[Affected versions]: - Fx 65.0b5 [Affected platforms]: - Windows 7 x32 & x64 - Windows 10 x32 & x64 [Steps to reproduce]: 1. Install Kaspersky Internet Security (free trial version is used). 2. Launch Firefox. 3. Go to www.facebook.com. 4. Click on the (i) information button near the url. 5. Expand the 'Connection' option and on the bottom of the drawer click on 'More Information'. [Expected result]: - The page info is displayed, and the connection is encrypted using TLS 1.3. [Actual result]: - The encryption used is TLS 1.2. [Additional notes]: - Another change done by Kaspersky is to set security.enterprise_roots.enabled to 'true' and lock the preference. - Once the antivirus is un-installed, Firefox switches back to TLS 1.3 encryption and the security.enterprise_roots.enabled pref is unlocked. - Make sure only Kaspersky Internet Security is the only Antivirus installed on the system.

Sorry for missing this in the description. We have also tested this using a full version of Kaspersky Internet Security (purchased license) and we reached the same result.

Is this meant to be a blocklisting request or a Firefox bug?

I was not to which component this belonged to and I've seen that other Kaspersky bugs were logged here, that's why I chose it. Could you please suggest the component where should this be moved to?

No worries, I'm just trying to figure out what the best action for this bug is. Do you know if Kaspersky is installing an add-on that is doing this? If so, we could attempt to block it. If they are modifying Firefox files externally we may have to take a different action.

Kaspersky DOES install the addon but it is not enabled. I'm not entirely sure if the addon is causing the issue or not, but this can be looked at in greater depth after the holidays. This is not a blocking matter, since websites are still functioning despite having their TLS encryption changed.

Per https://bugzilla.mozilla.org/show_bug.cgi?id=1449115#c33 my understanding was that Kaspersky was going to disable ssl scanning if enterprise roots was disabled although instead they seem to be now setting security.enterprise_roots.enabled to 'true' and locking the preference. I assume that disabling their SSL scanning feature "Scan encrypted connections upon request from protection components" (found inside the Network settings section of the Kaspersky antivirus) makes the TLS 1.3 issue go away? Could it be that their SSL scanning feature is incompatible with TLS1.3, requiring them to downgrade to TLS1.2?

First let me make sure I understand the situation. Is Kaspersky terminating the connection with their own trust anchor? I.e., is the certificate Kaspersky.

Upon further investigation and talking things over with Romain, it was discovered that a particular setting in Kasperskys network section was intercepting all SSL traffic, causing the TLS encyrption to change. It was also noticed that when this was done, the certificate used was 'AO Kaspersky Lab' instead of 'DigiCert Inc'. After I disabled the SSL interception, the connection was switched back to TLS 1.3 with a DigiCert Inc certificate.

OK, then this is as expected, so the bug should be closed.

Per EKr's comment this is expected behavior, closing the bug now.