Insecure Connection
August 13, 2019 2:28 PM Subscribe
Why do I keep getting this error today on many different websites? I can access many others without a problem, including metafilter and google. "Your connection is not secure The owner of www.foodnetwork.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website."
If I hit the Advanced button, I get this:
"www.foodnetwork.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER"
I have vague memories of this happening last spring where a ton of security certs expired or were unreadable. Did something similar happen again?
Windows 7 - Firefox 60.6.2esr
If I hit the Advanced button, I get this:
"www.foodnetwork.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER"
I have vague memories of this happening last spring where a ton of security certs expired or were unreadable. Did something similar happen again?
Windows 7 - Firefox 60.6.2esr
Response by poster: Yes, it is updated (not my computer, just using it) and shows the correct date. I have restarted FF a few times.
posted by soelo at 2:40 PM on August 13, 2019
posted by soelo at 2:40 PM on August 13, 2019
Firefox uses its own certificate storage, so the OS version is probably irrelevant to this issue. I think nickggully is on the right track otherwise: you might just need a more recent set of certificates. The version of Firefox you're using is months out of date, and it looks like some significant security issues were fixed in that time. The current ESR version of Firefox is 60.8; I recommend installing it if you can. I would assume that the newer version also contains the missing certificates.
posted by skymt at 2:46 PM on August 13, 2019 [3 favorites]
posted by skymt at 2:46 PM on August 13, 2019 [3 favorites]
If you'd prefer not to or can't update firefox on the machine you are using you could try the portable apps version (you just have to download and run it; no install required).
Do you get the same error with IE/Edge?
posted by Mitheral at 6:28 PM on August 13, 2019 [1 favorite]
Do you get the same error with IE/Edge?
posted by Mitheral at 6:28 PM on August 13, 2019 [1 favorite]
Are you on a different network than normally? I get similar results sometimes from corporate firewalls.
posted by Akke at 4:19 AM on August 14, 2019 [1 favorite]
posted by Akke at 4:19 AM on August 14, 2019 [1 favorite]
Hi, Soelo - I work for Mozilla, and that sort of thing shouldn't be happening.
For what it's worth, in your example - can you ask for the details, and tell us what certificate Firefox thinks the food network is using? Skynt's suggestion that you keep your ESR Firefox up to date is a good idea - you should definitely do that! - but "unknown issuer" makes me think that's not the problem here.
By far the most common reason that our users see this is because of a (frankly substandard, most of them are) antivirus or network monitoring programs intercepting traffic internally on their machine. Because Firefox relies on its own certificate store, and doesn't use the one baked into the operating system, AV/monitoring tools that install their own custom certificates to the operating system store to intercept your communications can't maintain the illusion of channel integrity while they're monitoring your traffic.
I'm willing to wager that you've got some AV software with a network monitoring feature turned on - though sometimes it's child-safety applications of some stripe? - and that's what's causing the problem.
Feel free to memail me if you'd like to talk through the details.
posted by mhoye at 4:54 AM on August 14, 2019 [2 favorites]
For what it's worth, in your example - can you ask for the details, and tell us what certificate Firefox thinks the food network is using? Skynt's suggestion that you keep your ESR Firefox up to date is a good idea - you should definitely do that! - but "unknown issuer" makes me think that's not the problem here.
By far the most common reason that our users see this is because of a (frankly substandard, most of them are) antivirus or network monitoring programs intercepting traffic internally on their machine. Because Firefox relies on its own certificate store, and doesn't use the one baked into the operating system, AV/monitoring tools that install their own custom certificates to the operating system store to intercept your communications can't maintain the illusion of channel integrity while they're monitoring your traffic.
I'm willing to wager that you've got some AV software with a network monitoring feature turned on - though sometimes it's child-safety applications of some stripe? - and that's what's causing the problem.
Feel free to memail me if you'd like to talk through the details.
posted by mhoye at 4:54 AM on August 14, 2019 [2 favorites]
Response by poster: Thanks for all of the suggestions. This is not a computer I own, but it is provided for me (and others) to use and so updates are not my responsibility, though I can sometimes push them through. It is behind a firewall and I am not allowed to run portable apps on it, unfortunately. Also, the AV is installed and maintained by other people. I wish I had thought to try IE at the time and I will do so the next time I use that machine.
posted by soelo at 5:21 AM on August 14, 2019
posted by soelo at 5:21 AM on August 14, 2019
Is this a computer that's managed by a business or organization? My guess would be that you're encountering a corporate firewall/proxy that monitors client traffic by doing a "man in the middle" intervention. I'd say "man in the middle attack" but it's such a common pattern in large organizations that I'm hedging my language. (I love you, benevolent corporate overlords!)
It basically works like this: the organization pushes their own trusted root certificate authority to your machine. Why is it trusted? Because the organization says so, and they control the machine's software. Then, any traffic that uses HTTPS is signed with that certificate between your machine and the corporate proxy. Traffic then uses the end destination's HTTPS cert between the proxy and the end destination.
What probably happened is Firefox isn't set up to pick up the organization's cert and another browser they want you to use is, or the process to push a new cert to the machine failed and the company's proxy is no longer trusted.
posted by mikeh at 7:10 AM on August 14, 2019
It basically works like this: the organization pushes their own trusted root certificate authority to your machine. Why is it trusted? Because the organization says so, and they control the machine's software. Then, any traffic that uses HTTPS is signed with that certificate between your machine and the corporate proxy. Traffic then uses the end destination's HTTPS cert between the proxy and the end destination.
What probably happened is Firefox isn't set up to pick up the organization's cert and another browser they want you to use is, or the process to push a new cert to the machine failed and the company's proxy is no longer trusted.
posted by mikeh at 7:10 AM on August 14, 2019
Response by poster: Yep, org managed. I get that they want to manage all of my internet traffic (and should on their own machine), but I wonder why I could read metafilter (on https) and other non-org related sites but could not look up a recipe yesterday. Most other days, foodnetwork.com and similar websites work fine from that machine.
posted by soelo at 7:59 AM on August 14, 2019
posted by soelo at 7:59 AM on August 14, 2019
More than likely, their proxy is busted or load-balanced and you're getting a different cert depending on some arbitrary ruleset that's decipherable only to the proxy admins.
I'd check the certificate (click on the (i) next to the URL in Firefox, arrow next to "Connection", and then "More Information" at the bottom) on a site that works, and then on a site that doesn't. It'd also be worth seeing if you could accept the bad cert and check if you can still get to the page after that -- it could be that for blocked domains they're doing something dumb like redirecting to an error page that has an actual invalid certificate and you just can't get to Food Network, etc. at all.
posted by mikeh at 8:08 AM on August 14, 2019
I'd check the certificate (click on the (i) next to the URL in Firefox, arrow next to "Connection", and then "More Information" at the bottom) on a site that works, and then on a site that doesn't. It'd also be worth seeing if you could accept the bad cert and check if you can still get to the page after that -- it could be that for blocked domains they're doing something dumb like redirecting to an error page that has an actual invalid certificate and you just can't get to Food Network, etc. at all.
posted by mikeh at 8:08 AM on August 14, 2019
This thread is closed to new comments.
The OS might not have updates for the latest styles of certificates
posted by nickggully at 2:29 PM on August 13, 2019 [3 favorites]