Late so don't if you will see this, but from the very beginning, the security.enterprise_roots.enabled preference always stated it applied to certificates added, not those included by default, eg [0]. System vs User context is still different from baked-in vs added. On macOS for example the System keychain contains certificates added that are then accessible by all users and can only be added by an Administrator, and the separate System Roots keychain holds the root certificates (151 on the Mac I'm sitting in front of) that Apple ships with the OS. Firefox reading from both the "login" and "System" keychains doesn't mean reading from "System Roots". The suggested release notes for the bug report you linked reinforces this [1] (capitalization emphasis added):

>[Suggested wording]: By default, Firefox will now use TLS trust anchors (e.g., certificates) ADDED to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the "Privacy & Security" section of Firefox settings, under "Certificates".

If you think all of these descriptions have been wrong all along from the code, that'd definitely be worth bringing up on Bugzilla. Personally I'm happy to have it enabled by default vs always needing to remember to do so if it's working as described. I think support for one's own CAs should be encouraged even the overall UX around running your own CA is mediocre right now.

----

0: https://support.mozilla.org/en-US/kb/how-disable-enterprise-... :

>"Mozilla has added an Enterprise Roots preference to Firefox as a solution to the problem. This preference can be used to import any root certificate authorities (CAs) that have been added to the operating system, to resolve your TLS connection error. You can determine if a website is relying on an imported root certificate by clicking the Site Information icon in the address bar."

1: https://bugzilla.mozilla.org/show_bug.cgi?id=1848815

Of course they face that problem. It's a subset of the more general bootstrapping problem for a computer. So far, it mostly works as long as we can trust the hardware and we assume that the stack as we have it now is trustworthy.

As soon as you download and install an OS via an MITMed connection, it's over.

That's not Know Your Customer that's Know Your Producer.

Do your reckon there could be a consumer friendly way to generate pre-shared keys? With a Diffie–Hellman like algorithm

Sure, and a world is possible when we have other types of tech, too. For example we can have zero-knowledge proofs to access online sites and prove we’re over 18. But the UK government has already passed a law requiring all websites to KYC their members with a passport. And Utah recently passed a law also protecting children on social sites and I asked their politicians directly how they will enforce it — a likely candidate will be requiring ID from everyone.

But the governments when all is said and done don’t care about your privacy.

https://www.biometricupdate.com/202309/uk-passes-online-safe...

> We're already all used to running ad/script block on our clients so accept a certain level of breakage.

The "we" reading this post? Yeah, probably.

The internet population as a whole? Absolutely not, nowhere close.

I've been using Adblock or its descendants since the original Firefox extension where downloadable filter lists were a separate addon, and every time I have to browse a mainstream web site when using a "normal" person's computer it blows my mind how bad the experience is with all kinds of extra iframes I never normally see full of ads moving around, modals, etc. without even getting in to video content.

Normal people don't troubleshoot things like we do, if it doesn't work they try to do the same thing over and over again until they get bored or annoyed and then either move on or call one of us to "fix it".

>in the end we just "route around them" (they die)

My comment was about the perspective of the website owner, not the website user. The website owner certainly doesn't want to be routed around and have the website die. So the website owner will avoid HPKP.

I remember HN from over a decade ago: https://www.cntraveler.com/stories/2012-01-31/spirit-airline...

DNSSEC is a great concept with a rather convoluted design that's based on limitations of computers in the 90s. It's obviously better to have DNSSEC than not to, but I wouldn't call it a "great solution".

Case in point: the DNS client never actually validates the DNSSEC signatures, the DNS server the client uses is supposed to do that, and then simply sets a flag that says "I validated this". Perfect for recursive DNS resolvers running on localhost, but terrible for security when applied as designed.

Another example: Firefox currently has encrypted client hello enables to encrypt the SNI information and help combat traffic analysis, but only if you enable DoH to ensure that the necessary DNS records are correct. Once again, Mozilla didn't trust DNSSEC to work right and opted to trust DoH servers on their word.

In truth, DNSSEC isn't widely used, at least not internationally. Some TLDs have high DNSSEC usages, often because their registrar advocates for securing DNS, but with companies like Amazon failing to produce DNSSEC software that doesn't cause massive outages and TLDs like .nz going down for a day because of bad policies and management, many people don't bother.

It's a shame, really, because DANE would've fixed so many problems. I attribute its failure mostly to the design decisions the people behind DNSSEC made when they released the protocol.