Getting "Secured Connection Failed" error message on a website that always worked previously
Displays error: The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
Site could always be accessed previously and can be accessed using Chrome and IE
All Replies (12)
Can you post a link to a publicly accessible page (i.e. no authentication or signing on required)?
It is possible that the website uses a deprecated RC4 cipher suite.
- https://developer.mozilla.org/en-US/Firefox/Releases/36#Security
- https://developer.mozilla.org/en-US/Firefox/Releases/36/Site_Compatibility#Security
In Firefox 36 you could bypass this, but this is no longer possible in Firefox 37.
This is now a standard and already implemented in Firefox and other browsers will likely follow.
- RFC 7465 - Prohibiting RC4 Cipher Suites:
https://tools.ietf.org/html/rfc7465
Does this mean that there is no solution to the problem since it can no longer be bypassed? The website is for Merrick Bank- you would think that a large number of people would need to access it on a daily basis.
I don't know what they use. The URL is teradatanet.teradata.com.
You can lower security and allow to fallback to TLS 1.0 to see if that works on this website.
- security.tls.version.fallback-limit = 1
Be aware of the security risks involved with changing this and reset the pref when you are done with this website.
Okay, where do I set security.tls.version.fallback-limit? I tried application.ini but that doesn't appear to have any real meaning....
Does your login link look like this: https://login.merrickbank.com/
The site uses TLS 1.0 (an older version of SSL), which Firefox 37 views as obsolete. This is a change from Firefox 36.
Weirdly, if I click forgot password, a different server is used with a newer, more trustworthy secure certificate (green lock): https://logon.merrickbank.com/LogOnRegister/ForgotPasswordExAlt
And the login form on the "obsolete" page submits to that newer server. Confusing! They really should update this...
You can make a site-specific exception for the problem server:
Here's how:
(1) Copy the host name of the server address. This is the part between the https:// protocol and the next / character, and not including either of those. In this case: login.merrickbank.com
(2) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
(3) In the search box above the list, type or paste tls and pause while the list is filtered
(4) Double-click the security.tls.insecure_fallback_hosts preference to display a box where you can paste the copied host name. If you have something here already, add a comma at the end before pasting to separate the new host name from the previous name(s). Then click OK to save the change.
When you reload that site, Firefox 37 should show the page the same was as Firefox 36.
That did not seem to change anything. Maybe it's a different issue? I also noticed in about:config that security.tls.insecure_fallback_hosts.use_static_list is "true" - I guess that's proper.
I wish I could try forgetting the password but I don't get that far - the login page does not even come up. BTW, this is not the merrick site, and I don't know how you got that impression. As I said earlier it's teradatanet.teradata.com.
Hi GJColeman78, I see the confusion: you joined someone else's thread and your question actually is over here: https://support.mozilla.org/questions/1056008
So I'll post a reply for you in the other thread to relieve the poster here of having to read more of our discussion about this other site.
Oh! Thanks. I apologize for confusing things!
There is a built-in static list that can be disabled by setting security.tls.insecure_fallback_hosts.use_static_list to false.
- Bug 1114816 - Add a whitelist for domains that require non-secure TLS version fallback
- Bug 1128227 - Add a static TLS insecure fallback whitelist
Firefox 39 and later will also have pref for RC4.
- Bug 1138882 - Create a separate a pref to enable unrestricted RC4 fallback
Changing that preference in about:config worked like a charm. Thanks for the help...
Many thanks to cor-el & jscher2000 for their solutions. I had posted in March when the previous version of FF degraded the SSL certificate of my online bank (Intelligent Finance): https://support.mozilla.org/en-US/questions/1050629.
Comments there warned me that newer versions of FF would soon block access to my bank completely and that is exactly what has happened with the update to 37.0.1. I was getting the same "secure connection failed" message as the the one displayed by merrickbank. IE is still working for now but I was beginning to panic about losing access to my online bank accounts. I reported/complained to the bank last month about their weak encryption and they assured me the matter is being looked into, but still out of my hands.
Changing fallback to TLS 1 worked fine but making my.if.com a specific exception for the server also gave me back access to my bank and is probably the safer permanent solution until the bank sorts out their systems. Interesting that Intelligent Finance is not the only financial website still using weak & obsolete encryption.