Just noticed it on my Firefox 67.0.1 on my Win 7 Pro 64-bit machine.
I do NOT have a folder C:\program files\mozilla firefox\distribution.
I do NOT have a file policies.json anywhere on my C:\ drive.
In my registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates, the only entry is ImportEnterpriseRoots with data value 1 (appearing as 0x00000001 (1)). There are no entries above that subkey Certificates.
In my FF, in about:policies, in "Active", I see this:
Policy Name Policy Value
Certificates ImportEnterpriseRoots true
So - is it Avast or not?
If it's Avast, how is Avast doing this, and what is Avast doing?
I'm not a tech, so please make it simple for dummies. Thanks.
I'll try to make it simple...
Yes, Avast is doing this. In order to scan HTTPS traffic, Avast has to have its certificate trusted. The certificate is loaded into the Windows Certificate Store when Avast is installed, but Firefox keeps its own list of trusted certificates. So...
Avast creates the Mozilla subkey in the Policies section of the registry (or adds to it, if it already exists) and adds the ImportEnterpriseRoots subkey. That tells Firefox to trust all certificates in the Windows Certificate Store (including, of course, Avast's).
You will see the Firefox message if either policies.json is present in the distribution folder or the Mozilla key exists in the Policies section of the registry. If you look in about:config in Firefox, you will see that the entry security.enterprise_roots.enabled is locked. This is due to the registry entry.
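The checks discussed in this thread, as an added PowerShell example that is not part of the original posts: it reports whether the ImportEnterpriseRoots policy comes from the registry key or from policies.json, then lists the Windows trusted roots so you can see what Firefox is being told to trust. The default Firefox install folder and the choice of the local-machine Root store (Cert:\LocalMachine\Root) are assumptions.

```powershell
# Added example (not from the thread): find where the Firefox
# ImportEnterpriseRoots policy comes from and list the Windows roots to review.
# Requires PowerShell 3.0 or later (Get-Content -Raw, ConvertFrom-Json).

$policy = 'ImportEnterpriseRoots'

# 1. Registry source named in the thread.
$regPath = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
$reg = Get-ItemProperty -Path $regPath -Name $policy -ErrorAction SilentlyContinue
if ($null -ne $reg) {
    "Registry: $regPath\$policy = $($reg.$policy)"
} else {
    "Registry: $policy is not set under $regPath"
}

# 2. policies.json source. Assumption: Firefox is in its default install folder.
$jsonPath = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution\policies.json'
if (Test-Path -LiteralPath $jsonPath) {
    $json = Get-Content -LiteralPath $jsonPath -Raw | ConvertFrom-Json
    "File: $jsonPath sets $policy = $($json.policies.Certificates.$policy)"
} else {
    "File: $jsonPath does not exist"
}

# 3. Roots in the Windows store. Assumption: the local-machine Trusted Root
#    store is the one to review. Heuristic: newest certificates are listed
#    first, because a root created on this PC by an installer usually has a
#    recent NotBefore date. Check the Subject column for names you recognize.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Sort-Object -Property NotBefore -Descending |
    Select-Object -First 20 -Property NotBefore, Subject, Thumbprint |
    Format-Table -AutoSize -Wrap
```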