new ssl_error_bad_cert_domain error window

Discussion about official Mozilla Firefox builds
LoudNoise
New Member
Posts: 39900
Joined: October 18th, 2007, 1:45 pm
Location: Next door to the west

Re: new ssl_error_bad_cert_domain error window

Post by LoudNoise »

Err, we have nothing to do with development. We are a user to user support forum. We are not associated with Mozilla. And trust me, if this thread gets locked it will have nothing to do with Schapel.
Post wrangler
"Choose between the Food Select Feature or other Functions. If no food or function is chosen, Toast is the default."
megamanx
Posts: 107
Joined: April 6th, 2011, 8:35 am

Re: new ssl_error_bad_cert_domain error window

Post by megamanx »

schapel wrote: I'm a user like you, not part of the development moderating team. I am asking you questions so I can determine what the problem is. You have not provided answers, so I cannot help. All you want to do is argue with me, so I'll not attempt to give help any more. Once again, we don't see any screen shots!!!


I have already posted the screenshots, that's the clearest I can get. I can't read your mind and get what you want because that's as far as I can go, put yourself in my position and it would be almost the same, or not. I've answered whatever I could, or did you not read the part where I've said that I talked to an admin from the Tech Department in the University?
JayHawk is throwing me suggestions while you just go on about and not throw anything that would seem like a solution. It's the idea that counts, whether it doesn't solve the problem.

Don't take it wrong, I appreciate the aid from JayHawk, said his name enough times already. I'll wait for the University to give me their side of the story.

Edit: Thank you, LoudNoise. I am just awaiting for someone that knows Firefox inside and out, even to the binary code, there has to be 1 in millions of forum users, that can provide me with many things to try with about:config or etc.; to solve this problem. Because if the problem started from 3.0+, there had to be a security layer that is preventing the browser from allowing this log-in process.
teoli2003
Posts: 5091
Joined: November 10th, 2005, 2:54 am
Contact:

Re: new ssl_error_bad_cert_domain error window

Post by teoli2003 »

Ok I've taken a few more minutes and I think I've understood what happens.

When you start your Firefox, it tries at once to connect to other sites via an encrypted connection: addons.mozilla.org to check if some extensions have been updated and Xmarks as you are using Xmarks.

As you haven't logged in yet, the page is sent by your school proxy, with the school certificate which is not issued for AMO or XMarks sites, hence the error (which is correct, though I think the UI leads to bad UX).

Just click cancel on the two error messages, then log in normally. After that background connections to AMO and XMarks can happen normally (and you won't notice it). It should work ok.

As it is bad UI leading to bad UX, I can create an entry in bugzilla. Do you accept that I use the last screenshot you posted (the first two are inaccessible)? Of course, I need you to first confirm that my proposed workaround did the trick.
megamanx
Posts: 107
Joined: April 6th, 2011, 8:35 am

Re: new ssl_error_bad_cert_domain error window

Post by megamanx »

teoli2003 wrote: Just click cancel on the two error messages, then log in normally. After that background connections to AMO and XMarks can happen normally (and you won't notice it). It should work ok.


I go to the University on Saturday, I'll try this method.

The screenshots inaccessible? If you need them for a report, then by all means use them.

Edit: That didn't seem to solve the problem because if I happen to press Cancel, I still get thrown out into a "Site interrupted," maybe more Cancels are in order, due to the fact that one of them led to LastPass. I assume it's trying to update my add-ons when I start the browser, normal activity, possible that I disable Firefox Update checker and try again?

I have been patiently waiting for this problem to be solved since Firefox 3.0, that's a long time, so I think it was time to complain.
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan
Contact:

Re: new ssl_error_bad_cert_domain error window

Post by schapel »

teoli2003 wrote: When you start your Firefox, it tries at once to connect to other sites via an encrypted connection: addons.mozilla.org to check if some extensions have been updated and Xmarks as you are using Xmarks.

Ah, now that I see that the screenshots are in the last link provided (even though the other two result in Server Not Found) this makes sense. On the other hand, I regularly connect to Wi-Fi hotspots that redirect to a start page where I need to provide a login, as well as hotspots where I simply click on a button to accept the terms and conditions. I have never seen this problem with Firefox 3.6 on Linux. Whenever I get a dialog about a bad certificate, it really is expired or for a different domain or from an authority not recognized by Mozilla. If many Firefox users were experiencing certificate problems when using Wi-Fi logins, I think we'd hear a lot about the problem. Maybe it has something specifically to do with Xmarks or some other add-on.
teoli2003
Posts: 5091
Joined: November 10th, 2005, 2:54 am
Contact:

Re: new ssl_error_bad_cert_domain error window

Post by teoli2003 »

What is this LastPass thing?

Once you canceled the window, you should go to a normal page. Your proxy will hijack it, and, as its certificate is probably autosigned, it will lead to an error page, but there you will be able to add an exception for the certificate. Then you'll be able to login normally.
megamanx
Posts: 107
Joined: April 6th, 2011, 8:35 am

Re: new ssl_error_bad_cert_domain error window

Post by megamanx »

schapel wrote: If many Firefox users were experiencing certificate problems when using Wi-Fi logins, I think we'd hear a lot about the problem. Maybe it has something specifically to do with Xmarks or some other add-on.

They just use Chrome or IE, so you don't see them complaining, they have another alternative. I choose not to switch just to log in, when it shouldn't be giving me this trouble. It couldn't be because of the add-ons, because I've tried the clean portable version advised early before, nothing on it but I still got the error. Services...blah blah thing.

I canceled the window that showed the LastPass, that was after the buy.xmarks thing, then I might get another one, then another, then another. So many clicks on Cancel to login? Ouch! I will try it, though. Anything to keep logging with FF, I am currently using Nightly, but it's the same on all, even Palemoon. :)
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan
Contact:

Re: new ssl_error_bad_cert_domain error window

Post by schapel »

If even 1% of Firefox users experience this problem, that's three million users. Millions of users silently use Chrome or IE because of this problem? I don't think so. There's something different about the Wi-Fi point you're logging into or the configuration on your computer, and this difference is what's causing the problem for you and not the many millions of other Firefox users. That's not to say it's not a problem with Firefox, but it is to say if you talk with others about the problem they will not understand or be able to fix the problem because they are not experiencing the problem themselves. Maybe it's "this LastPass thing" which you are not explaining.
megamanx
Posts: 107
Joined: April 6th, 2011, 8:35 am

Re: new ssl_error_bad_cert_domain error window

Post by megamanx »

This is getting nowhere. I would have had the solution by now if someone that is very well into the subject. I thank the guys with suggestions, anything helpful is what I was looking for, whether it works or not. All I hear is that Firefox is not to blame, but why not, when the other browsers log in? People use a browser and expect it to work, it's the majority of the users that use any browser. What are you talking about? My friends that use Firefox can't get on the wireless login either, unless they use another browser to logon, so they give up and use other alternative, I don't want to give up on Firefox.

First it's Xmarks, then it's LastPass, so I should get rid of my add-ons to make it work? What's up with that? I don't have to remove any add-ons on ChromePlus! or IE9 to be able to login, it's Firefox's security feature too paranoid or updater intervening while I to get log on to the wireless. I repeat, it did work under 3.0, it all began with 3.0+, so they might have implemented something. It's something in Firefox that needs to be tweaked, yet I don't have enough knowledge to figure it out, thus I come here.

The Last Pass thing wasn't in the Portable version(It was free of add-ons), which got me into an error also, so I can rule out the add-ons.
JayhawksRock
Posts: 10433
Joined: October 24th, 2010, 8:51 am

Re: new ssl_error_bad_cert_domain error window

Post by JayhawksRock »

megamanx wrote: The Last Pass thing wasn't in the Portable version (it was free of add-ons), which got me into an error also, so I can rule out the add-ons.


I only use portable. When you tried portable did you use the default profile or did you copy your current profile into portable? If you copied you may have moved the problem into portable. Do you have any problems using an Ethernet connection? Did you try with only one tab open? Are you allowing 3rd party cookies?

I have had the LastPass SSL popup error 1 time a while back. It was on a nightly build so I thought it would go away in a couple of days. At the same time I uninstalled LastPass and deleted all leftover references in my prefs.js file and deleted every file in my profile and the application folders beginning with LP. Reinstalled LastPass a couple of days later and never had that error again. I also use Xmarks but never had the error there.

Try setting in about:config "network.dns.disableIPv6" to true. http://kb.mozillazine.org/Error_loading_any_website

Apparently the SSL error in LastPass is common.
Check this out. http://forums.lastpass.com/search.php?s ... l&start=20 maybe something there will help.
Also
http://forums.lastpass.com/search.php?s ... or&start=0
or here
http://forums.lastpass.com/search.php?s ... l&start=20
"The trouble with quotes on the internet is you never know if they are genuine" ...Abraham Lincoln
megamanx
Posts: 107
Joined: April 6th, 2011, 8:35 am

Re: new ssl_error_bad_cert_domain error window

Post by megamanx »

No add-ons, it simply made a profile in the USB drive. Nothing from my computer-installed Firefox or Firefox-related versions affected it.

The one that has the Firefox label is the one from the USB drive, nothing about add-ons interfering.
I'll try that IPv6 thing.
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan
Contact:

Re: new ssl_error_bad_cert_domain error window

Post by schapel »

Coincidentally, today I'm having some maintenance done on my car. Sitting in the waiting room, I connected to Wi-Fi and started Firefox and Thunderbird. Firefox is able to browse the web without problems, but Thunderbird gives me errors about SSL certificates for the mail servers it connects to, stating that Fortinet is not a recognized certificate authority. It turns out that the certificates Thunderbird is receiving are marked as signed by Fortinet, which is a brand of firewall and web filter. It seems like the public Wi-Fi connection uses a Fortinet firewall, and it's trying to insert itself in a well-meaning man-in-the-middle attack. When I use Firefox to go to HTTPS sites, I get no error, so it looks as though Fortinet is intercepting secure communications on mail ports and not web ports.

I'm not sure if the problem I'm having today is related to the University of Houston-Downtown problem, but at least it's the first time I've seen what seems to be a man-in-the-middle attack. There are other people who seem to have experienced the same problem. Here's FortiNet's documentation about how you let it perform deep packet inspection on IMAPS traffic!
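Added example, not part of any post in this thread: a small Python triage of the two certificate failures described above, the login-portal certificate that does not name the requested host (`ssl_error_bad_cert_domain`) and the certificate that names the right host but is signed by the filter's own CA. All hosts, certificate contents and the trusted-issuer set are constructed, and matching the issuer by organization name is a simplified stand-in for real chain validation.

```python
# Certificates use the dict shape returned by ssl.SSLSocket.getpeercert().
# All hosts, names and issuers below are constructed sample data.

def name_matches(pattern, host):
    """Wildcard allowed only as the entire left-most label (RFC 6125 style)."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # Fall back to commonName only when no DNS SAN is present.
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn
                    if k == "commonName"]

def issuer_org(cert):
    return next((v for rdn in cert.get("issuer", ()) for k, v in rdn
                 if k == "organizationName"), None)

def triage(host, cert, trusted_orgs):
    """trusted_orgs is a simplified stand-in for real chain validation."""
    findings = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        findings.append("bad_cert_domain")
    if issuer_org(cert) not in trusted_orgs:
        findings.append("unknown_issuer")
    return findings

def same_cert_for_unrelated_hosts(observations):
    """True when one certificate answered for 2+ hosts it does not cover,
    the pattern a login portal or intercepting proxy produces."""
    seen = {}
    for host, cert in observations:
        if not any(name_matches(n, host) for n in cert_names(cert)):
            seen.setdefault(tuple(cert_names(cert)), set()).add(host)
    return any(len(hosts) > 1 for hosts in seen.values())

TRUSTED = {"Example Public CA"}
PORTAL = {"subject": ((("commonName", "wifi-login.campus.example"),),),
          "issuer": ((("organizationName", "Example Public CA"),),),
          "subjectAltName": (("DNS", "wifi-login.campus.example"),)}
FILTERED = {"subject": ((("commonName", "imap.mail.example"),),),
            "issuer": ((("organizationName", "Fortinet"),),),
            "subjectAltName": (("DNS", "imap.mail.example"),)}
```

The first finding is a name problem and the second a trust problem; one certificate answering for several unrelated hosts points at the network rather than at those sites.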
teoli2003
Posts: 5091
Joined: November 10th, 2005, 2:54 am
Contact:

Re: new ssl_error_bad_cert_domain error window

Post by teoli2003 »

Schapel, this is likely similar to what is happening: the proxy is hijacking the connection, the browser (or Thunderbird) detects it and signals it, but the message is cryptic (and the certificate difficult to access, so that it is difficult to know if it is "legit").

The cryptic message is Mozilla's real problem in such cases (and not the case that it blocks the pages which is good and expected). On "regular" pages (in a tab), in three clicks we have access to the certificate, but with these background connections there is no easy way to diagnose and, eventually, to add an exception.
schapel
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan
Contact:

Re: new ssl_error_bad_cert_domain error window

Post by schapel »

In this case, however, you normally don't want to add an exception. The purpose of the message is to warn a user about a possible man-in-the-middle attack. If the message users get is to just unthinkingly add an exception when they get certificate errors, then they're not protected against these attacks. If a user has a problem with a proxy hijacking the connection, the user should contact the tech support for the network, so that the user can either 1) alert them of a man-in-the-middle attack, or 2) get the instructions from tech support about how to deal with the proxy appropriately.
teoli2003
Posts: 5091
Joined: November 10th, 2005, 2:54 am
Contact:

Re: new ssl_error_bad_cert_domain error window

Post by teoli2003 »

I agree with you, you don't want to add an exception in most cases. Though if it is your university, or company, network, you may want to (or maybe not).

The problem is that right now, you can probably add an exception, but it is very, very complex (if not impossible), as is the analysis of what is happening.

The consequence is that it looks like Firefox is not working and the other browsers are.

In other words, not being able to safely upgrade add-ons, or not being able to connect safely via Firefox Sync, should not prevent you from using the unsafe (i.e. http and not https) part of the web. The problem is not that Firefox prevents extensions from being updated in the OP case, it is that the message about this problem is too invasive. It should be a message "à la" Firefox Sync, which got it right.