Open Bug 1434731 Opened 6 years ago Updated 2 years ago

Certificate trust check box setting is lost which results SSL Error with Firefox 58.0.1 (64-Bit) plus active FF MASTER Password and installed Kaspersky Internet Security

Categories

(External Software Affecting Firefox :: Other, defect)

defect

Tracking

(firefox58 wontfix)

UNCONFIRMED
Tracking Status
firefox58 --- wontfix

People

(Reporter: firefox-problem, Unassigned)

Details

(Keywords: regression)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180128191252

Steps to reproduce:

> Use Kaspersky Internet Security 2017 or 2018 under Windows 10 Home
> for reference: see at security settings the Kaspersky certificate (AO Kaspersky Lab) and 1st of 3 boxes trust flag is set / active
> Set FF Master PW

Actual results:

> Close FF and restart
> all https pages now are blocked with SSL error ("This connection is not secure")
Error code: SEC_ERROR_UNKNOWN_ISSUER
> all non-secure http:// pages work well
> for reference: see at security settings the Kaspersky certificate (AO Kaspersky Lab) and now at all 3 boxes the flag is removed / deactivated
>> ABOVE seems to be a BUG

> Now the 1st trust flag can be set again. Then FF asks for input of the Master PW.
Then FF works until the next restart - the same issue ...
> other temp solution is to remove the FF Master PW. Then the trust flag is saved and never lost by restart. But ... then PW security at FF is lost and very weak.


Expected results:

> Once the TRUST FLAG at Kaspersky certificate was set (with active Master PW), the flag must remain also for next restart and so avoid SSL error.
From your SUMO question at https://support.mozilla.org/en-US/questions/1202457 I gather this is a new problem in 58, so I'm marking it as such.

As a general note: after the 58 update there have been more questions from Kaspersky users on various support channels about getting SEC_ERROR_UNKNOWN_ISSUER on all secure connections than usual...
Hi again dear philipp :-)
dear all:
for details see also >> https://support.mozilla.org/en-US/questions/1202457#answer-1073059.

Temp workaround to avoid the SSL error:
Change the profile files cert8.db, cert9.db, pkcs11.txt, secmode.db by right click to read-only.
BUT the problem now is:
> From the FF screen I can not change or remove the Master PW anymore
> I'm afraid that no certificates can be updated anymore in future.
So I will frequently need to remove the read-only flag from these files for any updates.

But this countermeasure also helps and confirms that the FF problem seems to be at start-up, not when FF is closed.

I still feel this is a BUG in FF58.
So I will wait for the final correction from the developers.
Thanks for this link. Seems to be the same issue.
Info: I use no FF web Sync but only the local PC version.
does it make any difference if you go to about:config and set security.use_sqldb to false?
perhaps this is related to the other reported kaspersky-induced troubles at 1433289, 1433818 & 1434749?
Flags: needinfo?(dkeeler)
Probably. Robbi-Fox - what happens if you set cert8.db and key3.db to read-only but not cert9.db or key4.db?
Flags: needinfo?(dkeeler) → needinfo?(firefox-problem)
One additional note: while we don't know why FF doesn't accept or store the "AO Kaspersky Cert" when a FF master pw is set, it's fairly clear what happens after that: Kaspersky vets the incoming SSL connection, and replaces the cert of the website with its own. Now, as FF doesn't trust the Kaspersky cert, all SSL enabled connections will be blocked.
This behaviour can be confirmed by disabling "Check secure connections" in Kaspersky, ensuring no Cert is replaced by Kaspersky anymore, causing FF to work just fine with all sorts of https web pages.
(In reply to [:philipp] from comment #5)
> does it make any difference if you go to about:config and set
> security.use_sqldb to false?

THANKS! about:config and set security.use_sqldb to false => also works and solves the problem!
Effective only after FF re-start, not within the same session. >> OK. solved! BUT: Question if there are security risks ??

See my answer at support.mozilla.org for Dulverton's similar solution:
set the "security.enterprise_roots.enabled" value by double click from false to >> true.
This works w/o restart and immediately the SSL error is gone and all https:// pages work again OK. solved!

BUT: Do you know any negative side effects ??

Maybe now the certificate check is disabled and FF security is weak ??
Can you confirm that security is the same as before and that this is no risk ?
(In reply to David Keeler [:keeler] (use needinfo) from comment #7)
> Probably. Robbi-Fox - what happens if you set cert8.db and key3.db to
> read-only but not cert9.db or key4.db?

NO, this did NOT solve the problem! Same SSL error after FF re-start.
Only when all 4 files are read-only is it solved. So I hope this TEST result helps to solve the issue.
BUT: I don't like this idea as a fix, not for two and not for more files, because it is hard to control and has negative effects: the Master PW can't be changed and maybe certificates will no longer be updated.
So I hope for an FF update with an official fix.

Until then I will use the other solution from Dulverton:
"security.enterprise_roots.enabled" value by double click from false to true.
w/o restart the SSL error is gone and all https:// pages work again OK. solved!
BUT: Do you know any negative side effects ??
Flags: needinfo?(madperson)
(In reply to Hermann from comment #8)
> One additional note: while we don't know why FF doesn't accept or store the
> "AO Kaspersky Cert" when a FF master pw is set, it's fairly clear what
> happens after that: Kaspersky vets the incoming SSL connection, and replaces
> the cert of the website with its own. Now, as FF doesn't trust the Kaspersky
> cert, all SSL enabled connections will be blocked.
> This behaviour can be confirmed by disabling "Check secure connections" in
> Kaspersky, ensuring no Cert is replaced by Kaspersky anymore, causing FF to
> work just fine with all sorts of https web pages.

THANKS! YES, I confirm this fixes the problem: disabling Kaspersky > Settings > Extended >> Network > Check secure connections = OFF
BUT: Then I guess the security level is very low or useless as it is switched off.
Question: How can FF work with the Kaspersky SSL check ON and FF with Master PW on to keep a high security level ?
Flags: needinfo?(firefox-problem)
we were trying to troubleshoot and narrow down the issue in order to better understand it, not recommending a permanent workaround...
Flags: needinfo?(madperson)
imho this is because the master password is not available at startup, when Kaspersky injects the certificate.

1. Kaspersky adds this cert automagically at every FF start, which can be observed by removing the certificate manually and restarting FF.
2. But cert trust settings are protected by the master password, if a master password is set.
3. Without master password Kaspersky succeeds in also setting cert trust, while with master password set the cert is added, but no trust is set at all.

Maybe this is related to https://bugzilla.mozilla.org/show_bug.cgi?id=1427248
(master pwd and security.enterprise_roots.enabled leads to vanished/empty stored credentials).
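As an added example (not part of this bug thread), a defender-side check for the state described above: parse the listing that NSS `certutil -L -d sql:<firefox-profile>` prints and report whether a given root still carries the SSL ("can identify websites", first trust field) CA flag or has had its trust wiped. The listing below is constructed, and the nicknames and trust strings in it are sample values.

```python
"""Check NSS trust flags in a `certutil -L` listing.

Trust string format is SSL,S/MIME,JAR/XPI (e.g. 'CT,C,C'); 'C' marks a
trusted CA, 'T' a trusted client CA, 'p' prohibited, ',,' no trust at all.
"""
import re
from typing import Dict, Optional

# Constructed sample listing: one root with full trust, one whose trust
# flags were cleared (the post-restart state the report describes).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

AO Kaspersky Lab                                             CT,C,C
Example Wiped Interception Root                              ,,
DigiCert Global Root CA                                      ,,
"""

# Nickname, at least two spaces, then exactly three comma-separated flag fields.
TRUST_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$"
)


def parse_trust_listing(listing: str) -> Dict[str, str]:
    """Map each certificate nickname to its NSS trust string."""
    trust: Dict[str, str] = {}
    for line in listing.splitlines():
        m = TRUST_RE.match(line)
        if m:  # header lines and blanks do not match the flag pattern
            trust[m.group("nick").strip()] = m.group("trust")
    return trust


def ssl_ca_trusted(trust_string: str) -> bool:
    """True if the SSL field marks the cert as a CA that may identify web sites."""
    ssl_field = trust_string.split(",")[0]
    return "C" in ssl_field and "p" not in ssl_field


def trust_status(listing: str, nickname: str) -> Optional[bool]:
    """None if the cert is absent, True if SSL-trusted, False if trust was removed."""
    trust = parse_trust_listing(listing)
    if nickname not in trust:
        return None
    return ssl_ca_trusted(trust[nickname])


if __name__ == "__main__":
    for nick, flags in parse_trust_listing(SAMPLE_LISTING).items():
        print(f"{nick:45s} {flags:8s} ssl_trusted={ssl_ca_trusted(flags)}")
```

A root listed with `,,` after a restart is exactly the "all 3 boxes deactivated" state in the report, and any interception of HTTPS by that root will then fail with SEC_ERROR_UNKNOWN_ISSUER.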
Due to the infos at 1427248 I have again tested

solution 1)  > "security.enterprise_roots.enabled" = set to "true". <

Still ok for me. (immediately effective w/o restart / at the first change of this setting FF asks for input of the Master PW)
> NO Master PW loss appears with my FF 58.0.1 (64-Bit) at Win 10
> NO problem, also not after each restart.
> NO problem with stored PW's. All are shown, also the Master PW can be removed and changed

BUT: > I now have changed (don't know why ..:-) and prefer the other

solution 2):      > "security.use_sqldb" = set to "false". <

Effective only after re-start.
> NO Master PW loss appears with my FF 58.0.1 (64-Bit) at Win 10
> NO problem, also not after each restart.
> NO problem with stored PW's. All are shown, also the Master PW can be removed and changed
Somehow, without knowing much background, solution 2) "feels" safer and more secure to me.
Hi Robbi-Fox, are you content with the above solutions?
Flags: needinfo?(firefox-problem)
Yes I agree that this "workaround" (??) solves the problem. 
> "security.use_sqldb" = set to "false". 

Probably there will be a real final solution at one of the next FF updates.
Thanks again for great support to all !
Flags: needinfo?(firefox-problem)
(In reply to Marius Coman [:cmarius] from comment #15)
> Hi Robbi-Fox, are you content with the above solutions?

Yes I agree that this "workaround" (??) solves the problem.
Component: Untriaged → Other
Product: Firefox → External Software Affecting Firefox
Version: 58 Branch → unspecified
This will probably be fixed by bug 1427248.
Component: Other → Security: PSM
Depends on: 1427248
Product: External Software Affecting Firefox → Core
(In reply to Marco Castelluccio [:marco] from comment #18)
> This will probably be fixed by bug 1427248.

I don't think that's necessarily the case.
No longer depends on: 1427248
... and the more that I think about it, we're not going to be able to defend against kaspersky messing up our certificate database, so I'm going to put this back in "external software affecting firefox".
Component: Security: PSM → Other
Product: Core → External Software Affecting Firefox
After my update to FF 58.0.2 (64-Bit) still the same SSL blocking issue if the master PW is active.
I will continue to use the "temp workaround" (I tested both true and false):
> security.use_sqldb; changed manually to > false
I'm still waiting and hoping for a final and real FF countermeasure solution.
(In reply to David Keeler [:keeler] (use needinfo) from comment #20)
> ... and the more that I think about it, we're not going to be able to defend
> against kaspersky messing up our certificate database, so I'm going to put
> this back in "external software affecting firefox".

Thanks for your great help!
But I still hope that FF can finally solve this issue by a future update.
It is true that the issue appears together with the external Kaspersky software.
BUT:
- Why no problem at earlier FF versions before FF 58 ?
- Why problem only if FF Master PW is set ?

Main question which I see for this issue:
> Why since FF 58 are the "trust flag" settings for the Kaspersky certificate
> always lost after FF re-start if the Master PW is active ?
Severity: normal → S3