EV Green Bar not working in latest FF, works in IE and Chrome
I just purchased a new EV certificate from Entrust and installed it on my website. Now with IE and Chrome I get the nice green bar, but FF shows a blue bar and says "which is run by unknown".
Modified by ARBlue79
Additional System Details
- User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17
Please update to Firefox 18.0.1 and try there
Just upgraded to the latest version and it still has the same problem. Is this a common problem with FF?
Just go to the following site which has an EV certificate installed:
You can check this with Chrome and IE and it displays the green bar, but not with FF.
If you see a blue bar then Firefox uses a DV certificate and not an EV certificate.
Did you remove the old DV certificate?
Can you post a link to your site?
You can try to remove the currently used intermediate certificate to see if that makes Firefox use the new certificate.
- Tools > Options > Advanced : Encryption: Certificates - View Certificates
Clear the cache and the cookies from sites that cause problems.
"Clear the Cache":
- Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
"Remove Cookies" from sites causing problems:
- Tools > Options > Privacy > Cookies: "Show Cookies"
You can check out the public Entrust site which has an EV certificate. It does not show a green bar in FF, but does with the other browsers.
It is a green EV certificate for me.
Try to rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.
If that helped to solve the problem then you can remove the renamed cert8.db.old file.
Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates.
Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.
If that didn't help then remove or rename secmod.db (secmod.db.old) as well.
Thanks for the follow-up. I deleted the cert.db file entirely, cleared all my cache and history. When I go to the site, I get the attached in my browser bar. Can you post a screenshot of what you see?
Any updates on this? I'm seeing the same issue with Firefox 20.0.1. Not a single site is correctly displaying the green bar for EV SSL (including, for example, Paypal). I have cleared cache and removed certificates as suggested. The sites do show the green bar in Chrome and IE.
Modified by mcapone
Hi mcapone, I've attached a screen shot of what I see on https://www.paypal.com/home. What do you get for that identical URL -- gray padlock? globe icon?
Gray padlock. Two other computers here are displaying the same thing, while a third computer (in one of our branch offices) appears to be correctly rendering green bars. It occurred to me that some add-on might be messing us up (the computers with the issue are all developer machines with Firebug and HTTPFox installed), but I restarted with add-ons disabled and had the same issue.
Hi mcapone, if you click the gray padlock and click More Information then View Certificate, what do you see there? I've attached what I get, which is clearly indicated as an EV SSL cert. Is yours also showing as EV SSL?
Do you use any proxies that could be decrypting/re-encrypting your connection?
Modified by jscher2000
OK, no proxies or anything like that. Clicking the padlock gives all the appearance of a standard (non-EV) SSL key, but viewing the certificate clearly identifies it as an EV SSL with the same serial number and SHA fingerprint as you see.
Can you try to replicate this behaviour when you launch Firefox in safe mode once?
OK, I did restart Firefox in safe mode, and the problem persisted. However, that train of thought inspired me to create a new FF profile (via -profilemanager) and launch that fresh new profile. Under the newly minted profile, the EV SSL renders properly. When I return to my original profile, I get the bad behavior again.
So, clearly, there is something questionable in one of my profile files somewhere. I've had this same profile since Firefox 3, and before that it was probably imported from Seamonkey. So I'd be the first to acknowledge that all bets are off.
However, another machine here is a relatively newly-deployed Win7 box that had Firefox only since version 19 or so, and the developer in question does not use FF much at all, so his main profile ought to be relatively clean. He, as well, has the EV display issue on his FF, but creating a new profile also corrects the display for him (under the new profile).
Did you try to delete the prefs.js file to reset all preferences?
Were you using a userChrome.css file to customize the user interface?
Tools > Options > Advanced > Encryption > Validation. At least you must check "Use the Online Certificate....". For the change to be accepted, restart Firefox. Simply reloading the page is not enough.
All these ideas are great for IT people who can get the green address bar to work correctly in FF, but to get 10,000 of your customers to somehow know they have to do all these things with their FF browser to get a green address bar is pathetic. EV SSL when configured correctly works fine in IE and in Chrome. Get with the times, Firefox, or nobody is going to use your browser.
Hi joshkel2987, do you want to give us the URL of the problem page so we can take a look and try to figure out the source of the problem?
Strack's response about OCSP worked for me. I was having this problem too, and used GRC's fingerprinting service to verify the certificates of the sites I thought should be EV were actually presenting EV certs.
They were (including GRC), but FF was presenting only grey padlock and (unknown) for the site owner information, just as with the original question poster.
I followed Strack's suggestion and checked my OCSP option, which was off. I turned it on and restarted, at which point re-visiting EV sites returned proper EV status indication and the owner information from the certificate was properly presented as well.
I don't know why this setting should affect EV presentation in the browser. My understanding of EV in FF is that cert issuance chains root with hard-coded CA certs in the browser, so no OCSP ought to be necessary, right? Also, using OCSP involves a tradeoff between timely alerting to a compromised certificate, and leaking data about the websites you visit if you're paranoid (the OCSP request can be intercepted/logged...see Moxie Marlinspike's Convergence project for a comment on that).
Now...if I turn OCSP checking back off, will the correct EV indications stop once again?
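The thread ends on two observations: a fresh profile shows EV correctly, and turning the OCSP option back on fixes an old one. The following is an added example, not part of any post above, that reads a profile's prefs.js and reports whether OCSP checking has been switched off, then lists the security.* preferences that differ between two profiles. It assumes the option is stored under the about:config name `security.OCSP.enabled` with a default of 1; the two prefs.js samples are constructed.

```python
import json
import re

# prefs.js holds one user_pref("name", value); call per line, and only for
# values that differ from the built-in defaults.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

OCSP_PREF = "security.OCSP.enabled"  # assumed about:config name of the option
OCSP_DEFAULT = 1                     # assumed default: OCSP checking on

# Constructed samples: a long-lived profile with OCSP off, and a fresh one.
OLD_PROFILE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.OCSP.enabled", 0);
'''
FRESH_PROFILE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
'''

def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw              # keep anything unusual verbatim
    return prefs

def ocsp_enabled(prefs):
    """An absent pref means the default applies."""
    return prefs.get(OCSP_PREF, OCSP_DEFAULT) != 0

def diff_security_prefs(old, fresh):
    """security.* prefs whose value differs between two profiles (None = unset)."""
    names = {n for n in set(old) | set(fresh) if n.startswith("security.")}
    return {n: (old.get(n), fresh.get(n))
            for n in sorted(names) if old.get(n) != fresh.get(n)}

if __name__ == "__main__":
    old, fresh = parse_prefs(OLD_PROFILE), parse_prefs(FRESH_PROFILE)
    print("old profile OCSP enabled:", ocsp_enabled(old))
    print("fresh profile OCSP enabled:", ocsp_enabled(fresh))
    print("differences:", diff_security_prefs(old, fresh))
```

To run it against real profiles, read each profile's prefs.js from disk and pass the text to `parse_prefs` in place of the constructed samples.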