Security certificate and exception does not provide access to website
With the recent update to Firefox the security features, while impressive, are now becoming burdensome. In particular I frequent a particular website https://www.digg.com/video which aggregates video from many sites on the web. This kind of website is now considered insecure by Mozilla. Ok fine. But I allowed the security exception and it seems that the browser is still having trouble rendering the page properly. This is one example of what I mean: https://digg.com/video/bubble-art-fire I attached an image of the page. In fact the page is now unusable. Not sure how to adjust my security settings but I did uninstall my firewall and internet security suite to see if that fixed the problem. It did not. I can readily see the page in other browsers.
All Replies (4)
Hi mkostura, when I try that page and click the "Advanced" button, there is this further information:
Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED
This is related to a number of certificate issuers that apparently violated some policies, causing most browser makers to distrust their certificates. See: Distrust of Symantec TLS Certificates | Mozilla Security Blog. Digg needs to update.
The reason adding an exception leads to a second level problem is that sites often distribute their content over multiple servers, and the exception is only for the server mentioned in the address bar.
Well thanks. While the explanation is nice and educational (thanks for the link to the blog), the outcome is that I cannot use the website or Firefox any longer... the link works perfectly fine in Chrome, IE and Edge. Not sure what other browsers you refer to, but all of these seem to tolerate the certificates fine.
Is there a workaround in the security features of Firefox that I can use to allow the service?? Or would I have to effectively shut off the security features. Or do I have to use another browser?
Well, here are two possible workarounds:
(A) Use the HTTP protocol instead of HTTPS
You might need to make an exception in HTTPS Everywhere to prevent protocol upgrading. The site generally offers HTTP and not HTTPS, and HTTPS access triggers "mixed content" warnings.
(B) Allow some Symantec certificates
Actually, I don't know if other companies' certificates are affected, or only Symantec's.
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste distrust and pause while the list is filtered.
(3) Double-click the security.pki.distrust_ca_policy preference to display a dialog where you can enter the desired value:
- 2 - distrust ALL (default)
- 1 - distrust RECENT certs {works with digg's older cert}
- 0 - don't distrust
Thanks! Option 2 completely corrected the problem. Of course if a site does ultimately correct its certificates then I can change this selection back to #2.
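Workaround (B) weakens certificate distrust for every site until the preference is set back, so it is worth checking profiles for a lingering non-default value. The following is an added example, not part of the original thread or any Mozilla tool: a small audit script that reads a Firefox profile's `prefs.js` and `user.js` and reports the effective `security.pki.distrust_ca_policy`. It assumes the value meanings and the default of 2 listed in the thread; the function names and sample data are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PREF = "security.pki.distrust_ca_policy"
DEFAULT = 2  # assumption taken from the thread: 2 = distrust ALL (default)
MEANING = {0: "don't distrust", 1: "distrust RECENT certs", 2: "distrust ALL"}

# Firefox stores changed preferences as lines of the form: user_pref("name", value);
LINE_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;')

def read_pref(text, name=PREF):
    """Return the last integer value set for `name` in prefs text, or None."""
    value = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == name:
            value = int(m.group(2))
    return value

def effective_policy(prefs_js="", user_js=""):
    """user.js is applied over prefs.js at startup, so it wins if both set the pref."""
    for text in (user_js, prefs_js):
        value = read_pref(text)
        if value is not None:
            return value
    return DEFAULT  # pref absent from both files: still at its default

def audit_profile(profile_dir):
    """Return (value, meaning, weakened) for one Firefox profile directory."""
    profile = Path(profile_dir)

    def load(name):
        f = profile / name
        return f.read_text(encoding="utf-8", errors="replace") if f.is_file() else ""

    value = effective_policy(load("prefs.js"), load("user.js"))
    return value, MEANING.get(value, "unknown value"), value != DEFAULT

# Constructed sample: a prefs.js left behind after applying workaround (B) with value 1
SAMPLE_PREFS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.pki.distrust_ca_policy", 1);
'''

if __name__ == "__main__":
    # Usage: python audit_distrust.py /path/to/profile [more profiles...]
    for d in sys.argv[1:]:
        value, meaning, weakened = audit_profile(d)
        flag = "  <-- not the default, review" if weakened else ""
        print(f"{d}: {PREF}={value} ({meaning}){flag}")
```

A profile flagged here still trusts certificates that the default policy would reject; once the site has replaced its certificate, resetting the preference in about:config removes the line from `prefs.js`.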