Roger wrote:
> "If you go to Options -> Advanced -> Certificates, and view
> certificates, are any listed?"
> As mentioned in a prior part of this thread, none listed when this
> error displays - there is no certificate to view for that page (under
> page info).
Wasn't asking what cert was used or is missing for a particular site
visit. Not asking about the site cert details shown when visiting a web
page. I asked if ANY *root* certs were listed in Firefox's private
certificate store. Navigate to where I mentioned to see the list of
certs listed in Firefox's private certificate store. There is where you
want to ensure the Google CA (via GeoTrust) is listed inside of Firefox
(whether or not you are currently visiting a Google site).
What URL do you use to visit Google? Do you start with HTTP
(http://www.google.com/) or with HTTPS (https://www.google.com)? Google
should redirect you to their HTTPS page (it is a server-side action
rather than relying on issuing the Location header to the client telling
it where instead to connect).
Are you using the HTTPS Everywhere extension? If so, test with loading
Firefox in its safe mode to disable it (and all other extensions) to
eliminate them as the cause for your problem. I've once encountered a
problem visiting an HTTP web site using HTTPS Everywhere to alter the
URL to instead connect to the HTTPS version of the web site (the old
site was HTTP only, they had migrated to a new site that used HTTPS,
and HTTPS Everywhere was simply changing the protocol from http:// to
https:// without changing the domain portion of the URL so they were
trying to use HTTPS at an HTTP site that had no HTTPS support).
Reported the problem to them, reported the problem to the web admin for
the site, and the problem disappeared in 3 days (don't know if the HTTPS
Everywhere authors or the site admin fixed the problem). Since HTTPS
Everywhere has a limited database of rules in trying to connect to HTTPS
instead of HTTP, I'll have to see how many times I hit more problems
with that extension. I figure on strike 3 that it will get removed.
Two strikes remaining.
> I DID GO into certificates and deleted all that pertained to (say)
> google... just to see if that allowed me to hit google.com, nope.
> There are none showing for Kaspersky, for Malwarebytes or for MS Sec
> Essentials. I WILL recheck on Saturday.
You do NOT want to delete the root certs in Firefox's private cert store
(or the root certs in the OS/global cert store, either).
Google is a CA (Certificate Authority) so they, of course, issue their
own site certs which are verified using their trusted root certs that
must be installed in whatever certificate store is used to find the root
certs. In Options -> Advanced -> Certificates, view certificates, you
should find "Google Internet Authority G2" listed under GeoTrust. Do
NOT delete it NOR mark it distrusted; else, you deliberately break the
validation chain.
> 2. All of the A/V are active!
That is usually a bad setup. They will often conflict with each other.
When one notices that a file has been accessed, like for a write, it
will scan the file, and so will the other AV program, and so on. They
can even get into a loop where one AV opens a file during a scan which
another AV sees got opened so it scans, which the first AV sees was
opened by the other AV so it reopens the file, ad infinitum. I've seen
this where hard disk activity skyrockets. A file monitor showing who
was accessing the file found 2 AV programs battling over each other as
to who would succeed in scanning the opened file. Eventually they would
timeout after about 8000 file opens and scans. Uffda. Excluding one AV
from another AV is only preventing them from scanning each other's files
on the disk, not from their processes conflicting with each other.
You might install multiple AV programs to overlap their detection
coverage but only ONE and ONLY ONE should be active at a time. Only ONE
should have active its on-access scanner. The others should remain
quiescent (inactive) and used only as on-demand scanners.
That best-use scenario of multiple AV programs for overlapped coverage
applies when the quiescent AV program(s) has no active components. Some
install drivers into the system API calls or stack drivers that remain
active even when you supposedly disable them. SuperAntiSpyware (SAS),
for example, will leave behind an active file I/O stacked driver. It
can interfere with other stacked drivers because many are sensitive to
the order in which they are stacked. Using SAS means it is still active
with its stacked driver despite you having told that AV program to not load.
So even if you have only ONE anti-virus program running (its on-access
scanner) at a time, the other supposedly quiescent ones can still
interfere with the operation of the active one and even with the
operation of the others when they are manually run as on-demand
scanners.
From your prior statement, it looks like you are using Kaspersky,
Microsoft Security Essentials (MSE), and MalwareBytes. Two of those
mention a company name, not a product name. I can only assume you are
using only the anti-virus product from Kaspersky, not a suite, and
probably the AntiMalware product from MalwareBytes (aka MBAM). However,
I do not know if you are using the free or paid version of MBAM. The
free version of MBAM does not have an on-access scanner, only an
on-demand scanner. The free version of MBAM won't conflict with
Kaspersky or MSE. The paid version of MBAM has encountered conflicts
with other anti-virus/malware software (and excluding them from scanning
each other's disk files was not a solution). MSE is such a weak
anti-malware program that it rarely conflicts with anything but it can.
I would leave MSE installed but configure it to not be active and only
use it as an on-demand scanner (turn off its real-time protection as it
is a waste of CPU and data bus resources). You would still be wasting
some memory on an otherwise idle service. Your setup is probably okay:
a strong AV (Kaspersky), a limp one (MSE), and a differently oriented
anti-malware (MBAM). However, if you use a coarse and fine sifter to
separate particle sizes of sand, you really only need the fine sifter.
No real added detection coverage is afforded by having MSE active.
If I ever saw MSE detect something that Kaspersky did not, I would
suspect MSE's alert was a false positive. I would run the file through
VirusTotal.com to see if MSE was indeed correct and Kaspersky missed it.
In the past, I used an anti-spam proxy that would poll the DNSBLs (DNS
blocklists), like Spamhaus and Spamcop. Anything flagged by the Spamcop
blocklist was already flagged in Spamhaus' zen blocklist. Many flagged
by Spamhaus (that were indeed spam) were NOT flagged by Spamcop.
Spamhaus's zen blocklist was the better list (the fine grained sifter)
so there was no point in wasting bandwidth and CPU cycles to go poll
Spamcop's blocklist.
> One has to create an 'ignore' status in each for the others but they
> play well together
If they don't leave behind some active component, like a driver when
disabled and after a reboot of Windows. I gave the SAS example that
leaves a file I/O stack driver loaded (even after a reboot) that I found
interfered with another AV program (forget which one). I had to use an
old tool (no longer available) from Resplendence that showed me the
stacked drivers and their order. That's how I discovered SAS was still
active despite being disabled and the other AV program didn't like to be
second in line after the SAS driver. Too often stacked drivers are
sensitive to their loading order. My suggestion to disable all but one
AV program and reboot Windows usually works to have only that AV program
active but that does not always work. Some still leave resident
(active) components when disabled. They may not in Windows safe mode.
> I even exited the A/V, made sure the task manager showed none of the
> executables running,
That won't get rid of the drivers. Rebooting in Windows' safe mode
(with networking) may eliminate loading their drivers. Have you tried
booting into Windows safe mode?
> I do not allow anything to UPDATE on its own, all updates are done
> manually. I set Firefox to 'tell me' and that is all... same with
> Windows 7 Pro 64. Same with the A/V stuff too.
You want your anti-virus/malware software to automatically get signature
updates but alert you when there is a program update.
Have you looked at each anti-virus/malware program to check its last
*program* update to see if all were updated before or after the HTTPS
problem started?
> I did create a 'new' profile using the 'Firefox' refresh button on
> their site... it basically sets things back to default. No help.
Never used that. Typically the suggestion is to create a new profile.
You don't reuse a freshened instance of your old profile but instead
create a whole new and separate profile.
Or are you talking about resetting Firefox as mentioned at:
https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings
That disables extensions and sets all settings to default in what you
see in the config UI and under about:config. It does not create a new
profile. It resets your existing profile. You tried a reset of your
current profile and that didn't work, so I'd try a wholly new profile.
> I am going to reinstall after a full wipe of FF... I will keep the
> current profile (secure it away), create a full clean, new install
> and then see if 'that generic' profile has issues. If not, I will use
> the profile manager and swap, then see... I am amazed at how
> resilient this problem is.
First try loading Firefox in its safe mode and retest.
If that doesn't work, try using a *new* profile (not a reset one) in
Firefox.
If that doesn't help, reboot Windows into its safe mode with networking
and retest.
And if all that doesn't work, I guess my next step would be to uninstall
Firefox, delete any remnant files (e.g., Firefox profile folders,
appdata folder, etc) and any remnant registry entries, and do a fresh
install of Firefox.
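
Added example (not part of the original post): the reply describes "disabled" AV products leaving file I/O filter drivers loaded in a stack whose order matters. Windows' built-in `fltmc filters` command (run from an elevated prompt) lists loaded minifilter drivers and their altitudes; the sketch below parses that output and reports which filters sit in Microsoft's anti-virus altitude range. It assumes the products use minifilter drivers, and the sample output and the `exampleav_*` names are constructed.

```python
import re

# Microsoft's allocated altitude range for the "FSFilter Anti-Virus"
# load-order group. Higher altitude = closer to the top of the stack.
AV_ALTITUDES = (320000, 329999)

# Constructed sample of `fltmc filters` output; exampleav_a/b are made-up names.
SAMPLE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
exampleav_a                             4       328500         0
exampleav_b                             4       324100         0
luafv                                   1       135000         0
FileInfo                                4        45000         0
"""

# name, instance count, altitude (may be fractional), frame
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s*$")


def parse_filters(text):
    """Return [(name, instances, altitude)], top of the stack first."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match and are skipped
            rows.append((m.group(1), int(m.group(2)), float(m.group(3))))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def active_av_filters(text):
    """Names of filters in the AV altitude range attached to >= 1 volume."""
    lo, hi = AV_ALTITUDES
    return [name for name, inst, alt in parse_filters(text)
            if lo <= alt <= hi and inst > 0]


if __name__ == "__main__":
    av = active_av_filters(SAMPLE)
    for name, inst, alt in parse_filters(SAMPLE):
        tag = "  <-- AV range" if name in av else ""
        print(f"{alt:>10.0f}  {name} ({inst} instances){tag}")
    if len(av) > 1:
        print("More than one AV-range filter is loaded:", ", ".join(av))
```

Running the real command after disabling a product and rebooting shows whether its filter is still loaded, which Task Manager's process list will not.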