User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:126.96.36.199) Gecko/20101026 Firefox/3.6.12 Build Identifier: 3.6.12 I have to turn Kaspersky Ver 2011 off to sync Firefox and bookmarks etc. Reproducible: Always Steps to Reproduce: 1.Go to Tools/Sync 2.Left click Sync 3.Kaspersky will not allow the web site to make contact(Self Defense blocks website considered dangerous. Actual Results: Sync fails Expected Results: Sync Fails NA
Kaspersky 2011 ships with the capability to man-in-the-middle intercept SSL sessions. When it does so, Firefox will see a self-signed Kaspersky client SSL certificate rather than the CA-signed Mozilla certificate. The Kaspersky software includes a UI button that, when clicked, installs the self-signed SSL certificate into the Firefox certificate store. (I suspect this is also done at time of installation, if SSL interception is enabled.) However, if SSL interception is enabled WITHOUT adding the certificate to the current Firefox profile's certificate store, the browser will not be able to validate the SSL certificate and Sync fails to operate as expected. This issue is a direct result of a Kaspersky setting, and can only be resolved through the Kaspersky UI. Two solutions are available: 1. Open Firefox with the desired profile, then quit Firefox. Click the Kaspersky "Install Certificate" button. 2. Disable Kaspersky SSL interception. The Kaspersky support instructions for "Install Certificate" and enabling/disabling SSL interception, including video, are at http://support.kaspersky.com/kav2011/tech?qid=208282018
Component: Operations → General
QA Contact: operations → general
IRC notes: We should add a support note about this somewhere, as other users are going to encounter this. Firefox Sync could present a more helpful UI when there is an SSL certificate error - a yellow error bar with a View Certificate button perhaps?
Created attachment 491689 [details] evidence of Kaspersky SSL interception We were able to view the interception certificate by going to https://auth.services.mozilla.com/1.0/ in the browser and then using the standard UI to view certificate.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Firefox have some forcibly limitation on ssl-proxy for domain *.mozilla.org https://bugzilla.mozilla.org/show_bug.cgi?id=340198 Browser check CA certificate for "Buildin Object Token" attribute. We have special certificate installation wazard for integrate certificate to firefox NSS CertBD, but use legal way for it and therefore KIS certificate dont' have such attribute. KIS/KAV 2011 support ssl-excludes via doman name/mask. Users can add ssl excludes https://*.mozilla.org manually (see attach) We have some predefined ssl-excludes (including "https://*.mozilla.org") in product unstallation. But it's available for clean installation and not pick up at upgrade.
Note that this bug is regarding *.services.mozilla.com, not *.mozilla.org.
OS: Windows 7 → Windows XP
*.services.mozilla.com is subset of *.mozilla.org. For example we also detect errors with *.addons.mozilla.org etc.
How does a wildcard ending in ".org" match a domain ending in ".com"?
Im's sorry ... Thereby https://*.mozilla.com exclude require :)
Thanks, Alexey. Can this second include be added to the application defaults so we can lessen the impact as much as possible?
Yes, we'll add this service URL. But only for next product version. Because this excludes cann't be update differently :(
We're now tracking such bugs. This doesn't mean it's something we can fix, merely something we hope to be able to point vendors to so they can investigate. This is an automated message.
Assignee: alexey.drozdov → nobody
Component: General → Kaspersky AV
Product: Mozilla Services → Plugins
QA Contact: general → kaspersky-antivirus
Closing old bugs in the Plugins component. We aren't going to track issues in 3rd-party plugins in the Mozilla bug tracker. In addition, support for NPAPI plugins will be removed at the end of this year; for more details see the post at https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/ If there is a serious bug in Firefox, it needs to be filed in the "Core" product, "Plug-Ins" component.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.