Yahoo mail gives untrusted connection error
When I log into Yahoo mail on Firefox 40.0.3 (on Windows 7) on my company-supplied laptop, I get this message: "You have asked Firefox to connect securely to us-mg5.mail.yahoo.com, but we can't confirm that your connection is secure."
I cannot create an exception: "This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate."
The "technical details" section states: "us-mg5.mail.yahoo.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. (Error code: sec_error_unknown_issuer)"
This does not happen at home, so the company laptop has something to do with it, but, even on the company laptop I do not have this problem when using Chrome, so it's not that the company does not allow access to outside mail.
On Firefox, the problem is intermittent. Sometimes, there is no problem and everything works fine. Clearing history/cookies/cache and restarting does not fix the problem. It sometimes goes away on its own for a little while, but then returns.
I have searched every database I could for answers, but have found no solution yet. The computer clock is correct, I'm not using Avast, etc. (some of the other situations I've run across).
I hope that I can get this resolved, because I'd rather keep using FF, which I've used for years, than switch to Chrome.
Thanks for your help, in advance.
Additional System Details
- User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36
First, thank you for such a complete explanation.
It sounds as though your work connection is proxied; there are a variety of different products that do this, and most likely you will need to import the proxy's signing certificate into Firefox so that it will trust the fake site certificates generated by the proxy.
Does your IT support Firefox? If so, they probably are aware of this issue and could assist. But you also could investigate further right now...
Is this the only site that has given you an untrusted connection error, or have you gotten them for other sites and created exceptions?
If you saved exceptions:
Visit one of the sites for which you saved an exception and inspect its certificate for the identity of the issuer, which should point to your proxy server information (if this theory is correct). Click the padlock in the address bar, then More Information, then View Certificate. I have attached an example showing where to check.
If you have not saved exceptions:
You can investigate using Chrome to view the certificate. When you are on Yahoo mail in Chrome, click the padlock in the address bar, then Connection, then Certificate Information. I have attached an example showing where to check.
Can you identify the "man in the middle"?
Wow, thanks for your prompt and detailed help.
Our IT does not support FF. Oddly enough, when I go to the Yahoo mail website on Chrome, I get a corporate warning page that warns the user that you're about to use web-based mail, don't share proprietary information that way... etc. etc. This warning page does not come up when I go to Yahoo mail via FF.
I have not previously saved exceptions.
No other site has (yet) given me any similar error.
I have followed the process you suggest. Screenshots are attached.
Is the "man in the middle" here "Symantec Class 3 Secure Server CA - G4"?
I'm curious about the warning page. Does it show the address of an internal server (or IP address), or does it show itself on a Yahoo address?
If it's an internal address and you copy it from Chrome's address bar and paste it on Firefox's address bar, can Firefox load it?
If it's on a Yahoo address, does the certificate viewer still show the official Symantec certificate, or a different one?
The problem was not happening yesterday afternoon, and going to Yahoo mail on Chrome did not yield the warning page. I shut down the computer overnight. This morning when I first signed in, the problem did not happen (FF accessed Yahoo mail without difficulty), but I just came back from a meeting (the computer was on but locked), and it is happening again.
Opening Yahoo mail in Chrome, the warning page shows the URL that I am about to go to as: "https://us-mg5.mail.yahoo.com/neo/launch?.rand=6gb7v3chjfaa8" So, an external address.
While still on that warning page, the certificate viewer shows "XXXX Secure Web Gateway" as the issuer (XXXX is the company name, which I am redacting). Image of path posted.
Once I clicked that yes, I do indeed want to go to that page, and open the page, the certificate is back to being what I posted before.
Thank you for all the time you are taking to help me troubleshoot this.
Okay, that makes sense. IE and Chrome must already be set up to trust your web gateway, and you need to also set up Firefox. That involves exporting the gateway's signing certificate from IE/Chrome and importing it into Firefox.
The process would be as outlined in the solution in this thread: https://support.mozilla.org/questions/1068675
I think you might have to wait until you see another warning screen to have easy access to the certificate to export.
Got the error just now, opened Chrome, got the warning page.
I opened the certificate on the warning page, and saved the certificate file (in DER format). I then went to the relevant menu in FF, tried to import the file I had saved, and got this error:
"This is not a certificate authority certificate, so it can't be imported into the certificate authority list."
Sorry, I might have been unclear. There's an important detail which I realize might not have been clear unless you looked very closely at the first screen shot. The certificate you want to export is the one above the Yahoo certificate in the dialog, the proxy certificate that vouches for the fake Yahoo certificate. Will that one import?
Yes, and I am sorry I didn't pay close enough attention.
That worked. Thank you so much for your help! You rock.
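The import error earlier in the thread came from exporting the site (leaf) certificate instead of the gateway certificate above it in the chain. The sketch below is an added example, not part of the original thread: it uses the `openssl` command line to tell the two apart before importing, assuming Firefox's refusal corresponds to the certificate lacking `CA:TRUE` in its basicConstraints extension. The gateway name, host name and files are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every certificate and name here is constructed for the demo.

# is_ca FILE: exit 0 if the certificate (PEM or DER) carries basicConstraints
# CA:TRUE, 1 if it does not, 2 if the file cannot be parsed.
is_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
    text=$(openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE'
}

# issuer_of FILE: print the issuer line, i.e. who vouches for this certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -noout -issuer 2>/dev/null
}

# Build a throwaway gateway CA plus a site certificate it signs, then export
# both as DER, the format used in the thread. Prints the temp directory.
make_demo_certs() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=v3_ca' '[dn]' 'CN=Constructed Secure Web Gateway' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[v3_leaf]' 'basicConstraints=CA:FALSE' > "$d/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj '/CN=mail.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" 2>/dev/null
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der"
    openssl x509 -in "$d/leaf.pem" -outform DER -out "$d/leaf.der"
    echo "$d"
}

DEMO_DIR=$(make_demo_certs)
for f in leaf.der ca.der; do
    if is_ca "$DEMO_DIR/$f"; then
        echo "$f: CA certificate, importable under Authorities"
    else
        echo "$f: not a CA certificate ($(issuer_of "$DEMO_DIR/$f"))"
    fi
done
```

For the leaf, the printed issuer names the certificate that should be exported instead; confirm with IT that the issuer really is the company gateway before trusting it.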