Closed Bug 612493 Opened 14 years ago Closed 8 years ago

Kaspersky 2011 will not allow Firefox Sync to sync

Categories

(Plugins Graveyard :: Kaspersky AV, defect)

Product:
Plugins Graveyard
Component:
Kaspersky AV
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: ctampir, Assigned: alexey.drozdov)

References

Details

(Keywords: user-doc-needed)

Attachments

(2 files)

evidence of Kaspersky SSL interception
54.48 KB, image/jpeg
Details
add ssl excludes via domain name/mask
15.15 KB, image/png
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: 3.6.12

I have to turn Kaspersky Ver 2011 off to sync Firefox and bookmarks etc.

Reproducible: Always

Steps to Reproduce:
1.Go to Tools/Sync
2.Left click Sync
3.Kaspersky will not allow the web site to make contact(Self Defense blocks       website considered dangerous.                     
Actual Results:  
Sync fails

Expected Results:  
Sync Fails

NA
Kaspersky 2011 ships with the capability to man-in-the-middle intercept SSL sessions.  When it does so, Firefox will see a self-signed Kaspersky client SSL certificate rather than the CA-signed Mozilla certificate.  The Kaspersky software includes a UI button that, when clicked, installs the self-signed SSL certificate into the Firefox certificate store.  (I suspect this is also done at time of installation, if SSL interception is enabled.)  However, if SSL interception is enabled WITHOUT adding the certificate to the current Firefox profile's certificate store, the browser will not be able to validate the SSL certificate and Sync fails to operate as expected.

This issue is a direct result of a Kaspersky setting, and can only be resolved through the Kaspersky UI.  Two solutions are available:

1. Open Firefox with the desired profile, then quit Firefox.  Click the Kaspersky "Install Certificate" button.
2. Disable Kaspersky SSL interception.

The Kaspersky support instructions for "Install Certificate" and enabling/disabling SSL interception, including video, are at http://support.kaspersky.com/kav2011/tech?qid=208282018
Component: Operations → General
QA Contact: operations → general
IRC notes:

We should add a support note about this somewhere, as other users are going to encounter this.

Firefox Sync could present a more helpful UI when there is an SSL certificate error - a yellow error bar with a View Certificate button perhaps?
We were able to view the interception certificate by going to https://auth.services.mozilla.com/1.0/ in the browser and then using the standard UI to view certificate.
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
Firefox have some forcibly limitation on ssl-proxy for domain *.mozilla.org
https://bugzilla.mozilla.org/show_bug.cgi?id=340198

Browser check CA certificate for "Buildin Object Token" attribute.
We have special certificate installation wazard for integrate certificate to firefox NSS CertBD, but use legal way for it and therefore KIS certificate dont' have such attribute.

KIS/KAV 2011 support ssl-excludes via doman name/mask.
Users can add ssl excludes https://*.mozilla.org manually (see attach)

We have some predefined ssl-excludes (including "https://*.mozilla.org") in product unstallation. But it's available for clean installation and not pick up at upgrade.

    
    

    
  
Note that this bug is regarding *.services.mozilla.com, not *.mozilla.org.
OS: Windows 7 → Windows XP

    
    

    
  
*.services.mozilla.com is subset of *.mozilla.org.

For example we also detect errors with *.addons.mozilla.org etc.

    
    

    
  
How does a wildcard ending in ".org" match a domain ending in ".com"?

    
    

    
  
Im's sorry ...
Thereby https://*.mozilla.com exclude require :)

    
    

    
  
Thanks, Alexey. Can this second include be added to the application defaults so we can lessen the impact as much as possible?

    
    

    
  
Yes, we'll add this service URL.
But only for next product version.
Because this excludes cann't be update differently :(

    
  
Assignee: nobody → alexey.drozdov

    
    

    
  
We're now tracking such bugs. This doesn't mean it's something we can fix, merely something we hope to be able to point vendors to so they can investigate. This is an automated message.
Assignee: alexey.drozdov → nobody
Component: General → Kaspersky AV
Product: Mozilla Services → Plugins
QA Contact: general → kaspersky-antivirus

    
  
Assignee: nobody → alexey.drozdov

    
    

    
  
Closing old bugs in the Plugins component. We aren't going to track issues in 3rd-party plugins in the Mozilla bug tracker. In addition, support for NPAPI plugins will be removed at the end of this year; for more details see the post at https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/

If there is a serious bug in Firefox, it needs to be filed in the "Core" product, "Plug-Ins" component.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Product: Plugins → Plugins Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: