Does Firefox V57 change or affect any system settings?
Background:
We have three computers on a home network, all sharing the same public view through the router. Two are mine, one running Windows 7 and one running Linux. The third is my wife's, running Windows 7. I rely on a number of legacy add-ons, so I ensured that Firefox did not upgrade to V57 on my two machines. My wife's machine was set to auto-upgrade, and it upgraded to V57 a couple of days ago.
The next day, her computer was unable to connect to two of her websites (and only those two; all of her other sites worked fine). I could immediately connect to both problem websites on both of my computers using any browser. So the issue was specific to her computer.
But there was a twist. Those two websites (and only those two) were also unreachable using any other browser on her machine. Firefox produced a message "Secure connection failed...because the authenticity of the received data could not be verified". Other browsers simply timed out.
Among the diagnostics I performed was to disable the Windows firewall to see if something had changed there that was blocking those sites. It didn't make any difference and I turned the firewall back on. Those sites remained inaccessible.
The next day when my wife booted up, the computer displayed a Windows security alert that the firewall had blocked some features of Firefox. I looked at the firewall settings, and inbound traffic for Firefox was blocked (the only user program, and the only thing blocked). Firefox appears to work normally. Those two sites are accessible on her computer again; not just in Firefox but in the other browsers as well.
Apparently, V57 gave the firewall indigestion that affected all browsers. Switching the firewall off and back on triggered a reassessment. On my own Windows machine, Firefox (V56) is listed in the Windows firewall settings with an inbound rule, but it is fully allowed. Blocking Firefox V57 stopped the blocking applied to all other browsers. I can't rule out the possibility that Firefox was open when I tested the other browsers, so it's possible that the blocking behavior seen by the other browsers resulted from the firewall actively reacting to Firefox rather than a change that remained in effect when Firefox was not open.
Question:
It appears that Firefox is not simply operating within the environment provided by the system. For all other browsers to be affected, Firefox V57 must have changed, or at least affected, the environment that all browsers work in. So my question:
- Does V57 installation/upgrade explicitly change any system settings relating to networking or security?
- If not, what is different in V57 vs. V56 that makes it necessary for the firewall to block V57 incoming traffic but not V56?
Modified
Chosen solution
I realized that there is a simpler explanation; it could well be that V57 does not have different risks from V56. The problem resulted just from the auto-updater failing to replace the firewall rules.
The Windows firewall doesn't have a mechanism to assess risks and capabilities on a per-application basis. If the Firefox updater had replaced the firewall rules, it may have allowed all traffic based on knowledge of the product's capabilities. Windows Firewall just defaults to "safe" rules, which include blocking unsolicited incoming traffic.
So I'm going to consider the problem closed. (See additional discussion in my 11/24/17, 5:42 PM reply.)
Read this answer in context 👍 0All Replies (6)
There is security software like Avast, Kaspersky, BitDefender and ESET that intercept secure connections and send their own certificate.
https://support.mozilla.org/en-US/kb/firefox-cant-load-websites-other-browsers-can
https://support.mozilla.org/en-US/kb/firefox-and-other-browsers-cant-load-websites
https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message
https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
FredMcD, thanks for responding. I'm not making the connection, though, to how that information addresses the question. The question isn't about why certain sites have a problem. It's about how and why V57 affects the computer's networking/security operation, especially the Windows firewall. It requires a different setting from V56 for incoming traffic (blocked instead of allowed), or the firewall blocks certain sites for all browsers (at least if Firefox is open at the time).
The auto-upgrade doesn't deal with this, leaving a problematic installation (that isn't a problem for any other browser). I also haven't found anything explaining why incoming traffic needs to be blocked in the firewall for V57. And since the sites work when the firewall is configured to block incoming traffic, the TLS issue almost seems irrelevant, like a generic message Firefox puts up when the firewall isn't sending data back.
Modified
I do know that when you close Firefox it pings back but to what server I do not know you would have to use some Dos tools to watch and to run to pickup all that is going on. For use to say as Support Volunteers no idea.
Generally should not have a issue, friend uses a hard firewall and no problems, I use Norton, no problems.
Most often there is a icon up next to the padlock and you can grant sites permission or exempt them from that error. It is random websites. So the cure is not universal other than to keep trying to get in and click the icon. If you see one that looks like a Lego block that is Flash asking permission.
We have stuff that we give, but it is not working. Eventually you do get in, may have to delete cache and cookies for the site/s.
Please let us know if this solved your issue or if need further assistance.
Pkshadow, thanks for the response. I can appreciate that there are so many variables that problems with any specific site can be close to random. It is often easier to just use some generic tools and workarounds to solve issues with a specific site, at least as a first step, than to figure out what the specific problem with it is.
My question isn't really about getting into problem sites. It's about differences between V56 and V57 that affect the Windows 7 firewall, at least in some cases, and what may be a bug in the installation/upgrade. If what I experienced is a bug, it can be fixed so others aren't affected, or at least a workaround will be available.
After reviewing all of my own diagnostic steps, I'm guessing that this is what might have happened in my case:
- The auto-upgrade from V56 to V57 deleted the Firefox V56 entries in the firewall rules but failed to replace them with new entries for V57. (The computer with V56 has firewall entries that fully allow incoming and outgoing traffic for Firefox but I didn't see any Firefox entries on the problem computer after upgrade.)
- Without explicit rules, the firewall isn't surgical as to risks. So if there are security concerns about a site based on outdated TLS mechanisms that make it a risk for unsolicited incoming traffic, the site is blocked for any traffic.
- With no firewall entries for Firefox V57, the firewall allowed Firefox to operate with traffic from "safe sites", but blocked traffic from the two sites based on their using outdated security mechanisms. If the same bug happened to other users, they might be unaware of any issue if they do not try to access a website using outdated security.
- When I tested other browsers, Firefox was still open. The firewall blocked the "problem" sites for all browsers by blocking them for Firefox.
- My diagnostic steps of disabling the firewall and then turning it back on triggered the firewall to reassess the environment on the next reboot. It created rules for Firefox that included blocking incoming traffic.
- With those rules in place, there was no longer an issue with the "problem" sites, so they worked again in Firefox. They also worked again in the other browsers, but they might have previously worked with the other browsers, anyway, if Firefox had not been open.
So I have a plausible explanation for the problems encountered, and triggering the firewall to update its settings would be a workaround for others with the same problem.
However, that still doesn't explain what is different in V57 that the firewall sees as an issue that was not the case for V56.
Modified
I really do not know. You would have to hit up the technical/security sites. To see what they have said in Firefox reviews.
I do not have anything good to say about Windows Firewall other than they should leave that and A/V to the professionals.
May I suggest you try https://www.sevenforums.com/ is well respected. Microsoft site : https://social.technet.microsoft.com/Forums/windows/en-US/home?category=w7itpro
This would be a Microsoft Bug so could look in technet if a place to file a report.
As for Linux know it a little, installed it, played then toasted it.
Good luck with that last little bit.
Chosen Solution
I realized that there is a simpler explanation; it could well be that V57 does not have different risks from V56. The problem resulted just from the auto-updater failing to replace the firewall rules.
The Windows firewall doesn't have a mechanism to assess risks and capabilities on a per-application basis. If the Firefox updater had replaced the firewall rules, it may have allowed all traffic based on knowledge of the product's capabilities. Windows Firewall just defaults to "safe" rules, which include blocking unsolicited incoming traffic.
So I'm going to consider the problem closed. (See additional discussion in my 11/24/17, 5:42 PM reply.)
Modified