5

My wife's Win 7 computer is suddenly unable to connect with one web site (no problem with any other site).

  • Web site: https://fepblue.org
  • downforeveryoneorjustme.com shows no problem with the site.
  • I can access the site without even a lag on two other computers (one Win 7, one Linux), on the same home network with multiple browsers (Firefox V56 and Chromium).
  • Firefox was just upgraded to V57 only on that problem computer. The timing is suspicious. However, neither Chromium nor Internet Explorer can connect to that site on that computer, either.
  • Rebooting and clearing cookies have no effect on the problem.

The error message on Firefox:

error message

The Chromium error message is different, saying that the connection timed out.

The problem is isolated to that one computer, and only that one web site. Since the problem is at our end, contacting the website owner as suggested in the error message doesn't seem relevant.

There have been several previous questions here with a similar theme:

Just as I finished writing this question, my wife advised me that another website, https://www.judicialwatch.org/, has the same symptoms. It similarly is immediately accessible on the other computers. In this case, though, ping has no problem on any of the computers, including hers.

My networking knowledge is pretty limited. How do I go about diagnosing the problem and what information would be helpful to post?

Updates:

  • Resetting the network stack as described in this answer had no effect.
  • Disabling the Windows Firewall had no effect.
  • Tried using Wireshark to capture the activity for diagnostics. Unfortunately, the product does not support the home version of Windows or Windows 7 and refused to install. It also laughed at the computer's resources.
Improve this question
12
  • I would try resetting the network stack. See my answer Upgrading an old laptop (windows 7) with network issues
    – DavidPostill
    Commented Nov 22, 2017 at 21:07
  • Ping behaviour can be a red herring as ICMP is often blocked by net admins for security reasons.
    – DavidPostill
    Commented Nov 22, 2017 at 21:08
  • @DavidPostill, Thanks for the response, and that answer is a good resource. Unfortunately, it didn't fix this problem.
    – fixer1234
    Commented Nov 22, 2017 at 21:23
  • ICMP just proves IP/routing - but nothing above it. You appear to be failing at TCP or above. In this sort of situation, I'd start with pcaps. Collect a pcap on a machine that does work and one on the machine that doesn't work and compare the conversations.You should be able to gain some insight based on how the conversation differs, specifically where it starts failing.
    – MaQleod
    Commented Nov 22, 2017 at 21:46
  • 1
    @Louis, good observation. We had been just entering fepblue.org and letting the site address be resolved automatically. I tried explicitly entering the www and that didn't make a difference. Then I noticed that either way resolves to https://www.fepblue.org/, and then the www version is what fails.
    – fixer1234
    Commented Nov 23, 2017 at 0:58

1 Answer 1

Reset to default
2

The problem has been fixed. It appears to have been related to the Windows Firewall, so many thanks to @DrMoishePippik for the suggestion that led there. I'm still investigating the details and will update this answer if I learn more, but I'll describe the gist of what I'm guessing happened, and what fixed it.

  • According to Mozilla, the error message displayed by Firefox is triggered by websites using older TLS security mechanisms, and it is Firefox that blocks them. In this case, though, it appears that the firewall did the blocking.

  • The auto-upgrade from V56 to V57 deleted the Firefox V56 entries in the firewall rules but failed to replace them with new entries for V57. (The computer with V56 has firewall entries that fully allow incoming and outgoing traffic for Firefox but I didn't see any Firefox entries on the problem computer after upgrade.)

  • Without firewall rules for an application, the firewall doesn't surgically differentiate risks. So if there are security concerns about a site based on outdated TLS mechanisms that make it a risk for unsolicited incoming traffic, the site is blocked for any traffic.

  • With no firewall entries for Firefox V57, the firewall allowed Firefox to operate with traffic from "safe sites", but blocked traffic from the two sites based on their using outdated security mechanisms. If the same bug happened to other users, they would be unaware of any issue if they do not try to access a website that uses outdated security.

  • When I tested other browsers, Firefox was likely still open. The firewall blocked the "problem" sites for all browsers by blocking them for Firefox.

  • My diagnostic steps included temporarily disabling the firewall. Apparently, disabling it in the UI doesn't stop it when it is running, and I didn't reboot. So that action had no effect on the problem.

  • The next day when the computer rebooted, the off/on firewall cycling triggered the firewall to reassess things. A Windows security alert appeared saying that the firewall had blocked some features of Firefox.

  • It seems likely that Windows Firewall does not try to assess risks on a per-application basis. If Firefox had replaced the firewall rules, it may have allowed all traffic based on knowledge of its own capabilities. Windows Firewall probably just defaults to safe settings, which include blocking unrequested incoming traffic. So the resulting firewall settings for V57 block incoming traffic.

  • With those rules in place, there was no longer an issue with the "problem" sites, so they worked again in Firefox. They also worked again in the other browsers, but they might have previously worked with the other browsers, anyway, if Firefox had not been open.

So for anyone else who encounters a similar situation, try this:

  • Access the Windows firewall through the control panel (System and Security | Windows Firewall | Turn Windows Firewall on or off).
  • Select Turn off Windows Firewall and OK.
  • Go back in and change it back: Turn on Windows Firewall and OK.
  • Reboot.

See if you get a message that Firefox features were blocked. Note that you can directly change the blocking behavior on any Firefox entries that are there via the Advanced settings link. However, I don't know if anything else was also changed (and in my case, the Firefox entries were missing and would have required manual entry). So letting the system do its thing is the safe approach.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .