Peelregion.ca website not secure ?

  • 19 replies
  • 1 has this problem
  • 27 views
  • Last reply by Mace2

more options

When I use Firefox 57 on my Yosemite Mac I get a message that the https://peelregion.ca site is not secure. But if I use my Firefox on an LG phone it doesn't provide any error.

https://www.ssllabs.com website gives a rating of "F" for the site which is a Brampton city web site. Can anyone verify if the site is truly unsecure?

All Replies (19)

more options

Hi mace2, you asked:

Can anyone verify if the site is truly unsecure?

What Firefox is saying is that it cannot verify that the server responding to your request is the server you requested or whether it is an impostor because it cannot verify the SSL certificate.

Based on the SSL Labs report, the server definitely needs to be updated.

Most importantly for your purposes, it does not send the "intermediate" certificate. This means that unless Firefox has received that certificate from another server (another Thawte/Symantec customer), it cannot connect the site's certificate with a trusted issuer; the chain of trust is broken. This is hard to work around because it's really a matter of luck whether your Firefox has seen that certificate before; there's no obvious way to know where you can get it.

more options

You will need this intermediate certificate:

  • thawte EV SSL CA - G3

right-click and "save link as" -> thawte_EV_SSL_CA-G3.crt

You can import the certificate under the Authorities tab in the Certificate Manager.

  • Options/Preferences -> Privacy & Security -> Certificates: View Certificates

Do not set any trust bits when prompted.

more options

Thanks, but since the SSL Labs report shows an "F" grade I am reluctant to add any certificate.

Is your Firefox also missing that intermediate certificate? FredMcD had no problem and my Android Firefox also did not have a problem.

more options

The server only sends its own certificate and not the intermediate certificate from Thawte. There is nothing against adding an intermediate certificate manually to be able to visit a website. Making an exception in Firefox is much worse because you choose to trust a certificate that can't be chained to a built-in root certificate. If you import the intermediate certificate manually then Firefox will use it to build the correct certificate chain. Otherwise you would have to be lucky to stumble across a server that sends this specific intermediate certificate. Note that the link I posted is present in the report on the Qualys SSL Labs website.

more options

How can I determine the server Firefox is using to verify the website?

more options

Hi mace2, Firefox has some built-in root certificates. Any time a website presents a certificate, Firefox will check whether it was signed with one of those trusted certificates. If not, then the site needs to also supply one or more intermediate certificates to connect the site certificate with the trusted root. This server is not doing that.

Firefox ALSO will check whether a site's certificate has been revoked, but that is a separate process. The first check is simply checking that there is a complete chain of trust. That's what's failing.

cor-el gave you a method to obtain and install the missing intermediate certificate from its issuer. That will compensate for the site's failure to send it to Firefox.
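The chain-of-trust check described in the replies above, reproduced offline with the `openssl` command line as an added example (not part of the original thread). The three-certificate PKI, its subject names and the file names are constructed for the demonstration, and it assumes the `openssl` CLI is installed.

```bash
#!/usr/bin/env bash
# Constructed demo PKI (root -> intermediate -> leaf); every name here is made up.

build_demo_pki() {   # $1 = empty working directory
  local d="$1" n
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root: stands in for a root certificate built into the browser.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA signed by the root.
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null || return 1
  # Leaf (the site certificate) signed by the intermediate, not by the root.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 30 -out "$d/leaf.pem" 2>/dev/null || return 1
  # What a server may put on the wire: the leaf alone, or leaf plus intermediate.
  cp "$d/leaf.pem" "$d/served_incomplete.pem"
  cat "$d/leaf.pem" "$d/inter.pem" > "$d/served_complete.pem"
}

chain_verifies() {   # $1 = trusted root, $2 = served bundle, $3 = optional client-held intermediates
  local pool out
  pool=$(mktemp)
  cat "$2" ${3:+"$3"} > "$pool"
  # -untrusted: usable for path building but never a trust anchor,
  # like an intermediate imported with no trust bits set.
  out=$(openssl verify -CAfile "$1" -untrusted "$pool" "$2" 2>&1) || true
  rm -f "$pool"
  printf '%s\n' "$out" | grep -q ': OK$'
}

report() {
  if chain_verifies "$@"; then echo "OK"; else echo "FAIL: chain cannot reach the root"; fi
}

d=$(mktemp -d) && build_demo_pki "$d" || { echo "openssl setup failed" >&2; exit 1; }
echo "leaf only, nothing cached:        $(report "$d/root.pem" "$d/served_incomplete.pem")"
echo "leaf only, intermediate imported: $(report "$d/root.pem" "$d/served_incomplete.pem" "$d/inter.pem")"
echo "leaf + intermediate served:       $(report "$d/root.pem" "$d/served_complete.pem")"
```

Against a live server, `openssl s_client -connect HOST:443 -showcerts` prints the certificates the server actually sends, which is the real-world counterpart of the served bundles here.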

more options

Hi jscher2000. Thanks. I am aware how the certificates are used, but I do not understand why on my Mac OS Firefox it was missing but on my Android phone the certificate was present. FredMcD confirmed his Firefox was able to get to the site without any problem.

Why is the intermediate certificate missing from my Yosemite Mac certificate?

more options

The only reason you would have the intermediate certificate would be if your Firefox previously visited a different site that had a certificate from the same issuer. Thawte is a major issuer of certificates, so it's not surprising that you had it on at least one browser.

Note: if you ever use Firefox's Refresh feature or delete the cert8.db file manually, then you would lose all the accumulated intermediate certificates and be starting out from scratch.

more options

The reason I think it may be something else is that about a week ago I went to the same site without getting the error message that the site is not secure.

A possibility could be that the cert might have been removed.

more options

With a bare Firefox and a new profile you will always get a certificate error if the website isn't sending a complete certificate chain. It can only work if you have at least once visited a website (server) that sends this specific intermediate certificate and Firefox has stored it. Not sure if Firefox will still do this in Private Browsing mode.

more options

Tell me if I'm incorrect.

The website https://www.peelregion.ca tells my browser where to find the cert? If that is true, then if I can't find the correct cert or intermediate, it is the website www.peelregion.ca's fault.

more options

Yes, a server is supposed to send its own certificate AND it is supposed to send any intermediate certificates necessary to connect its certificate with a trusted "root" certificate.

more options

It's interesting to note that my Android phone, after performing an update to Firefox, now also gets the "site is not secure" error message.

This suggests that it was getting the correct certificate from https://peelregion.ca and then it stopped.

more options

mace2 said

It's interesting to note that my Android phone, after performing an update to Firefox, now also gets the "site is not secure" error message.

This suggests that it was getting the correct certificate from https://peelregion.ca and then it stopped.

Or that your Firefox had received it from a different site, so it didn't need it from peelregion.ca (this is how I was able to visit the site even though it is not sending that certificate).

more options

Your phone didn't get the certificate from peelregion.ca, but already had this intermediate certificate from a visit to another website that did send a full certificate chain.

In this specific case the missing intermediate certificate can be downloaded via this link I posted above from a Symantec server.

If you install the certificate in the Certificate Manager then Firefox can use it and you won't see the error. This is the same as visiting a website that includes the certificate in the sent certificate chain, only you need to install the certificate manually.

more options

How can I view the certificate store on an Android, specifically Lollipop?

more options

I was just there. I am in Canada, so I used the URL as a known site. It is secure for me, though Firefox has blocked some tracking stuff, as the shield came out beside the information icon. The certificate is valid.

more options

Concerning the responses from FredMcD and PLshadow: I called Peelregion.ca today, 31-Jan-2018, and they informed me they have no HTTPS.

You two should have received an error.