Closed Bug 1510355 Opened 6 years ago Closed 6 years ago

Certificate errors shown for lots of pages (due to bitdefender MITM'ing TLS connections

Categories

(Web Compatibility :: Site Reports, defect)

Product:
Web Compatibility
Component:
Site Reports
Version:
Firefox 63
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1310629

People

(Reporter: gw.graebner, Unassigned)

Details

Attachments

(5 files)

FF63_SEC_ERROR-microsoft.JPG
81.53 KB, image/jpeg
Details
FF63_SEC_ERROR-voelkner-electronics.JPG
83.64 KB, image/jpeg
Details
FF63_ContentsCorrupted_falk-maps.JPG
44.27 KB, image/jpeg
Details
SiteCorruptedDisplay-comdirect.JPG
38.09 KB, image/jpeg
Details
Bitdefender.JPG
50.75 KB, image/jpeg
Details 
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

FF (63.0.3, and shortly before) is not working properly any more ! 
Presently, I'm using CLIQZ (Firefox Fork), which is working well.



Actual results:

For some weeks now, I see heavy problems using FF (and - strange enough -) with MS EDGE as well, which I use, as an alternative on occasions.
FF is putting up severe restrictions on access of most websites, claiming security issues like faulty certificates. Trying to go around these errors (on well known sites) is mostly blocked. So I was stuck, before switching to CLIQZ.

My idea of relaxing the security setup of FF didn't help (Anyway, I didn't change anything before that effect came up - with a new version ?!)

There might be a WIN10 problem as well, as - also for weeks now - MS tries to install the fall update without success (but the system is rolling back by itself, so I don't have any restrictions in using the system, and I can wait for them fixing all stuff...)

Luckily, I could work on without FF - but I wouldn't like to !



Expected results:

I report, to get at least some hints from your side : knowledge about 'seen-before' stories, and some insight into the WIN10 interface, which might be affected (or being the cause of the troubles).
Group: firefox-core-security
On the certificate errors, can you click through to get the 'advanced' certificate data? Without more details about what certificate errors you're having it's hard to help you fix them. At a guess, perhaps your antivirus or firewall application is intercepting connections, or perhaps your system clock is wrong -- but those are just guesses, it's hard to say more without more details.
Flags: needinfo?(gw.graebner)
Summary: Heavy useability problems FF 63 → Certificate errors shown for lots of pages
Flags: needinfo?(gw.graebner)

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  
Thanks for fast reply !

I add 4 examples.
As you see, the error mentioned is not the only one; there are also refused sites due to (claimed to be)'corrupted content' (Falk.de), or even broken presentation (comdirect.de).

Some errors can be corrected by the procedure you described; those are not a problem. But there are too many !
B.t.w., most of the sites I visit, are relevant ones - in terms of traffic.

My AV program is Bitdefender (updated regularly).

Never saw such a confusing mixup of things, working correctly partly, and others going wrong.
And - as mentioned - my present browser CLIQZ, as a FF fork, works (nearly) perfectly !

Regards
Guenther

    
    

    
  
(In reply to gw.graebner from comment #6)
> My AV program is Bitdefender (updated regularly).

Yeah, try disabling the "web traffic inspector" or "Encrypted web scan" in Bitdefender and/or following the instructions at https://www.bitdefender.com/support/what-to-do-when-security-certificates-cannot-be-verified-installed-1090.html (not sure exactly what version you have and where the right switch is, as I don't have a copy of bitdefender myself) . That should solve the issue. Alternatively, per https://bugzilla.mozilla.org/show_bug.cgi?id=1310629#c4 , it may be possible to turn on "security.enterprise_roots.enabled" in about:config in Firefox, and that *might* work.

As to why it works in Cliqz, I expect Bitdefender isn't trying to intercept traffic there.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE

    
  
Summary: Certificate errors shown for lots of pages → Certificate errors shown for lots of pages (due to bitdefender MITM'ing TLS connections

    
    

    
  
Guenther, can you please provide details on your bitdefender product and version to help reproduce this issue?
Flags: needinfo?(gw.graebner)

    
    

    
  

      
      
      
      

        Attached image
          
        Bitdefender.JPG
      

    


  
Flags: needinfo?(gw.graebner)

    
    

    
  
I include the present Bitdefender Version Info.

! Most important: After switching off the "online threats/ encrypted websites" in Bitdefender, things go well again !

@:Gijs - CLIQZ really seems to work 'under the radar' of Bitdefender... 

BUT, pls. let me ask finally : is there a real threat in the matter that Bitdefender deals with a, obviously, poor implementation? Or does FF help with that 'threat' anyway ?

Guenther

    
  
Component: Untriaged → Desktop
Product: Firefox → Tech Evangelism
Version: 63 Branch → Firefox 63

    
    

    
  
(In reply to gw.graebner from comment #10)
> I include the present Bitdefender Version Info.
> 
> ! Most important: After switching off the "online threats/ encrypted
> websites" in Bitdefender, things go well again !
> 
> @:Gijs - CLIQZ really seems to work 'under the radar' of Bitdefender... 
> 
> BUT, pls. let me ask finally : is there a real threat in the matter that
> Bitdefender deals with a, obviously, poor implementation? Or does FF help
> with that 'threat' anyway ?
> 
> Guenther

Other browsers tend to use the Windows cert store where we rely on our own, this may explain that the CLIQZ browser works (Bitdefender may install its certificate in Windows cert store but not on Firefox's) .
I'm unsure about the benefits of using Bitdefender based on your specific needs so hard to say whether there is a real threat there unfortunately but I personally don't use any AV on Windows.

    
    

    
  
O.k. for me !

But, in terms of the FF community: how to take care that Bitdefenders problems don't drive users to stay away from FF ?
This may cause severe image problems ! ....

Thanks to :RT and :Gijs !

Regards.
Guenther

    
    

    
  
(In reply to gw.graebner from comment #12)
> O.k. for me !
> 
> But, in terms of the FF community: how to take care that Bitdefenders
> problems don't drive users to stay away from FF ?
> This may cause severe image problems ! ....
> 
> Thanks to :RT and :Gijs !
> 
> Regards.
> Guenther

Guenther, please see bug 1512962 that we found when attempting to reproduce your issue.
Can you please confirm if the profile name you use includes non ASCII characters?
Flags: needinfo?(gw.graebner)

    
    

    
  
(In reply to Romain Testard [:RT] from comment #13)
> Guenther, please see bug 1512962 that we found when attempting to reproduce
> your issue.
> Can you please confirm if the profile name you use includes non ASCII
> characters?

(or, for that matter, if your Windows user name or any other path component for the profile path contains non-ASCII characters?)

    
    

    
  
On your latest questions (comment #13, #14):
Names of my profiles, and the paths for it, do NOT contain Non-ASCII chars ! ...
Flags: needinfo?(gw.graebner)
Product: Tech Evangelism → Web Compatibility

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: