Friday, 28 February 2014

How-to: Fix Untrusted Connections in Firefox



With so much of our daily lives now conducted via the Internet - paying bills, accessing medical services, on-line banking, shopping - if you can't trust your browser to take you to the right site, what do you do?

And what do you do when it is the right site but the browser thinks otherwise?

It's all to do with certificates and identification

In Firefox, security is taken very seriously. Any web address that starts with https uses an encrypted link, and the site presents a "certificate" to identify itself. That is fine as long as Firefox determines that the site you're visiting is actually the site it claims to be. If there is a problem with the certificate - as I have with one of my client sites - you will see the This Connection Is Untrusted alert page.

Connection Untrusted
The alert doesn't necessarily mean that the site is fraudulent or broken - it just means that Firefox isn't able to verify the identity of the website, and rightly advises you to proceed with care. Several problems can cause Firefox to reject an https certificate.

I'm Not a Certificate, Get out of Here
If you don't have the nerve or the know-how to deal with the alert, the safest thing to do is to click the Get me out of here! button. If you can read the tea-leaves in the Technical Details section, you might be able to make a judgement call or take action in respect of incorrect identification. The 'I understand the risks' option declares you are willing to risk a connection that could be vulnerable to eavesdropping (I've never dropped any eaves, have you?).

If you can, check in with the owners of the website; they may not know there's a problem. If, like my client, there's an ongoing issue with a certain certificate, it may be perfectly safe to

Technical information
Some common errors are:

  1. Certificate will not be valid until (date); somebody deployed a certificate early - it's not valid yet.
  2. (site name) uses an invalid security certificate. The certificate will not be valid until (date). (Error code: sec_error_expired_issuer_certificate). Also a date issue - probably yours. If your computer clock has the wrong date (the date given in the error message is in the past), your system clock needs setting correctly.
  3. The certificate expired on (date); somebody forgot to renew the certificate.
  4. (site name) uses an invalid security certificate. The certificate expired on (date). (Error code: sec_error_expired_certificate); also expired.
  5. Certificate is only valid for (site name); (site name) uses an invalid security certificate. The certificate is only valid for (site name). (Error code: ssl_error_bad_cert_domain). This is potentially the bad one: the identification sent to you by the site is actually for another site. It's also possible the certificate is for a different part of the same site or domain. For example, https://example.com and https://www.example.com are different addresses; the certificate for one does not authenticate the other.
  6. (site name) uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer). Some anti-virus software will trigger this message if you have enabled SSL scanning - ESET or BitDefender go off on this one. Try disabling this option.
  7. (site name) uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_untrusted_issuer). Self-signed certificates may make a secure connection but prove nothing about the actual identity of the site owner.
  8. (site name) uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer). This one you can do something about.
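To make the date and name errors above concrete, here is an added example (not code from the original post) that reproduces the two checks behind them on constructed certificate data laid out the way Python's ssl.getpeercert() returns it. The sample certificates, the "current time" and the label not_yet_valid for items 1 and 2 are all constructed for the example; the other return values are the error codes quoted above.

```python
# Added example (not from the original post): the date and hostname checks
# behind the Firefox errors listed above, run on constructed certificate data
# laid out the way ssl.getpeercert() returns it.
import calendar
import ssl

def _name_matches(pattern, hostname):
    """Match one certificate name, allowing '*' only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # *.example.com never covers example.com
    return p == h

def cert_names(cert):
    """DNS names a certificate vouches for: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def check_certificate(cert, hostname, now):
    """Return an error label (the post's codes, or 'not_yet_valid' for items 1-2), None if it passes."""
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"                   # deployed early, or your clock is behind
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "sec_error_expired_certificate"   # nobody renewed it, or your clock is ahead
    if not any(_name_matches(n, hostname) for n in cert_names(cert)):
        return "ssl_error_bad_cert_domain"       # the identification is for another name
    return None

# Constructed sample certificates and a constructed "current time" (1 July 2014 UTC).
EXAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}
WILDCARD_CERT = dict(EXAMPLE_CERT, subjectAltName=(("DNS", "*.example.com"),))
NOW = calendar.timegm((2014, 7, 1, 0, 0, 0))

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "mail.example.com"):
        print(host, check_certificate(EXAMPLE_CERT, host, NOW), check_certificate(WILDCARD_CERT, host, NOW))
    print("clock set to 2011:", check_certificate(EXAMPLE_CERT, "example.com", NOW - 3 * 365 * 86400))
```

Note that the wildcard certificate covers www.example.com but not the bare example.com, which is exactly the situation item 5 describes.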

Firefox can sometimes trash authentication files in user profile folders. A certificate that was valid suddenly becomes unrecognised - but nothing changed. It's possible the file cert8.db in your profile folder has become corrupted. You can close Firefox and delete this file.

Deleting cert8.db
Into the rabbit warren we go:

  1. Open your profile folder: at the top of the Firefox window, click on the Firefox button, choose the Help menu and then Troubleshooting Information.
  2. In Application Basics, select Show Folder to open a new window listing your profile files.
  3. At the top of the Firefox window, click on the Firefox button and select Exit to close the browser. The profile window remains open.
  4. Click on the file named cert8.db.
  5. Press Delete.
  6. Restart Firefox.

A new cert8.db will be created when you restart Firefox. This is normal.

I Understand the Risks
You can bypass the warning if you're confident of both the identity of the website and the integrity of your connection. You can add the site as a security exception and carry on using it:

  1. On the warning page, click I Understand the Risks.
  2. Click Add Exception... The Add Security Exception dialog will appear.
  3. Read the text describing the problems with this site.
  4. Click Confirm Security Exception if you want to trust the site.

However, few legitimate public sites will run for long with an invalid certificate; nor should you. RC
More information at: http://support.mozilla.org/en-US/kb/connection-untrusted-error-message

3 comments:

  1. Did the delete cert8.db thing. No cigar. Even www.mozilla.org shows sec_error_unknown_issuer. Notepad++ appears to show almost no data in the rebuilt file.

  2. Same, deleted cert8.db, not fixed. Getting sec_error_unknown_issuer.

  3. Except when that doesn't work, of course... Which, as has been pointed out, it sometimes doesn't. You can delete cert8.db and not fix it, getting sec_error_unknown_issuer and the Add Exception button not available.

    Which is frustrating when all other Browsers (Chrome, Safari, IE11) are working as normal on the same device. Assuming your system date and time are set correctly (check all certificate expiry dates versus your clock), it could be either of two things.

    Apparently Mozilla has a stringent policy as to which certificate authorities it includes as root certificates; Firefox needs a certificate chain that not only ends in a root certificate but has all required intermediate certificates sent by the server. Some sites don't properly include the intermediate certificate, so this can lead to problems for specific sites.

    You might have to install the right intermediate certificate manually, which is a tutorial all of itself, but essentially entails finding and downloading the .crt file for that site, then in Firefox going to Options, Advanced, Certificates, View Certificates, then Import - but leave all the option check-boxes un-ticked in the confirmation dialog.

    The same error mightn't be due to an issue with the browser itself, but owing to security software or malware monitoring or intercepting encrypted network traffic on your PC - which looks like a man-in-the-middle attack to Firefox, so it stops working.

    This could include some firewalls which monitor secure connections, programs like Sendori or FiddlerRoot that can intercept connections and send their own certificate instead of the intended website's certificate. Eset Smart Security can play havoc with https depending on the configuration. It is on a client's network and plays merry hell with Firefox, but since it's not under my control, the IT folks won't change it.

    Then there is malware such as 'Browser Secureguard.' Apparently, this is a sneaky piece of Adware that routes via various proxies to serve up ads while browsing; inserting itself into the certificate chain messes with Firefox's security model, so that warning comes up that is nothing to do with the destination site at all.

    References:
    http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
    http://www.mozilla.org/projects/security/certs/pending/

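The third comment's two explanations for sec_error_unknown_issuer (a server that omits its intermediate certificate, and security software that re-signs traffic with its own root) can be shown with a simplified chain walk. This is an added example, not code from the post or any commenter; the certificates are constructed name-only dicts, and real validation also checks signatures, dates and key usage.

```python
# Added example (not from the post or its comments): a simplified chain walk
# showing why a server that omits its intermediate certificate, or a TLS
# scanner that re-signs traffic with its own root, ends in sec_error_unknown_issuer,
# and why importing the missing intermediate (with no trust boxes ticked) fixes
# the first case but not the second. Certificates here are constructed dicts
# with names only; real validation also checks signatures, dates and key usage.

def build_chain(leaf, server_sent, local_store, trusted_root_names):
    """Follow issuer links from the leaf until a trusted root is reached.

    server_sent: certificates the server included after the leaf.
    local_store: certificates Firefox already holds (built-in roots plus any
                 you imported manually). Only names in trusted_root_names are
                 trust anchors; an imported intermediate is merely available.
    Returns (status, chain) with status "ok" or one of the post's error codes.
    """
    chain, current = [leaf], leaf
    seen = {leaf["subject"]}
    while True:
        if current["subject"] == current["issuer"]:            # reached a self-signed cert
            if current["subject"] in trusted_root_names:
                return "ok", chain
            if current is leaf:
                return "sec_error_untrusted_issuer", chain     # self-signed site certificate
            return "sec_error_unknown_issuer", chain           # chain ends at an untrusted root
        issuer = next((c for c in server_sent + local_store
                       if c["subject"] == current["issuer"] and c["subject"] not in seen), None)
        if issuer is None:
            return "sec_error_unknown_issuer", chain           # issuer neither sent nor held locally
        seen.add(issuer["subject"])
        chain.append(issuer)
        current = issuer

# Constructed certificates: a trusted root, its intermediate, a site leaf,
# a self-signed leaf, and a local TLS-scanning root that Firefox does not trust.
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA"}
INTERMEDIATE = {"subject": "Example Issuing CA", "issuer": "Example Root CA"}
LEAF = {"subject": "www.example.com", "issuer": "Example Issuing CA"}
SELF_SIGNED = {"subject": "intranet.example", "issuer": "intranet.example"}
SCANNER_ROOT = {"subject": "Local TLS Scanner Root", "issuer": "Local TLS Scanner Root"}
INTERCEPTED_LEAF = {"subject": "www.example.com", "issuer": "Local TLS Scanner Root"}
BUILTIN_ROOTS = [ROOT]
TRUSTED_ROOT_NAMES = {"Example Root CA"}

if __name__ == "__main__":
    print("full chain sent:      ", build_chain(LEAF, [INTERMEDIATE], BUILTIN_ROOTS, TRUSTED_ROOT_NAMES)[0])
    print("intermediate missing: ", build_chain(LEAF, [], BUILTIN_ROOTS, TRUSTED_ROOT_NAMES)[0])
    print("intermediate imported:", build_chain(LEAF, [], BUILTIN_ROOTS + [INTERMEDIATE], TRUSTED_ROOT_NAMES)[0])
    print("self-signed site:     ", build_chain(SELF_SIGNED, [], BUILTIN_ROOTS, TRUSTED_ROOT_NAMES)[0])
    print("scanner in the middle:", build_chain(INTERCEPTED_LEAF, [SCANNER_ROOT], BUILTIN_ROOTS, TRUSTED_ROOT_NAMES)[0])
```

The scanner case stays an error no matter what the server sends, which is why the comment's advice is to look at the security software rather than the website.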