I have a problem accessing an https website with Firefox (26.0), but have no problems accessing it with either Chrome or IE. The particular URL deep links into a message forum.
I get the following error message:
This connection is untrusted
You have asked Firefox to connect securely to www.lotro.com, but we can't confirm that your connection is secure. www.lotro.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
Adding an exception works, but only for this one message thread. The next time I have a different thread we go through the same routine.
OK, I've read the forums a bit:
Disabled all Add-ons.
I'm not running any SSL scanning.
Both browser.xul.error_pages.enabled and browser.xul.error_pages.expert_bad_cert are set to True.
Certificate dates are fine, as is my clock/date.
I've deleted cert8.db.
When it does load, rather than getting a lock I get an exclamation point, and a mouseover says "Website does not supply identity information."
When I tell Firefox to get the certificate I get:
Certificate Status: This site attempts to identify itself with invalid information.
Unknown Identity
Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.
When I view the certificate I find:
Issued To
  Common Name (CN): *.lotro.com
  Organization (O): The Saul Zaentz Company
  Organizational Unit (OU): Secure LInk SSL Wirecard
Issued By
  CN: Network Solutions Certificate Authority
  O: Network Solutions L.L.C.
  OU: <Not Part of Certificate>
Validity
  Issued on: 1/3/2012
  Expires on: 1/17/2016
Under Details > Extensions I find Certificate Basic Constraints: Critical, Is not a Certificate Authority.
The security trust chain looks like this:
UTN-USER-First-Hardware
  Network Solutions Certificate Authority
    *.lotro.com
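The failure the error text names ("no issuer chain was provided") can be reproduced offline with the openssl command line. This is an added example, not part of the thread: it builds a constructed root, intermediate and wildcard leaf (sample names and files, not the lotro.com certificates) and shows that the leaf validates only when the intermediate is available to the verifier.

```shell
#!/bin/sh
# Added example. Constructed chain: root -> intermediate -> wildcard leaf.
# All subject names, file names and the x.cnf config are sample values.

# make_cert <dir> <name> <CN> <extension section> <issuer name>
make_cert() {
    openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
        -CAcreateserial -days 2 -extfile "$1/x.cnf" -extensions "$4" \
        -out "$1/$2.pem" 2>/dev/null
}

build_chain() {
    dir=$1
    printf '%s\n' '[req]' 'distinguished_name = req' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = critical,CA:FALSE' \
        'subjectAltName = DNS:*.example.test' > "$dir/x.cnf"
    # Self-signed root: the only certificate the verifier trusts.
    openssl req -x509 -config "$dir/x.cnf" -extensions ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=Sample Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null &&
    make_cert "$dir" inter "Sample Intermediate CA" ca root &&
    make_cert "$dir" leaf "*.example.test" leaf inter
}

# verify_leaf <dir> [file of untrusted intermediates]
# Exit 0 only if a path from the leaf to the trusted root can be built.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem"
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
    fi >/dev/null 2>&1
}

d=$(mktemp -d) && build_chain "$d" || exit 1
# Leaf alone, as sent by a server that omits its chain: no issuer is found.
verify_leaf "$d" && echo "leaf only: trusted" || echo "leaf only: unknown issuer"
# Leaf plus the intermediate, as in a complete server chain: path builds.
verify_leaf "$d" "$d/inter.pem" && echo "leaf + intermediate: trusted"
```

A client that already holds the intermediate in its own store or cache behaves like the second call even when the server sends only the leaf, which is one way two browsers can disagree about the same site.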
It sounds like you are getting a good certificate, or at least the same one I'm getting (first screen shot). Can you check whether you have an entry for "UTN-USER-First-Hardware" in your Authorities tab?
orange Firefox button (or Tools menu) > Options > Advanced > Certificates mini-tab > "View Certificates" button
On the Authorities tab, toward the bottom under The USERTRUST Network, can you find "UTN-USER-First-Hardware"? (second screen shot)
Regarding the warning icon in the address bar, I get that as well. It indicates that there is some non-secure "passive" content in the page, like images. For forums, I wouldn't be too concerned about that.
The reference to identity information is there for all regular SSL certificates. Only EV SSL certificates (green lock) can verify identity, because the issuer requires some proof of identity for the customer before issuing it.
I went in and looked at my Authorities tab and DO have The USERTRUST Network and UTN-USER-First-Hardware. I also have Network Solutions L.L.C and Network Solutions Certificate Authority.
I deleted UTN-USER-First-Hardware and went to http://www.tbs-certificates.com/FAQ/en/42.html and imported the certificate. But when I try I'm told "This certificate is already installed as a certificate authority." :( It is back in my Authorities tab; is it the new one or not? I didn't exit and reload Firefox while doing this.
While searching for UTN-USER-First-Hardware I saw a few stories about some bad certificates issued back in 2011 (addons.mozilla.com and the like). Was their certificate revoked?
Hi Paul5358, the story of the fraudulent 2011 certificates is an interesting story, and in the end, the known bad certificates were blocked in two ways (hardcoded in Firefox, and when Firefox checks certificate validity, reporting that they are invalid). The certificate used for LOTRO is not one of those bad certificates.
Because Comodo is a leading low-cost provider of SSL certificates, distrusting the UTN-USER-First-Hardware certificate used to sign the fraudulent certificate also will distrust thousands of legitimate certificates used around the web. In a post-mortem article, that was estimated to impact 205,000 sites (13% of all secure sites) whose SSL certs ultimately are signed by that certificate. So I don't think it's practical to distrust it (you can't actually delete the certificate, as you discovered, but you can distrust it).
But this leaves the mystery of why you get an SSL error when visiting the forum. Could there be some software that is intercepting your secure connections and bungling the certificates, such as security/filtering software or malware? Or is Firefox connecting through a dysfunctional proxy/privacy service? One place to check for indirect connections is the Options dialog.
orange Firefox button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button
The default setting is "Use system proxy settings", which should piggyback on the settings in Internet Explorer. You also could try "No proxy".
I checked Configure Proxies to Access the Internet and found it was set to "Use system proxy settings". I changed it to "No proxy", saved it and reloaded. No joy :(
Leaving the proxy settings at No, I disabled all of the Add-ons and rebooted into Safe Boot with Network via MSConfig to eliminate the chance that some loaded and forgotten program was doing something. Still the connection is untrusted.
Because I use LastPass and Xmarks, I'm not averse to blowing away Firefox and reloading it, if I can remove it and not leave any crumbs behind.
You can manipulate the two aspects of the program separately:
(1) Settings - to test with clean settings, you can create a new profile; let's hold that thought.
(2) Program - sometimes program files become corrupted, which usually can be repaired by re-running the full installer. However, if other software has dropped files into Firefox's program folder, those won't be replaced or removed. This is by design so you don't lose plugins dropped there, but could be the source of the problem. To address that situation, you can rename the Firefox folder and then reinstall.
Download the installer for your preferred language from this page:
After exiting Firefox, rename the program folder to something like OldFox.
On 64-bit Windows, it's:
C:\Program Files (x86)\Mozilla Firefox
On 32-bit Windows, it's:
C:\Program Files\Mozilla Firefox
Then run the installer. It should find your existing personal data automatically.
To complete the thought in the previous post, here's the two-minute new profile experiment:
Create a new Firefox profile
A new profile will have your system-installed plugins (e.g., Flash) and extensions (e.g., security suite toolbars), but no themes, other extensions, or other customizations. It also should have completely fresh settings databases and a fresh cache folder.
Exit Firefox and start up in the Profile Manager using Start > search box (or Run):
Any time you want to switch profiles, exit Firefox and return to this dialog.
You'll click the Create Profile button. I recommend using the default location suggested, and to avoid data loss, not re-using any existing folder. Then start Firefox in the new profile you created.
Does Firefox accept the certificate when you access the site in the new profile?
When returning to the Profile Manager, you might be tempted to use the Delete Profile button. But... it's a bit too easy to accidentally delete your "real" profile, so I recommend resisting the temptation. If you do want to clean up later, I suggest making a backup of all your profiles first in case something were to go wrong.
With regards to the fraudulent certificates ... if a major root CA were forced to give a root certificate to some ... agency. Short of scrapping the whole chain of trust concept, is there anything that can be done? Seems like the weakest link is very weak.
I don't want to derail my own thread, but I'm sure this has been a topic of discussion. Perhaps you could point me in the right direction to do some reading.