https security error: Connection verified by a certificate issuer that is not recognized by Mozilla
Hello, I am running Firefox on a W10-Pro PC. I always click the lock to check certificate validation. In the last month I keep seeing "Connection verified by a certificate issuer that is not recognized by Mozilla".
When I click for more information I see that "Norton Web/Mail Shield" does not recognize the certificate issuer. When I click on Learn More it takes me to a Firefox site "How to disable the Enterprise Roots preference" I also checked W10 certmgr.msc and I see Norton is listed. Images included below. I would love to resolve this issue. Thank you for your time.
Wšykne wótegrona (9)
Firefox/Mozilla doesn't certify certificate that is done by another organization and if the certificate is invalid or out of date then it's up to one owning the certificate to update to allow access with the certificate to be used. Ad Norton also gave you the same error message so this isn't a Firefox issue.
Mark, Thank you for the reply. Unfortunately your reply does not help me solve my issue. I did not include anything that says Norton gave me the same error message. As far as I can tell a Norton Certificate (which date appears valid) is in the W10-Pro Trusted certificate list as well as within the Firefox certificate list. Currently I am not trusting (using) Firefox with any accounts that require passwords.
If not Norton - Firefox isn't the issuing certificate it's verifies it's up to date and matches certification that should be for site or whom issuing it and if it fails then the Browser will protects itself from malicious certificates. So you should ask the site that uses to do their proper checks.
My apologizes, but I still don't understand your response.
I open a URL with FIrefox in protected mode, the page opens and I click on the lock icon, I check that the connection is secure and who it is verified by. If I'm happy with the verifier I continue.
Over the last couple of weeks its almost always Norton is the verifier. Click on the lock, Firefox responds with three lines of text. It tells me "You are securely connected to this site". next line Verified by: Norton Web/Mail Shield. In the next line Firefox says: Mozilla does not recognize this certificate issuer. It may have been added from your OS or by an administrator.
The certificate managers for Microsoft W10-Pro and Firefox both show Norton Web/Mail Shield Root with a date 1/1/2010 - 1/1/2040.
So my dilemma is: why does Firefox permit me access to the URL when it has no recognition of the certificate issuer?
This morning, using Firefox I opened several URL's and everyone was certified by Norton. I moved to Microsoft Edge and opened the same URL's and got a variety of certifiers, none were Norton.
Some sites permits access but it does say use at your own risk. Without a url of the problem site no one will know why it's doing that. How Norton verifies that's Norton not Firefox.
Your Firefox is configured to trust Norton web shield as a certificate issuer. This is standard for security software that filters your web browsing. Here's why: if the traffic is encrypted between Firefox and the web server, Norton -- which runs outside of Firefox -- can't read it and therefore can't block or clean it. In order to work as a filter, Norton sets up as a "man in the middle" and there are two separate encrypted connections: one between Firefox and the filter, and one between the filter and the web server.
Now normally Firefox will refuse to connect when there is a man in the middle because the fake site certificate can't be validated up to a trusted authority certificate. That's why the browser needs to be set to trust Norton web shield as an issuer of fake website certificates. There are two methods for that:
(1) import an Authority certificate into Firefox (your fourth screenshot) or
(2) set Firefox to use the Windows certificate store ("Enterprise roots"), which apparently is easier for security software to update
Hopefully that clarifies the situation. Next is what to do about it. What is your preference?
(A) You want your Norton software to continue filtering your browsing
In this case, there really isn't anything to change.
(B) You want Firefox to bypass Norton and connect to HTTPS addresses directly
I think you would go into the Norton web shield settings and tell it not to intercept Firefox traffic, or not to intercept HTTPS/secure traffic from Firefox, but I haven't researched what Norton's settings look like.
Hi jscher2000, Thank you for your response. I get the idea as to how things should work.
1). This all started less than a month ago. No new browsers, no new Norton... 2). Norton always asks if I want to install their protection into the browsers I use. I always refuse those requests. 3). In the last week no matter what URL I open the lock shows "Norton Web/Mail Shield Root". 4). Microsoft Edge shows many different Certifiers and and occasionally "Norton Web/Mail Shield Root".
Why do you say Firefox is configured to trust Norton web shield as a certificate issuer when Firefox states "Mozilla does not recognize this certificate issuer". There is a disconnect here. I've lost my trust Firefox.
I do not want to bypass certification in any way.
Does Mozilla support monitor this forum?
Hello again, I just looked at Firefox Certificate Manager (under Privacy/Security). Might this have something to do with my problem? Photo included
All the entries within the Certificate manager "Security Device" column say "Builtin Object Token" except Norton Web/Mail Shield Root which says "Software Security Device". Thank you.
Yes, that is the Norton root certificate that Firefox has imported from the Windows certificate store and that is needed to prevent a SEC_ERROR_UNKNOWN_ISSUER error. This discussed in this support article.