1

I assume Firefox developers did something wrong with last release (43.0.1) since I get this error after installing updates:

This Connection is Untrusted

You have asked Firefox to connect securely to www.google.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.
Get me out of there

Technical Details

www.google.com uses an invalid security certificate.

The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.

(Error code: sec_error_cert_signature_algorithm_disabled)

Screenshot of the problem.

I would like to emphasize that everything worked before the update. Also right after update the new version screen advertised new and better security.

My question is "How do I fix this?" - unless I am actually trying to connect to fake google server. Is something wrong with my computer, so suddenly?

Improve this question
10
  • If you want us to help us. We need specifics. Is the certificate actually signed by the correct CA? What version of Firefox are you using specifically? Does IE or Chrome work? Firefox uses its own certificate store, so if IE and Chrome work, it means the certificate your attempting to trust isn't in the Firefox certificate store, if you trust the certificate, go ahead an add it. Do you have any security products MITM features enabled currently. Edit your question to include this information.
    – Ramhound
    Commented Jan 20, 2016 at 18:36
  • @Ramhound I added info about version. Regarding everything else - I have no idea what are you talking about. I never meddled with certificates in Firefox, so everything should be as default. I don't know what MITM is (and can't google) and I can't add the certificate, just as the question title says.
    – Tomáš Zato
    Commented Jan 20, 2016 at 18:41
  • 43.0.1 isn't the current version of Firefox. I am not saying this is the problem, it can't hurt, I suspect something else unrelated to Firefox specifically.
    – Ramhound
    Commented Jan 20, 2016 at 18:41
  • @Ramhound I updated yesterday, didn't know they release every day.
    – Tomáš Zato
    Commented Jan 20, 2016 at 18:42
  • I want the certificate information that your attempting to use. MITM stands for "Man in the Middle" it means somebody other then Google is initiating the SSL session allowing that person to see everything you send to Google. OEMs and Security Products have both been known to install MITM certificates in order to scan secure encrypted traffic.
    – Ramhound
    Commented Jan 20, 2016 at 18:44

2 Answers 2

Reset to default
3

The immediate reason you are getting this error is because of this explanation.

In Bug 942515, we configured Firefox to reject SHA-1 certificates with a notBefore date after 2016-01-01. That appears to be causing some users with MitM software installed to be unable to access any HTTPS sites.

Firefox 43.0.4 fixes Bug 1236975 which that explanation is from.

It is important to point out that Google does not use SHA1 certificates, so if you are getting this error, it means you have a security product that is performing a man in the middle attack on all your secure content in order to secure it.

If this is a personal machine you should disable that security feature immediately. OEMs are also known to submit forged certificates in order to offer after market services, in those cases from those OEMs, they have been used to install signed malware because those OEMs can't do security properly.

Your inability to upgrade Firefox through the upgrade system, was because Firefox was silently rejecting the connection for a similar reason, it was attempting to instantiate that connection using a similar forged certificate. In other words while you have fixed the problem described in your question, you are still using the forged certificate, and thus you might as well be sending everything over plain text.

The easiest thing to do is to install the newest version of Firefox. You will need to do this manually, using an unaffected copy of Firefox or a different browser, since we only provide Firefox updates over HTTPS.

Man-in-the-Middle Interfering with Increased Security

Improve this answer
3
  • Have any idea how could I check which software is doing it? And how can I check for it once the bug is gone?
    – Tomáš Zato
    Commented Jan 20, 2016 at 19:01
  • @TomášZato - I have already explained how to verify if you have one of those forged certificates installed.
    – Ramhound
    Commented Jan 20, 2016 at 19:03
  • Open the cert and look at the details. Who is the issuer? Some FF add-ons can also cause SSL warnings. Also keep in mind, that some antivirus products now intercept SSL traffic in the same manner a MITM attack would use. They do this to inspect traffic that malware may use to communicate with C&C servers.
    – Clayton
    Commented Jan 20, 2016 at 19:10
-1

This seems to be Kaspersky Antivirus issue. Please follow the below link for instructions to fix it with screenshots:

http://www.askvg.com/fix-this-connection-is-untrusted-problem-with-google-and-other-https-websites-in-mozilla-firefox/

Follow these simple steps: 1. Open Firefox Preferences window. To do so Click "3-bar" menu button (or Tools menu) > Options > Advanced(section from left pane) > Certificates (mini-tab). 2. Under Certificates mini-tab, click on "View Certificates" button. 3. It'll open Firefox Certificate Manager window. In Authorities tab, click on Import button. It'll open a browse window to select the file containing CA certificate to import. 4. If you see an existing "Kaspersky Anti-Virus Personal Root Certificate" Select it and Click "Delete or Distrust". Now click "Import" button and proceed to the following directory location: C:\ProgramData\Kaspersky Lab\AVP16.0.0*(or whatever version you are using)*\Data\Cert 5. Now press Enter key and the browse window will open Cert folder. Now select "(fake)Kaspersky Anti-Virus Personal Root Certificate.cer" file and click on Open button. 6. Firefox will show a confirmation window, enable all 3 checkboxes present in the window such as Trust this CA to identify websites, email users and software developers. Now click on OK button to apply changes. That's it. Now try to open Google and other HTTPS websites and Firefox will open them fine without any problem.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .