Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Bitdefender: suspicious connection blocked involving Firefox - signature-2.cdn.mozilla.net

Each morning, when I first cold boot my computer, the moment I open my Firefox browser, I receive numerous (10+) identical error messages from Bitdefender:

Suspicious connection blocked: Feature: Online Threat Prevention

firefox.exe attempted to establish a connection relying on an unmatching security certificate to content-signature-2.cdn.mozilla.net. We blocked the connection to keep your data safe since the used certificate was issued for a different web address than the targeted one.

Question: Is this ACTUALLY coming from Firefox? If so, please match your security certificates! If that's impossible due to a technical issue, then please email me your confirmation so that I can add an exception to Bitdefender.

Question: If it's not coming from Firefox, please email me, letting me know what additional system information you require so that we can get to the bottom of who/what is masquerading as Firefox while attempting to establish an unauthorized Internet connection from my computer.

HP Envy laptop, Windows 10 OS, latest update.

This has been occurring for several months.

Thank you for your time.

Each morning, when I first cold boot my computer, the moment I open my Firefox browser, I receive numerous (10+) identical error messages from Bitdefender: Suspicious connection blocked: Feature: Online Threat Prevention firefox.exe attempted to establish a connection relying on an unmatching security certificate to content-signature-2.cdn.mozilla.net. We blocked the connection to keep your data safe since the used certificate was issued for a different web address than the targeted one. Question: Is this ACTUALLY coming from Firefox? If so, please match your security certificates! If that's impossible due to a technical issue, then please email me your confirmation so that I can add an exception to Bitdefender. Question: If it's not coming from Firefox, please email me, letting me know what additional system information you require so that we can get to the bottom of who/what is masquerading as Firefox while attempting to establish an unauthorized Internet connection from my computer. HP Envy laptop, Windows 10 OS, latest update. This has been occurring for several months. Thank you for your time.
Attached screenshots

All Replies (19)

I don't think it's necessary for Bitdefender to terminate connections where the certificate doesn't match. Firefox does that all on its own, as you may have seen from time to time on the built-in secure connection error pages.

Anyway, since this connection can't work for anyone, I suggest ignoring it unless you discover that something important has stopped working in Firefox.

Do you use a bookmark or are you starting with the main (home) page of this website?

If you use a bookmark to access a specific page then instead navigate to this page starting with the main page or with the sign in page in case there is a problem with this bookmark.

cor-el said

Do you use a bookmark or are you starting with the main (home) page of this website? If you use a bookmark to access a specific page then instead navigate to this page starting with the main page or with the sign in page in case there is a problem with this bookmark.

Neither. I get roughly 23 identical error message pop-ups after booting my computer and opening Firefox. If I close down Firefox, the reopen it, I the 23 error messages begin again, so it's clearly tied to opening Firefox.

It does not matter which website I go to (news, weather, facebook, etc.). It always begins within a few seconds after opening Firefox.

jscher2000 said

I don't think it's necessary for Bitdefender to terminate connections where the certificate doesn't match. Firefox does that all on its own, as you may have seen from time to time on the built-in secure connection error pages. Anyway, since this connection can't work for anyone, I suggest ignoring it unless you discover that something important has stopped working in Firefox.

Bitdefender claims its product is doing its job. Indeed, out of hundreds of other programs on my computer, not once has any other program attempted to access sites with mis-matched certificates.

If "Firefox does that all on its own," then perhaps it should stop doing something which one of the leading antivirus/security programs clearly sees as a threat.

"Ignoring it" is not an acceptable solution. This is a potentially harmful security issue. I'd like to see it resolved, not ignored.

Thank you both for your replies. If either of you have anything more to add, by all means, please do so!

In the meantime, anyone else out there with insight on this issue? Please review the attachment at the OP. Thank you.

That server seems to be used for content signatures to validate information that Firefox requests from Mozilla servers in the background: https://github.com/mozilla-services/autograph/blob/main/signer/contentsignaturepki/README.md

Do you get a secure connection error if you try to open this file:

https://content-signature-2.cdn.mozilla.net/chains/normandy.content-signature.mozilla.org-2020-05-05-15-04-19.chain

Expected result: download dialog

If I open the Browser Console before making the request, and enable listing requests by clicking "Requests" at the right end of the filter bar, I see the following certificate information:

If you got an error page, you can compare by clicking the Advanced button to view more details, and then clicking View Certificate.

cor-el said

Do you use a bookmark or are you starting with the main (home) page of this website? If you use a bookmark to access a specific page then instead navigate to this page starting with the main page or with the sign in page in case there is a problem with this bookmark.

Only about 60% of the time. The rest of the time I'm opening Firefox direction from the link I pinned to the taskbar, and the issue remains the same, even after clean, cold boots. Ergo, it's associated with Firefox directly, not a bookmark.

jscher2000 said

That server seems to be used for content signatures to validate information that Firefox requests from Mozilla servers in the background: https://github.com/mozilla-services/autograph/blob/main/signer/contentsignaturepki/README.md Do you get a secure connection error if you try to open this file: https://content-signature-2.cdn.mozilla.net/chains/normandy.content-signature.mozilla.org-2020-05-05-15-04-19.chain Expected result: download dialog If I open the Browser Console before making the request, and enable listing requests by clicking "Requests" at the right end of the filter bar, I see the following certificate information: If you got an error page, you can compare by clicking the Advanced button to view more details, and then clicking View Certificate.

Excellent page resource explaining content signatures, jscher2000. Thank you.

As for your results through the Browser Console, I am unable to duplicate your screen. Specifically, the browser opens the page displaying the three certificates, but the Browser Console displays:

Unchecked lastError value: Error: Could not establish connection. Receiving end does not exist.

When I click on the link (view-source:moz-extension://570c9611-b493-4a51-86e9-968b31b498db/background.js) in Browser Console to amplify, it brings up the following:

Right, never mind on the Browser Console, that was the only way I could capture the cert information because a successful download doesn't show anything in a tab. What does the first certificate look like in your case? The Common Name is different?

I feel like the answers veered way off into the weeds. I'm not looking for coders or developers to guide me through the binary jungle.

Simple Question: Which of the following two courses of action is the correct one:

1. Add to exceptions (see attached graphic): If the correct answer is, "Add to exceptions," please tell me HOW/WHY this won't create a security breach.

2. Ignore: If the correct answer is to ignore it, this is proving very difficult, as I'm getting 20+ such Suspicious connection blocked pop-ups, all citing "content-signature-2-cdn-mozilla.net" every time I open Mozilla Firefox. As you can see from the attached graphic, that's 44 times during the two times I opened Firefox to check to see if there were any new updates which might have fixed the problem. Every time it pops up, it changes the focus of my typing so I cannot accomplish any work until it finishes.

I do not get this error message from Bitdefender when using Google Chrome or any of several other Chromium-based browsers, including Brave, Epic, Vivalidi, Opera and Edge.

I do not get this error message from Bidefender when using Waterfox or Tor, both of which are modified versions of Firefox.

I am ONLY getting this error message from Bitdefender when using the standard, 64-bit version of Mozilla Firefox available for download for installation on Windows 10.

In fact, I've tried 11 different browsers. No issues except with Mozilla Firefox. That in and of itself should be a significant clue. I had HOPED someone on the development team would focus on the "content-signature-2-cdn-mozilla.net" message and fix the problem at the source so I could continue using Mozilla Firefox.

Firefox USED to have a "Report Bug" (or something like that) which allowed the user to submit a basic description, attach a screen shot, and check a box to capture and report system information. The few times I used it bugs disappeared in the very next revision.

It was a great system!

Now, all attempts to use that take me to "ideas@moz://a" or here which hasn't been able to fix anything in more than a year.

Well, I'm sure you're all familiar with the old adage about customer service: If the problem isn't fixed by the third time you've beat the horse, "it's DEAD, Jim." Time to get off and find another horse.

