Check: FFOX-00-000016
Mozilla Firefox STIG:
FFOX-00-000016
(in versions v6 r3 through v6 r2)
Title
Firefox must have the DoD root certificates installed. (Cat II impact)
Discussion
The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD Certificate Authority (CA).
Check Content
Type "about:preferences#privacy" in the browser window. Scroll down to the bottom and select "View Certificates...". In the Certificate Manager window, select the "Authorities" tab. Scroll through the Certificate Name list to the U.S. Government heading. Look for the entries for DoD Root CA 2, DoD Root CA 3, DoD Root CA 4, and DoD Root CA 5. If there are entries for DoD Root CA 2, DoD Root CA 3, DoD Root CA 4, and DoD Root CA 5, select them individually. Click the "View" button. Verify the publishing organization is "US Government". If there are no entries for the DoD Root CA 2, DoD Root CA 3, DoD Root CA 4, and DoD Root CA 5, this is a finding. Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store. This is not a finding. It may also be set via the policy Certificates >> ImportEnterpriseRoots, which can be verified via "about:policies".
Fix Text
Install the DoD root certificates. On Windows, import certificates from the operating system by using Certificates >> Import Enterprise Roots (Certificates) via policy or Group Policy Object (GPO).
Additional Identifiers
Rule ID: SV-251560r820754_rule
Vulnerability ID: V-251560
Group Title: SRG-APP-000175
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000185 |
For public key-based authentication, validate certificates by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
Number | Title |
---|---|
IA-5(2) |
Pki-based Authentication |