"Something is trying to trick Firefox into accepting an insecure update. Please contact your network provider and seek help."
This message appears at regular intervals. I think it is intended to prevent man-in-the-middle attacks that want to foist a rogue Firefox update on you.
In my company the "Microsoft Forefront Threat Management Gateway" with HTTPS inspection is used. This HTTPS inspection is done by installing a local (company-controlled) Certification Authority in the browser on the user's computer and then performing a de/encryption of the SSL stream on the proxy server.
But as Firefox not only verifies the certificate of the update server, but also the Issuer of the certificate, the update is rejected because of a possible Man-In-The-Middle-attack. In case of the "Microsoft Forefront TMG" this is an intended MITM-attack ...
Is there any possibility to change the expected certificate chain of the update server in Mozilla Firefox?
Chosen solution
As a quick fix you can change the pref app.update.certs.1.issuerName to the value used by your MITM box. Or maybe better, add new prefs app.update.certs.3.commonName and app.update.certs.3.issuerName with appropriate values. These two prefs could be passed along to other folks at your organization as a user.js file perhaps, or a restartless add-on.
Not a user-friendly solution, but should get you going again.
This can happen if you still have leftover files from an older Firefox version in the Firefox program folder (C:\Program Files\Mozilla Firefox\defaults\pref).
There should only be a channel-prefs.js file in that defaults\pref folder.
cor-el, thanks for your reply. But actually, as described above, this is not my problem. Firefox correctly displays the warning, as there is a Man-in-the-middle-attack when performing the update - although an intended one (Microsoft Forefront TMG performing HTTPS-inspection).
My question was: "How can I change the expected certificate attributes of the update server?" I want to accept the Firefox update that is correctly served by the Mozilla update server via the Microsoft proxy.
We're having this issue with newer versions of Firefox (10+) that connect through our SonicWall firewall that is doing SSL-DPI. Even though the SonicWall cert is loaded in the Authorities section of the Firefox cert store, we still get the error. How do I set the app.update.certs.1.issuerName pref, as mentioned above?
To access the preferences:
Type about:config into the URL bar and hit enter. Click on the I'll be Careful button. Then type app.update.certs.1.issuerName in the filter or search box. Then double-click the pref or right-click > Modify and fill in the new value. Then close Firefox to save the changes.
To add the other 2 preferences (app.update.certs.3.commonName & app.update.certs.3.issuerName) that are not there by default, right-click on one of the prefs inside the about:config window. Then choose New > String. Then fill in your custom values in the boxes that pop up for each preference. Make sure to close Firefox to save the changes.
For what it's worth, what finally got it working for me was to change app.update.cert.requireBuiltIn to false. So for all you SonicWall users out there that do SSL DPI, that's what you need to do.
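An added example, not part of the thread: a profile's prefs.js and user.js hold only values that a user or administrator has set, so a script can report which profiles have had the update-certificate prefs named above changed, and whether the issuer they now trust is the organisation's own inspection CA. The function names, the allow-list parameter and all sample values are assumptions made for illustration.

```python
import json
import re

# One line of a Firefox prefs.js / user.js file: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
PIN_NAME = re.compile(r"^app\.update\.certs\.(\d+)\.(commonName|issuerName)$")

def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        try:
            prefs[m.group(1)] = json.loads(m.group(2))  # string, true/false, int
        except ValueError:
            prefs[m.group(1)] = m.group(2)  # keep raw text if it is not JSON-like
    return prefs

def audit_update_pins(text, allowed_issuers):
    """Summarise overrides of the update-certificate prefs in one profile."""
    prefs = parse_prefs(text)
    pins = {}
    for name, value in prefs.items():
        m = PIN_NAME.match(name)
        if m:
            pins.setdefault(int(m.group(1)), {})[m.group(2)] = value
    unexpected = sorted(
        idx for idx, pin in pins.items()
        if "issuerName" in pin and pin["issuerName"] not in allowed_issuers
    )
    return {
        "require_builtin_disabled": prefs.get("app.update.cert.requireBuiltIn") is False,
        "pins": pins,
        "unexpected_issuers": unexpected,
    }

# Constructed sample; every value below is a placeholder, not a real default.
SAMPLE = """
// constructed prefs.js excerpt
user_pref("app.update.cert.requireBuiltIn", false);
user_pref("app.update.certs.1.issuerName", "CN=Example Inspection CA");
user_pref("app.update.certs.3.commonName", "update.example.invalid");
user_pref("app.update.certs.3.issuerName", "CN=Unknown Proxy CA");
"""

if __name__ == "__main__":
    print(audit_update_pins(SAMPLE, {"CN=Example Inspection CA"}))
```

Run over each managed profile, the result shows where the built-in-root requirement was switched off and where an update pin names an issuer other than the approved inspection CA.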