I'll check back a couple of more times over the next few days to see if anyone can actually answer my Simple Question as given above. If you can, without risking a security breach of my system, then three cheers! If not, then it's time to cut my losses and get on with life using one of Firefox's several outstanding competitors.

I definitely do not recommend making any kind of exception to allow a possibly hijacked connection to that server.

Did you test what happens if you try to download this file directly, either in Firefox or another browser:

https://content-signature-2.cdn.mozilla.net/chains/normandy.content-signature.mozilla.org-2020-05-05-15-04-19.chain

If you open it in a text editor, it contains 87 lines of certificate code starting with:

-----BEGIN CERTIFICATE-----
MIIC9TCCAnugAwIBAgIIFfzRFY3VsmIwCgYIKoZIzj0EAwMwgaMxCzAJBgNVBAYT
AlVTMRwwGgYDVQQKExNNb3ppbGxhIENvcnBvcmF0aW9uMS8wLQYDVQQLEyZNb3pp
bGxhIEFNTyBQcm9kdWN0aW9uIFNpZ25pbmcgU2VydmljZTFFMEMGA1UEAww8Q29u
dGVudCBTaWduaW5nIEludGVybWVkaWF0ZS9lbWFpbEFkZHJlc3M9Zm94c2VjQG1v


Do you get that, or another error message? If you get a secure connection error page, click the Advanced button, then View Certificate, and you can compare with the details I posted earlier in this image:

https://user-media-prod-cdn.itsre-sumo.mozilla.net/uploads/images/2021-09-15-13-43-52-79c2c4.png

jscher2000 said

I definitely do not recommend making any kind of exception to allow a possibly hijacked connection to that server. Did you test what happens if you try to download this file directly, either in Firefox or another browser: https://content-signature-2.cdn.mozilla.net/chains/normandy.content-signature.mozilla.org-2020-05-05-15-04-19.chain If you open it in a text editor, it contains 87 lines of certificate code starting with: -----BEGIN CERTIFICATE----- MIIC9TCCAnugAwIBAgIIFfzRFY3VsmIwCgYIKoZIzj0EAwMwgaMxCzAJBgNVBAYT AlVTMRwwGgYDVQQKExNNb3ppbGxhIENvcnBvcmF0aW9uMS8wLQYDVQQLEyZNb3pp bGxhIEFNTyBQcm9kdWN0aW9uIFNpZ25pbmcgU2VydmljZTFFMEMGA1UEAww8Q29u dGVudCBTaWduaW5nIEludGVybWVkaWF0ZS9lbWFpbEFkZHJlc3M9Zm94c2VjQG1v
Do you get that, or another error message? If you get a secure connection error page, click the Advanced button, then View Certificate, and you can compare with the details I posted earlier in this image: https://user-media-prod-cdn.itsre-sumo.mozilla.net/uploads/images/2021-09-15-13-43-52-79c2c4.png

Using Waterfox:

1. The file downloads without error. 2. Opening it with Notepad++ reveals the same first four lines you have listed in Begin Certificate. 3. There was no secure connection error page.

Using Firefox:

1. Bitdefender reports, "Suspicious page blocked for your protection." See attached. 2. I don't have an "advanced button" in Firefox. Online help states, "To access the advanced settings, type: about:config into the address bar and press Enter." Doing that brings up a different page, none of which looks anything at all like your "2021-09-15-13-43-52-79c2c4.png" image. 3. However, manually bypassing the security downloads the same file downloaded by Waterfox, also matching the first four lines you have in Begin Certificate. 4. Viewing the Certificate via the lock icon to the left of the URL reveals two certificates, one from *.safezone.mcafee.com (which I've never installed on my computer) and one from Bitdefender Personal CA.Net-Defender, neither of which look like anything at all like your "2021-09-15-13-43-52-79c2c4.png" image... 5. ...except for one line under *.safezone.mcafee.com, which reads: Subject Alt Names DNS Name content-signature-2.cdn.mozilla.net

I tried uploading the images, but it's stuck on "Uploading..." We'll see if it actually uploaded after I post reply. My ISP boasts consistent speeds > 100/25 Down/Up in Mbps.

swamper said

4. Viewing the Certificate via the lock icon to the left of the URL reveals two certificates, one from *.safezone.mcafee.com (which I've never installed on my computer) and one from Bitdefender Personal CA.Net-Defender, neither of which look like anything at all like your "2021-09-15-13-43-52-79c2c4.png" image...

