Your connection is not secure
Firefox Quantum reports "Your connection is not secure".
I have a Windows 10 Professional computer with Kaspersky Total Security. I use 2 local accounts: 1. User account (ua) A, member of <Administrators>, and 2. ua B, member of <Users>.
Logged on with ua A I can use Firefox without any problems. Logged on with ua B Firefox reports "Your connection is not secure" for my sites. Logged on with ua B and start Firefox by "run as Administrator" there are no problems. Logged on with ua B, start Kaspersky Safe Money (Firefox is set as default browser) and then visiting my sites also give no problems.
Before Quantum I could use Firefox normally logged on with ua B. What's happening?
Chosen solution
If you have cert8.db (used previously) and cert9.db then try to rename cert9.db (cert9.db.old) in the Firefox profile folder to remove intermediate certificates and exceptions that Firefox has stored.
If that has helped to solve the problem then you can remove the renamed file (cert9.db.old).
Firefox will store intermediate certificates that a server sends in the Certificate Manager for future use.
You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.
- Help -> Troubleshooting Information -> Profile Directory:
Windows: Show Folder; Linux: Open Directory; Mac: Show in Finder - http://kb.mozillazine.org/Profile_folder_-_Firefox
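The rename described in the chosen solution, as an added script that is not part of the original thread: it lists the profiles that contain both cert8.db and cert9.db and sets cert9.db aside without overwriting an earlier backup. The function names and the sample profile names are made up for this example, and it assumes Firefox is closed while it runs.

```python
import tempfile
import time
from pathlib import Path

# On Windows the profiles normally live under %APPDATA%\Mozilla\Firefox\Profiles;
# pass that directory (or the Linux/macOS equivalent) as profiles_root.

def find_stale_cert_stores(profiles_root):
    """Return profile dirs holding both the legacy cert8.db and the newer cert9.db."""
    root = Path(profiles_root)
    return sorted(p for p in root.iterdir()
                  if p.is_dir()
                  and (p / "cert8.db").is_file()
                  and (p / "cert9.db").is_file())

def set_aside_cert9(profile_dir, suffix=".old"):
    """Rename cert9.db to cert9.db.old, never overwriting an earlier backup.

    Assumption of this example: Firefox is not running, so the file is not in use.
    """
    src = Path(profile_dir) / "cert9.db"
    dst = src.with_name(src.name + suffix)
    if dst.exists():
        # Keep the older backup and add a timestamp to the new one.
        dst = src.with_name(f"{src.name}{suffix}.{int(time.time())}")
    src.rename(dst)
    return dst

def demo():
    """Constructed sample: two fake profiles in a temp dir, only one has both stores."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = {"abc.default": ["cert8.db", "cert9.db"], "xyz.new": ["cert9.db"]}
        for name, files in layout.items():
            profile = Path(tmp, name)
            profile.mkdir()
            for fname in files:
                (profile / fname).write_bytes(b"constructed placeholder")
        hits = find_stale_cert_stores(tmp)
        moved = [set_aside_cert9(p).name for p in hits]
        left = sorted(f.name for f in Path(tmp, "abc.default").iterdir())
        return [p.name for p in hits], moved, left

if __name__ == "__main__":
    print(demo())
```

The renamed file stays in the profile folder, so the change can be undone by renaming it back, or the file can be deleted once the problem is confirmed solved.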
All Replies (17)
Sounds like a kaspersky problem and if you disable kaspersky what happens then?
Thanks WestEnd for your input. I've tried it and it did not solve the problem. As I expected because why would Kaspersky block ua B and not ua A?
Thanks cor-el but I was familiar with that article before placing my post. Besides, why troubleshooting for ua B and not for ua A where both users use the same certificate?
In what way is the connection not secure?
Is there a certificate problem or is there a problem with mixed content?
You can see a special padlock at the left end of the location/address bar.
- a padlock with a strike through means that mixed active content is blocked.
- a padlock with an exclamation mark attached means that mixed passive content (e.g. images) is present, but not blocked.
You see the shield icon when Tracking Protection is blocking content.
WestEnd said
Sounds like a kaspersky problem and if you disable kaspersky what happens then?
cor-el said
In what way is the connection not secure? Is there a certificate problem or is there a problem with mixed content? You can see a special padlock at the left end of the location/address bar.
- a padlock with a strike through means that mixed active content is blocked.
- a padlock with an exclamation mark attached means that mixed passive content (e.g. images) is present, but not blocked.
You see the shield icon when Tracking Protection is blocking content.
Hi cor-el. Thanks for your input and the articles. There is nothing wrong with the content of the webpage; see for yourself: www.nos.nl. It's a Dutch news site. I send you a screenshot of the error message I get using ua B using Firefox directly (see my first post).
No problems here with https://nos.nl/
You can click the "Advanced" button to expand this section and show extra details. If the certificate is not trusted because the issuer certificate is unknown (SEC_ERROR_UNKNOWN_ISSUER) then click the blue error message to expand this section and show the certificate chain. You can click "Copy text to clipboard" and paste the base64 encoded certificate chain text in a reply. That will allow us to see details like the issuer of the certificate.
- always be cautious when you get an 'Untrusted' error message
- never create a permanent exception without investigating the cause and only use this to inspect the certificate
SEC_ERROR_UNKNOWN_ISSUER :
Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false HTTP Public Key Pinning: false
Certificate chain:
++++ That's it
Does this work to inspect the certificate chain?
Open this chrome URI by pasting or typing this URI in the location/address bar to open the window to check the certificate:
- chrome://pippki/content/exceptionDialog.xul
In the location field enter the URL of the website
- retrieve the certificate via the "Get certificate" button
- inspect the certificate via the "View..." button
Hello cor-el
New stuff for me: chrome URI.
You've asked me to inspect the certificate chain. I don't understand the question because the "certificate chain" field was empty (my post 2/16/18, 7:06 AM). Here are the results of the chrome URI. I'm not familiar with this. I see in the Extensions part of the Details-pane:
1. Certificate Subject Alt Name: Not Critical; DNS Name: *.nos.nl; DNS Name: nos.nl
2. Certificate Basic Constraints: Critical; Is not a Certificate Authority
3. Extended Key Usage: Not Critical; TLS Web Server Authentication (1.3.6.1.5.5.7.3.1); TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
4. Certificate Key Usage: Critical; Signing; Key Encipherment
Hope you can do something with this. Thanks again. Evert.
The second and third screenshot show that the certificate is issued by your Kaspersky security software.
See the section about Kaspersky in the article:
Hello cor-el
About your article reference, I already knew that one. But first, I have been able to "fix" FF for account B. I cannot save the fix so when closing FF and start it up again the fix is gone. Here is the fix:
- Open FF Certificate Manager (Options/Privacy & Security/scroll to Certificates and click <View Certificates>).
- Select the Authorities pane and select the "Kaspersky Anti-Virus Personal Root Certificate".
- Click <View> and you can read: Could not verify this certificate because the issuer is unknown.
- <Close> the screen and click <Edit trust>. In my case the three "Edit trust settings" selections were empty.
- I set the first one: "This certificate can identify websites." and click <OK> (confirmed with master password).
- Now click the <View> again and now we see: This certificate has been verified for the following uses: SSL Certificate Authority
And now I can use FF. But again, don't close FF.
This must be a known fix. Do you know how to save the fix? Or even better, what to change to prevent the fix? (about:config ??). It must be a bug in FF Quantum (??).
Hi cor-el
Renaming cert9.db is the permanent solution! Problem solved. Case closed. Thanks again. Have a good life. Evert Rademaker.
Hi Evert !
Would you be a dear and mark cor-el's post as Chosen Solution ?
(solved problem button .... )
Thank you in advance!