Firefox 43.0.1 says google.com uses invalid certificate and does not allow to add exceptions

I assume Firefox developers did something wrong with last release (43.0.1) since I get this error after installing updates:

This Connection is Untrusted


You have asked Firefox to connect securely to but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.
Get me out of there

Technical Details

uses an invalid security certificate.

The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.

(Error code: sec_error_cert_signature_algorithm_disabled)

Screenshot of the problem.

I would like to emphasize that everything worked before the update. Also right after update the new version screen advertised new and better security.

My question is "How do I fix this?" - unless I am actually trying to connect to fake google server. Is something wrong with my computer, so suddenly?

10

2 Answers

The immediate reason you are getting this error is because of this explanation.

In Bug 942515, we configured Firefox to reject SHA-1 certificates with a notBefore date after 2016-01-01. That appears to be causing some users with MitM software installed to be unable to access any HTTPS sites.

Firefox 43.0.4 fixes Bug 1236975 which that explanation is from.

It is important to point out that Google does not use SHA1 certificates, so if you are getting this error, it means you have a security product that is performing a man in the middle attack on all your secure content in order to secure it.

If this is a personal machine you should disable that security feature immediately. OEMs are also known to submit forged certificates in order to offer after market services, in those cases from those OEMs, they have been used to install signed malware because those OEMs can't do security properly.

Your inability to upgrade Firefox through the upgrade system, was because Firefox was silently rejecting the connection for a similar reason, it was attempting to instantiate that connection using a similar forged certificate. In other words while you have fixed the problem described in your question, you are still using the forged certificate, and thus you might as well be sending everything over plain text.

The easiest thing to do is to install the newest version of Firefox. You will need to do this manually, using an unaffected copy of Firefox or a different browser, since we only provide Firefox updates over HTTPS.

Man-in-the-Middle Interfering with Increased Security

3

This seems to be Kaspersky Antivirus issue. Please follow the below link for instructions to fix it with screenshots:

Follow these simple steps: 1. Open Firefox Preferences window. To do so Click "3-bar" menu button (or Tools menu) > Options > Advanced(section from left pane) > Certificates (mini-tab). 2. Under Certificates mini-tab, click on "View Certificates" button. 3. It'll open Firefox Certificate Manager window. In Authorities tab, click on Import button. It'll open a browse window to select the file containing CA certificate to import. 4. If you see an existing "Kaspersky Anti-Virus Personal Root Certificate" Select it and Click "Delete or Distrust". Now click "Import" button and proceed to the following directory location:C:\ProgramData\Kaspersky Lab\AVP16.0.0*(or whatever version you are using)*\Data\Cert5. Now press Enter key and the browse window will open Cert folder. Now select "(fake)Kaspersky Anti-Virus Personal Root Certificate.cer" file and click on Open button. 6. Firefox will show a confirmation window, enable all 3 checkboxes present in the window such as Trust this CA to identify websites, email users and software developers. Now click on OK button to apply changes. That's it. Now try to open Google and other HTTPS websites and Firefox will open them fine without any problem.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like