We know why Bitdefender is in the mix, since you have the program set to intercept your web access through Firefox. The appearance of the McAfee cert is the real mystery .

I assume you don't have any McAfee security software on your computer. How about in your router? (But then why would only one browser be affected??)

Does it make any difference to set Firefox to "No Proxy" here:

  • Windows: "3-bar" menu button (or Tools menu) > Settings (previously "Options")
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type proxy and Firefox should filter to the "Settings" button, which you can click. In the Network Settings overlay, change to "No proxy" and there should be a Save button all the way at the bottom of the panel (sometimes scrolling may be needed).

jscher2000 said

swamper said

4. Viewing the Certificate via the lock icon to the left of the URL reveals two certificates, one from *.safezone.mcafee.com (which I've never installed on my computer) and one from Bitdefender Personal CA.Net-Defender, neither of which look like anything at all like your "2021-09-15-13-43-52-79c2c4.png" image...

We know why Bitdefender is in the mix, since you have the program set to intercept your web access through Firefox. The appearance of the McAfee cert is the real mystery .

I assume you don't have any McAfee security software on your computer. How about in your router? (But then why would only one browser be affected??)

No McAfee software on my PC. The router is a late model by CenturyLink. Nothing in the admin menu screams, "McAffee," but that doesn't mean they're not using it.

Does it make any difference to set Firefox to "No Proxy" here:
  • Windows: "3-bar" menu button (or Tools menu) > Settings (previously "Options")
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it
I'll get back to you in a minute on this, as I uninstalled Firefox and the auto-updater completely. I'll after to reinstall it after I post.

Well, a minute became three days due to unexpected life and family issues. Sorry about that!

No Bitdefender popups since I reset Application Menu/General/Network Settings/ to No proxy. For whatever reason, it was set to "Use system proxy settings."

The strange thing is the Waterfox is also set to "Use system proxy settings," yet I've never seen the Bitdefender popups while using Waterfox. Just Firefox. This makes me think Mozilla's developers of Firefox are missing something, hence the Bitdefender popups proclaiming as described in the OP.

Both Waterfox and Firefox are still set to Enable DNS over HTTPS with Cloudflare as the provider. I had Cloudflare's WARP installed last year, but uninstalled it when I upgraded to a real VPN.

Again, even after a full uninstall, fresh download and reinstallation, I was getting the Bitdefender popups out of Firefox. Switching the Network Settings from their default, "Use system proxy settings" to "No proxy" appears to have solved the problem.

Why would this be required in Firefox and not in Waterfox?

I WANT to direct the browser to use system proxy settings... Don't I?

swamper said

I WANT to direct the browser to use system proxy settings... Don't I?

Not unless you are intentionally using a proxy server in your system settings.

jscher2000 said

swamper said

I WANT to direct the browser to use system proxy settings... Don't I?

Not unless you are intentionally using a proxy server in your system settings.

Isn't that the way security suites and VPNs work?

swamper said

jscher2000 said

swamper said

I WANT to direct the browser to use system proxy settings... Don't I?
Not unless you are intentionally using a proxy server in your system settings.
Isn't that the way security suites and VPNs work?

I don't know how Bitdefender and your VPN hook your browser traffic. I think you'll need to investigate the effect on your computer. For example, you can check your IP address in Firefox to make sure it reflects the expected one, and you can view a certificate for a site intercepted by Bitdefender to see whether Bitdefender has inserted itself as a man in the middle.