To head off a repeat of the certificate errors caused by the SSL scanning feature of many antivirus programs, Mozilla is running a test in which Firefox imports the root certificates from the Windows certificate store.

When browsing the web, Firefox validates a site's SSL certificate against its own built-in root certificate store rather than the one managed by Windows. This lets Mozilla retain full control over which root certificates Firefox trusts.

Firefox Certificate Store

With the release of Mozilla Firefox 65 at the end of January 2019, users suddenly started receiving errors while browsing that stated "Your connection is not secure" or "SEC_ERROR_UNKNOWN_ISSUER". That error code means Firefox could not chain the certificate a site presented back to any root it trusts.

It turned out that these errors were caused by a problem with the way antivirus programs such as Avast, Bitdefender, and Kaspersky install their root certificates into Firefox in order to perform SSL scanning.

To scan SSL connections, an antivirus engine acts as a local man-in-the-middle: it installs its own root certificate into the Firefox and Windows certificate stores and re-signs each site's certificate with that root. Starting with Firefox 65, those locally installed roots were not being picked up correctly, so Firefox displayed an error instead of the page.

At the time, users had two workarounds. Either disable SSL scanning in the antivirus software, giving up that layer of inspection, or set the security.enterprise_roots.enabled flag to true in about:config so that Firefox also trusts the roots in the Windows certificate store when validating the SSL connection.
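For administrators who would rather not have every user edit about:config, the same setting can be pushed through a Firefox enterprise policy. The PowerShell below is an added example, not Mozilla's or any antivirus vendor's code: it writes a policies.json that turns on ImportEnterpriseRoots (the policy equivalent of security.enterprise_roots.enabled) and then lists the self-signed roots in the Windows stores, since those are exactly what Firefox will begin trusting. The Firefox install path is an assumption for a default 64-bit installation.

```powershell
# Added example (not Mozilla's code): enable Firefox's enterprise-roots import
# via an enterprise policy, then review which Windows roots it will pick up.
# Run from an elevated PowerShell prompt.

$FirefoxDir = 'C:\Program Files\Mozilla Firefox'     # assumed default install path
$PolicyDir  = Join-Path $FirefoxDir 'distribution'
$PolicyFile = Join-Path $PolicyDir 'policies.json'

# Certificates.ImportEnterpriseRoots = true is the policy form of
# security.enterprise_roots.enabled = true in about:config.
$policy = @{
    policies = @{
        Certificates = @{
            ImportEnterpriseRoots = $true
        }
    }
}

New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null
$policy | ConvertTo-Json -Depth 4 | Set-Content -Path $PolicyFile -Encoding UTF8
Write-Host "Wrote $PolicyFile"

# The trade-off: Firefox now trusts every root in these Windows stores, including
# any root an antivirus installer added for SSL scanning. Enumerate them so the
# expansion of trust is a deliberate decision rather than a surprise.
$roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store |
        Where-Object { $_.Subject -eq $_.Issuer } |      # self-signed = root CA
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

$roots | Sort-Object Store, Subject | Format-Table -AutoSize
```

For a single machine, the one-line alternative is `user_pref("security.enterprise_roots.enabled", true);` in the profile's user.js. Either way, after restarting Firefox, about:config should show the preference as true (locked, when set by policy). Look closely at anything under Cert:\CurrentUser\Root in the listing: a root that a non-administrative installer dropped into the user store will be trusted by Firefox just the same as one an administrator placed machine-wide.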

According to a new Firefox bug report, Mozilla's security team has stated that the problems antivirus vendors ran into in February would have been avoided had the Windows root certificate store been used by default. As a test, Mozilla is therefore enabling security.enterprise_roots.enabled by default, which causes Firefox to import the Windows root certificates when the browser starts.

The test is being rolled out to Windows 10 and Windows 8 users who have an antivirus product other than Windows Defender registered and who have not already enabled the security.enterprise_roots.enabled flag.

If the test does not surface other problems, expect this setting to be enabled by default going forward.