What anti virus are you using? Recently anti virus vendors have started using man in the middle hacking to scan your encrypted communications. They do this by asking you the user to insert certain high level certificates into the certificate store of Firefox and Thundebirtd. They are able to do it themselves for the windows store, which leaves me questioning the value of a certificate store that software can mess up like that.

There is no active anti-virus involved.

This is happening, for example, with e-mails from Zappos and the Sharks (NHL) hockey team. It appears to be for links to images and other content, which consequently is not displayed because the connection failed.

When content is to be retrieved over an HTTPS connection, Thunderbird will evaluate whether the certificate presented by the site can be verified through a complete chain of trust up to the root certificates included with the product.

Can you easily extract the problem URL and try it in a browser? That may enable you to gather more information about the problem, for example, if you are infected with malware operating as a "man in the middle" of your web retrievals.

Also, your Firefox identified itself to the forum as version 28. Please do not use Firefox 28 on the web as it has many publicly disclosed security flaws.

If something is holding you back from upgrading to Firefox 52, please let us know so we can suggest solutions or workarounds. Your Firefox identified your OS as Windows XP. If that is true, see this article about the "end of life" plan for Firefox on XP: Firefox has ended support for Windows XP and Vista.

"When content is to be retrieved over an HTTPS connection, Thunderbird will evaluate whether the certificate presented by the site can be verified through a complete chain of trust up to the root certificates included with the product."

Okay, sure, but given the process is failing, how might it be resolved?

"Can you easily extract the problem URL and try it in a browser?"

Yes, perhaps this might shed a little light, if only to determine if the source URLs should be trusted.

Still, my original questions remain unanswered.

How does one upgrade T-bird's security certificates? More accurately, where does one find more recent certificates? The Thunderbird program has the facility to manage security certificates, including deleting and importing them. Presumably these functions were meant to be used, otherwise why are they included?

If I think I can trust the source URL, should I simply chose "permanently accept"?

"If something is holding you back from upgrading to Firefox 52, please let us know so we can suggest solutions or workarounds."

I am a staunch heretic who does not belong to the Church of Perpetual Software Upgrades.

Inside me a long, iconoclastic rant is brewing, informed by over forty years' experience with computers and more than twenty-five years performing all manners of technical support, regarding the general failure of the software industry to produce a (relatively) bug-free, stable platform with a sufficient yet fixed feature set -- a computing appliance if you will -- and how its insistence on the continual upgrade process merely provides cover for said failure and shifts the costs and risks to the end user with little if any benefit in return.

But not today, and not in this forum.

But, OMG, "security flaws"!!1!

Security is not a state one achieves, it is an ongoing process.

And part of the process is not always running with admin privs, not downloading & running executable content willy-nilly, using Mozilla software instead Microsoft's, and, as an old fart, generally not visiting sites that are sketchy. There's more, but that's the flavor.

Still looking for an anwer to my security certificate upgrade question.

desktech said

"When content is to be retrieved over an HTTPS connection, Thunderbird will evaluate whether the certificate presented by the site can be verified through a complete chain of trust up to the root certificates included with the product."
Okay, sure, but given the process is failing, how might it be resolved?

It would be useful to know WHY it is failing. For example, do you use security software that uses man-in-the-middle techniques to filter your web browsing? Or do you have malware doing that? Hence my next question:

"Can you easily extract the problem URL and try it in a browser?"
Yes, perhaps this might shed a little light, if only to determine if the source URLs should be trusted.

I suspect this has nothing to do with whether you can trust the URL. I think the problem is that the certificate can't be verified, so you have no idea what server or interloper you're actually connecting to.

What you need to do is inspect the certificate and check whether the issuer makes sense -- you can compare against a diagnostic tool like this:

https://www.ssllabs.com/ssltest/

How does one upgrade T-bird's security certificates? More accurately, where does one find more recent certificates? The Thunderbird program has the facility to manage security certificates, including deleting and importing them. Presumably these functions were meant to be used, otherwise why are they included?

Thunderbird already includes a set of trusted certificates when you install it. Unless you use a proxy server, you nearly never need to import anything.

Should I ask how old your Thunderbird version is, in case the problems are with newer certificate issuers?

If I think I can trust the source URL, should I simply chose "permanently accept"?

No, because it's not about the URL, as mentioned previously.

How does one upgrade T-bird's security certificates? More accurately, where does one find more recent certificates? The Thunderbird program has the facility to manage security certificates, including deleting and importing them. Presumably these functions were meant to be used, otherwise why are they included?

It may be news to you, you can use email certificates to sign and encrypt messages. When doing that, the corresponding certificates need to be imported into Thunderbird. The root CA certificates are pre-installed, because otherwise it would be very tedious to install all the ones you need manually.

Wrt your problem at hand, jscher2000 already told you what to do to determine the entire certification path. When you find a missing intermediate or root CA cert, search the web to find it (it's public), download it, and import it to your Thunderbird certificate store. Good luck.

Is there a recommended method for updating security certificates for an existing version of T-bird?

If you're talking about the built-in root CA certificates, yes there is a recommended method for updating them: get the latest version of Thunderbird. https://www.mozilla.org/thunderbird/