If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Tip: Kaspersky blocks Firefox's secure connections
Hi All,
This took a bit to figure out, so here goes ... -T Windows XP, Kaspersky Internet Security blocks Firefox's https connections as "insecure" Brute Force: -- Kaspersky -- settings -- Additional (left column) -- Network (right pane) -- check Encrypted Connecton Scanning "Do not scan encrypted connections" The "Official Way": Close Firefox and any running application. -- Kaspersky -- Settings -- Additional (left column) -- Network (right pane) -- Advanced Settings -- Install Certificate -- Show Certificate information -- click on Details Tab, Copy to File. Save DER file to Desktop as KASP.cer Note: you can't reuse this from another machine. -- Firefox -- Hamgurger (3 horizontal lines in the top right) -- Options -- Advanced -- Certificates tab -- view certificates -- Authorities tab -- make sure AO Kaspersky certificate does not exists (if it does delete it) -- click on import and then select KSAP.cer. Make sure all 3 boxes are ticked. -- Restart Firefox to resolve issue​ |
Ads |
#2
|
|||
|
|||
Tip: Kaspersky blocks Firefox's secure connections
T on 2017/01/20 wrote:
Hi All, This took a bit to figure out, so here goes ... -T Windows XP, Kaspersky Internet Security blocks Firefox's https connections as "insecure" Brute Force: -- Kaspersky -- settings -- Additional (left column) -- Network (right pane) -- check Encrypted Connecton Scanning "Do not scan encrypted connections" The "Official Way": Close Firefox and any running application. -- Kaspersky -- Settings -- Additional (left column) -- Network (right pane) -- Advanced Settings -- Install Certificate -- Show Certificate information -- click on Details Tab, Copy to File. Save DER file to Desktop as KASP.cer Note: you can't reuse this from another machine. -- Firefox -- Hamgurger (3 horizontal lines in the top right) -- Options -- Advanced -- Certificates tab -- view certificates -- Authorities tab -- make sure AO Kaspersky certificate does not exists (if it does delete it) -- click on import and then select KSAP.cer. Make sure all 3 boxes are ticked. -- Restart Firefox to resolve issue Mozilla decided not to use the global certificate store (the one managed by the OS) as does Internet Explorer, Google Chrome, and just about every other web browser. Mozilla has never explained why they believe they are better at determining how to manage a certificate store. As a result, Firefox does not use the certificates in the global certificate store -- the one you see by running certmgr.msc in Windows (don't know what the equivalent is in *NIX). If you want a security product, or any program, to intercept HTTPS web traffic then a cert must be installed into Firefox's private cert store. For other web browsers, the same is performed in the global cert store. For example, I use a video stream capture tool (Applian Replay Media Catcher which is a rebranded version of Jaksta). To intercept HTTPS traffic requires that its cert get put into whichever cert store the web browser uses. For Firefox, that is its private cert store. For other web browsers, that is the global cert store. It took awhile of dialog with Applian for them to figure out why their interception proxy wasn't working for HTTPS with Firefox but eventually they realized that all they had to do was install their cert into Firefox's private cert store and, voila, their product worked with that web browser. Anti-virus programs that have the option to intercept HTTPS traffic work the same way: install a root cert to perform a MITM (Man In The Middle) attack. Companies use this same root cert scheme for MITM attacks to monitor the secured network traffic on their workstations. If you do not allow their root cert to get installed into whichever cert store gets used by a client then that product cannot intercept the HTTPS web traffic. Well, they could intercept but interrogation would be useless because the traffic is encrypted. They need the cert in a MITM scenario so the client thinks it has connected to the other endpoint (the HTTPS site) while the site thinks it is connected to your endpoint (your web client). The proxy intercepts the web traffic and for HTTPS pretends it is the target site. The proxy pretends to the target site that it is your web client. Applian's Replay Media Catcher has an option (overly buried) to reinstall their cert into both the global cert store and into Firefox' private cert store. Certs expire so eventually Applian has to include a new one in an update. Certs can also get removed or corrupted so a working cert must be reinstalled. I don't use Kaspersky but apparently you found its config option on how to reinstall its cert. Otherwise, you could simply disable HTTPS scanning in Kaspersky which means it cannot interrogate your HTTPS web traffic to determine if there is malicious content or sources. This is not a unique situation with Kaspersky. Any program that relies on using a local cert (global or private store) to perform a MITM attack must have a valid root cert in place. I've mentioned a non-security product (Applian) that uses the same scheme. Anything that wants to interrogate your HTTPS traffic has to perform a MITM attack. Brute force decryption is beyond the capabilities of your home PC so malware won't bother a MITM that way. They may, however, attempt to the get user to grant installation of their own cert so the malware can then intercept your HTTPS traffic. |
#3
|
|||
|
|||
Tip: Kaspersky blocks Firefox's secure connections
