Monday, 5 January 2015

How-to: Fix Untrusted Connections in Firefox Pt 2


In part 1, I outlined a fix for this, which for the most part, works a treat. 

Except when it doesn't work, of course... Which, as has been pointed out, it sometimes doesn't. You can delete cert8.db and still not fix it: you get sec_error_unknown_issuer and the Add Exception button is not available.

Which is frustrating when all other browsers (Chrome, Safari, IE11) are working as normal on the same device. Assuming your system date and time are set correctly (check all certificate expiry dates against your clock), it could be either of two things.


Apparently Mozilla has a stringent policy as to which certificate authorities' root certificates it includes; Firefox needs a certificate chain that not only ends in a root certificate, but in which all required intermediate certificates are sent by the server. Some sites don't properly include the intermediate certificate, so this can lead to problems with specific sites.

You might have to install the right intermediate certificate manually, which is a tutorial all of itself, but essentially entails finding and downloading the .crt file for that site, then in Firefox going to Options, Advanced, Certificates, View Certificates, then Import - but leave all the option check-boxes un-ticked in the confirmation dialog.

The same error might not be due to an issue with the browser itself, but to security software or malware that is monitoring or intercepting encrypted network traffic on your PC - which looks like a man-in-the-middle attack to Firefox, so it stops working.

This could include some firewalls which monitor secure connections, and programs like Sendori or FiddlerRoot that can intercept connections and send their own certificate instead of the intended website's certificate. Eset Smart Security can play havoc with HTTPS depending on the configuration. It is on a client's network and plays merry hell with Firefox, but since it's not under my control, the IT folks won't change it.

Then there is malware such as 'Browser Secureguard.' Apparently, this is a sneaky piece of adware that routes traffic via various proxies to serve up ads while browsing; inserting itself into the certificate chain messes with Firefox's security model, so the warning that comes up has nothing to do with the destination site at all. RC
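To tell the two causes apart, look at the chain the server actually sends. The following is an added example, not part of the original post: it parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports whether the chain reaches a known root, stops short of one, or carries an issuer that looks like a local interception product. The sample outputs, the root-store set and the issuer markers are constructed assumptions.

```python
import re

# Crude issuer substrings for the products named in the post (assumed markers).
INTERCEPTION_MARKERS = ("fiddlerroot", "eset", "sendori")
# Constructed stand-in for the browser's root store.
TRUSTED_ROOTS = {"CN = Example Root CA"}
# Subject/issuer pairs as printed in the "Certificate chain" section.
PAIR = re.compile(r"^ *\d+ s:(.*)\n +i:(.*)$", re.M)

# Constructed sample outputs, one per situation described above.
SAMPLE_COMPLETE = """Certificate chain
 0 s:CN = shop.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
"""
SAMPLE_MISSING = """Certificate chain
 0 s:CN = shop.example.test
   i:CN = Example Intermediate CA
"""
SAMPLE_INTERCEPTED = """Certificate chain
 0 s:CN = shop.example.test
   i:CN = DO_NOT_TRUST_FiddlerRoot
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for s, i in PAIR.findall(text)]

def diagnose(text, trusted_roots=TRUSTED_ROOTS):
    chain = parse_chain(text)
    if not chain:
        return "no-chain"
    # A certificate issued by a local proxy or filter replaces the site's own.
    if any(m in issuer.lower() for _, issuer in chain for m in INTERCEPTION_MARKERS):
        return "intercepted"
    # Each certificate must be issued by the next one the server sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "chain-broken"
    top_subject, top_issuer = chain[-1]
    if top_issuer in trusted_roots:
        return "complete"
    if top_subject == top_issuer:
        return "untrusted-root"  # self-signed and not in the store
    # Chain stops short of any known root: an intermediate was not sent
    # (or the issuing root is simply absent from the store).
    return "missing-intermediate"

if __name__ == "__main__":
    print(diagnose(SAMPLE_MISSING))
```

A browser that has cached the intermediate from an earlier visit will load the "missing-intermediate" site without complaint, which is why the same page can work in one browser profile and fail in another.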

References:
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
http://www.mozilla.org/projects/security/certs/pending/
