https security error: Connection verified by a certificate issuer that is not recognized by Mozilla
Hello, I am running Firefox on a W10-Pro PC. I always click the lock to check certificate validation. In the last month I keep seeing "Connection verified by a certificate issuer that is not recognized by Mozilla".
When I click for more information I see that "Norton Web/Mail Shield" does not recognize the certificate issuer. When I click on Learn More it takes me to a Firefox site, "How to disable the Enterprise Roots preference". I also checked W10 certmgr.msc and I see Norton is listed. Images included below. I would love to resolve this issue. Thank you for your time.
All Replies (20)
Firefox/Mozilla doesn't certify a certificate that is done by another organization, and if the certificate is invalid or out of date then it's up to the one owning the certificate to update it to allow access with the certificate to be used. And Norton also gave you the same error message, so this isn't a Firefox issue.
Mark, Thank you for the reply. Unfortunately your reply does not help me solve my issue. I did not include anything that says Norton gave me the same error message. As far as I can tell a Norton Certificate (whose date appears valid) is in the W10-Pro Trusted certificate list as well as within the Firefox certificate list. Currently I am not trusting (using) Firefox with any accounts that require passwords.
If not Norton - Firefox isn't issuing the certificate; it verifies that it's up to date and matches the certification that should be for the site or whoever is issuing it, and if it fails then the browser will protect itself from malicious certificates. So you should ask the site that uses it to do their proper checks.
My apologies, but I still don't understand your response.
I open a URL with Firefox in protected mode, the page opens and I click on the lock icon, I check that the connection is secure and who it is verified by. If I'm happy with the verifier I continue.
Over the last couple of weeks it's almost always Norton that is the verifier. Click on the lock, Firefox responds with three lines of text. It tells me "You are securely connected to this site". The next line says "Verified by: Norton Web/Mail Shield". In the next line Firefox says: "Mozilla does not recognize this certificate issuer. It may have been added from your OS or by an administrator."
The certificate managers for Microsoft W10-Pro and Firefox both show Norton Web/Mail Shield Root with a date 1/1/2010 - 1/1/2040.
So my dilemma is: why does Firefox permit me access to the URL when it has no recognition of the certificate issuer?
This morning, using Firefox I opened several URLs and every one was certified by Norton. I moved to Microsoft Edge and opened the same URLs and got a variety of certifiers, none were Norton.
Some sites permit access but it does say use at your own risk. Without a URL of the problem site no one will know why it's doing that. How Norton verifies, that's Norton, not Firefox.
Your Firefox is configured to trust Norton web shield as a certificate issuer. This is standard for security software that filters your web browsing. Here's why: if the traffic is encrypted between Firefox and the web server, Norton -- which runs outside of Firefox -- can't read it and therefore can't block or clean it. In order to work as a filter, Norton sets up as a "man in the middle" and there are two separate encrypted connections: one between Firefox and the filter, and one between the filter and the web server.
Now normally Firefox will refuse to connect when there is a man in the middle because the fake site certificate can't be validated up to a trusted authority certificate. That's why the browser needs to be set to trust Norton web shield as an issuer of fake website certificates. There are two methods for that:
(1) import an Authority certificate into Firefox (your fourth screenshot) or
(2) set Firefox to use the Windows certificate store ("Enterprise roots"), which apparently is easier for security software to update
Hopefully that clarifies the situation. Next is what to do about it. What is your preference?
(A) You want your Norton software to continue filtering your browsing
In this case, there really isn't anything to change.
(B) You want Firefox to bypass Norton and connect to HTTPS addresses directly
I think you would go into the Norton web shield settings and tell it not to intercept Firefox traffic, or not to intercept HTTPS/secure traffic from Firefox, but I haven't researched what Norton's settings look like.
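The two-connection arrangement described in the reply above can be checked from outside the browser by looking at who issued the certificate the machine is actually served. The following is an added example, not part of the original thread and not Norton or Mozilla code; it assumes the generated site certificates carry "Norton Web/Mail Shield" (the name quoted in this thread) in their issuer field, and the sample certificates are constructed.

```python
import socket
import ssl

# Assumption: interception certificates name the product in the issuer field.
# "Norton Web/Mail Shield" is the name quoted in this thread; add others as needed.
INTERCEPTOR_MARKERS = ("Norton Web/Mail Shield",)


def name_field(rdns, field):
    """Return the first value of `field` in a getpeercert() name tuple, or None."""
    for rdn in rdns:
        for key, value in rdn:
            if key == field:
                return value
    return None


def classify(cert, markers=INTERCEPTOR_MARKERS):
    """Return ('intercepted' | 'direct', issuer name) for a getpeercert() dict."""
    issuer = cert.get("issuer", ())
    cn = name_field(issuer, "commonName")
    org = name_field(issuer, "organizationName")
    names = [n.lower() for n in (cn, org) if n]
    hit = any(m.lower() in n for m in markers for n in names)
    return ("intercepted" if hit else "direct", cn or org)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: the leaf certificate this machine is served for `host`."""
    # On Windows the default context loads the Windows certificate store,
    # so a locally installed filtering root validates here as well.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns (not real captures).
SAMPLE_FILTERED = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("commonName", "Norton Web/Mail Shield Root"),),),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}
```

Running `classify(fetch_peer_cert("example.org"))` on the affected machine, before and after changing the filter's HTTPS scanning setting, shows whether the issuer switches from the local filter to a public certificate authority.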
Hi jscher2000, Thank you for your response. I get the idea as to how things should work.
1). This all started less than a month ago. No new browsers, no new Norton...
2). Norton always asks if I want to install their protection into the browsers I use. I always refuse those requests.
3). In the last week no matter what URL I open the lock shows "Norton Web/Mail Shield Root".
4). Microsoft Edge shows many different Certifiers and occasionally "Norton Web/Mail Shield Root".
Why do you say Firefox is configured to trust Norton web shield as a certificate issuer when Firefox states "Mozilla does not recognize this certificate issuer"? There is a disconnect here. I've lost my trust in Firefox.
I do not want to bypass certification in any way.
Does Mozilla support monitor this forum?
Hello again, I just looked at Firefox Certificate Manager (under Privacy/Security). Might this have something to do with my problem? Photo included.
All the entries within the Certificate manager "Security Device" column say "Builtin Object Token" except Norton Web/Mail Shield Root which says "Software Security Device". Thank you.
Yes, that is the Norton root certificate that Firefox has imported from the Windows certificate store and that is needed to prevent a SEC_ERROR_UNKNOWN_ISSUER error. This is discussed in this support article.
I hope everyone had a wonderful Thanksgiving.
I've noticed that "Norton Web/Mail Shield Root" certificate is now showing up on more Microsoft Edge browser checks of the Lock certification.
In looking at the Firefox Certificate Manager I see that Norton Web/Mail Shield Root is the only Certificate manager under Authorities that is "Software Security Device". See attached jpeg. All the remaining ones say Builtin Object Token.
What is a Builtin Object vs. Software Security Device? Thank you.
Built-in root certificates are added by Mozilla and have been approved following a lengthy process, whereas a certificate designated as "Software Security Device" is imported and you need to trust the issuer, and it can pose a risk, especially if trust bits are set to make it work as a root certificate. You can click the Edit button to see whether trust bits are set for a "Software Security Device" certificate. Firefox only sees the certificate sent by the software that generated the fake website certificate and not the original certificate sent by the website.
Thank you cor-el,
I've attached a photo of Firefox Certificate Manager with "Norton's Web/Mail Shield Root" selected. I clicked on the Edit Trust button and see: "This certificate can identify websites" check box is selected.
Your comment is confusing: Firefox only sees the certificate send by the software that generated the fake website certificate and not the original certificate send by the website. I have no idea that I am dealing with a fake website.
I am trying to understand the security significance of this message: "Connection verified by a certificate issuer that is not recognized by Mozilla".
Trying to understand how a Software Security Device (Norton) is within Firefox's Certificate Manager and why every other entry is "BuiltIn Object Token"
Can I remove the Norton web/mail shield root? Does it also have to be removed from W10 certificate mgr?
I've stopped use of Firefox, unsure of its security.
Can anyone answer these questions? Thank You.
That is part of the situation I described in my earlier reply, https://support.mozilla.org/en-US/questions/1475500#answer-1689727
Norton is setting up as a "man in the middle" of your connection to provide filtering. If you trust Norton and find this service valuable, no change is needed. If you prefer a direct connection to websites and taking Norton out of the loop, update your Norton settings so it doesn't intercept Firefox requests.
be4usay said
Your comment is confusing: Firefox only sees the certificate send by the software that generated the fake website certificate and not the original certificate send by the website. I have no idea that I am dealing with a fake website.
Norton is setting up as a man in the middle. It impersonates each website, generating a fake certificate signed by the Authority certificate you see in Firefox. Storing the signing certificate in Firefox prevents Firefox from rejecting the fake site certificate.
Norton then connects to the real website and forwards communications between the browser and the site, filtering in between.
I am trying to understand the security significance of this message: "Connection verified by a certificate issuer that is not recognized by Mozilla". Trying to understand how a Software Security Device (Norton) is within Firefox's Certificate Manager and why every other entry is "BuiltIn Object Token" Can I remove the Norton web/mail shield root?
Yes, but then unless you also set Norton not to intercept Firefox, you will not be able to connect to any sites (they will all have a secure connection failure).
Does it also have to be removed from W10 certificate mgr?
Maybe.
I've stopped use of Firefox, unsure of its security.
Doesn't Norton intercept your other browsers, too?
Hi Jscher2000,
Thank you. I do not know how to change my Norton settings so it does not intercept Firefox requests. Can you help me to find that option and turn it off? Thank you.
The only other browser is Microsoft Edge. I have seen the Norton Certificate come up on it, but it's not as prevalent. Also Edge does not complain about it. That said, any time I see the Norton certificate I restart the browser and try again. Usually it brings me known certificates.
jscher2000,
Here is a Norton Support reply to a customer with the same issues as mine. I do not understand all the reply comments and it's not clear that the response helped the customer.
Do the Norton support comments help you understand how to help me with the problem? Thank you.
https://community.norton.com/t/change-in-verified-by-in-web-browser/251997/2
Thank you for the link. It looks like you can start by turning off the HTTPS scanning. This will affect Edge, too.
Hi jscher2000, As I thought, Norton keeps changing the User HI. I scraped two screens and merged them so you can see the most current options that I can select from. The NEW Norton name is called "Safe Web" (formerly Browser Protection).
I turned OFF HTTPS Scanning. I'll give it a test.
Please pass on any other thoughts. Thank You.
Hi jscher2000,
Well, you nailed it. I turned OFF Norton HTTPS Scanning and it's been fine for a couple of days. Thank you for staying with me until this was resolved.
Norton 360 now has 2 pages of settings under the banner "Safe Web", most of which I have no idea on how to set. Since my problems started a month ago, Norton must have updated and enabled ALL the new settings.
Soon these apps will be flooding users with AI based protection which we may have zero control of settings.
How does anyone know their computing devices are safe with all the added software and very many individual potential settings? Thank you, Jscher :-)