Compare Revisions

connection, secure, certificate, rc4

When connecting to a website that uses an invalid TLS certificate or weak encryption, Firefox will display an error page saying "Your connection is not secure".

When Firefox connects to a secure website (the URL begins with "http'''s'''://"), it must verify that the certificate presented by the website is valid and that the encryption is strong enough to adequately protect your privacy. If the certificate cannot be validated or if the encryption is not strong enough, Firefox will stop the connection to the website and instead, show you an error page with the message, ''Your connection is not secure'': [[Image:Fx44 Insecure Connection]] * To troubleshoot secure connection problems that cause a ''Secure Connection Failed'' message, see the [[Troubleshoot the "Secure Connection Failed" error message]] article. __TOC__ = What to do if you see this error? = If you encounter such an error message, if possible, you should contact the owners of the website and inform them of the error. It is recommended that you wait for the website to be fixed before using it. The safest thing to do is to click {button Go Back}, or to visit a different website. Unless you know and understand the technical reason why the website presented incorrect identification, and are willing to risk communicating over a connection that could be vulnerable to an eavesdropper, you should not proceed to the website. = Technical information = Click on {button Advanced} for more information on why the connection is not secure. Some common errors are described below: == The certificate does not come from a trusted source == {note}The certificate does not come from a trusted source. <br><br>Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED{/note} This error indicates that [https://wiki.mozilla.org/CA Mozilla's CA Certificate Program] has imposed policies upon this website's certificate authority that the website has not complied with. When this error occurs, it indicates that the owners of the website need to work with their certificate authority to correct the policy problem. Mozilla's CA Certificate Program publishes a list of [https://wiki.mozilla.org/CA/Upcoming_Distrust_Actions upcoming policy actions affecting certificate authorities] which contains details that might be useful to the website owners. For more information, see the Mozilla Security Blog post, [https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/ Distrust of Symantec TLS Certificates]. == The certificate will not be valid until ''(date)'' == {note}The certificate will not be valid until ''date'' (...)<br><br>Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE{/note} The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time{for win} (double-click the clock icon on the Windows Taskbar){/for} in order to fix the problem. More details about this are available in the support article [[How to troubleshoot time related errors on secure websites]]. == The certificate expired on ''(date)'' == {note}The certificate expired on ''date'' (...)<br><br>Error code: SEC_ERROR_EXPIRED_CERTIFICATE{/note} This error occurs when a website's identity certification has expired. The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time{for win} (double-click the clock icon on the Windows Taskbar){/for} in order to fix the problem. More details about this are available in the support article [[How to troubleshoot time related errors on secure websites]]. == The certificate is not trusted because the issuer certificate is unknown == {note}The certificate is not trusted because the issuer certificate is unknown.<br>The server might not be sending the appropriate intermediate certificates.<br>An additional root certificate may need to be imported.<br><br>Error code: SEC_ERROR_UNKNOWN_ISSUER{/note} You may have enabled SSL scanning in your security software such as Avast, Bitdefender, ESET or Kaspersky. Try to disable this option. More details about this are available in the support article [[How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites]]. {for win8,win10} You may also see this error message on major sites like Google, Facebook, YouTube and others on Windows in user accounts protected by Microsoft family settings. To turn these settings off for a particular user, see the Microsoft support article [http://go.microsoft.com/fwlink/p/?LinkId=627342 How do I turn off family features?]. {/for} == The certificate is not trusted because it is self-signed == {note}The certificate is not trusted because it is self-signed. <br><br>Error code: SEC_ERROR_UNKNOWN_ISSUER{/note} Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites. == The certificate is only valid for ''(site name)'' == {note}example.<i></i>com uses an invalid security certificate.<br><br>The certificate is only valid for the following names: www.example.<i></i>com, *.example.<i></i>com <br><br>Error code: SSL_ERROR_BAD_CERT_DOMAIN{/note} This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is. A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited https://example<!---->.com, but the certificate is for https://'''www.'''example<!---->.com. In this case, if you access https://'''www.'''example<!---->.com directly, you should not receive the warning. == Corrupted certificate store == You may also see certificate error messages when the file in your profile folder that stores your certificates ({for not fx58}{filepath cert8.db}{/for}{for fx58}{filepath cert9.db}{/for}) has become corrupted. Try to delete this file while Firefox is closed to regenerate it: {note}'''Note:''' You should only perform these steps as a last resort, after all other troubleshooting steps have failed.{/note} #[[T:profileFolder]] #[[T:closeFirefox]] # Click on the file named {for not fx58}{filepath cert8.db}{/for}{for fx58}{filepath cert9.db}{/for}. # Press {for mac}{key command}+{/for}{key Delete}. # Restart Firefox. ;{note}'''Note:''' {for not fx58}{filepath cert8.db}{/for}{for fx58}{filepath cert9.db}{/for} will be recreated when you restart Firefox. This is normal.{/note} = Bypassing the warning = You should only bypass the warning if you're confident in both the identity of the website and the integrity of your connection - even if you trust the site, someone could be tampering with your connection. Data you enter into a site over a weakly encrypted connection can be vulnerable to eavesdroppers as well. In order to bypass the warning page, click {button Advanced}: * On sites with a weak encryption you will then be shown an option to load the site using outdated security. * On sites which certificate cannot be validated, you might be given the option to add an exception. {warning}Legitimate public sites will '''not''' ask you to add an exception for their certificate - in this case an invalid certificate can be an indication of a web page that will defraud you or steal your identity.{/warning} = Reporting the error = On some websites there is an option to report the error to Mozilla for statistical purposes: <!-- test page used: https://expired.badssl.com/ --> ;[[Image:Fx60ConnectionNotSecure-Report]] = Secure Connection Failed error = Some websites may produce a ''Secure Connection Failed'' error page, similar to this one: <!-- note for localizers: https://10000-sans.badssl.com/ and https://dh480.badssl.com/ produce similar error pages --> ;[[Image:fx60SecureConnectionFailed-ErrorCode]] This type of error does not allow you to bypass the warning; it only provides a checkbox to report the error to Mozilla and a {button Try Again} button. The error page may include an error code, in addition to the following information: * ''The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.'' * ''Please contact the website owners to inform them of this problem.'' In some cases you may be able to resolve or work around the problem, for example, by making some changes to your security software settings or by modifying a Firefox preference setting. See the [[Troubleshoot the "Secure Connection Failed" error message]] article for more information.