X
Tap here to go to the mobile version of the site.

Support Forum

Connection untrusted for Twitter even after addition of security exception

Posted

I use Firefox on my office computer behind a company firewall and a server re-issuing security certificates for secure sites. Like for many other users, normally this only leads to the annoyance of having to add security exceptions for https sites manually. However, for Twitter.com, even that won't work. First I got the connection not trusted message with "The certificate is not trusted because no issuer chain was provided". Then I enabled browser.xul.error_pages.expert_bad_cert, but all that happened was that the error message reloaded.

I tried deleting the certificate, the cookie, cache, history, the cert8.db file, and also tried it in secure mode with all addons disabled, still no luck. I had no such problem with IE9 on the same computer or Firefox on my home computer (Windows XP) or on my Android tablet.

I use Firefox on my office computer behind a company firewall and a server re-issuing security certificates for secure sites. Like for many other users, normally this only leads to the annoyance of having to add security exceptions for https sites manually. However, for Twitter.com, even that won't work. First I got the connection not trusted message with "The certificate is not trusted because no issuer chain was provided". Then I enabled browser.xul.error_pages.expert_bad_cert, but all that happened was that the error message reloaded. I tried deleting the certificate, the cookie, cache, history, the cert8.db file, and also tried it in secure mode with all addons disabled, still no luck. I had no such problem with IE9 on the same computer or Firefox on my home computer (Windows XP) or on my Android tablet.

Modified by Daneelro3

Chosen solution

The Mozilla Security thread from a year ago does indeed look exactly like my issue, it's a shame apparently nothing happened on the improved support for MitM proxies.

At first I could load Twitter after disabling network.stricttransportsecurity.preloadlist and creating an exception. I'm confused about certutil: do I have to compile that from source code or what?

[EDITED 2x] However, I found a different way that worked! Following the comment on the Mozilla Security thread, I looked up how to import the certificate from the operating system's root certificate database. So I

  1. ran mmc from the Windows command line,
  2. strated the certification manager (File > Add/Remove Snap-in..., highlight Certificates, click Add, click OK),
  3. looked at the Trusted Root Certification Authorities and found the company server that issued my intermediate certificates,
  4. exported the certificate,
  5. opened the Firefox certification manager and imported the certificate under Authorities (not under Websites!),
  6. enabled network.stricttransportsecurity.preloadlist again.

Now I don't have to manually override for any new https sites and Twitter loads normally, too.

Thanks for leading me to the solution!

Read this answer in context 0

Additional System Details

Installed Plug-ins

  • Shockwave Flash 12.0 r0
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.06
  • Next Generation Java Plug-in 10.51.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • 5.1.20125.0
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0

More Information

guigs2
  • Top 10 Contributor
  • Administrator
  • Moderator
697 solutions 7850 answers

Helpful Reply

Hi Daneelro3,

Thank you for your question, I understand that there is difficulty with creating a certificate that is not allowing Twitter, I have asked the security irc channel for more information for troubleshooting this and will be back shortly with more information.

Hi Daneelro3, Thank you for your question, I understand that there is difficulty with creating a certificate that is not allowing Twitter, I have asked the security irc channel for more information for troubleshooting this and will be back shortly with more information.
guigs2
  • Top 10 Contributor
  • Administrator
  • Moderator
697 solutions 7850 answers

Helpful Reply

Twitter uses HSTS. It would prevent adding an override. If so, what needs to happen there is for the root certificate the company is using to be installed and trusted in the certificate db. I hope this helps.

Twitter uses HSTS. It would prevent adding an override. If so, what needs to happen there is for the root certificate the company is using to be installed and trusted in the certificate db. I hope this helps.

Modified by guigs2

Question owner

Thank you for looking into this!

I'm only barely familiar with the whole certificates and SSL business, so some questions on your suggestion for clarification:

  1. Is this something I can do on my computer, or something that would have to be done on the company server?
  2. Is the root certificate you speak of Twitter's or my company's?
  3. Can you give (or link to) step-by-step instructions on this certificate installation?

Also, why does this happen with Firefox but not IE9? Does Mozilla view this as a security loophole in IE9?

Thank you for looking into this! I'm only barely familiar with the whole certificates and SSL business, so some questions on your suggestion for clarification: # Is this something I can do on my computer, or something that would have to be done on the company server? # Is the root certificate you speak of Twitter's or my company's? # Can you give (or link to) step-by-step instructions on this certificate installation? Also, why does this happen with Firefox but not IE9? Does Mozilla view this as a security loophole in IE9?
guigs2
  • Top 10 Contributor
  • Administrator
  • Moderator
697 solutions 7850 answers

Daneelro3,

I am not sure, I think it just has different features for certificates.

