in Firefox 68, to address user frustration with the complexity of configuring security software, a workaround was added for MITM's. You can disable the automatic workaround. The steps are in this article:
How to disable the Enterprise Roots preference
If those two preference changes do not resolve the issue, you could check for either an autoconfig file or a policies.json file forcing the enterprise cert preference.
It is likely that your security software uses GPO rules to enforce adding its root certificate to Firefox if you enable HTTPS scanning. It is not Firefox's fault if you have (security) software that (mis)uses GPO rules in the Windows Registry to configure Firefox. If you do not trust this software then you need to look for other security software or keep this feature disabled.
@jscher2000: thank you for you answer. https://support.mozilla.org/en-US/kb/how-disable-enterprise-roots-preference was part of the solution I tried and illustrated in the first post. Unfortunately, not only it doesn't work, but as soon as I restart the pc, all changes are ignored and previous values restored. I tried also using AutoConfig and policies.json, anyway until now without luck ("eicar.com" test-virus is always detected by Avast before downloading it using SSL)
@cor-el: yes, in my opinion is Firefox's fault to allow an external software to misuses GPO rules WITHOUT notifying the user ("about:policies#active" empty, and I repeat I also deleted Avast certificate) ..or without letting the user choose if an external software can use GPO rules. I made this test NOT because I want to go on using Avast (after https://www.cnet.com/news/antivirus-firm-avast-is-reportedly-selling-users-web-browsing-data/ I personally do not trust anymore in this company, although at least in my case I had taken steps to disable personal data sharing). I was trying to understand how is it possible that an external software can change some key configurations in Firefox and allowing MITM, without the user knowing.
Modified
Hi giotangi,
Yes it's annoying, but look at the flip side. If you're an IT admin and you want to install a root CA, then you don't really want Firefox to earn all your users about it. First, because it will confuse them. And more importantly, because telling them to ignore the warning is dangerous as it teaches your staff to ignore security warnings. This warning fatigue is a real security issue in and if itself.
As powerusers, we empathize with your position. However, we have to make systems that work well for everyone what. That is hard.
giotangi said
...as soon as I restart the pc, all changes are ignored and previous values restored. I tried also using AutoConfig and policies.json, anyway until now without luck...
It sounds as though Avast is overwriting your Autoconfig file with its own instructions at startup.
@Matthew Thomas: in some ways I could agree with your point of view, but in general I think that the security issues of such an approach are higher than the advantages it can give in some specific cases. Obviously it's just my point of view. It would be enough to give the user the possibility to choose (even as like now by default) through a checkbox somewhere (for example in about:policies) or through an entry in the about:config (that obviously cannot be overwritten from outside/regedit). Sorry but a similar approach seems to me the easiest way for a mass surveillance.. ads, behavior statistics, NSA and similar. Well, just joking, but not so far from what an antivirus or similar third party software could actually do without the user even knowing it (for example "about:policies#active" was empty). I speak as a fan of Firefox, not to denigrate it.
@jscher2000: yes, seems to be in fact
Firefox can't disallow anything which your operating system allows, especially to a program (or the OS) which has SYSTEM privilege level, which is something AVs rather tend to have. (An AV operates entirely by being a MITM in your OS, with system-level drivers and hooks.)
I wasn't speak about this. I said that the user must be notified (at a certain point, after regedit modification, I wasn't) and that I don't understand why there is no way to force Firefox not going through Avast, for example uninstalling the Avast certificate (apparently it is deleted but in fact it is used)
giotangi said
I wasn't speak about this. I said that the user must be notified (at a certain point, after regedit modification, I wasn't) and that I don't understand why there is no way to force Firefox not going through Avast, for example uninstalling the Avast certificate (apparently it is deleted but in fact it is used)
It's all related though. With the system access that Avast has, it could just replace Firefox with a keylogging version that contains no warnings.[1] From a "bad-actor" security perspective, such a warning doesn't really add to your security. It is, however, mildly annoying.
Basically, as crankygoat implied, there is nothing Firefox can do about a bad actor with system access.
Additionally Windows does not notify you about registry edits. Firefox does not do this either because it is a browser -- not a registry monitoring utility, anti-virus, or security suite.
[1] One of my friends actually had such an issue with a fake build of Chromium disguised as Chrome.
I had Avast on my last computer, and it basically ruined it. It installed Chrome, which I didn't want, and I deleted it but, as you said about Avast, it didn't really go away. I had the same problem with Avast. First thing you might want to do is delete Avast and then immediately install another security system. I have Malwarebytes now and like it much better.