← Back to Mozilla Firefox Security Technical Implementation Guide

V-251547

CAT II (Medium)

Firefox must be configured to ask which certificate to present to a website when a certificate is required.

Rule ID

SV-251547r1067550_rule

STIG

Mozilla Firefox Security Technical Implementation Guide

Version

V6R7

CCIs

CCI-000187

Discussion

When a website asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access, which increases security for DOD information. Access will be denied to the user if certificate management is not configured.

Check Content

Type "about:policies" in the browser address bar. 

If "Preferences" is not displayed under Policy Name and the Policy Value does not include "security.default_personal_cert" with a value of "Ask Every Time" and status of "locked", this is a finding.

Fix Text

Windows group policy:
1. Open the group policy editor tool with "gpedit.msc".
2. Navigate to Policy Path: Computer Configuration\Administrative Templates\Mozilla\Firefox\
Policy Name: Preferences
Policy State: Enabled
Policy Value:
{
  "security.default_personal_cert": {
    "Value": "Ask Every Time",
    "Status": "locked"
  }
}

macOS "plist" file:
Add the following:
<key>Preferences</key>
<dict>
  <key>security.default_personal_cert</key>
  <dict>
    <key>Value</key>
    <string>Ask Every Time</string>
    <key>Status</key>
    <string>locked</string>
  </dict>
</dict>

Linux "policies.json" file:
Add the following in the policies section:
"Preferences": {
  "security.default_personal_cert": {
    "Value": "Ask Every Time",
    "Status": "locked"
  }
}