All of a sudden...

Firefox tells me that for several web sites that I visit regularly:

"Your connection is not secure. The owner of xxx.com or xxx.co.uk has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site". I can't even get to search with Google!

I normally run my computer as a 'user', but when I run as an 'administrator', I can connect to those sites without a problem.

Other web sites connect OK even when running as a 'user'.

Re-starting FF or re-booting the computer doesn't clear the problem.

I'm using FF 63.0.3 32-bit, the latest version.

What's going on?

Reply to
Chris Hogg

formatting link

Reply to
Richard

Certificate issues on your machine perhaps? Have you done any updates or got a new anti malware solution recently? Brian

Reply to
Brian Gaff

Date/Time wrong on PC?

Reply to
Andy Burns

Try looking at their site security certificates - my guess is the site owner has let them time out so FF is warning you about that.

Reply to
Martin Brown

Unlikely if it's several (all https?) sites at the same time; Richard's suggestion that AVG has started MITMing the traffic sounds likely.

Reply to
Andy Burns

Thanks for the suggestions. I use Bitdefender Total Security as my AV etc, not AVG nor Avast.

A bit of Googling and generally thrashing about tells me that one possibility is that the database of certificates in my user Appdata area has become corrupted. The fact that I can access all the web sites when running as an administrator, and also when using Comodo Ice Dragon as my browser, makes me think it's something specific to my Appdata files, in particular a corrupt Cert9.db file. I've tried deleting it and letting FF rebuild it, which doesn't cure the problem. The next thing to try is copying the Cert9.db file from my Administrator area into the appropriate folder in my User area to see if that cures it. Failing that, I'll carry on using Comodo, as it's very similar to FF, until I get the problem properly sorted.

Any comments?

Reply to
Chris Hogg

Only:

Dear oh dear, what a faff it is having to deal with AV stuff, eh?

Reply to
Tim Streater

What is the full error message after expanding any "Advanced..." sections?

Particularly relevant would be anything similar to SEC_ERROR_EXPIRED_CERTIFICATE or SEC_ERROR_UNKNOWN_ISSUER.

If you go to "Add Exception..." then View, then the Details tab, what does it show in the Hierarchy box?

Reply to
Andy Burns

Except he's said it's not related to AV, does Linux make you immune from a corrupt certificate database?

Reply to
Andy Burns

Afterwards, make sure you hit Cancel rather than Confirm

Reply to
Andy Burns

But it appeared to take some time to determine this

Wot hav this to do with anything?

Reply to
Tim Streater

This is what I get initially when attempting a Google search:

"Your connection is not secure

The owner of

formatting link
has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."

and when I click on 'Advanced' I get: "

formatting link
uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER"

Apart from that, a bit more Googling suggests I should switch off 'Scan SSL' setting in Bitdefender v.15 and v.16, except I can't find that setting on Bitdefender Total Security. Nor can I find which version of Bitdefender Total Security I have. For most applications, it's under Help > About, but there doesn't seem to be such a thing on my current version of Bitdefender.

However

I switched off the 'Search Advisor' option under 'Online Threat Protection' in Bitdefender, which allowed me at least to access Google, although the same web sites still got blocked. Switching the OTP back on blocks Google itself again. It's most odd.

Reply to
Chris Hogg

Have you tried this: <q>

Chosen Solution thanks, so in a corporate environment it appears that all your secure network traffic is being intercepted/monitored by some network appliance. in order for that to work, the certificate of the man-in-the-middling device has to be trusted by browsers. firefox uses its own trust store for certificates instead of depending on the windows trust store by default.

you could import all custom certs from windows into firefox like this, which in effect should address the errors on secure pages: enter about:config into the firefox address bar (confirm the info message in case it shows up) & search for the preference named security.enterprise_roots.enabled. double-click it and change its value to true and restart the browser. </q>

from here:

formatting link

Reply to
Richard

Did you get the option to add an exception? From there you can view the certificate(s) you are being given. What does the root certificate in the Hierarchy box say?

Most likely is something (bitdefender or whatever) is decrypting your SSL sessions, inspecting and/or modifying them and re-encrypting with a local certificate, which naturally firefox doesn't trust.

The error is what you'd expect, given what bitdefender is doing to your traffic.

Reply to
Andy Burns

Well, thanks for trying, but it made no difference :-(

Reply to
Chris Hogg

No. As quoted earlier, I get "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."

Er...I see no Hierarchy box! Where should it be?

You don't like Bitdefender? Pray tell...

I don't get the problem when I run as Administrator, or when using Comodo Ice Dragon. I don't see why Bitdefender should be at fault if I only get the failure when running as a User.

Reply to
Chris Hogg

If you don't get the option to add an exception, you can't view the certificates, so it doesn't exist.

I don't like *anything* that futzes with SSL traffic.

Perhaps when bitdefender was installed (as admin?) it added its own root cert to admin's cert store?

Firefox has its own cert store, but other browsers use the windows cert store, which was what the 'enterprise' about:config setting someone else suggested would change.

If you visit another https site, that doesn't use HSTS (i.e. not as high profile as google, or a bank) do you get a "weaker" error message that does let you get as far as adding an exception?

Reply to
Andy Burns
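
The two per-profile things this thread keeps coming back to, the security.enterprise_roots.enabled preference and the health of cert9.db, can be compared between a working and a failing Firefox profile with a short script. This is an added example, not part of any post in the thread; the function names are hypothetical and the two profile directories are constructed inside demo().

```python
import re
import sqlite3
import tempfile
from pathlib import Path

PREF = "security.enterprise_roots.enabled"
# prefs.js / user.js hold one pref per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_pref(profile, name=PREF):
    """Value set in the profile, or None when the built-in default applies."""
    value = None
    for fname in ("prefs.js", "user.js"):  # user.js is applied over prefs.js
        path = Path(profile) / fname
        if path.is_file():
            for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
                m = PREF_LINE.match(line)
                if m and m.group(1) == name:
                    value = {"true": True, "false": False}.get(m.group(2), m.group(2))
    return value

def cert_db_status(profile):
    """cert9.db is an SQLite file; open it read-only and run SQLite's own check."""
    db = Path(profile) / "cert9.db"
    if not db.is_file():
        return "missing"
    con = sqlite3.connect(db.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return con.execute("PRAGMA integrity_check").fetchone()[0]
    except sqlite3.DatabaseError as exc:
        return f"corrupt: {exc}"
    finally:
        con.close()

def profile_report(profile):
    return {"enterprise_roots": read_pref(profile), "cert9.db": cert_db_status(profile)}

def demo():
    """Constructed stand-ins for the working (admin) and failing (user) profiles."""
    with tempfile.TemporaryDirectory() as tmp:
        admin, user = Path(tmp, "admin"), Path(tmp, "user")
        admin.mkdir(); user.mkdir()
        (admin / "prefs.js").write_text(f'user_pref("{PREF}", true);\n')
        con = sqlite3.connect(str(admin / "cert9.db"))
        con.execute("CREATE TABLE sample (id INTEGER)")
        con.commit(); con.close()
        (user / "prefs.js").write_text('user_pref("browser.startup.page", 3);\n')
        (user / "cert9.db").write_bytes(b"not a database " * 300)
        return profile_report(admin), profile_report(user)
```

On a real machine, call profile_report() on each account's Firefox profile folder while Firefox is closed; the database is opened read-only, so nothing in the profile is changed.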

formatting link
does allow me to add an exception. The root certificate in the Hierarchy box is as follows:


But there are lots of sub-headings. Are their details in the above somewhere? It means nothing to me...

Reply to
Chris Hogg

formatting link

Reply to
Richard
