
Mozilla Says Intermediate CA Preloading Reduces Connection Errors in Firefox

Courtesy of the recently added Intermediate Certificate Authority (CA) Preloading feature, Firefox is handling secure connections better and users are experiencing fewer errors, Mozilla says.


The technique essentially consists of the browser pre-downloading all trusted Web Public Key Infrastructure (PKI) intermediate CA certificates through Mozilla’s Remote Settings infrastructure.

Thus, Firefox users won’t see an error page when a website does not specify the proper intermediate CA certificates, which, according to Mozilla, is one of the most commonly encountered issues when it comes to configuring TLS security.

For Intermediate CA Preloading, Mozilla enumerates all of the intermediate CA certificates in the trusted Web PKI, with the relevant ones available through the multi-browser Common CA Database (CCADB) reporting mechanisms.

“As a result of Mozilla’s leadership in the CA community, each CA in Mozilla’s Root Store Policy is required to disclose these intermediate CA certificates” to the CCADB, the browser maker explains.

Mozilla periodically synthesizes a list of intermediate CA certificates and then places the list into Remote Settings, with more than two thousand entries currently included in that list.

When it first receives the list, or when updates are made, Firefox downloads the necessary intermediate CA certificates in the background. Because the list changes slowly, keeping it updated is an easy task.


“Certificates provided via Intermediate CA Preloading are added to a local cache and are not imbued with trust. Trust is still derived from the standard Web PKI algorithms,” Mozilla explains.
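The distinction between a cached intermediate and a trusted one can be reproduced with the OpenSSL command line, where `-untrusted` supplies path-building candidates and `-CAfile` supplies trust anchors. The script below is an added example, not code from Mozilla or from the original article; the PKI is constructed and throwaway, the names `trusted-root`, `good-int`, `other-root`, `other-int`, `site` and `other-site` are made up, and a PEM bundle stands in for Firefox's local cache.

```bash
# Added example: constructed throwaway PKI; every name and file here is made up.
# cache.pem stands in for the preloaded intermediate cache (an assumption).
work=$(mktemp -d) && cd "$work" || exit 1

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

root() {   # root <name>: self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config pki.cnf \
    -extensions ca -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
issue() {  # issue <name> <issuer> <ca|leaf>: certificate signed by <issuer>
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial 1 \
    -days 2 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# One hierarchy under the trust anchor, one under a root that is not trusted.
root trusted-root; issue good-int trusted-root ca; issue site good-int leaf
root other-root;   issue other-int other-root ca;  issue other-site other-int leaf

# The cache holds intermediates only. It is passed as -untrusted, so its
# contents can complete a path but can never act as a trust anchor.
cat good-int.pem other-int.pem > cache.pem

# check <leaf> [verify options]: trusted-root.pem is the only anchor supplied.
check() {
  leaf=$1; shift
  openssl verify -CAfile trusted-root.pem "$@" "$leaf.pem" >/dev/null 2>&1
}

# The server "sends" only its leaf certificate in every case below.
check site && echo "no cache: site verifies" \
  || echo "no cache: site fails (intermediate missing)"
check site -untrusted cache.pem && echo "cache: site verifies" \
  || echo "cache: site fails"
check other-site -untrusted cache.pem && echo "cache: other-site verifies" \
  || echo "cache: other-site fails (cached intermediate is not a trust anchor)"
```

The first and third checks fail and the second succeeds: the cache fixes the missing-intermediate case without widening what is trusted.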

According to the company, Intermediate CA Preloading in Firefox 68 has resulted in a lower number of unknown errors when a TLS handshake is performed.

“While there are other factors that affect the relative prevalence of this error, this data supports the conclusion that Intermediate CA Preloading is achieving the goal of avoiding these connection errors for Firefox users,” the company says.

While Intermediate CA Preloading is currently available for desktop users only, Mozilla plans on rolling it out for mobile users as well, to ensure they too encounter fewer secure connection errors.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
