Kaspersky 2011 will not allow Firefox Sync to sync



8 years ago
2 years ago


(Reporter: ctampir, Assigned: alexey.drozdov)





(2 attachments)



8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20101026 Firefox/3.6.12
Build Identifier: 3.6.12

I have to turn Kaspersky Ver 2011 off to sync Firefox and bookmarks etc.

Reproducible: Always

Steps to Reproduce:
1.Go to Tools/Sync
2.Left click Sync
3.Kaspersky will not allow the web site to make contact(Self Defense blocks       website considered dangerous.                     
Actual Results:  
Sync fails

Expected Results:  
Sync Fails

Kaspersky 2011 ships with the capability to man-in-the-middle intercept SSL sessions.  When it does so, Firefox will see a self-signed Kaspersky client SSL certificate rather than the CA-signed Mozilla certificate.  The Kaspersky software includes a UI button that, when clicked, installs the self-signed SSL certificate into the Firefox certificate store.  (I suspect this is also done at time of installation, if SSL interception is enabled.)  However, if SSL interception is enabled WITHOUT adding the certificate to the current Firefox profile's certificate store, the browser will not be able to validate the SSL certificate and Sync fails to operate as expected.

This issue is a direct result of a Kaspersky setting, and can only be resolved through the Kaspersky UI.  Two solutions are available:

1. Open Firefox with the desired profile, then quit Firefox.  Click the Kaspersky "Install Certificate" button.
2. Disable Kaspersky SSL interception.

The Kaspersky support instructions for "Install Certificate" and enabling/disabling SSL interception, including video, are at http://support.kaspersky.com/kav2011/tech?qid=208282018
Component: Operations → General
QA Contact: operations → general
IRC notes:

We should add a support note about this somewhere, as other users are going to encounter this.

Firefox Sync could present a more helpful UI when there is an SSL certificate error - a yellow error bar with a View Certificate button perhaps?
Duplicate of this bug: 613355
Created attachment 491689 [details]
evidence of Kaspersky SSL interception

We were able to view the interception certificate by going to https://auth.services.mozilla.com/1.0/ in the browser and then using the standard UI to view certificate.
Ever confirmed: true


8 years ago
Keywords: user-doc-needed

Comment 5

8 years ago
Created attachment 497487 [details]
add ssl excludes via domain name/mask

Comment 6

8 years ago
Firefox have some forcibly limitation on ssl-proxy for domain *.mozilla.org

Browser check CA certificate for "Buildin Object Token" attribute.
We have special certificate installation wazard for integrate certificate to firefox NSS CertBD, but use legal way for it and therefore KIS certificate dont' have such attribute.

KIS/KAV 2011 support ssl-excludes via doman name/mask.
Users can add ssl excludes https://*.mozilla.org manually (see attach)

We have some predefined ssl-excludes (including "https://*.mozilla.org") in product unstallation. But it's available for clean installation and not pick up at upgrade.
Note that this bug is regarding *.services.mozilla.com, not *.mozilla.org.
OS: Windows 7 → Windows XP

Comment 8

8 years ago
*.services.mozilla.com is subset of *.mozilla.org.

For example we also detect errors with *.addons.mozilla.org etc.
How does a wildcard ending in ".org" match a domain ending in ".com"?

Comment 10

8 years ago
Im's sorry ...
Thereby https://*.mozilla.com exclude require :)

Comment 11

8 years ago
Thanks, Alexey. Can this second include be added to the application defaults so we can lessen the impact as much as possible?

Comment 12

8 years ago
Yes, we'll add this service URL.
But only for next product version.
Because this excludes cann't be update differently :(


8 years ago
Assignee: nobody → alexey.drozdov

Comment 13

8 years ago
We're now tracking such bugs. This doesn't mean it's something we can fix, merely something we hope to be able to point vendors to so they can investigate. This is an automated message.
Assignee: alexey.drozdov → nobody
Component: General → Kaspersky AV
Product: Mozilla Services → Plugins
QA Contact: general → kaspersky-antivirus


8 years ago
Assignee: nobody → alexey.drozdov

Comment 14

2 years ago
Closing old bugs in the Plugins component. We aren't going to track issues in 3rd-party plugins in the Mozilla bug tracker. In addition, support for NPAPI plugins will be removed at the end of this year; for more details see the post at https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/

If there is a serious bug in Firefox, it needs to be filed in the "Core" product, "Plug-Ins" component.
Last Resolved: 2 years ago
Resolution: --- → INCOMPLETE
Product: Plugins → Plugins Graveyard
You need to log in before you can comment on or make changes to this bug.