Do you use a proxy server or other intermediary? You could check whether you have Firefox set to use a proxy server and switch that off as a test. You can do that on the Preferences page:

"3-bar" menu button (or Edit menu) > Preferences

In the left column, click Advanced. On the right side, click the "Network" mini-tab and then the "Settings" button.

Anything unexpected here? You could try "No proxy" to see whether that helps.

This message seems to be associated with sites using the HTTP/2 protocol (only recently supported in Firefox) but not using an appropriate level of security for that protocol. So one option would be to set Firefox NOT to use http/2 so sites fall back to http/1.1. If it works, it would leave the mystery unsolved, and I think it's better to solve the mystery in case it's someone/something spying on you, but I'll give you the steps anyway:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste spd and pause while the list is filtered

(3) Double-click the network.http.spdy.enabled.http2 preference to switch the value from true to false

Nah. Ended up just downgrading

Okay, but in the interest of science and in 30 seconds or less, could you take a look at the certificate for https://www.youtube.com/? You can call that up in the Page Info dialog using either:

• right-click (on Mac Ctrl+click) a blank area of the page and choose View Page Info > Security > "View Certificate"
• (menu bar) Tools > Page Info > Security > "View Certificate"
• click the padlock or "i" icon in the address bar, then the ">" button, then More Information, and finally the "View Certificate" button

Check the indicated areas in the attached screenshot for any variance that could indicate an intermediary. Anything interesting?

guymanforget said

it gives me a NS_ERROR_NET_INADEQUATE_SECURITY error when i go to any google owned sites or even mozzila.org. somehow support.mozzila.org still works though. i know google is a security risk in general but i have no going anyway option and youtube doesn't work either. most sites dont work but some do like support.mozzila.org or my site shinycreators.com im runnning arch linux on the newest arch linux release of firefox (48.0.1-1)

I have exactly the same issue trying to get to any HTTPS for google.com or facebook.com (maybe other sites as well).

I'm running Firefox 48 from Debian testing.

jscher2000 said

This message seems to be associated with sites using the HTTP/2 protocol (only recently supported in Firefox) but not using an appropriate level of security for that protocol. So one option would be to set Firefox NOT to use http/2 so sites fall back to http/1.1. If it works, it would leave the mystery unsolved, and I think it's better to solve the mystery in case it's someone/something spying on you, but I'll give you the steps anyway: (1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful. (2) In the search box above the list, type or paste spd and pause while the list is filtered (3) Double-click the network.http.spdy.enabled.http2 preference to switch the value from true to false

I tried disabling HTTP/2 as suggested and it worked.

I think this issue is pretty serious and should be treated as a security concern because for some sites I was being redirected to some shady sites while this was enabled.

Let me know if you want me to do some testing.

Hi default50, do you use any "man in the middle" software or services? In particular, security software that filters HTTPS connections or proxy servers?

jscher2000 said

Hi default50, do you use any "man in the middle" software or services? In particular, security software that filters HTTPS connections or proxy servers?

No, I do not have anything like that. I have a home broadband connection provided by Virgin Media in Ireland. A cablemodem acting as a WiFi AP and router is my gateway. The only "odd" thing is that I have an IPv6 address using DSLite, so I may be NAT'ted, but for destinations on IPv4, which Google or Facebook are not.

I just tested browsing from my laptop through my 4G phone tethered by Bluetooth and I got the same result, only worked with network.http.spdy.enabled.http2;false.

I also used this site for testing.

Firefox 48.0.1 on a Mac OS X 10.11 is not showing the same.

Do you have any non-default settings for secure connection-related preferences? To check:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste TLS and pause while the list is filtered

(3) If you have any "user set" preferences here, try using the default values (right-click context menu > Reset)

(4) In the search box above the list, type or paste SECURITY.SSL and pause while the list is filtered

(5) If you have any "user set" preferences here, try using the default values (right-click context menu > Reset), however, it's okay to set these to false (this helps mitigate Logjam issues):

• security.ssl3.dhe_rsa_aes_128_sha
• security.ssl3.dhe_rsa_aes_256_sha