Firefox ESR Root Certificate's Strange Rollback

Latest Firefox 115.9.1esr is using old root certificates compared to Firefox 124.0.2 [CA Certificates In Firefox]; it contains TrustCor’s certificates, but they were removed due to this report in 2022.
It seems odd to me that Mozilla chose to change it back only in Firefox ESR.

@OnionHead sorry would you mind doing some spelunking? There’s nothing in the 115.9.0 → 115.9.1 commit range that indicates any cert fuckery. I would expect to find something in the gecko-dev esr115 branch related to this ( GitHub - mozilla/gecko-dev at esr115 ).

EDIT: indeed and they’ve been in esr115 since at least 115.7

Presume this is what you’re seeing?

@OnionHead ok mystery solved!

Sorry for the mild panic there. So the relevant patch ( 1851049 - Remove 3 TrustCor Root Certificates from NSS ) was not backported to Firefox ESR 115, which is why the certs appear there.

Back at the end of ESR 102 we backported the following patch which distrusts this cert authority:

So the cert authority still appears to be there, but it is distrusted (but not removed).

This appears to be a UX bug in about:certificate where this ‘distrust’ field isn’t actually displayed.

The most recent version of this file in Tor Browser 13.0.14 (scheduled for next week) can be found here:

In theory we could backport the (relatively) recent patch which removes the cert entry entirely, but my understanding is there isn’t any real (technical+security) point to do so.

Sorry for the confusion!

2 Likes
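As an added example (my own, not code from this thread, Mozilla or Tor Browser), the distinction richard draws can be checked directly in the NSS root store file, certdata.txt: a trust object whose CKA_TRUST_* flags are CKT_NSS_NOT_TRUSTED is still listed but is not a trust anchor, which is what about:certificate fails to surface. The fragment below is constructed in that format with made-up labels and bytes; the parser reports each root's server-auth status.

```python
# Constructed fragment in certdata.txt syntax; labels and octal bytes are made up.
CERTDATA = r"""
# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\004\005\006
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

STATUS = {
    "CKT_NSS_TRUSTED_DELEGATOR": "trusted anchor",
    "CKT_NSS_NOT_TRUSTED": "present but distrusted",
    "CKT_NSS_MUST_VERIFY_TRUST": "present, not an anchor",
}

def parse_objects(text):
    """Split certdata.txt text into a list of {attribute: value} dicts."""
    objects, current, in_octal = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if in_octal:                      # skip the octal blob up to its END marker
            in_octal = line != "END"
            continue
        if not line or line.startswith("#") or " " not in line:
            continue                      # comments, blanks, BEGINDATA
        attr, ctype, *value = line.split(None, 2)
        if attr == "CKA_CLASS":           # every object begins with its class
            current = {}
            objects.append(current)
        if ctype == "MULTILINE_OCTAL":
            in_octal = True
            continue
        current[attr] = value[0].strip('"') if ctype == "UTF8" else value[0]
    return objects

def server_auth_status(text):
    """Map each CKO_NSS_TRUST object's label to its TLS server-auth trust status."""
    result = {}
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            flag = obj.get("CKA_TRUST_SERVER_AUTH", "")
            result[obj["CKA_LABEL"]] = STATUS.get(flag, "unknown flag " + flag)
    return result
```

Run `server_auth_status` over a real certdata.txt to list every root that is still shipped but carries CKT_NSS_NOT_TRUSTED, independent of what the browser UI displays.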

@richard Thank you for your response.

It looks like Mozilla simply reused an old root certificate bundle, because I found some other removed root certificates in Firefox 115.9.1esr on this list.

Including but maybe not limited to:

Global Chambersign Root - 2008
Chambers of Commerce Root - 2008
Autoridad de Certificacion Firmaprofesional CIF A62634068
Symantec Class 1 Public Primary Certification Authority - G6
Symantec Class 2 Public Primary Certification Authority - G6
VeriSign Class 1 Public Primary Certification Authority - G3
VeriSign Class 2 Public Primary Certification Authority - G3
E-Tugra Certification Authority
E-Tugra Global Root CA ECC v3
E-Tugra Global Root CA RSA v3
Hongkong Post Root CA 1

Is it better to distrust them as well?