
Support Forum

"Something is trying to trick Firefox into accepting an insecure update. Please contact your network provider and seek help."


This message appears at regular intervals. I think it is intended to prevent Man-in-the-middle attacks that want to foist a rogue Firefox update on you.

In my company the "Microsoft Forefront Threat Management Gateway" with HTTPS inspection is used. This HTTPS inspection is done by installing a local (company-controlled) Certification Authority in the browser on the user's computer and then performing a de/encryption of the SSL-stream on the proxy server.

But as Firefox not only verifies the certificate of the update server, but also the Issuer of the certificate, the update is rejected because of a possible Man-In-The-Middle-attack. In case of the "Microsoft Forefront TMG" this is an intended MITM-attack ...

Is there any possibility to change the expected certificate chain of the update server in Mozilla Firefox?

Modified by mogra


Additional System Details

This happened

A few times a week

This started when...

Microsoft Forefront TMG was activated

Installed Plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 10.1.2
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 1.6.0_29 for Mozilla browsers
  • Shockwave Flash 11.1 r102
  • 3.0.40818.0

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0


cor-el
  • Top 10 Contributor
  • Moderator
10749 solutions 96724 answers

This can happen if you still have leftover files from an older Firefox version in the Firefox program folder (C:\Program Files\Mozilla Firefox\defaults\pref)
There should only be a channel-prefs.js file in that defaults\pref folder.


Question owner

cor-el, thanks for your reply. But actually, as described above, this is not my problem. Firefox correctly displays the warning, as there is a Man-in-the-middle-attack when performing the update - although an intended one (Microsoft Forefront TMG performing HTTPS-inspection).

My question was: "How can I change the expected certificate attributes of the update server?" I want to accept the Firefox update that is correctly served by the Mozilla update server via the Microsoft proxy.

dveditz 1 solutions 7 answers

Chosen Solution

As a quick fix you can change the pref app.update.certs.1.issuerName to the value used by your MITM box. Or maybe better, add new prefs app.update.certs.3.commonName and app.update.certs.3.issuerName with appropriate values. These two prefs could be passed along to other folks at your organization as a user.js file perhaps, or a restartless add-on.

Not a user-friendly solution, but should get you going again.

Modified by dveditz

grodech 0 solutions 2 answers

We're having this issue with newer versions of Firefox (10+) that connect through our SonicWall firewall that is doing SSL-DPI. Even though the SonicWall cert is loaded in the Authorities section of the Firefox cert store, we still get the error. How do I set the app.update.certs.1.issuerName pref, as mentioned above?

Noah_SUMO
  • Moderator
50 solutions 303 answers

Helpful Reply

To access the preferences:
Type about:config into the URL bar and hit enter. Click on the I'll be Careful button. Then type app.update.certs.1.issuerName in the filter or search box. Then double-click the pref or right-click > Modify and fill in the new value. Then close Firefox to save the changes.

To add the other 2 preferences (app.update.certs.3.commonName & app.update.certs.3.issuerName) that are not there by default, right-click on one of the prefs inside the about:config window. Then choose New > String. Then fill in your custom values in the boxes that pop up for each preference. Make sure to close Firefox to save the changes.


Modified by Noah_SUMO

grodech 0 solutions 2 answers

For what it's worth, what finally got it working for me was to change app.update.cert.requireBuiltIn to false. So for all you SonicWall users out there that do SSL DPI, that's what you need to do.
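
As an added illustration (not part of any post above and not Firefox's own code), this simplified JavaScript model shows how the prefs named in this thread interact: the numbered app.update.certs sets are alternatives, and app.update.cert.requireBuiltIn is a separate check on the root. The host name, the issuer strings, the rootIsBuiltIn field and the default value of requireBuiltIn are assumptions made for the example.

```javascript
// Simplified model of the update-certificate check this thread describes.
// Not Firefox source code; every certificate value here is a constructed placeholder.

// Group app.update.certs.<n>.<attribute> prefs into one attribute set per <n>.
function pinSets(prefs) {
  const sets = new Map();
  for (const [name, value] of Object.entries(prefs)) {
    const m = /^app\.update\.certs\.(\d+)\.(\w+)$/.exec(name);
    if (!m) continue;
    if (!sets.has(m[1])) sets.set(m[1], {});
    sets.get(m[1])[m[2]] = value;
  }
  return [...sets.values()];
}

// cert holds the attributes of the certificate the client actually received.
// Returns { ok, reason } so a rejection can be explained to whoever triages it.
function checkUpdateCert(prefs, cert) {
  const sets = pinSets(prefs);
  const matched = sets.some((set) =>
    Object.entries(set).every(([attr, want]) => cert[attr] === want));
  if (sets.length > 0 && !matched) {
    return { ok: false, reason: "attributes match no app.update.certs set" };
  }
  // Assumption: the pref is treated as true unless explicitly set to false.
  if (prefs["app.update.cert.requireBuiltIn"] !== false && !cert.rootIsBuiltIn) {
    return { ok: false, reason: "chain ends at a root that is not built in" };
  }
  return { ok: true, reason: "accepted" };
}

const PUBLIC_CA = "CN=Example Public CA,O=Example,C=US";      // constructed
const PROXY_CA = "CN=Corp Inspection CA,O=Example Corp,C=US"; // constructed
const HOST = "updates.example.test";                          // constructed

const defaults = {
  "app.update.certs.1.commonName": HOST,
  "app.update.certs.1.issuerName": PUBLIC_CA,
};
const withProxySet = {
  ...defaults,
  "app.update.certs.3.commonName": HOST,
  "app.update.certs.3.issuerName": PROXY_CA,
};
const direct = { commonName: HOST, issuerName: PUBLIC_CA, rootIsBuiltIn: true };
const inspected = { commonName: HOST, issuerName: PROXY_CA, rootIsBuiltIn: false };

console.log(checkUpdateCert(defaults, inspected).reason);
console.log(checkUpdateCert(withProxySet, inspected).reason);
```

With set 3 added and requireBuiltIn set to false, the model accepts any certificate that carries that commonName and is issued under the inspection CA, so trust in the update channel then rests on how well the proxy's CA key is protected.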