Unable to access secure (HTTPS) sites in Firefox 43

This article is no longer maintained, so its content might be out of date.

Firefox 43 included a change to reject new security certificates made using an old algorithm called "SHA-1". Microsoft and Google will soon be making a similar change to their products. Since this change, some Firefox users with certain third-party tools have had problems accessing secure (HTTPS) websites, as summarized in this Mozilla Security Blog post. This article explains how to see if this problem affects you and, if so, how to resolve it.

What causes this issue?

Some tools intercept your secure Internet traffic to decrypt your secure sessions and provide you with certain functionality. Such tools can include security scanners or antivirus products. Some of these tools provide your browser with a SHA-1 certificate. When Firefox encounters such a certificate, it rejects the connection, and shows you the SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED error. Since these tools intercept all HTTPS sessions and replace the real certificate with a SHA-1 certificate, you will see this error on all HTTPS sites, even if the site’s real certificate doesn’t use SHA-1.

How do I know if this affects me?

If you can access this article in Firefox, you're fine. However, if you see an error page when trying to access an HTTPS site (such as https://support.mozilla.org or https://blog.mozilla.org) click Advanced on the error page. If you see the error code SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, then you’re affected.

What can I do to work around this problem?

The best way to fix this problem is to install the latest version of Firefox from the Firefox download page, which has a fix for this problem. You will need to download and run the Firefox installer manually, using an unaffected copy of Firefox or another browser. If you are affected, then Firefox will not be able to automatically update.

What is the correct solution to this problem?

This issue occurs because a third-party application you are using intercepts secure connections made by your browser. In doing this, it replaces the website's certificate with a certificate using a SHA-1 signature. To avoid problems with SHA-1 certificates in the future, you should try to identify the tool which is serving SHA-1 certificates (this is likely to be a security scanner or antivirus product) and configure it to use a stronger signature digest algorithm. You should also make sure that any products you’re using that might be having a man-in-the-middle approach are kept up to date.

These fine people helped write this article: AliceWyman, philipp, Tonnes, Artist. You can help too - find out how.