Hi there, I maintain Phoenix, a suite of configurations & advanced modifications for Firefox. I recently received a report from a user who was unable to access google.com & youtube.com. The issue appears to have been directly caused by AdGuard for Windows, due to your program breaking HTTPS via the HTTPS Filtering feature. We enforce Strict Certificate Pinning, so instead of the browser just loading the MITM'ed webpage, it spits out a MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE error.
This issue doesn't only apply to Phoenix, it also impacts:
Proposed solution
There are a number of solutions I could see to this problem.
Stop filtering HTTPS traffic for browsers by default. Why is this type of filtering necessary at all for web browsers, where you can simply install a content blocking extension, such as uBlock Origin or your own? This is a far safer approach that doesn't break HTTPS. For users who did still want to filter this traffic in their browser for whatever reason, it could be added as a separate toggle, with a warning so they know it will cause issues with various browsers. I'm personally against having this kind of HTTPS filtering at all, but not enabling it for the browser by default would at least be a compromise and improvement over the current situation, and it'd still give users a choice who really do want to use it. It'd both fix this issue and directly improve the privacy & security of all AdGuard users as a whole, regardless of their browser choice.
In your AdGuard Browser Assistant extension, is it possible to add some kind of check for the value of the security.cert_pinning.enforcement_level pref? If the pref is set to 2 (how it's set by Phoenix & all of the other browsers/projects listed above), perhaps AdGuard could disable HTTPS filtering for the browser? At the very least, maybe it could give users some kind of prompt or warning that with the pref set to 2, they will have issues.
Is it possible to fall back to the authentic webpage if the user is met with the MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE error? If not, when users run into this error, is it possible to inform them that this pref might be the cause?
If the HTTPS filtering implementation is left as is - could there at least be some kind of warning or KB entry that informs users of this issue?
Alternative solution
Thank you for your time, I hope we can find some solution here, especially seeing as how this is a widespread issue that impacts a significant number of users, due to how many browsers also enable Strict Certificate Pinning. This directly hurts AdGuard, as users will see websites break after installing it and won't understand why/how to fix it.
If there's anything I can do to help with this issue on my end, please let me know, though I won't compromise on toggling the security.cert_pinning.enforcement_level, due to the substantial privacy & security benefits it provides.
I myself am a fan of AdGuard - I own a lifetime license to your software of my own, and Phoenix even includes AdGuard's DNS servers as some of the few carefully considered default providers for users to choose from, so I deeply respect your work.
Look forward to hearing back from you soon :)
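A diagnostic for the pref check proposed in the issue above, as an added example that is not part of the original issue or of AdGuard's code: it reads a Firefox profile's prefs.js and user.js and reports whether the effective security.cert_pinning.enforcement_level means a locally installed filtering CA will produce MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE on pinned sites. The function names and the sample profile are constructed for illustration; values set through autoconfig or enterprise policy do not appear in these two files and are not covered.

```python
import re
import tempfile
from pathlib import Path

PREF = "security.cert_pinning.enforcement_level"
DEFAULT_LEVEL = 1  # Firefox default when no file sets the pref
LEVELS = {
    0: "pinning disabled",
    1: "pins not enforced when the chain ends in a user-added CA",
    2: "strict: pins enforced even when the chain ends in a user-added CA",
    3: "strict, and test-mode pins are enforced too",
}

# Matches user_pref("<PREF>", N); at the start of a line, so //-commented lines never match.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(-?\d+)\s*\)\s*;', re.MULTILINE)

def level_in(text):
    """Return the last value one prefs file sets for PREF, or None if it sets none."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)  # drop block comments
    hits = PREF_RE.findall(text)
    return int(hits[-1]) if hits else None

def effective_level(profile_dir):
    """Firefox reads prefs.js, then user.js, so user.js wins when both set the pref."""
    level = DEFAULT_LEVEL
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            found = level_in(path.read_text(encoding="utf-8", errors="replace"))
            if found is not None:
                level = found
    return level

def interception_will_fail(level):
    """True when a locally installed filtering CA cannot satisfy a site's pins."""
    return level in (2, 3)

def demo():
    """Constructed profile: prefs.js holds the default, user.js sets the strict value."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "prefs.js").write_text(f'user_pref("{PREF}", 1);\n')
        Path(d, "user.js").write_text(f'/* constructed sample */\nuser_pref("{PREF}", 2);\n')
        level = effective_level(d)
    return level, interception_will_fail(level)

if __name__ == "__main__":
    level, breaks = demo()
    print(f"{PREF} = {level} ({LEVELS.get(level, 'unknown')}); pinned sites fail: {breaks}")
```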