I just found the following article:
https://wiki.mozilla.org/CA:AddRootToFirefox So now Firefox can supposedly be configured to use the global certificate store (managed by the OS). However, with Mozilla's history of giving and taking away, I would not rely on this option remaining permanently available in all subsequent versions of Firefox. Note that the article does not say that Firefox will actually use the global certificate store. If security.enterprise_roots.enabled = true then Firefox will *import* the global certificates but will continue to hide those global certs in its own private cert manager. Root certs are not included until Firefox version 52, so the MITM scheme used to interrogate HTTPS web traffic (by anti-virus or streaming capture tools) will still not work. The user must still ensure those tools install their MITM root certs into Firefox's private cert store ... for now. Since old versions of Firefox will still linger in use for many years after version 52, tools that use the root cert MITM scheme will still have to go through the hassle of installing their root cert into Firefox's private cert store along with installing it in the global cert store for as many years. https://www.mozilla.org/en-US/about/...y-group/certs/ That gives a starting point regarding Mozilla's private certificate store in Firefox. I've gone through all that before but do not recall that Mozilla ever provided qualification as to why users cannot trust the global certificate store. Sorry, I don't know the clinic term for "control freak". It might be Obsessive Compulsive Personality Disorder (OCPD) although that doesn't exclude Narcissistic Personality Disorder. |
#4
|
|||
|
|||
Tip: Kaspersky blocks Firefox's secure connections
On 01/20/2017 10:15 PM, VanguardLH wrote:
I just found the following article: https://wiki.mozilla.org/CA:AddRootToFirefox So now Firefox can supposedly be configured to use the global certificate store (managed by the OS). However, with Mozilla's history of giving and taking away, I would not rely on this option remaining permanently available in all subsequent versions of Firefox. Note that the article does not say that Firefox will actually use the global certificate store. If security.enterprise_roots.enabled = true then Firefox will *import* the global certificates but will continue to hide those global certs in its own private cert manager. Root certs are not included until Firefox version 52, so the MITM scheme used to interrogate HTTPS web traffic (by anti-virus or streaming capture tools) will still not work. The user must still ensure those tools install their MITM root certs into Firefox's private cert store ... for now. Since old versions of Firefox will still linger in use for many years after version 52, tools that use the root cert MITM scheme will still have to go through the hassle of installing their root cert into Firefox's private cert store along with installing it in the global cert store for as many years. https://www.mozilla.org/en-US/about/...y-group/certs/ That gives a starting point regarding Mozilla's private certificate store in Firefox. I've gone through all that before but do not recall that Mozilla ever provided qualification as to why users cannot trust the global certificate store. Sorry, I don't know the clinic term for "control freak". It might be Obsessive Compulsive Personality Disorder (OCPD) although that doesn't exclude Narcissistic Personality Disorder. Explains a lot. Thank you! |
#5
|
|||
|
|||
Tip: Kaspersky blocks Firefox's secure connections
On Fri, 20 Jan 2017 17:15:20 -0800, T wrote:
Windows XP, Kaspersky Internet Security blocks Firefox's https connections as "insecure" Even without Kaspersky, the trend to turn all websites to HTTPS is the end of the web that we once knew. Lately it seems all I do is fight with websites popping up repeated security warnings, or simply refusing to load at all. That's using XP and one of the latest versions of Firefox. An older computer, which has Window 98 and 2000 installed, I can no longer open any (secured) websites. Once again, the internet confinues to degrade due to over exxagerated fears of viruses and other malware. I used to be able to use the internet. Now, its become worthless. And the biggest joke of all, is that I have never gotten any serious malware from the internet in around 20 years of use. Sure, I've gotten a few of the trackers that send me ads, but very few. The only REAL virus I have ever gotten was from a computer I bought on ebay, that came with XP installed, along with a nasty virus. Personally, I'd rather deal with an occasional tracker, than to cope with the never ending and constant security warnings I am getting now, which often cause me to actually have to close my browser, and clear the cache, along with disconnecting from the internet and reconnecting. Why the hell do sites like Wikipedia need all this security? It's assinine. And not only does it cause all these hassles, but it also slows down browsing speed by at least 25%. I'm not paying for internet service to make my life miserable, and I have already told my ISP to disconnect my service at the end of the month. All I'm doing is paying money to have websites **** me off. Not to provide information and useful services. I spent the first 2/3 of my life without the internet, and it's time to go back to using the local library for info, shopping in brick and mortar stores, and contacting friends by telephone. First usenet died, now the web is nearly gone. Fu*k the internet! |
Thread Tools | |
Display Modes | |
|
|