
Adding a custom root CA doesn't work

Open ruihildt opened this issue 2 years ago • 8 comments

I can't seem to add my Certificate Authority.

  • I run my own CA to manage internal SSL / device certs across all of my systems.
  • Normally, in Firefox - adding a root CA is very easy:
      - Settings -> Privacy and Security -> View Certificates -> Authorities -> Import
      - When I attempt these steps in Mullvad Browser however, the import fails silently with no error and no CA being added to the browser.
  • OS is Windows 10x64
  • Browser version: 12.0.4

Any help in this regard would be greatly appreciated.

ruihildt avatar Apr 20 '23 09:04 ruihildt

OS/external CAs are blocked to prevent man-in-the-middle attacks. Adding a root CA directly to Mullvad Browser internal database should be theoretically possible, but for some reason it doesn't work as expected.

Ideally, we should understand if we can allow users to add the CA without lessening the security of the typical user. But this is currently not a priority.

ruihildt avatar Apr 20 '23 09:04 ruihildt

I can't use Mullvad browser with AdGuard, pls fix it.

wft44maqb avatar Apr 28 '23 08:04 wft44maqb

Were you able to find a workaround? I am having issues doing the same.

00Prime avatar Jun 05 '23 22:06 00Prime

@00Prime @wft44maqb @EthnTuttle

Can you try going to about:config, then look for security.nocertdb and set it to false?

ruihildt avatar Jun 13 '23 15:06 ruihildt

^ and RESTART for it to take effect

Thorin-Oakenpants avatar Jun 14 '23 07:06 Thorin-Oakenpants

@00Prime @wft44maqb @EthnTuttle

Can you try going to about:config, then look for security.nocertdb and set it to false?

Thank you so much for this hint! I searched for a solution for a long time...

Are there any security drawbacks to setting security.nocertdb to false? (I mean besides the possibility that I "accidentally" import a root certificate from a bad one who wants to do man-in-the-middle attacks, which sounds very unlikely to me.)

IeP4nieF avatar Sep 03 '23 08:09 IeP4nieF

I don't know. security.nocertdb makes sure information is kept in memory only, so something might be written to disk here (password manager persistence to disk in Tor Browser only works if this is set to false).

ruihildt avatar Oct 05 '23 14:10 ruihildt

@ruihildt I found that while setting security.nocertdb to FALSE does allow adding a custom CA, it's probably not the right approach to fix this problem. Apparently, the reason it is set to TRUE is to prevent the caching of intermediate CAs which can be used for fingerprinting.

https://www.ghacks.net/2017/02/22/firefox-fingerprinting-using-intermediate-ca-caching/

Would love to add my custom CA to mullvad-browser so I could fully switch over! But this approach is not a compromise worth taking.

fritz-fritz avatar Dec 08 '23 09:12 fritz-fritz

Closing as all information has been provided.

ruihildt avatar Sep 19 '24 12:09 ruihildt