What do the security warning codes mean?
Revision Information
- Revision id: 165590
- Created:
- Creator: Joni
- Comment: Updated to reflect new error pages that will land in Nightly. Please don't approve until the pages have landed in Nightly.
- Reviewed: No
- Ready for localization: No
Revision Source
Revision Content
When Firefox connects to a secure website (the URL begins with "https://"), it must verify that the certificate presented by the website is valid and that the encryption is strong enough to adequately protect your privacy. If the certificate cannot be validated or if the encryption is not strong enough, Firefox will stop the connection to the website and instead show you an error page warning of a potential security risk.
- To troubleshoot secure connection problems that result in a Secure Connection Failed error page, see the article Secure connection and security warning error pages in Firefox.
What to do if you see this error?
If you encounter a "Your connection is not secure" error, you should contact the owners of the website and inform them of the error. It is recommended that you wait for the website to be fixed before using it. The safest thing to do is to click
, or to visit a different website. Unless you know and understand the technical reason why the website presented incorrect identification, and are willing to risk communicating over a connection that could be vulnerable to an eavesdropper, you should not proceed to the website.
Technical information
Click on
for more information on why the connection is not secure. Some common errors are described below:
SEC_ERROR_UNKNOWN_ISSUER
Firefox is unable to connect to this website securely because it could not verify that the certificate is valid. This could be because the certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates. An additional root certificate may need to be imported.
SSL_ERROR_BAD_CERT_DOMAIN
This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.
A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited https://example.com, but the certificate is for https://www.example.com. In this case, if you access https://www.example.com directly, you should not receive the warning.
SEC_ERROR_EXPIRED_CERTIFICATE
Error code: SEC_ERROR_EXPIRED_CERTIFICATE
This error occurs when a website's identity certification has expired.
The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time (double-click the clock icon on the Windows Taskbar) in order to fix the problem. More details about this are available in the support article Troubleshoot time-related errors on secure websites.
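The name-mismatch and expiry checks described in the two sections above, as an added sketch (not Firefox's code and not part of the original article). The dictionary layout, the function names and `reference_now` (a time taken from a trusted source) are assumptions, and the certificate is constructed sample data.

```python
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Compare one DNS name from a certificate with the requested hostname.
    '*' is honoured only as the whole leftmost label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # example.com vs www.example.com ends here
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse '*.com'
    return p == h

def diagnose(cert, host, now):
    """Return the error codes from this page that the simplified checks raise."""
    codes = []
    if not any(name_matches(n, host) for n in cert["dns_names"]):
        codes.append("SSL_ERROR_BAD_CERT_DOMAIN")
    if now > cert["not_after"]:
        codes.append("SEC_ERROR_EXPIRED_CERTIFICATE")
    return codes

def expiry_cause(cert, local_now, reference_now):
    """Tell a wrong system clock apart from a certificate that really expired.
    reference_now is assumed to come from a trusted time source."""
    if local_now <= cert["not_after"]:
        return "not-expired"
    if reference_now <= cert["not_after"]:
        return "local-clock-wrong"      # fix the system clock
    return "certificate-expired"        # the site owner must renew

# Constructed sample certificate: valid only for the www host.
SAMPLE_CERT = {
    "dns_names": ["www.example.com"],
    "not_after": datetime(2024, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    t = datetime(2023, 6, 1, tzinfo=timezone.utc)
    for host in ("example.com", "www.example.com"):
        print(host, diagnose(SAMPLE_CERT, host, t))
    wrong_clock = datetime(2030, 1, 1, tzinfo=timezone.utc)
    print(expiry_cause(SAMPLE_CERT, wrong_clock, t))
```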
SEC_ERROR_OCSP_INVALID_SIGNING_CERT
The website failed to prove its identity and failed additional security checks that Firefox completed against its security certificate.
SEC_ERROR_OCSP_FUTURE_RESPONSE
Either your computer clock is set to a time in the past or the website you're trying to connect to is set to the wrong time. Firefox is unable to connect securely because of this. If your clock is already set to the right time, the website is likely misconfigured and the website administrators will have to fix it.
MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED
This error indicates that Mozilla's CA Certificate Program has imposed policies upon this website's certificate authority that the website has not complied with. When this error occurs, it indicates that the owners of the website need to work with their certificate authority to correct the policy problem.
Mozilla's CA Certificate Program publishes a list of upcoming policy actions affecting certificate authorities which contains details that might be useful to the website owners. For more information, see the Mozilla Security Blog post, Distrust of Symantec TLS Certificates.
MOZILLA_PKIX_ERROR_MITM_DETECTED
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
Error code: MOZILLA_PKIX_ERROR_MITM_DETECTED
MOZILLA_PKIX_ERROR_MITM_DETECTED is a special case of the SEC_ERROR_UNKNOWN_ISSUER error code when a man-in-the-middle attack is detected.
You may have enabled SSL scanning in your security software such as Avast, Bitdefender, ESET or Kaspersky. Try to disable this option. More details are available in the support article Troubleshoot security error codes on secure websites.
You may also see this error message on major sites like Google, Facebook, YouTube and others on Windows in user accounts protected by Microsoft family settings. To turn these settings off for a particular user, see the Microsoft support article How do I turn off family features?.
Corrupted certificate store
You may also see certificate error messages when the file in your profile folder that stores your certificates (cert8.db or cert9.db) has become corrupted. Try to delete this file while Firefox is closed to regenerate it:
Open your profile folder:
- Click the menu button, click and select . From the menu, select . The Troubleshooting Information tab will open.
- Under the Application Basics section, next to Profile Folder (or Profile Directory), click . A window will open that contains your profile folder.
Note: If you are unable to open or use Firefox, follow the instructions in Finding your profile without opening Firefox.
- Click the Firefox menu and select . Alternatively, click the Firefox menu at the top of the screen and select .
- Click on the file named cert8.db or cert9.db.
- Press command+Delete.
- Restart Firefox.
- Note: cert8.db or cert9.db will be recreated when you restart Firefox. This is normal.
Bypassing the warning
Firefox will sometimes give you the option to bypass a warning and proceed to the website. You should only bypass the warning if you're confident in both the identity of the website and the integrity of your connection - even if you trust the site, someone could be tampering with your connection. Data you enter into a site over a weakly encrypted connection can be vulnerable to eavesdroppers as well.
In order to bypass the warning page, click :
- On sites with weak encryption, you will then be shown an option to load the site using outdated security.
- On sites whose certificate cannot be validated, you might be given the option to add an exception.
Secure Connection Failed error
Some websites may produce a Secure Connection Failed error page, similar to this one:
This type of error does not allow you to bypass the warning; it only provides a checkbox to report the error to Mozilla and a button. See the Secure connection and security warning error pages in Firefox article for more information.