On Tue, May 21, 2019 at 12:59 PM Adrian R via dev-security-policy < [email protected]> wrote:
> Hello
>
> Today, as part of an "upgrade" to version 19.5 Avast Antivirus has
> forcefully enabled the entire Microsoft PKI for all Firefox users that also
> happen to be users of Avast [Free] Antivirus.
>
> They now forcefully set this Mozilla enterprise policy for all users of
> Avast:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates
> "ImportEnterpriseRoots"=dword:00000001
>
> And this causes Mozilla Firefox to trust all the root certificates in the
> Windows store...

That is not my understanding of how this setting works: it only imports roots that have been added to the Windows root store, e.g. by a program such as Avast, or an administrator. It does not import roots Microsoft ships with Windows.

> but with a bug: Firefox ignores the local revocation info for root
> certificates and thus considers revoked root certificates as being valid.
>
>
> Related Mozilla bugzilla bug id: 1553233
>
> *sigh*
>
> ~~~~
> Adrian R.
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

