
Why Does Mozilla Maintain Our Own Root Certificate Store? - zdw
https://blog.mozilla.org/security/2019/02/14/why-does-mozilla-maintain-our-own-root-certificate-store/
======
shakna
As a user, I love that Firefox has their own root store. It tends to be more
up to date, and have higher standards in some circumstances.

As a sysadmin, the enterprise policy that came in 65 [0] was a "finally!"
moment. Until then, Firefox was an incredibly irritating little special
snowflake. It's still a special snowflake, but a little less annoying.

[0]
[https://wiki.mozilla.org/CA/AddRootToFirefox](https://wiki.mozilla.org/CA/AddRootToFirefox)

~~~
mrkstu
Thanks for that link. I run the proxy at work, and since we do some SSL
decrypt, dealing with FF can be a pain; this should lessen that considerably.

------
davidhyde
If you work in a corporation that manages your Windows PC but you are still
able to do things like install Firefox yourself then you may well notice the
man-in-the-middle certificate(s) your company installs on your system because
they won’t appear in Firefox and it will warn you of that fact when you
attempt to securely visit a site.

~~~
mr_toad
MiTM certificates don’t even try and disguise themselves, they usually have an
obvious CA name like ‘McAfee firewall CA’ or something similar. Often they’ll
have your employer’s name on them.

------
jzl
I love that FF has its own root store. I've often wondered why Chrome
_doesn't_ have its own, which seems like it would be a Googly thing to do. But I'm
glad that they don't and hope they don't implement one any time soon.

~~~
skunkworker
It seems as though it's just a difference in design. Chrome uses the system's
default store, which for systems that are constantly updated is not a problem.
But for systems that aren't regularly updated and can't get additions &
revocations to their store then FF takes the lead here.

~~~
serf
Example:

A friend's ancient Huawei Android phone can no longer access his online banking
via the system browser, or Chrome.

Firefox works great.

Whether or not you should be online banking with an outdated platform is
another discussion, but he's happy that it works.

