Closed Bug 1449115 Opened 2 years ago Closed 5 months ago

“Your connection is not secure” error message is displayed while accessing webpages in FF if Kaspersky Free Edition AV is installed

Categories

(External Software Affecting Firefox :: Other, defect, major)


Tracking

(firefox-esr52 ?, firefox59 affected, firefox60 affected, firefox61 unaffected)

RESOLVED FIXED

People

(Reporter: Anca, Unassigned)

Attachments

(1 file)

[Affected versions]: 
- 59.0.1 (20180315233128)
- 60.0b7 (20180326164103)

[Affected platforms]:
- Windows 10 x64
- Windows 8.1 x64
- Windows 7 x64

[Steps to reproduce]:
1. Install the free Kaspersky antivirus from https://www.kaspersky.com/free-antivirus
2. Open Firefox with a new profile
3. Open any website

[Expected result]:
- The website is successfully loaded

[Actual result]:
- “Your connection is not secure” error message is displayed: https://imgur.com/a/4wj4O

[Regression range]:
- The same behaviour can be observed on older Firefox release builds all the way back to 47.0.2 (20161031133903).

[Additional notes]:
- The issue is reproducible both with .zip and .exe builds.
- It seems that there are no different behaviors when installing Firefox first, then the AV, or vice versa.
- It’s worth mentioning that Kaspersky Free Edition AV comes with the Kaspersky Protection extension which somehow triggered this issue. 
- It appears that all websites are affected by this.

- We’ve managed to reproduce this issue using the following scenarios:

    - Scenario 1: Install Kaspersky with Firefox closed
The error is triggered when Firefox is opened with a new profile. See the content inside about:support - https://i.imgur.com/0iiL3bQ.png (note that for the Kaspersky paid version there is no extension).
Output from the browser console: https://pastebin.com/9TTZ6MNP
It seems that the Kaspersky Protection extension (this extension was installed in Firefox once the antivirus completed its installation) was disabled by default in the browser; once you enable it and restart Firefox, the issue was no longer reproducible.

    - Scenario 2: Install Kaspersky with Firefox opened
When refreshing the existing tabs or opening new ones, the issue is reproducible, but the Kaspersky extensions and security software sections in about:support are blank. After Firefox is restarted, the issue is no longer reproducible, regardless of whether the Kaspersky Protection extension is enabled or not (details about the antivirus are displayed in the extensions and security software sections in about:support).

- Any other attempt to open pages in Firefox when the browser is reopened with a clean profile triggers the error.

- The following antiviruses were not affected by this behavior: paid - Kaspersky Endpoint Security 10 (10.3.0.6294), free - Avast, AVG, Bitdefender Internet Security, ESET Online Scanner, Norton Security, Avira, 360 Total Security, Panda, Webroot, Comodo.
See Also: → 1448418
3.78% of our Windows users have prremote.dll injected into Firefox, meaning they likely run Kaspersky.
Do you happen to know which DLL is loaded by Kaspersky Protection extension so we can assess the share of our release users impacted?
The extension is likely installed automatically when you install Kaspersky.
See Also: → 1423384, 1451260
I could reproduce too (Win10 64 bit).
Jim, this seems like it could be impacting a lot of our users. Is this a case where we need to isolate the DLL causing this and get it blocked?
Flags: needinfo?(jmathies)
I don't think blocking the dll will help here. What's probably going on is Kaspersky is intercepting all outgoing https connections the system makes (this is independent of the dll injecting into Firefox). Since it can hook into Windows APIs and since other browsers use the Windows APIs to make TLS connections and verify certificates, they all succeed in connecting. Firefox doesn't use the Windows certificate verification or TLS connection APIs, so it sees an untrusted root and throws up a warning (rightly so). The common solution to this is for the AV program to add an additional root into the user's certificate DB in their profile. This apparently isn't working. One solution would be for Kaspersky to fix whatever's broken about their implementation. Other than that, the best we can manage is probably to continue our work improving Firefox's certificate error pages (see e.g. bug 1450967).
Thanks David, do we have telemetry about how often we display the cert error page?
Adam or Chris do you have contacts at Kaspersky to raise this?
Flags: needinfo?(jmathies)
Flags: needinfo?(cpeterson)
Flags: needinfo?(astevenson)
Alexey, is this something you can help with?
Flags: needinfo?(astevenson) → needinfo?(alexey.totmakov)
(Clearing my needinfo because Adam already pinged Alexey at Kaspersky.)
Flags: needinfo?(cpeterson)
Hello guys. We will investigate the problem at Kaspersky Lab; I will answer as soon as possible. At first look, the problem is connected with installing the Kaspersky certificate in Firefox storage.
Flags: needinfo?(alexey.totmakov)
We investigated the issue.
There were several bugs concerning Firefox in Kaspersky Free 2018:
1. First Firefox start.
2. First start of new Firefox profile.
3. Firefox was already started before installing Kaspersky.
It seems to me that this is case 2. We already fixed these issues in the latest patch G.

There are two options to get this patch.
a. Update your current installation of Kaspersky Free 2018 to patch G, by pressing Update button.
b. Download Kaspersky Free 2018 with integrated patch G https://box.kaspersky.com/f/aed5306e6b754cde977c/?dl=1
Reboot is necessary.

Please check the issue with Kaspersky Free 2018 patch G.
Anca, Romain, could you re-test with the patched version (provided you don't run into bug 1451260)?
Flags: needinfo?(rtestard)
Flags: needinfo?(anca.soncutean)
I can confirm it fixes the issue for me.
Alexey, can you please clarify since when users may have been hitting this issue and the share of your users who would have been affected? I'm trying to understand how it impacted our users.
Flags: needinfo?(rtestard)
We have had this issue in our products from the beginning of time. However, it began to reproduce only with Firefox 58 and later. When we found it, we released patches for Kaspersky 2017 and 2018. Currently all active users should have the patches. There may be users with disabled updates, or who just install Kaspersky without the patch.
I will publish stats of our users without patches a little bit later.
It looks like this is still not fixed on my side (tested on Windows 10 x64). I ran into the same problem mentioned in bug 1451260. I was able to open the browser only after I ended the ffcert.exe process from the task manager. The error message "Your connection is not secure" was still displayed. Firefox seems to start afterwards without any issues, moreover any website loads properly without the connection error.
Flags: needinfo?(anca.soncutean)
(In reply to Romain Testard [:RT] from comment #11)
> ... share of your users who would have been affected. I'm trying
> to understand how it impacted our users.

18.0.0.405.g - ~10 000 000 users
18.0.0.405.(a.b.c.d.e.f) - <400 000 users 

17.0.0.611.k - ~7 000 000 users
17.0.0.611.(a.b.c.d.e.f.g.h.i.j) - <500 000 users

So there are fewer than 1 000 000 users who potentially have this problem.
(In reply to Anca Soncutean [:Anca], Desktop Release QA from comment #13)
> It looks like this is still not fixed on my side (tested on Windows 10 x64).
> I ran into the same problem mentioned in bug 1451260. 

We are investigating the problem in bug 1451260. When the result is ready, I will post it in bug 1451260.
(In reply to Alexey Totmakov from comment #14)
> (In reply to Romain Testard [:RT] from comment #11)
> > ... share of your users who would have been affected. I'm trying
> > to understand how it impacted our users.
> 
> 18.0.0.405.g - ~10 000 000 users
> 18.0.0.405.(a.b.c.d.e.f) - <400 000 users 
> 
> 17.0.0.611.k - ~7 000 000 users
> 17.0.0.611.(a.b.c.d.e.f.g.h.i.j) - <500 000 users
> 
> So there are fewer than 1 000 000 users who potentially have this problem.

Thanks Alexey, to be clear, are these 1M Firefox users with Kaspersky having the problem or 1M Kaspersky users who would encounter the problem if they install Firefox?
Flags: needinfo?(alexey.totmakov)
(In reply to Romain Testard [:RT] from comment #16)
> Thanks Alexey, to be clear, are these 1M Firefox users with Kaspersky having
> the problem or 1M Kaspersky users who would encounter the problem if they
> install Firefox?

1M Kaspersky users who would encounter the problem if they install Firefox.
Flags: needinfo?(alexey.totmakov)
Do we know if this is still an issue?
Anca, can you still reproduce?
Flags: needinfo?(anca.soncutean)
Yes, the issue is still reproducible on my side on the latest Beta 62.0b20 and latest Nightly 63.0a1 (2018-08-26) under Windows 10 x64 and Windows 7 x32. I can see a change only on how the error message is displayed on Nightly build (see screenshot: https://drive.google.com/file/d/1ZMHSDMvv8PK2ifwKBw8m99m43Wj-9ZE-/view?usp=sharing ).
Flags: needinfo?(anca.soncutean)
(In reply to Anca Soncutean [:Anca], Desktop Release QA from comment #20)
> Yes, the issue is still reproducible on my side on the latest Beta 62.0b20

Anca, please note the Kaspersky version.
(In reply to Alexey Totmakov from comment #21)

> Anca, please note the Kaspersky version.

The Kaspersky version is 19.0.0.1088.
(In reply to Anca Soncutean [:Anca], Desktop Release QA from comment #22)
> The Kaspersky version is 19.0.0.1088.

We will investigate the issue on the KL side; I will answer soon.
(In reply to Anca Soncutean [:Anca], Desktop Release QA from comment #22)
> (In reply to Alexey Totmakov from comment #21)
> 
> > Anca, please note the Kaspersky version.
> 
> The Kaspersky version is 19.0.0.1088.

Hello, Anca.
1. Could you check if the error depends on how many profiles are installed?
2. Is it reproducible if you install the antivirus, update it, and run FF?
We've reproduced the bug on FF 61.02
With Free AV: 19.0.0.1088 (b)
Steps to reproduce:
1. Stop AV
2. Firefox.exe -CreateProfile Joe
3. Start AV
4. Firefox.exe -P Joe

To Anca: Is it the same problem you have reported?
Attached image Network settings.png
We narrowed down the problem and we observed that "Scan encrypted connections upon request from protection components" (found inside the Network settings section of the Kaspersky antivirus) could be the "culprit" that triggers the "Warning: Potential Security Risk Ahead" error message. When "Do not scan encrypted connections" is selected the issue is no longer reproducible.

The number of profiles doesn't seem to have any influence on this behavior.
We ran the investigation on Windows 10 x64, on the latest Nightly build 64.0a1 (20180905223809) and on the latest Kaspersky free version [19.0.0.1088.0.1634.0 (a)].
It looks like the problem is connected to Kaspersky certificate installation to Firefox storage. In our latest product (in dev) we stopped doing this; instead we install the certificate to Windows trusted storage.

For the 2018 and 2019 Kaspersky products we are going to publish the patches by the end of the year.
> In our latest product (in dev) we stopped doing this; instead we install the certificate to Windows trusted storage.

So how are you solving the certificate problem on Firefox?
(In reply to Mike Kaply [:mkaply] from comment #28)
> > In our latest product (in dev) we stopped doing this; instead we install the certificate to Windows trusted storage.
> 
> So how are you solving the certificate problem on Firefox?

Sorry Mike, I did not understand your question.
As I wrote above, we solve the problem by disabling installation of our certificate in Firefox storage. That's it.
> As I wrote above, we solve the problem by disabling installation of our certificate in Firefox storage. That's it.

Does that mean that Firefox users will be broke if they don't enable the enterprise roots preference?
> Does that mean that Firefox users will be broke if they don't enable the
> enterprise roots preference?

If the setting “enable the enterprise roots” is switched off, the Kaspersky product will not intercept Firefox traffic, so the user will have security risks. In new products, we are going to notify the user about this issue.
> If the setting “enable the enterprise roots” is switched off, the Kaspersky product will not intercept Firefox traffic, so the user will have security risks. In new products, we are going to notify the user about this issue.

Won't that cause things not to work at all?

Are you still redirecting traffic?
(In reply to Mike Kaply [:mkaply] from comment #32)
> Won't that cause things not to work at all?
No.
 
> Are you still redirecting traffic?
No.

If there is no Kaspersky certificate in Firefox storage (could be manually installed by user) and “enable the enterprise roots” is switched off, the Kaspersky product does not see Firefox traffic and has no influence.

Note that this behavior will be only in our next product. For already released products, we are going to publish patches with almost similar behavior by the end of the year.
(In reply to Alexey Totmakov from comment #33)
> (In reply to Mike Kaply [:mkaply] from comment #32)
> > Won't that cause things not to work at all?
> No.
>  
> > Are you still redirecting traffic?
> No.
> 
> If there is no Kaspersky certificate in Firefox storage (could be manually
> installed by user) and “enable the enterprise roots” is switched off,
> the Kaspersky product does not see Firefox traffic and has no influence.
> 
> Note that this behavior will be only in our next product. For already
> released products, we are going to publish patches with almost similar
> behavior by the end of the year.

Alexey, in order to help with our QA (Kaspersky + Firefox), can you please confirm the Kaspersky product and versions we should be using to test the changes outlined above?
Flags: needinfo?(alexey.totmakov)
(In reply to Romain Testard [:RT] from comment #34)
Romain, give me a couple of days for an answer.
Flags: needinfo?(alexey.totmakov)
(In reply to Romain Testard [:RT] from comment #34)
> Alexey, in order to help with our QA (Kaspersky + Firefox), can you please
> confirm the Kaspersky product and versions we should be using to test the
> changes outlined above?

We are going to publish a patch to our released product Kaspersky Internet Security 2019 by 17-December-2018. It will be Patch D. I will let you know when the patch is fully published.

Also, we are going to release Kaspersky Internet Security 2020 by the end of H1 2020.
(In reply to Romain Testard [:RT] from comment #34)

Romain, Patch D for Kaspersky Internet Security 2019 is fully published. You can test that the Kaspersky product no longer tries to install certificates to Firefox storage.

Before testing, please make sure that Patch D for Kaspersky 2019 is installed.
(In reply to Alexey Totmakov from comment #37)
> (In reply to Romain Testard [:RT] from comment #34)
> 
> Romain, Patch D for Kaspersky Internet Security 2019 is fully published.
> You can test that the Kaspersky product no longer tries to install certificates
> to Firefox storage.
> 
> Before testing, please make sure that Patch D for Kaspersky 2019 is
> installed.

Thanks so much for keeping us updated, Alexey.
I NI Tania so this comes up on her radar since she's looking after the QA plan.
Flags: needinfo?(tmaity)
I can no longer reproduce this issue with Kaspersky Internet Security 2019 - version 19.0.0.1088(d). I've tested with the latest Nightly (66.0a1 - 2018-12-17) and latest Beta (65.0b4) builds on Windows 10 x86 and Windows 7 x64.
Flags: needinfo?(tmaity)
See Also: → 1508624

I'm marking this bug as FIXED since Patch D fixed the issue by enabling the enterprise roots feature.
Also please note that Firefox 68 will ship the ability to auto enable the enterprise roots preference upon detection of these types of issues: https://www.mozilla.org/en-US/firefox/68.0beta/releasenotes/

Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
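
The thread resolves around whether Firefox trusts roots from the Windows store, which is what the enterprise roots preference controls. As an added example (not part of this bug report and not Mozilla or Kaspersky code), the following Python reads that preference from each profile for triage; it assumes the preference name `security.enterprise_roots.enabled` and the `user_pref(...)` line format of prefs.js and user.js, and the profile directory names are constructed.

```python
import re
import tempfile
from pathlib import Path

PREF = "security.enterprise_roots.enabled"
# One statement per line in prefs.js / user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def read_pref(path, name):
    """Return the last raw value assigned to `name` in a prefs file, else None."""
    if not path.is_file():
        return None
    value = None
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        m = PREF_LINE.match(line)  # commented-out lines (// ...) do not match
        if m and m.group(1) == name:
            value = m.group(2)
    return value

def enterprise_roots_state(profile_dir):
    """user.js is applied over prefs.js at startup, so check it first."""
    for fname in ("user.js", "prefs.js"):
        raw = read_pref(Path(profile_dir) / fname, PREF)
        if raw is not None:
            return {"source": fname, "enabled": raw == "true"}
    return {"source": None, "enabled": None}  # unset: the build's default applies

def audit(profiles_root):
    """Map each profile directory under profiles_root to its state."""
    return {p.name: enterprise_roots_state(p)
            for p in sorted(Path(profiles_root).iterdir()) if p.is_dir()}

def make_sample_profiles(root):
    """Constructed sample data: three hypothetical profiles."""
    on = f'user_pref("{PREF}", true);\n'
    files = {
        "a1.default/prefs.js": 'user_pref("browser.startup.page", 3);\n' + on,
        "b2.Joe/prefs.js": "// " + on,  # commented out, so effectively unset
        "c3.test/prefs.js": on,
        "c3.test/user.js": f'user_pref("{PREF}", false);\n',  # overrides prefs.js
    }
    for rel, text in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_profiles(tmp)
        for name, state in audit(tmp).items():
            print(name, state)
```

A result of `None` means the preference is not set in that profile, so the outcome depends on the Firefox build's default and any policy in effect.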