cancel
Showing results for 
Search instead for 
Did you mean: 

What does "Your connection is not secure" mean?

When Firefox connects to a secure website (the URL begins with "https://"), it must verify that the certificate presented by the website is valid and that the encryption is strong enough to adequately protect your privacy. If the certificate cannot be validated or if the encryption is not strong enough, Firefox will stop the connection to the website and instead show an error page.

On some websites there is an option to report secure connection errors to Mozilla for statistical purposes:

report tls error

To troubleshoot secure connection problems with the error message Secure Connection Failed, see the Troubleshoot the "Secure Connection Failed" error message article.

When Firefox connects to a secure website (the URL begins with "https://"), it must verify that the certificate presented by the website is valid and that the encryption is strong enough to adequately protect your privacy. If the certificate cannot be validated or if the encryption is not strong enough, Firefox will stop the connection to the website and instead show an error page:

Fx44 Insecure Connection

What to do if you see this error?

If you encounter such an error message, if possible, you should contact the owners of the website and inform them of the error. It is recommended that you wait for the website to be fixed before using it. The safest thing to do is to click Go Back, or to visit a different website. Unless you know and understand the technical reason why the website presented incorrect identification, and are willing to risk communicating over a connection that could be vulnerable to an eavesdropper, you should not proceed to the website.

Technical information

Click on Advanced for more information on why the connection is not secure. Some common errors are described below:

The certificate will not be valid until (date)

The certificate will not be valid until date (...)

Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE

The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time (double-click the clock icon on the Windows Taskbar) in order to fix the problem. More details about this are available in the support article How to troubleshoot time related errors on secure websites.

The certificate expired on (date)

The certificate expired on date (...)

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

This error occurs when a website's identity certification has expired.

The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time (double-click the clock icon on the Windows Taskbar) in order to fix the problem. More details about this are available in the support article How to troubleshoot time related errors on secure websites.

The certificate is not trusted because the issuer certificate is unknown

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

You may have enabled SSL scanning in your security software such as Avast, Bitdefender, ESET or Kaspersky. Try to disable this option. More details about this are available in the support article How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites.

You may also see this error message on major sites like Google, Facebook, YouTube and others on Windows in user accounts protected by Microsoft family settings. To turn these settings off for a particular user, see the Microsoft support article How do I turn off family features?.

The certificate is not trusted because it is self-signed

The certificate is not trusted because it is self-signed.

Error code: SEC_ERROR_UNKNOWN_ISSUER

Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites.

The certificate is only valid for (site name)

example.com uses an invalid security certificate.

The certificate is only valid for the following names: www.example.com, *.example.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.

A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited https://example.com, but the certificate is for https://www.example.com. In this case, if you access https://www.example.com directly, you should not receive the warning.

Corrupted certificate store

You may also see certificate error messages when the file in your profile folder that stores your certificates (cert8.db) has become corrupted. Try to delete this file while Firefox is closed to regenerate it:

Note: You should only perform these steps as a last resort, after all other troubleshooting steps have failed.
  1. Open your profile folder:

    Click the menu button New Fx Menu , click help Help-29 and select Troubleshooting Information. The Troubleshooting Information tab will open.

  2. Under the Application Basics section, click on Show FolderOpen FolderShow in FinderOpen Directory. A window with your profile filesfolder will open.
  3. Note: If you are unable to open or use Firefox, follow the instructions in Finding your profile without opening Firefox.

  4. Click the menu button New Fx Menu and then click ExitQuit Close 29 .
  5. Click on the file named cert8.db.
  6. Press command+Delete.
  7. Restart Firefox.
Note:cert8.db will be recreated when you restart Firefox. This is normal.

Bypassing the warning

You should only bypass the warning if you're confident in both the identity of the website and the integrity of your connection - even if you trust the site, someone could be tampering with your connection. Data you enter into a site over a weakly encrypted connection can be vulnerable to eavesdroppers as well.

In order to bypass the warning page, click Advanced:

  • On sites with a weak encryption you will then be shown an option to load the site using outdated security.
  • On sites which certificate cannot be validated, you might be given the option to add an exception.
Legitimate public sites will not ask you to add an exception for their certificate - in this case an invalid certificate can be an indication of a web page that will defraud you or steal your identity.

Reporting the Error

On some websites there is an option to report the error to Mozilla for statistical purposes:

Fx45 Report SSL Errors

This article, like all Firefox support, is brought to you mostly by volunteers, who keep Mozilla proudly independent and open source. Keep browsing freely!

Customize this article

Firefox

Firefox for Android

Firefox for iOS

Firefox OS

Thunderbird

Version History
Revision #:
3 of 3
Last update:
3 weeks ago
Updated by:
 
Comments

This was written by someone from the security team. Please consult him before making any significant changes (typos and style are fine).

Joni said

This was written by someone from the security team. Please consult him before making any significant changes (typos and style are fine).

Just in case anyone needs to, how do we consult David Keeler (dkeeler)? Start a discussion thread here, mark it "[Attn: Admin]" or "[Attn: dkeeler]" and PM him with a thread link?

As for the background, How to resolve weak crypto error messages on Firefox redirects to this article (see "What links here"). I did a search and found this related bug (fixed in Firefox 44):

Bug 1207137 - Provide an affordance to override cert errors like weak crypto

P.S. The SUMO bug to create this article is: Bug 1215490 - Create a SUMO article for RC4-only servers

I edited the Description of the new article, Unable to access secure (HTTPS) sites in Firefox 43 to add this article under "Related documents". Both articles now have "See also" links to each other. Related discussion: https://support.mozilla.org/en-US/kb/unable-access-secure-https-sites-firefox-43/discuss/6476#post-1...

On second look I removed the "see also" link. This article content currently doesn't apply to Firefox 43 or lower (although maybe it should). I started a new discussion thread: https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean/discuss/6480 Update this article to apply to Firefox 43?

This article is titled What does "Your connection is not secure" mean? and has the "warning" note:

{for not fx44}{warning}Firefox versions 43 and lower: This article applies to newer versions of Firefox.{/warning}{/for}

What about Firefox 43 users who see that error?

The related bug, Bug 1207137 - Provide an affordance to override cert errors like weak crypto ...has this test link, http://brampitoyo.github.io/fx-untrusted-connection/rc4.xhtml ...which also shows me a "Your connection is not secure" error page with an Advanced button in Firefox 43 (it lets me override the error and load the page using outdated security).

(The "Learn more" link goes to What does "Your connection is not secure" mean?, by the way.)

(Disregard the above. That was an http: link for a "UI prototype")


Related discussion in the Unable to access secure (HTTPS) sites in Firefox 43 article forum:

https://support.mozilla.org/en-US/kb/unable-access-secure-https-sites-firefox-43/discuss/6476#post-1...

Tonnes said

I did a small edit in order to avoid some possible confusion, which may answer the Advanced panel question above (see this screenshot provided by Philipp). I know this would create an inconsistency with the Blog text but the wording in the blog may not be leading nor perfect. <snip> Note that there is this What does "Your connection is not secure" mean? article which isn’t linked. Thinking of it now, how about merging them? If not, the emphasis in the title of this article may need to be more on the "sudden" nature of this message appearing, probably not by including the SHA1 change, but more like "I can no longer access...", so Unable to access secure (HTTPS) sites in Firefox 43 as you suggested may quite well cover that. <snip>

Alice, Mark mentioned this to me as well. I started working on a common response for using that to collect troubleshooting info for certificate issues in Firefox. (not sure if this is relevant, but will post a link to the draft) https://support.mozilla.org/en-US/kb/.../history

The problem with making any substantive changes to this article is this post by Joni on November 30, 2015

This was written by someone from the security team. Please consult him before making any significant changes (typos and style are fine).

By the way, when I test https://expired.badssl.com/ in Firefox 43 I get the error page, "This Connection is Untrusted". In Firefox 44 Beta I get "Your connection is not secure".

In bug 1232258 comment 2 philipp suggests merging the content of "This Connection is Untrusted" error message appears - What to do into this article. The History of this article shows that philipp has revisions pending.

Other test links and related discussion here: https://support.mozilla.org/en-US/kb/connection-untrusted-error-message/discuss/6479 [Fx44] Add link to new article (What does "Your connection is not secure" mean?)

I updated the thread title to get Joni's attention: [Attn: Admin - Joni] Update this article to apply to Firefox 43 ... and merge with "This Connection is Untrusted" article?

Joni approved philipp's edit to merge content from the "This Connection is Untrusted" article into this one. I updated the thread title since there's now a pending revision to redirect the "TLS Error Reports" article to this article (revision 115049).

https://support.mozilla.org/en-US/kb/tls-error-reports/discuss/6062#post-11771 (May 10 2015) includes Image:ReportTLSerror, shown below:

ReportTLSerror

Going to https://crew.lirr.org/ in Firefox 43 produces the above Secure Connection Failed error, with no option to bypass the error to load the site. So does Firefox 38 ESR. When you click on "Report this error", the Learn More... link goes to https://support.mozilla.org/kb/tls-error-reports/ .

Going to https://crew.lirr.org/ in Firefox 44 produces a "Your connection is not secure" error and links to this article, as a redirect from https://support.mozilla.org/en-US/kb/how-resolve-weak-crypto-error-messages-firefox (you can bypass the error using the Advanced button)

This article has a "Reporting the Error" section with a screenshot of the Secure Connection Failed error with a checkbox to report the error to Mozilla but it's at the bottom of the article.

If the redirect is approved then I think we should add a note {for not fx44} to the top of this article about reporting errors to Mozilla, since Secure Connection Failed errors with Learn More links to https://support.mozilla.org/kb/tls-error-reports will be redirected to this article. This article links to the Troubleshoot the "Secure Connection Failed" error message article at the top. but that doesn't mention reporting errors, and the note at the top of this article says that this article doesn't apply to Firefox 43 and below.

I checked the test links at https://badssl.com/ and I get a "Secure Connection Failed" error in all three browsers (Firefox 38 ESR, Firefox 43 AND Firefox 44) for this link: https://10000-sans.badssl.com/

Here's the error page I see in Firefox 44:

Image:fx44SecureConnectionFailed-TLS

fx44SecureConnectionFailed-TLS

The Learn More link shown after clicking "Report this error" goes to https://support.mozilla.org/kb/tls-error-reports

I made a new revision to add content for fx43 and below due to "TLS error reports" redirect being approved.

This article is linked in-product from ssl error messages which makes it our #2 most popular article in the kb with 1.3 million visitors during the past 30 days. since it is obviously a hot topic and often also a retention issue, that might lead users to leave the browser, we should try to keep the content in here as good as possible :-)

I've looked at some available telemetry data for one month of error messages in firefox 45 & here are some findings about the 115 million recorded displayed ssl error pages during that time:

  • SEC_ERROR_UNKNOWN_ISSUER makes up 65% percent of all error messages. we have a separate article which goes into more details on this, which will be linked directly on unknown issuer error pages starting with firefox 48 (bug 1242886). until then we should probably move this section to the top of the page.
  • 20% percent of the errors are due to SSL_ERROR_BAD_CERT_DOMAIN. we have a section that covers this already - maybe we can prioritise it within the article as well. i'd guess that most of those occurrences are due to misconfigured servers/certs, but maybe some MITM-tools cause this as well. probably worth looking into that more...
  • 14% are various time related error messages (SEC_ERROR_OCSP_FUTURE_RESPONSE, SEC_ERROR_EXPIRED_CERTIFICATE, MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE, SEC_ERROR_OCSP_OLD_RESPONSE, MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE). we only cover a fraction of those and not entirely correctly at the moment. part of it will be due to server side issues, but another part also due to skewed clocks on a user's device - in the latter case the error page will directly warn users about this fact starting in firefox 48 or 49 (bug 712612). i think it may be worth spinning off a separate article for those timing-based errors explaining how to set the right time step-by-step for various operating systems and maybe have this linked directly from the particular error messages as well.

all other error codes are totalling below 2%, maybe it is worth to document some of the more interesting ones amongst those as well though. i'd look at those ones: SEC_ERROR_BAD_SIGNATURE, SEC_ERROR_REVOKED_CERTIFICATE, SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, SEC_ERROR_UNTRUSTED_ISSUER, MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE

raw data: https://docs.google.com/spreadsheets/d/1Z0TDpBoGzvfIN9E2ETeWpZNraVfvWFnuM_XSIExZvA4/

i have created a first version of an article that especially deals with time related https errors: https://support.mozilla.org/en-US/kb/troubleshoot-time-errors-secure-websites/history