Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

I need to access a site which Firefox calls untrusted and does NOT give the option to make an exception :-(.

  • 18 replies
  • 9 have this problem
  • 100 views
  • Last reply by grumpf

more options

I can access the same site from other computers using FireFox in the same local network. But on this PC FireFox claims that the certificate issuer is untrusted (sec_error_untrusted_issuer) and does NOT give me the option to decide myself. Frankly I'm freaking out by this incredible decision to take control away from the user. A warning is nice and appreciated, but I should ALWAYS have the right to take the risk. Actually I knew what I was doing and I was in a hurry and it was important to get access. I HATE Firefox for this :-(.

I short ... I want to see the warning but I want to be able to access anyway.

I already deleted cert8.db while restarting FF ... didn't solve the problem. I believe my mail operator is INDEED sending the wrong certificate, but I don't care. I want access. Man in the middle ... OK, I usually don't use the webmailer, but I want to be able, damnit.

I can access the same site from other computers using FireFox in the same local network. But on this PC FireFox claims that the certificate issuer is untrusted (sec_error_untrusted_issuer) and does NOT give me the option to decide myself. Frankly I'm freaking out by this incredible decision to take control away from the user. A warning is nice and appreciated, but I should ALWAYS have the right to take the risk. Actually I knew what I was doing and I was in a hurry and it was important to get access. I HATE Firefox for this :-(. I short ... I want to see the warning but I want to be able to access anyway. I already deleted cert8.db while restarting FF ... didn't solve the problem. I believe my mail operator is INDEED sending the wrong certificate, but I don't care. I want access. Man in the middle ... OK, I usually don't use the webmailer, but I want to be able, damnit.

Chosen solution

@cor-el: Thanks, but if you read my first post you'll find that I already did that cert8-thing before posting here ... didn't change anything ...

BUT: I SOLVED IT !

I downloaded FireFox Portable from heise.de (which I trust) and that contained the certificates ... so I saved them to file and loaded these files in the installed incarnation of FireFox and ... problems be gone ... I'm in business.

In the meantime I found out WHY this had to happen ... Because of Mr. Snowden and the NSA there's an initiative "eMail made in Germany" amongst the mail providers which want to get more people to use their mail instead of i.e. Gmail ... so they claim that by getting the root-certificate from a german issuer instead of Verisign people will be safe from the bad spies ... ROFL ... so they actually changed the certificates from Verisign to telesec ... and with that move many many people got problems. T-Online just told everybody to install new browsers or to reset their browsers to factory settings. Can't write here what went through my head when I read about that ...

BUT: It is still a problem that someone as long in the industry as I have been has such a hard time to get this fixed. No ordinary person could. And there MIGHT well be an emergency which is more important than browser security. If an override option is not acceptable then at least a 1...2...3 step by step solution wizzard MUST be provided. It is NOT acceptable to effectively disable a person to access what he wants to access. This is like a car which refuses to start because the driver shows a little alcohol ... while he attempts to bring somebody to the hospital urgently.

Read this answer in context 👍 0

All Replies (18)

more options

What version of Firefox has the problem?? Your system information indicates Firefox 12, which seems unlikely.

more options

If you right-click the error page, does the context menu have a "This Frame" item with a flyout menu to open the frame in a new tab? If so, try that to see whether you can access the "Add Exception" dialog that way.

Also, if you inspect the certificate before adding an exception, who does it show to be the issuer (Issued by section)? Sometimes this helps identify particular malware that might be causing the problem.

more options

Yes, I'm still using version 12 on this PC because newer FireFoxes have developed in a direction I really don't like (don't get me started). But as far as I know newer FF versions also have this "feature". While seeking a solution I found other people complaining about the same problem. If you can confirm that latest FFs always offer user-override in this case there's at least no need for a fix. I would still love to be able to see my webmail ;-).

more options

Well, I checked, but this is not the case, it's not an (i)Frame unfortunately ... I also went to the advanced settings and switched the checking of SSL certificates off, but that didn't change anything (but SHOULD have).

more options

Forgot to say that since I don't get the option for an exception I also don't get ANY detailed information about the details of the problem other than that the issuer is not trusted ... really great help :-(.

I really envision to have some details about a medication sitting in my webmail and while fighting for access somebody next to me slowly gets worse ... but I'll have been "helped" to prevent a man in the middle attack ...

more options

Thank you both a lot for answering :-) !

more options

No, there is no reason to expect Firefox 32 to be more lenient about certificates than Firefox 12. But it has patched a lot of security problems from back in the day (see: https://www.mozilla.org/security/know.../firefox.html) so we always recommend updating. And that would also go for your plugins...

