Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Mozilla Says Intermediate CA Preloading Reduces Connection Errors in Firefox

Courtesy of the recently added Intermediate Certificate Authority (CA) Preloading feature, Firefox is handling secure connections better and users are experiencing fewer errors, Mozilla says.

Courtesy of the recently added Intermediate Certificate Authority (CA) Preloading feature, Firefox is handling secure connections better and users are experiencing fewer errors, Mozilla says.

The technique essentially consists of the browser pre-downloading all trusted Web Public Key Infrastructure (PKI) intermediate CA certificates through Mozilla’s Remote Settings infrastructure.

Thus, Firefox users won’t see an error page when the proper intermediate CA certificates are not specified, which, according to Mozilla, is one of the most commonly encountered issues when it comes to configuring TLS security.

For Intermediate CA Preloading, Mozilla enumerates all of the intermediate CA certificates in the trusted Web PKI, with the relevant ones available through the multi-browser Common CA Database (CCADB) reporting mechanisms.

“As a result of Mozilla’s leadership in the CA community, each CA in Mozilla’s Root Store Policy is required to disclose these intermediate CA certificates” to the CCADB, the browser maker explains.

Mozilla periodically synthesizes a list of intermediate CA certificates and then places the list into Remote Settings, with more than two thousand entries currently included in that list.

When first receiving the list, or when updates are made, Firefox downloads the necessary intermediate CA certificates in the background. With changes made to the list at a slow pace, keeping it updated is an easy task.

“Certificates provided via Intermediate CA Preloading are added to a local cache and are not imbued with trust. Trust is still derived from the standard Web PKI algorithms,” Mozilla explains.

Advertisement. Scroll to continue reading.

According to the company, Intermediate CA Preloading in Firefox 68 has resulted in a lower number of unknown errors when a TLS handshake is performed.

“While there are other factors that affect the relative prevalence of this error, this data supports the conclusion that Intermediate CA Preloading is achieving the goal of avoiding these connection errors for Firefox users,” the company says.

While Intermediate CA Preloading is currently available for desktop users only, Mozilla plans on rolling it out for mobile users as well, to ensure they too encounter fewer secure connection errors.

Related: Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans

Related: Let’s Encrypt Will Not Replace 1 Million Bug-Affected Certificates

Related: Study Finds Rampant Sale of SSL/TLS Certificates on Dark Web

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.