MozillaZine

sec_error_untrusted_issuer

User Help for Mozilla Firefox
patrickdrd
 
Posts: 29
Joined: October 18th, 2007, 4:35 pm
Location: Athens, Greece
October 20th, 2008, 12:20 am

Hi guys,
I'm having problems with SSL sites,
I'm behind a proxy, using fx 3.0.3 (portable),
my time and date are set correctly
and the antivirus is McAfee and disabling it didn't fix my problem,
while IE shows everything properly

the error is:

Secure Connection Failed

[sitename] uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is not trusted.

(Error code: sec_error_untrusted_issuer)


Can somebody help me out?

Thanks in advance!

patrickdrd
 
October 20th, 2008, 12:37 am

actually after googling a lot,
found that the bank I work for,
puts its name on every certificate issuer!!!

i.e. when I enter ANY site,
I get the error "issuer certificate is not trusted"
and it's logical,
since it shows that the issuer for that certificate is always the bank!

The only way to solve this is adding every https site under the bank issuer certificate,
but is there a more "elegant" way of doing this?

Thanks in advance!

teoli2003
 
Posts: 3798
Joined: November 10th, 2005, 2:54 am
October 20th, 2008, 5:33 am

Add the certificate the bank used to create these certificates to your list of CAs.

patrickdrd
 
October 20th, 2008, 5:41 am

I don't think that this is the case,
i.e. the bank didn't create or issue these certificates,
but the proxy server somehow "takes over" from the certificate issuers and so fx shows the bank as the issuer

teoli2003
 
October 20th, 2008, 6:20 am

No, it does a 'Man-in-the-middle attack' (don't be scared by the word attack). It issues a new certificate for the server with itself as issuer and signs it with its private key (whose cert is sent to you during the SSL/TLS handshake).

If the certificate was tampered with, you would get another error (invalid certificate), as it wouldn't be able to fix its signature, and not (untrusted issuer), which means the cert is OK but I don't know the issuer.

Some of these proxies always use the same cert/private key to generate it (no problem, just add it to the CA trusted list), some use self-signed certificates (more problematic, as you can't distinguish one from your proxy (that you trust) from one of an attacker (that you won't trust)).
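
The behaviour described in the post above, reproduced offline with the openssl command line as an added example that is not part of the original thread. A locally generated CA stands in for the proxy's signing certificate; the names "Example Proxy CA" and "www.example.test" are constructed, and the example assumes an OpenSSL installation with its default configuration file.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated locally.
demo_dir=$(mktemp -d)
ca="$demo_dir/ca.pem"
leaf="$demo_dir/leaf.pem"

make_chain() {
    # Stand-in for the proxy's signing CA (hypothetical name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Proxy CA" \
        -keyout "$demo_dir/ca.key" -out "$ca" 2>/dev/null
    # Certificate the proxy would issue on the fly for a site (hypothetical host).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/leaf.csr" -days 2 \
        -CA "$ca" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$leaf" 2>/dev/null
}

# Prints "trusted" or "untrusted" for the leaf; extra arguments go to openssl verify.
check_leaf() {
    if openssl verify "$@" "$leaf" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

leaf_issuer()    { openssl x509 -noout -issuer -in "$leaf"; }
ca_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$ca"; }

make_chain
echo "issuer seen by the client: $(leaf_issuer)"
# The system trust store does not contain the constructed CA, so this fails.
echo "default trust store:       $(check_leaf)"
echo "proxy CA added as trusted: $(check_leaf -CAfile "$ca")"
# Compare this value with the one the proxy's administrators publish
# before importing the CA anywhere.
echo "CA to compare out of band: $(ca_fingerprint)"
```

The leaf's signature is valid in both runs; only the presence of its issuer in the trust store changes the result, which is the situation sec_error_untrusted_issuer reports.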

patrickdrd
 
June 19th, 2009, 2:26 am

when using foxyproxy,
the problem gets more serious, since:

When I click on add exception, it says
"Unable to obtain identification status for the given site"
(and of course NO WAY to add it)

Is there any way to bypass this?
