Invalid security certificate - ALL sites... all domains


Roger

Mar 31, 2016, 1:03:00 PM
to mozilla-sup...@lists.mozilla.org
Good Thursday Morning,
Using latest FF (45.0.1) and have had no issues. Win 7 Pro. Corporate
network behind firewall but "other" laptops/computers sitting next to me
have no issues accessing.

Suddenly this AM I start to be denied access to regularly visited sites.

Example:
www.google.com uses an invalid security certificate. The certificate is
not trusted because the issuer certificate is unknown. The server might
not be sending the appropriate intermediate certificates. An additional
root certificate may need to be imported.

So I checked my time/date, all good.
I also went to the FF folder and deleted the cert8.db file, etc...

Really strange, was instant and affected Yahoo, Google, and this one
(some of many) m3.maas360.com I can see Foxnews... I can see
Bing... so it isn't all encompassing but frustrating.

Appreciate the help.
Thanks
Roger

»Q«

Mar 31, 2016, 1:24:31 PM
to mozilla-sup...@lists.mozilla.org
In
<news:mailman.1135.145944377...@lists.mozilla.org>,
Roger <rogr...@yahoo.com> wrote:

> Using latest FF (45.0.1) and have had no issues. Win 7 Pro. Corporate
> network behind firewall but "other" laptops/computers sitting next to
> me have no issues accessing.
>
> Suddenly this AM I start to be denied access to regularly visited
> sites.
>
> Example:
> www.google.com uses an invalid security certificate. The certificate
> is not trusted because the issuer certificate is unknown. The server
> might not be sending the appropriate intermediate certificates. An
> additional root certificate may need to be imported.
>
> So I checked my time/date, all good.
> I also went to the FF folder and deleted the cert8.db file, etc...

Could you go back to google and get a screenshot of the certificate
info? Page Info (ctrl+i) » Security » View Certificate

Roger

Mar 31, 2016, 3:59:47 PM
to mozilla-sup...@lists.mozilla.org
Did post a response with screen shots, seems not to have posted... have
forgotten if we 'can' do that?
Also, there was no listed certificate for Google under 'view certificate'.

»Q«

Mar 31, 2016, 5:33:01 PM
to mozilla-sup...@lists.mozilla.org
In
<news:mailman.1146.145945438...@lists.mozilla.org>,
Roger <rogr...@yahoo.com> wrote:

> On 3/31/2016 10:22 AM, »Q« wrote:
> > In
> > <news:mailman.1135.145944377...@lists.mozilla.org>,
> > Roger <rogr...@yahoo.com> wrote:

> >> Example:
> >> www.google.com uses an invalid security certificate. The
> >> certificate is not trusted because the issuer certificate is
> >> unknown. The server might not be sending the appropriate
> >> intermediate certificates. An additional root certificate may need
> >> to be imported.

> Did post a response with screen shots, seems not to have posted...
> have forgotten if we 'can' do that?
> Also, there was no listed certificate for Google under 'view
> certificate'.

This list/group won't accept screenshots; you'd need to post it on an
image hosting site and link to it, but if there's no cert at all to see
I don't guess it's needed.

Most of this kind of trouble lately has been due to anti-malware
software. SUMO has a troubleshooting page (which I should have linked
to first),
<https://support.mozilla.org/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER>.

Anonymous

Mar 31, 2016, 6:00:45 PM
to mozilla-sup...@lists.mozilla.org
Are you using ESET Smart Security by any chance?


Doc

Mar 31, 2016, 6:06:34 PM
to mozilla-sup...@lists.mozilla.org
I had wondered about the A/V side of things.
I basically "disabled" all Web protection and, using Kaspersky, then
completely disabled all protection. I overlap with Malwarebytes but also
disabled Web protection in it. I have all A/V apps "ignoring" each
other... maybe I should have them ignore FF... I will also check one
other application I am using that might stop it (but I kind of doubt it
because the Windows 10 Firewall Control applet is all or nothing and I
can get out to many other sites... just a good dozen so far are stopped
(two of which I use all the time)... thanks for hanging in.

--

"Doc" in Arizona
mailto: doc@crosstactical dot com

VanguardLH

Apr 1, 2016, 6:55:46 AM
to mozilla-sup...@lists.mozilla.org
Try disabling your anti-virus software. It might have an HTTPS scanning
feature that requires a MITM (Man In The Middle) attack scheme to
intercept and decode the HTTPS encrypted traffic. Firefox uses its own
private certificate store instead of using the global or OS certificate
store. Internet Explorer and Google Chrome use the global certificate
store (in Windows, run certmgr.msc to see it). Can you visit those same
HTTPS sites by using Internet Explorer or Google Chrome?

For the HTTPS scanning (MITM) scheme to work with Firefox means the
anti-virus program has to install its root certificate into *Firefox's*
private certificate store (besides installing it into the OS global
certificate store). See if disabling your AV program's HTTPS scanning,
if available, or disabling the entire AV program resolves the problem.

While an AV program should be configured to perform background updates
(no user prompt) for signature updates, it should prompt the user when
there is a new *program* update. Depending on how the AV software
updates itself, it is possible that it either does not install its MITM
root certificate into Firefox's private certificate store or an old one
remained in Firefox so the AV software and cert in Firefox are out of
sync.

That HTTPS works at Bing is confusing. I would expect a root cert
problem in Firefox's private certificate store used with the HTTPS
scanning feature of an AV program to cause interference at all HTTPS
sites. Still, I'd try disabling an HTTPS scanning feature in the AV
program or disabling the AV program and then retesting.

Roger

Apr 1, 2016, 12:29:41 PM
to mozilla-sup...@lists.mozilla.org
IN IE, have not tried Chrome yet... can visit them.
I disabled ALL A/V - and my WindowsFirewallControlApp... no joy.
Google, Yahoo, many others (about three that I use all the time) give
the exact same notice of 'insecure' page, not able to allow, etc...

Strangest thing... BTW, the A/V on this PC has been installed for over 1
year... all of them. Never had this happen before.
Thanks for helping.

»Q«

Apr 1, 2016, 12:57:11 PM
to mozilla-sup...@lists.mozilla.org
In
<news:mailman.1153.145946199...@lists.mozilla.org>,
You're the same as Roger, the OP?

If there's an 'advanced' button or an 'I understand the risks' option
on the error page Firefox shows you, you should be able to drill down
from there to get to a view of the certificate info to get a screenshot.

(I'm sorry I can't give better directions -- Mozilla keep changing the
UI of the error page, and I can't remember what it currently looks
like.)

Millwood

Apr 1, 2016, 1:18:00 PM
to mozilla-sup...@lists.mozilla.org
Visit options->advanced->network->settings and see if a proxy is in use.

IIRC, some software (either that you want or that you don't want) that
uses a proxy to intercept your traffic has certificate issues - they
cheat in a way that doesn't work any more.

Roger

Apr 1, 2016, 2:47:31 PM
to mozilla-sup...@lists.mozilla.org
The suddenness of this is problematic. It worked even that day and then
in the middle of moving to a different link, stopped working. And no
updates occurred on the A/V -

I even did a 'refresh' on the Firefox site. Taking this laptop home to
see if I can figure it out the problems of a busy IT office.
Thanks!

VanguardLH

Apr 1, 2016, 9:00:39 PM
to mozilla-sup...@lists.mozilla.org
Roger wrote:

> "Can you visit those same HTTPS sites by using Internet Explorer or
> Google Chrome?"
>
> IN IE, have not tried Chrome yet... can visit them.
> I disabled ALL A/V - and my WindowsFirewallControlApp... no joy.
> Google, Yahoo, many others (about three that I use all the time) give
> the exact same notice of 'insecure' page, not able to allow, etc...
>
> Strangest thing... BTW, the A/V on this PC has been installed for over 1
> year... all of them. Never had this happen before.
> Thanks for helping.

Internet Explorer and Google Chrome use the global (OS) certificate
store. It is Firefox with its private certificate store that is causing
you problems. If you go to Options -> Advanced -> Certificates, and
view certificates, are any listed? Do you see one for your anti-virus
program?

As I noted, a program update can result in the anti-virus program
wanting to use a new root certificate because the old one has or is
about to expire. So part of the program update is to use a new
certificate. While the update may install the new cert (to replace the
old one) in the global certificate store, it unlikely replaces its old
one in Firefox's private certificate store. Unless the AV program has
an option to reinstall its cert into Firefox, and if you don't want to
ask them how to do that manually, you have to uninstall the AV program
and then reinstall it. That's because the order of installation should
be web browser first and then anti-virus program. During the install,
the AV program adds its cert to both the global cert store in the OS and
the private cert store in Firefox.

WHICH anti-virus program is the always active one? Don't really care
about the inactive ones that you use as on-demand scanners, only the one
you use as the on-access (real-time) scanner. Normally disabling the AV
will kill its interception of web traffic; however, I would first check
if the AV program has an HTTPS scan feature and, if so, disable that
(and retest) before disabling the AV program (and retest that way, too).
Disabling the AV program often does NOT remove the transparent proxy
(not one you configure but a hidden proxy that intercepts traffic over
well-known ports), so the transparent proxy may remain [mis]configured
to intercept HTTPS traffic although the AV program appears disabled.
Traffic may still be going through its proxy. I've had that with Norton
AntiVirus where its transparent proxy went dead (whether NAV was enabled
or disabled) and all network traffic was dead until I either killed its
process and restarted them in the correct order or rebooted the computer
to kill all its processes and load them from scratch.

Have you yet checked the proxy settings in Firefox?
Options -> Advanced -> Network, Connection -> Settings

Either set it to "use system proxy settings" (and then use Internet
Options -> Connections -> LAN settings to verify you aren't configured
to use a proxy) or to "none". Some anti-virus software, or software
designed to intercept web traffic, might configure Firefox to go through
its proxy, and malware will do that, too. I use a streaming media
capture tool (Applian Replay Media Capture) and to capture HTTPS
streamed media means that it, too, has to use the MITM cert scheme (it
has to install its cert in the global cert store to work with IE and
Google Chrome and into Firefox's private cert store) but it also changes
the proxy. It only changes the global proxy settings under Internet
Options so Firefox has to be configured to use those settings, not its
own and not "none". When RMC crashes (it happens, or hangs and I kill
it), its code to replace the prior proxy settings does not run so I'm
stuck trying to use a proxy that no longer exists. However, that
affects IE from connecting to anywhere and you don't have a problem with
IE. That does not preclude some other external software, add-on, or
malware wanting Firefox to use a proxy. Millwood touched on this.

Have you yet loaded Firefox in its safe mode to eliminate possible
interference from any extensions you installed into Firefox?

Have you yet tried booting Windows into its safe mode to retest if the
problem with Firefox remains?

VanguardLH

Apr 1, 2016, 9:01:00 PM
to mozilla-sup...@lists.mozilla.org
Roger wrote:

> The suddenness of this is problematic. It worked even that day and then
> in the middle of moving to a different link, stopped working. And no
> updates occurred on the A/V -
>
> I even did a 'refresh' on the Firefox site. Taking this laptop home to
> see if I can figure it out the problems of a busy IT office.
> Thanks!

Do you have Firefox configured to update itself without prompt?

Do you have Firefox configured to update its add-ons without prompt?

What about Windows Updates? Does that install updates without prompt?

Although I dislike having to do it myself, have you tried creating a new
profile in Firefox?

Roger

Apr 1, 2016, 10:07:51 PM
to mozilla-sup...@lists.mozilla.org
1. "If you go to Options -> Advanced -> Certificates, and
view certificates, are any listed?"
As mentioned in a prior part of this thread, none listed when this error
displays - there is no certificate to view for that page (under page
info). I DID GO into certificates and deleted all that pertained to
(say) google... just to see if that allowed me to hit google.com, nope.
There are none showing for Kaspersky, for Malwarebytes or for MS Sec
Essentials. I WILL recheck on Saturday.

2. All of the A/V are active! One has to create an 'ignore' status in
each for the others but they play well together and, as I mentioned,
they have been for over 12 months. I did disable ALL of the AV, all at
once, one at a time, both Web and 'complete' scanning portions. I even
exited the A/V, made sure the task manager showed none of the
executables running, STILL got the issue with those several (many
really) web sites. NORTON, as you suggest, is terrible. Zero ring A/Vs
have always been an issue and I refuse to use Norton due to its "ego."

3. No proxy, just get the 'connection' from settings. Nothing uses a
proxy on the laptop so affected - simply 'no proxy'. Also IE has "no
proxy" set. Again, no proxy. One of the first things I checked was
internet connections...

4. I do not allow anything to UPDATE on its own, all updates are done
manually. I set Firefox to 'tell me' and that is all... same with
Windows 7 Pro 64. Same with the A/V stuff too.

5. I will load FF in safe mode... it is a GREAT IDEA...

6. I did create a 'new' profile using the 'Firefox' refresh button on
their site... it basically sets things back to default. No help.

I am going to reinstall after a full wipe of FF... I will keep the
current profile (secure it away), create a full clean, new install and
then see if 'that generic' profile has issues. If not, I will use the
profile manager and swap, then see... I am amazed at how resilient this
problem is.

Many thanks.

Christian Riechers

Apr 2, 2016, 6:03:04 AM
to mozilla-sup...@lists.mozilla.org
On 04/02/2016 04:08 AM, Roger wrote:
> I am going to reinstall after a full wipe of FF... I will keep the
> current profile (secure it away), create a full clean, new install and
> then see if 'that generic' profile has issues.

You're wasting your time. Re-installing the application does not change
the profile.
If you want to try with a new clean profile, create one using profile
manager.

> I am amazed at how resilient this problem is.

Why don't you simply follow the instructions in the support article >Q<
posted earlier in this thread?

VanguardLH

Apr 2, 2016, 10:43:30 AM
to mozilla-sup...@lists.mozilla.org
Roger wrote:

> "If you go to Options -> Advanced -> Certificates, and view
> certificates, are any listed?"
> As mentioned in a prior part of this thread, none listed when this
> error displays - there is no certificate to view for that page (under
> page info).

Wasn't asking what cert was used or is missing for a particular site
visit. Not asking about the site cert details shown when visiting a web
page. I asked if ANY *root* certs were listed in Firefox's private
certificate store. Navigate to where I mentioned to see the list of
certs listed in Firefox's private certificate store. There is where you
want to ensure the Google CA (via GeoTrust) is listed inside of Firefox
(whether or not you are currently visiting a Google site).

What URL do you use to visit Google? Do you start with HTTP
(http://www.google.com/) or with HTTPS (https://www.google.com)? Google
should redirect you to their HTTPS page (it is a server-side action
rather than relying on issuing the Location header to the client telling
it where instead to connect).

Are you using the HTTPS Everywhere extension? If so, test with loading
Firefox in its safe mode to disable it (and all other extensions) to
eliminate them as the cause for your problem. I've once encountered a
problem visiting an HTTP web site using HTTPS Everywhere to alter the
URL to instead connect to the HTTPS version of the web site (the old
site was HTTP only, they had migrated to a new site that used HTTPS,
and HTTPS Everywhere was simply changing the protocol from http:// to
https:// without changing the domain portion of the URL so they were
trying to use HTTPS at an HTTP site that had no HTTPS support).
Reported the problem to them, reported the problem to the web admin for
the site, and the problem disappeared in 3 days (don't know if the HTTPS
Everywhere authors or the site admin fixed the problem). Since HTTPS
Everywhere has a limited database of rules in trying to connect to HTTPS
instead of HTTP, I'll have to see how many times I hit more problems
with that extension. I figure on strike 3 that it will get removed.
Two strikes remaining.

> I DID GO into certificates and deleted all that pertained to (say)
> google... just to see if that allowed me to hit google.com, nope.
> There are none showing for Kaspersky, for Malwarebytes or for MS Sec
> Essentials. I WILL recheck on Saturday.

You do NOT want to delete the root certs in Firefox's private cert store
(or the root certs in the OS/global cert store, either).

Google is a CA (Certificate Authority) so they, of course, issue their
own site certs which are verified using their trusted root certs that
must be installed in whatever certificate store is used to find the root
certs. In Options -> Advanced -> Certificates, view certificates, you
should find "Google Internet Authority G2" listed under GeoTrust. Do
NOT delete it NOR mark it distrusted; else, you deliberately break the
validation chain.

> 2. All of the A/V are active!

That is usually a bad setup. They will often conflict with each other.
When one notices that a file has been accessed, like for a write, it
will scan the file, and so will the other AV program, and so on. They
can even get into a loop where one AV opens a file during a scan which
another AV sees got opened so it scans, which the first AV sees was
opened by the other AV so it reopens the file, ad infinitum. I've seen
this where hard disk activity skyrockets. A file monitor showing who
was accessing the file found 2 AV programs battling over each other as
to who would succeed in scanning the opened file. Eventually they would
timeout after about 8000 file opens and scans. Uffda. Excluding one AV
from another AV is only preventing them from scanning each others files
on the disk, not from their processes conflicting with each other.

You might install multiple AV programs to overlap their detection
coverage but only ONE and ONLY ONE should be active at a time. Only ONE
should have active its on-access scanner. The others should remain
quiescent (inactive) and used only as on-demand scanners.

That best-use scenario of multiple AV programs for overlapped coverage
applies when the quiescent AV program(s) has no active components. Some
install drivers into the system API calls or stack drivers that remain
active even when you supposedly disable them. SuperAntiSpyware (SAS),
for example, will leave behind an active file I/O stacked driver. It
can interfere with other stacked drivers because many are sensitive to
the order in which they are stacked. Using SAS means it is still active
with its stacked driver despite you told that AV program to not load.

So even if you have only ONE anti-virus program running (its on-access
scanner) at a time, the other supposedly quiescent ones can still
interfere with the operation of the active one and even with the
operation of the others when they are manually run as on-demand
scanners.

From your prior statement, it looks like you are using Kaspersky,
Microsoft Security Essentials (MSE), and MalwareBytes. Two of those
mention a company name, not a product name. I can only assume you are
using only the anti-virus product from Kaspersky, not a suite, and
probably the AntiMalware product from MalwareBytes (aka MBAM). However,
I do not know if you are using the free or paid version of MBAM. The
free version of MBAM does not have an on-access scanner, only an
on-demand scanner. The free version of MBAM won't conflict with
Kaspersky or MSSE. The paid version of MBAM has encountered conflicts
with other anti-virus/malware software (and excluding them from scanning
each other's disk files was not a solution). MSSE is such a weak
anti-malware program that it rarely conflicts with anything but it can.
I would leave MSE installed but configure it to not be active and only
use it as an on-demand scanner (turn off its real-time protection as it
is a waste of CPU and data bus resources). You would still be wasting
some memory on an otherwise idle service. Your setup is probably okay:
a strong AV (Kaspersky), a limp one (MSE), and a differently oriented
anti-malware (MBAM). However, if you use a coarse and fine sifter to
separate particle sizes of sand, you really only need the fine sifter.
No real added detection coverage is afforded by having MSE active.

If I ever saw MSE detect something that Kaspersky did not, I would
suspect MSE's alert was a false positive. I would run the file through
VirusTotal.com to see if MSE was indeed correct and Kaspersky missed it.

In the past, I used an anti-spam proxy that would poll the DNSBLs (DNS
blocklists), like Spamhaus and Spamcop. Anything flagged by the Spamcop
blocklist was already flagged in Spamhaus' zen blocklist. Many flagged
by Spamhaus (that were indeed spam) were NOT flagged by Spamcop.
Spamhaus's zen blocklist was the better list (the fine grained sifter)
so there was no point in wasting bandwidth and CPU cycles to go poll
Spamcop's blocklist.

> One has to create an 'ignore' status in each for the others but they
> play well together

If they don't leave behind some active component, like a driver when
disabled and after a reboot of Windows. I gave the SAS example that
leaves a file I/O stack driver loaded (even after a reboot) that I found
interfered with another AV program (forget which one). I had to use an
old tool (no longer available) from Resplendence that showed me the
stacked drivers and their order. That's how I discovered SAS was still
active despite being disabled and the other AV program didn't like to be
second in line after the SAS driver. Too often stacked drivers are
sensitive to their loading order. My suggestion to disable all but one
AV program and reboot Windows usually works to have only that AV program
active but that does not always work. Some still leave resident
(active) components when disabled. They may not in Windows safe mode.

> I even exited the A/V, made sure the task manager showed none of the
> executables running,

That won't get rid of the drivers. Rebooting in Windows' safe mode
(with networking) may eliminate loading their drivers. Have you tried
booting into Windows safe mode?

> I do not allow anything to UPDATE on its own, all updates are done
> manually. I set Firefox to 'tell me' and that is all... same with
> Windows 7 Pro 64. Same with the A/V stuff too.

You want your anti-virus/malware software to automatically get signature
updates but alert you when there is a program update.

Have you looked at each anti-virus/malware program to check its last
*program* update to see if all were updated before or after the HTTPS
problem started?

> I did create a 'new' profile using the 'Firefox' refresh button on
> their site... it basically sets things back to default. No help.

Never used that. Typically the suggestion is to create a new profile.
You don't reuse a freshened instance of your old profile but instead
create a whole new and separate profile.

Or are you talking about resetting Firefox as mentioned at:

https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings

That disables extensions and sets all settings to default in what you
see in the config UI and under about:config. It does not create a new
profile. It resets your existing profile. You tried a reset of your
current profile and that didn't work, so I'd try a wholly new profile.

> I am going to reinstall after a full wipe of FF... I will keep the
> current profile (secure it away), create a full clean, new install
> and then see if 'that generic' profile has issues. If not, I will use
> the profile manager and swap, then see... I am amazed at how
> resilient this problem is.

First try loading Firefox in its safe mode and retest.

If that doesn't work, try using a *new* profile (not a resetted one) in
Firefox.

If that doesn't help, reboot Windows into its safe mode with networking
and retest.

And if all that doesn't work, I guess my next step would be to uninstall
Firefox, delete any remnant files (e.g., Firefox profile folders,
appdata folder, etc) and any remnant registry entries, and do a fresh
install of Firefox.

VanguardLH

Apr 2, 2016, 10:44:22 AM
to mozilla-sup...@lists.mozilla.org
Christian Riechers wrote:

> Roger wrote:
>
>> I am going to reinstall after a full wipe of FF... I will keep the
>> current profile (secure it away), create a full clean, new install and
>> then see if 'that generic' profile has issues.
>
> You're wasting your time. Re-installing the application does not change
> the profile.

When I do an uninstall (even if planning to follow with a new install or
fresh reinstall), I do the remnant cleanup (registry and files) after
uninstalling Firefox. Perhaps this is what the OP meant by "full wipe
of FF". Can't reuse an old profile that was deleted.

The OP is going to copy the profile folder to somewhere else before he
deletes it as part of his FF wipe (uninstall and remnant cleanup).

> If you want to try with a new clean profile, create one using profile
> manager.

In a different subthread, I mentioned trying that before resorting to
uninstalling and wiping Firefox and reinstalling it fresh. It would be an
easy and quick check.

Paul in Houston, TX

Apr 2, 2016, 11:43:50 PM
to mozilla-sup...@lists.mozilla.org
fwiw, a very similar thing started with me on Wed, Mar 30 and it's still an
ongoing problem. Https and certs with FF and SM barely work.
IE9 works better but still not good. 5 computers with varying o/s's.
I've narrowed it down to either a bad ATT vdsl router or bad ATT something
external to my system. IE9 works better than SM or FF but still not good.

Roger

Apr 4, 2016, 12:22:42 PM
to mozilla-sup...@lists.mozilla.org
Right... sorry. I had not seen that 'link'... we(I) use a business
version of Kaspersky. Different than the 'help' link, article (see:
Most of this kind of trouble lately has been due to anti-malware
software. SUMO has a troubleshooting page (which I should have linked
to first),
<https://support.mozilla.org/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER>)

....however I did note that Kaspersky was scanning encrypted links/sites.
Upon disabling that action and restarting Firefox I "AM ABLE" to access
the previously (and suddenly) inaccessible websites.

Thanks for the 'redirect' Christian.

Believe this will work - not sure why Kaspersky (and there IS NO, REPEAT
NO, Cert for it in Firefox) suddenly caused this issue (updates, of
course) as it has been working for over 12 months on this laptop.

Thanks again for hanging in.

Paul in Houston, TX

Apr 4, 2016, 1:54:45 PM
to mozilla-sup...@lists.mozilla.org
fwiw v2,4-4-16,
A new ATT Uverse modem has fixed all my https, ssl, & certificate problems.
Modems seem to be good for two years max.

Millwood

Apr 4, 2016, 3:08:26 PM
to mozilla-sup...@lists.mozilla.org
Roger wrote:
>
> ....however I did note that Kaspersky was scanning encrypted
> links/sites. Upon disabling that action and restarting Firefox I "AM
> ABLE" to access the previously (and suddenly) inaccessible websites.
>

This is how Kaspersky (probably) can scan encrypted content. When you
try to connect to an https site, Kaspersky actually responds to firefox
using a forged certificate for the site - thus the complaint about the
google certificate. This lets Kaspersky decrypt the content firefox has
encrypted using their bogus certificate (lots of details of the protocol
left out). Kaspersky also connects to the real site and re-encrypts the
content. Content from the site is decrypted (it made the connection so
it has the key), checked, and re-encrypted for the bogus connection it
made with firefox.

This is called a "man in the middle" attack and could be used, for
example, by a bogus wi-fi hot spot to read your communications,
including passwords, with your bank. So firefox has been tightening its
verification of certificates to make it harder to make the forged
certificate which got the story started above.

Kaspersky could make this work by installing a root certificate that it
controlled in your cert store and signing the bogus certificates with
it. IMHO, that's not what I want happening in my machine. And there is
a mechanism called certificate pinning which we hope will get used more
widely to prevent even that man in the middle attack.

Bottom line in general - if the "good guys" can break a secure protocol,
the "bad guys" are more likely to be able to do so as well.
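
The interception described in this post leaves a recognisable pattern: unrelated sites all present certificates from the same issuer, and a browser using the OS store accepts them while Firefox does not. An added example (not part of the thread) that triages such reports in Python; the `Observation` record, the verdict names and the sample data are constructed for illustration.

```python
"""Triage SEC_ERROR_UNKNOWN_ISSUER reports for signs of local HTTPS interception."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    host: str          # site the user tried to open
    issuer: str        # issuer name on the certificate actually presented
    firefox_ok: bool   # accepted by Firefox (its own certificate store)
    os_store_ok: bool  # accepted by a browser using the OS store (IE, Chrome)


def site_key(host):
    # Simplification (assumption): the last two labels stand in for the
    # registrable domain, so www.google.com and mail.google.com count once.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(observations, min_sites=2):
    """Classify a set of certificate errors.

    One issuer vouching for several unrelated sites is what an intercepting
    proxy looks like; different issuers per failing site point to per-site
    problems such as a server not sending its intermediate certificates.
    """
    failing = [o for o in observations if not o.firefox_ok]
    if not failing:
        return {"verdict": "no-failures", "issuer": None, "hosts": []}

    sites_by_issuer = defaultdict(set)
    for o in failing:
        sites_by_issuer[o.issuer].add(site_key(o.host))

    issuer, sites = max(sites_by_issuer.items(), key=lambda kv: len(kv[1]))
    if len(sites) < min_sites:
        return {"verdict": "site-specific", "issuer": None,
                "hosts": sorted(o.host for o in failing)}

    hits = [o for o in failing if o.issuer == issuer]
    if all(o.os_store_ok for o in hits):
        # Root is in the OS store but not in Firefox's: the case in this thread.
        verdict = "interception-ca-missing-from-firefox-store"
    else:
        # No store trusts the issuer: the interceptor is not a locally
        # installed product, or its root was never installed anywhere.
        verdict = "interception-ca-untrusted-by-any-store"
    return {"verdict": verdict, "issuer": issuer,
            "hosts": sorted(o.host for o in hits)}


# Constructed sample modelled on the symptoms reported in the thread.
AV_ROOT = "Constructed AV Personal Root"
SAMPLE = [
    Observation("www.google.com", AV_ROOT, False, True),
    Observation("www.yahoo.com", AV_ROOT, False, True),
    Observation("m3.maas360.com", AV_ROOT, False, True),
    Observation("www.bing.com", "Constructed Public CA 1", True, True),
]

# Constructed contrast case: two failures, each with its own issuer.
UNRELATED = [
    Observation("intranet.example.org", "Constructed Internal CA", False, False),
    Observation("shop.example.net", "Constructed Public CA 2", False, False),
]

if __name__ == "__main__":
    for name, data in (("SAMPLE", SAMPLE), ("UNRELATED", UNRELATED)):
        print(name, triage(data))
```

The issuer name for each failing site can be read from the certificate details reachable from Firefox's error page, as suggested earlier in the thread.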

Burry

Apr 4, 2016, 3:49:16 PM
to mozilla-sup...@lists.mozilla.org
My speed touch modem/router lasted 12 years.
Bulging caps in power part killed the router.

Paul in Houston, TX

Apr 4, 2016, 9:06:00 PM
to mozilla-sup...@lists.mozilla.org
Amazing!
Last year I threw out a box of 10 bad ones (two were from the neighbor).
Kept a few 12v jacks and leds.
I run 2 routers - one is the dsl/adsl/vdsl/cable gateway and the other is the dhcp/wifi.
Normal life span for mine is 1.5 years but I found if I remove the covers and glue
aluminum fins on the chips they last another 0.5 years.


Mark Lloyd

Apr 5, 2016, 9:22:44 AM
to mozilla-sup...@lists.mozilla.org
On 04/04/2016 12:54 PM, Paul in Houston, TX wrote:

[snip]

> A new ATT Uverse modem has fixed all my https, ssl, & certificate problems.
> Modems seem to be good for two years max.
>

My first cable modem (Toshiba) lasted about 3 years, before it started
causing excessive packet loss and died.

I had the second cable modem (Motorola) for about 9 years. It was still
working, but had to be replaced because of higher cable speeds (50Mbps
requires DOCSIS 3).

--
Mark Lloyd
http://notstupid.us/

"Try new Post Jesus (tm) breakfast cereal! Chock full of bland,
tasteless little bread wafers made from 100% Jesus for that full-body of
Christ taste. Goes great with a little red wine."

Roger

Apr 7, 2016, 8:44:23 AM
to mozilla-sup...@lists.mozilla.org
Like toasters... seems manufacturing is really "programmed to fail."