The majority of the server certificates in my Firefox browser store are obsolete, and cannot use the SSL scan in BdF; all HTTPS sites are blocked.
I use FF 43.0.2. I have been having problems with sites which I believe were safe, but which were blocked by FF because of certificate issues (generally slated "unknown"). These were sites that I connected to on a regular basis before. Finally being fed up not being able to access these sites (no info available with this type of problem and iframe giving no clue) I followed a FF guideline and deleted the cert8.db. The result has been the impossibility to connect to any HTTPS site. I finally found the temporary solution to disable BitDefender's scan SSL option. But this made me uneasy. So I checked on the certificates themselves and saw they had (almost) all expired. What does this mean? Is there a way to ensure the proper updates are done, as seems to be possible using the check box "Query OCSP responder servers to confirm the current validity of certificates"? And how do I come back to a regular surveillance of the SSL traffic, or is it purely for show and ineffective? How can I trust a system telling me its own foundations are flaky? Thanks a million for all you guys do and a million and one for this particular issue if you have an answer. ;-)
All Replies (13)
I followed a FF guideline and deleted the cert8.db
The result has been the impossibility to connect to any HTTPS site. I finally found the temporary solution to disable BitDeFender's scan SSL option.
I assume your other browsers trust BitDefender's fake SSL certificates because BitDefender inserted its certificate into the Windows system certificate store. But Firefox cannot extract the certificate automatically. It needs to be added to your new cert8.db file either by BitDefender or by you manually importing it.
I assume BitDefender has a feature to take care of it for you, but I don't know what triggers it. Some security software does it at Windows startup, so you could try shutting down and restarting Windows. In other cases, there might be a button in the security software interface to update your browsers. If all else fails, we should check the manual.
So I checked on the certificates themselves and saw they had (almost) all expired. What does this mean?
Sorry, where did you see that?
Hello jscher2000, Thank you for taking the time to answer me. I went exactly through the same logic you did, reinitiated all that could be and shutting down all that could be etc to no avail. The data is present in the tools options under certificates in the advanced tab. The only thing I didn't do, for lack of time and proper understanding of all possible consequences is check on the services. What made me think of that is the two checked (in my case) boxes there: one for viewing the certificates, the other for the security devices. Hope this provides you with some feedback, but I still fail to understand why it worked before and not after I created a "fresh" version of cert8.db. It seems that there is some kind of updating loop that is ignored by FF, as there is no noticeable change in the certificates data. Indeed, I noticed that when I had opened a session without the SSL check, therefore allowing access to the HTTPS site, I could still access it if I modified my settings and checked on SSL flux then.
I suspect you will need to export the BitDefender signing certificate from Internet Explorer and then import it into Firefox. The steps are outlined in this post: https://support.mozilla.org/questions/1089816#answer-796756
Hello jscher2000, Thank you for your answer. I have a problem with this solution: How do I "isolate" the Bitdefender certificate? I have no way of doing that. I do have one that is linked to them, but I have no way of assuring it is the relevant one. Did I miss something obvious? Otherwise, I tested doing it and your lead was fine. So no worries on that side. Thx again.
I'm working blind here, so unfortunately I can't give you specific details.
Usually, the security software generates a fake certificate for the site, and when you view the "path" in the Windows Certificate Viewer (similar to the hierarchy in the Firefox Certificate Viewer), the signing certificate is the next certificate higher in the path above the fake site certificate. Don't bother with the site certificate, you need that signing certificate.
Actually, I think I'm repeating what I had in the other thread. Where are you running into problems?
Hi jscher2000, lol we have a saying the blind leading the blind! Hahahaha! More seriously: I appreciate your efforts keeping up with me, or should I say putting up. What I do not know is which certificate is the security certificate. How do I recognize it? When I look at the different certificates, I have no clue as to which it is. This is all the more true, that I also have one generated by the support site of the security software. Are they one and the same? I don't think so, but I cannot find any type of info on the net either.
If you open a secure page in IE or Chrome, and view the certificate, then the Path, the certificate above that site's certificate is the signing certificate. Assuming that is the BitDefender certificate, that is the one you want.
You can check the date and time and time zone in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
If you can't inspect the certificate via "I Understand the Risks" then try this:
Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate:
In the location field of this window type or paste the URL of the website.
- retrieve the certificate via the "Get certificate" button
- click the "View..." button to inspect the certificate in the Certificate Viewer
You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then you can attach a screenshot that shows the certificate viewer.
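The same inspection can be scripted. The following is an added example, not part of the original thread: it reads the issuer of the certificate a site presents and looks up the matching signing certificate in the trust store. The function names and the sample certificate names are hypothetical, and the live `fetch` helper assumes Python on Windows, where the default SSL context loads the Windows certificate store.

```python
import socket
import ssl
from datetime import datetime, timezone


def flatten(name):
    """Turn the ssl module's nested RDN tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}


def find_signer(leaf, ca_certs):
    """Return the CA whose subject equals the leaf's issuer (one step up the path)."""
    issuer = flatten(leaf["issuer"])
    return next((ca for ca in ca_certs if flatten(ca["subject"]) == issuer), None)


def report(leaf, ca_certs, expected_issuer_org, now=None):
    """Summarise who signed the site certificate and whether it is current."""
    now = now or datetime.now(timezone.utc)
    issuer = flatten(leaf["issuer"])
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(leaf["notAfter"]), timezone.utc)
    return {
        "issuer_cn": issuer.get("commonName"),
        "issuer_org": issuer.get("organizationName"),
        "expired": expires < now,
        "signer_in_store": find_signer(leaf, ca_certs) is not None,
        # An issuer other than the CA the site really uses means the
        # connection was re-signed before it reached this program.
        "unexpected_issuer": issuer.get("organizationName") != expected_issuer_org,
    }


def fetch(host, port=443):
    """Live use: the verified leaf certificate plus the loaded trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), ctx.get_ca_certs()


# Constructed sample data with hypothetical names, in getpeercert() format.
SAMPLE_LEAF = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example AV"),),
               (("commonName", "Example AV Personal CA"),)),
    "notAfter": "Dec 31 23:59:59 2016 GMT",
}
SAMPLE_STORE = [{"subject": ((("commonName", "Example Public Root"),),)},
                {"subject": SAMPLE_LEAF["issuer"]}]
```

For a live check, `report(*fetch("www.example.com"), "Expected CA organisation")` gives the same summary; the issuer it names is the certificate that has to be exported and imported into Firefox.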
Hello jscher2000 and cor-el! Thx for trying to help me. To answer jscher2000 first: my problem was with knowing which certificate to look for. I have a name now, but maybe I had it all along with IE not knowing what to look for. To answer cor-el: I did as you suggested (didn't do the clock bit, I had already eliminated that possibility before posting). Here is the snapshot. It tells me the certificate is not valid for Google.com and that it was issued by BdF. Which seems to validate the analysis we had made with jscher2000. That in other words, the list from Bitdefender is not updated properly. I went looking for something approaching in the server list of certificates in IE but I do not find anything really conclusive and wouldn't want to create havoc loading wrongly a new certificate. On the other hand, I can't see the harm. If you concur, please advise and I'll try the one which seems closest (it has CA and personal in it... lol how much more precise can you get than that! Talking about wild goose chases, anyway) but I would much prefer to find a proper way of getting on IE their certificate. On another aspect, I have read quite a few stories where problems of this nature have seemed to pop up since January on the subject or similar with BdF. They do not answer (one of their forte unluckily) and when they do they beat around the bush. It seems they have some kind of a bug because of a loop bypassing effectively ssl clearance and relying on the onboard store. In other words, the checking is faked but normally reasonably so. But with the problems that arose concerning these issues, they may have jumped the gun and put up an iffy plug in the meanwhile to stifle critics. Here's a link if you're asked by others: http://www.pcworld.com/article/2889692/some-bitdefender-products-break-https-certificate-revocation.html Thanks again for all the help. Wish I could resolve this problem, but unless you have a miracle at hand, I guess I'll have to wait it out. Merci.
When I looked at Bitdefender's forums, every reply about this issue recommended turning off scanning of secure connections. They even have an article with the steps for that: What to do when Security Certificates cannot be verified/installed.
Maybe it would be nice to get this working, but I can't say for certain it is worth the effort.
Hello jscher2000, Yes, I made myself the same reflection when I started understanding this wasn't my issue but that of the security software. But what kept nagging me, and made me pursue bothering you guys with it, is that nothing was awry so completely before I renewed cert8. I only had the issue with a handful (a large hand at that, but still) of sites. It was only then that the problem arose with major sites (https sites) such as Google et al. So I am still of a mind to look for some kind of solution. I cannot accept having to rely on thin air when I navigate. There must be some kind of repository for valid certificates. So without the SSL check I can maybe at least load major chunks of main sources... Thank you anyway for the trouble and the follow-up.
If the certificate is issued by your security software then the only solution is to install the root certificate and set trust bit(s) or disable this SSL scan feature in your security software.
Hello jscher2000 and cor-el, Just to say thank you again for your time. I believe after all the tweaking and reading that indeed the best solution is for the time being to avoid using the scan SSL option of the security software altogether. It is more of a risk anyway than anything else, as its mode of operation is less than satisfactory in those terms. Thanks again. Chris