On 01/20/2017 10:15 PM, VanguardLH wrote:
I just found the following article:
https://wiki.mozilla.org/CA:AddRootToFirefox
So now Firefox can supposedly be configured to use the global
certificate store (managed by the OS). However, with Mozilla's history
of giving and taking away, I would not rely on this option remaining
permanently available in all subsequent versions of Firefox.
Note that the article does not say that Firefox will actually use the
global certificate store. If security.enterprise_roots.enabled = true
then Firefox will *import* the global certificates but will continue to
hide those global certs in its own private cert manager. Root certs are
not included until Firefox version 52, so the MITM scheme used to
interrogate HTTPS web traffic (by anti-virus or streaming capture tools)
will still not work. The user must still ensure those tools install
their MITM root certs into Firefox's private cert store ... for now.
Since old versions of Firefox will still linger in use for many years
after version 52, tools that use the root cert MITM scheme will still
have to go through the hassle of installing their root cert into
Firefox's private cert store along with installing it in the global cert
store for as many years.
https://www.mozilla.org/en-US/about/...y-group/certs/
That gives a starting point regarding Mozilla's private certificate
store in Firefox. I've gone through all that before but do not recall
that Mozilla ever provided qualification as to why users cannot trust
the global certificate store. Sorry, I don't know the clinic term for
"control freak". It might be Obsessive Compulsive Personality Disorder
(OCPD) although that doesn't exclude Narcissistic Personality Disorder.
Explains a lot. Thank you!