  1. The certificate would be local to the certificate db in Firefox. I believe you can find that in key3.db. The tool you can use is the certificate database tool linked here: https://developer.mozilla.org/en-US/d.../NSS_Tools_certutil Its "man page" is here: https://developer.mozilla.org/en-US/d.../NSS_tools_:_certutil
  2. It is your certificate, not Twitter's certificate.
  3. I am not entirely sure of the steps, but I am happy to take a hack at it.
 See if the NoScript Firefox extension works as well, this was said to support the redirection nature of the HTTPS that is a result of HSTS.(I think) You might be interested in the RFC about it http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 see "Server Implementation Advice" and "UA Implementation Advice" in section 9.

And this is the issue http://mozilla.6506.n7.nabble.com/HSTS-preload-list-td271152.html

Previous work around: And then I found this: https://support.mozilla.org/en-US/que.../942924 manually changing the timeout, but I do not think this is secure. There is not a very secure way of doing this.

So in conclusion: (after talking to the #security channel :-) )HSTS is set by Twitter's servers doesn't allow users to override connections that are invalid, bot untrusted and invalid. Starting a new profile and disable HSTS preload list (which is not a wise security decision) the about:config is "network.stricttransportsecurity.preloadlist"

You could also: could use a hsts preload disabled profile, install his own CA, then MITM using a cert from that CA. Or to add the add the certificate that issued the MITM certificate to the trust db with the tool mentioned above. geekboy 11:35 the pref to toggle is network.stricttransportsecurity.preloadlist I think I asked

Daneelro3, I am not sure, I think it just has different features for certificates. # The certificate would be local to the certificate db in Firefox. I believe you can find that in key3.db. The tool you can use is the certificate database tool linked here: [https://developer.mozilla.org/en-US/docs/NSS/tools/NSS_Tools_certutil] Its "man page" is here: [https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil] # It is your certificate, not Twitter's certificate. # I am not entirely sure of the steps, but I am happy to take a hack at it. See if the NoScript Firefox extension works as well, this was said to support the redirection nature of the HTTPS that is a result of HSTS.(I think) You might be interested in the RFC about it [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02] see "Server Implementation Advice" and "UA Implementation Advice" in section 9. And this is the issue [http://mozilla.6506.n7.nabble.com/HSTS-preload-list-td271152.html] Previous work around: And then I found this: [https://support.mozilla.org/en-US/questions/942924] manually changing the timeout, but I do not think this is secure. There is not a very secure way of doing this. So in conclusion: (after talking to the #security channel :-) )HSTS is set by Twitter's servers doesn't allow users to override connections that are invalid, bot untrusted and invalid. Starting a new profile and disable HSTS preload list (which is not a wise security decision) the about:config is "network.stricttransportsecurity.preloadlist" You could also: could use a hsts preload disabled profile, install his own CA, then MITM using a cert from that CA. Or to add the add the certificate that issued the MITM certificate to the trust db with the tool mentioned above. geekboy 11:35 the pref to toggle is network.stricttransportsecurity.preloadlist I think I asked

Chosen Solution

The Mozilla Security thread from a year ago does indeed look exactly like my issue, it's a shame apparently nothing happened on the improved support for MitM proxies.

At first I could load Twitter after disabling network.stricttransportsecurity.preloadlist and creating an exception. I'm confused about certutil: do I have to compile that from source code or what?

[EDITED 2x] However, I found a different way that worked! Following the comment on the Mozilla Security thread, I looked up how to import the certificate from the operating system's root certificate database. So I

  1. ran mmc from the Windows command line,
  2. strated the certification manager (File > Add/Remove Snap-in..., highlight Certificates, click Add, click OK),
  3. looked at the Trusted Root Certification Authorities and found the company server that issued my intermediate certificates,
  4. exported the certificate,
  5. opened the Firefox certification manager and imported the certificate under Authorities (not under Websites!),
  6. enabled network.stricttransportsecurity.preloadlist again.

Now I don't have to manually override for any new https sites and Twitter loads normally, too.

Thanks for leading me to the solution!

The Mozilla Security thread from a year ago does indeed look exactly like my issue, it's a shame apparently nothing happened on the improved support for MitM proxies. At first I could load Twitter after disabling network.stricttransportsecurity.preloadlist and creating an exception. I'm confused about certutil: do I have to compile that from source code or what? [EDITED 2x] However, I found a different way that worked! Following the comment on the Mozilla Security thread, I looked up how to import the certificate from the operating system's root certificate database. So I # ran mmc from the Windows command line, # strated the certification manager (File > Add/Remove Snap-in..., highlight Certificates, click Add, click OK), # looked at the Trusted Root Certification Authorities and found the company server that issued my intermediate certificates, # exported the certificate, # opened the Firefox certification manager and imported the certificate under Authorities ('''not''' under Websites!), # enabled network.stricttransportsecurity.preloadlist again. Now I don't have to manually override for any new https sites and Twitter loads normally, too. Thanks for leading me to the solution!

Modified by Daneelro3