Can you share the address of the problem server, or test it using the following site and share the address of the report? Perhaps this will help in spotting anything special about this certificate issue.

http://www.networking4all.com/en/support/tools/site+check/

more options

Thanks ... here's the link to the report:

http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=https%3A%2F%2Femail.t-online.de%2F&protocol=https

As expected is says: Site is not listed in the certificate

I understand that this is stupid. I have contacted them months ago about this, but they are HUGE and don't care about a single client. But I have that eMail since the early 1990ies and they don't forward, so you can't run from them easily ...

more options

Concerning updates ... Yes, I know very well, that old bugs exist in my FireFox and Plugins. Unfortunatly I do NOT believe that creating a software monoculture is the best way to save the world from viruses. In other words if EVERY person has the same (latest, auto-updated) version on his PC the consequence is that a single virus will lead to total desaster. It would be necessary that auto-update installs different versions to different people, so that new features would have to be programmed multiple times by independend developers and auto-update would have to generate a personal mix of versions for the population. Since this is not being done I make my update decisions on my own. And one thing that DOES stop me to update is the recent tendency to take control away from the user - like in this case the decision not to give me the "I know the risk" option. I'm programming since about 1982, I have seen the DOS-PC coming, Windows coming, Apple going and coming back, the Internet coming ... I have about 20 PCs, make my living with programming everything from embedded DSPs to databases and I think I know what risk exists and if I want to take it. I hate tools that were programmed by people who just decide that they know better. Sorry for the rant, I appreciate your help very much !

more options

I think the full URL might have confused it a bit. When I checked just the server name, it lists a different error:

http://www.networking4all.com/en/support/tools/site+check/report/?fqdn=email.t-online.de&protocol=https

"Self signed certificate in certificate chain. The certificate chain could be built up using the untrusted certificates but the root could not be found locally."


But when I visited the site, my Firefox actually didn't object. (Note: had to disable JavaScript to prevent immediate forwarding to the login page on a different server.) As shown in the attached screen shot, my Firefox has a built-in authority certificate for T-TeleSec GlobalRoot Class 3 and everything checks out.

If your Firefox doesn't show that certificate on the Authorities mini-tab of the Options dialog under Advanced/Certificates/View Certificates then you might need to import it from IE.

more options

OK ... obviously, since I don't get the green verification field to the left of the adress bar I also don't get any certificate information there ... the field is yellow and when I click on it I get the info that no certificate was provided from the site ... understandable somehow. But I went to Options/Advanced/Encryption/View Certificates and there I opended the Authorities Tab and found NOTHING beginning with "T-" ... no T-Online, no T-Systems, nothing ... So I guess I have to install their certificates. You mention that I have to get them from "BI" ... The dialog I was writing about does contain a button labled "Import" but needs a file. So where do I get that file from, or how do I fetch these certificates from an online source ?

I can confirm that other PCs on my network do not have this problem, but I have no idea why these certificates are missing. I certainly didn't delete them :-) ... Maybe there really IS a man in the middle ;-) ...

more options

Irxxx ... not "BI" ... "IE" is what you wrote ... so I started the MSIE up (which I never do) and had a look at its Certificates ... well, it doesn't have one for T-Systems ...

more options

Funny thing ... I can't open the site where they probably have their certificates because I don't have their certificate ...

more options

OK, I gonna get the file from another PC and report ...

more options

No dice ... I checked on 3 other PCs (totaling 4) ... one Win7, one Win Vista, one Win XP ... I checked the Internet Explorer and the FireFox Certificate tabs ... I got a lot of certificates, but nothing from T-Systems and T-Online ... I was also wrong about access on other PCs. Turns out the PC I had in mind already HAD a security exception I must once have made ... Which means I must extend my previous statement: I wish to have the option to override, but I also wish to get the warning EVERY time, not just once before I add the exception.

In other words: Can you please tell me how I can get my hands on that certificate in a secure fashion ? Thanks a lot !

more options

No problems reported with this SSL Certificate Checker website:

Did you ever create an exception for this website?

Try to rename the cert8.db file in the Firefox profile folder to cert8.db.old or delete the cert8.db file to remove intermediate certificates that Firefox has stored.

If that helped to solve the problem then you can remove the renamed cert8.db.old file. Otherwise you can rename (or copy) the cert8.db.old file to cert8.db to restore the previous intermediate certificates. Firefox will automatically store intermediate certificates when you visit websites that send such a certificate.

more options

Chosen Solution

@cor-el: Thanks, but if you read my first post you'll find that I already did that cert8-thing before posting here ... didn't change anything ...

BUT: I SOLVED IT !

I downloaded FireFox Portable from heise.de (which I trust) and that contained the certificates ... so I saved them to file and loaded these files in the installed incarnation of FireFox and ... problems be gone ... I'm in business.

In the meantime I found out WHY this had to happen ... Because of Mr. Snowden and the NSA there's an initiative "eMail made in Germany" amongst the mail providers which want to get more people to use their mail instead of i.e. Gmail ... so they claim that by getting the root-certificate from a german issuer instead of Verisign people will be safe from the bad spies ... ROFL ... so they actually changed the certificates from Verisign to telesec ... and with that move many many people got problems. T-Online just told everybody to install new browsers or to reset their browsers to factory settings. Can't write here what went through my head when I read about that ...

BUT: It is still a problem that someone as long in the industry as I have been has such a hard time to get this fixed. No ordinary person could. And there MIGHT well be an emergency which is more important than browser security. If an override option is not acceptable then at least a 1...2...3 step by step solution wizzard MUST be provided. It is NOT acceptable to effectively disable a person to access what he wants to access. This is like a car which refuses to start because the driver shows a little alcohol ... while he attempts to bring somebody to the hospital urgently.

more options

THANKS !! GREAT SUPPORT !!