A Windows XP help forum. PCbanter


Tip: Kaspersky blocks Firefox's secure connections



 
 
  #1  
Old January 21st 17, 02:15 AM posted to microsoft.public.windowsxp.general
T
external usenet poster
 
Posts: 4,600
Default Tip: Kaspersky blocks Firefox's secure connections

Hi All,

This took a bit to figure out, so here goes ...

-T



Windows XP, Kaspersky Internet Security blocks Firefox's https
connections as "insecure"


Brute Force:
-- Kaspersky
-- settings
-- Additional (left column)
-- Network (right pane)
-- check Encrypted Connection Scanning "Do not scan
encrypted connections"

The "Official Way":

Close Firefox and any running application.

-- Kaspersky
-- Settings
-- Additional (left column)
-- Network (right pane)
-- Advanced Settings
-- Install Certificate
-- Show Certificate information
-- click on Details Tab, Copy to File.
Save DER file to Desktop as KASP.cer
Note: you can't reuse this from another machine.

-- Firefox
-- Hamburger (3 horizontal lines in the top right)
-- Options
-- Advanced
-- Certificates tab
-- view certificates
-- Authorities tab

-- make sure AO Kaspersky certificate does not
exist (if it does, delete it)
-- click on import and then select KASP.cer. Make
sure all 3 boxes are ticked.

-- Restart Firefox to resolve issue
  #2  
Old January 21st 17, 06:48 AM posted to microsoft.public.windowsxp.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Tip: Kaspersky blocks Firefox's secure connections

T on 2017/01/20 wrote:

Hi All,

This took a bit to figure out, so here goes ...

-T

Windows XP, Kaspersky Internet Security blocks Firefox's https
connections as "insecure"

Brute Force:
-- Kaspersky
-- settings
-- Additional (left column)
-- Network (right pane)
-- check Encrypted Connection Scanning "Do not scan
encrypted connections"

The "Official Way":

Close Firefox and any running application.

-- Kaspersky
-- Settings
-- Additional (left column)
-- Network (right pane)
-- Advanced Settings
-- Install Certificate
-- Show Certificate information
-- click on Details Tab, Copy to File.
Save DER file to Desktop as KASP.cer
Note: you can't reuse this from another machine.

-- Firefox
-- Hamburger (3 horizontal lines in the top right)
-- Options
-- Advanced
-- Certificates tab
-- view certificates
-- Authorities tab

-- make sure AO Kaspersky certificate does not
exist (if it does, delete it)
-- click on import and then select KASP.cer. Make
sure all 3 boxes are ticked.

-- Restart Firefox to resolve issue


Mozilla decided not to use the global certificate store (the one managed
by the OS) as does Internet Explorer, Google Chrome, and just about
every other web browser. Mozilla has never explained why they believe
they are better at determining how to manage a certificate store.

As a result, Firefox does not use the certificates in the global
certificate store -- the one you see by running certmgr.msc in Windows
(don't know what the equivalent is in *NIX). If you want a security
product, or any program, to intercept HTTPS web traffic then a cert must
be installed into Firefox's private cert store. For other web browsers,
the same is performed in the global cert store.

For example, I use a video stream capture tool (Applian Replay Media
Catcher which is a rebranded version of Jaksta). To intercept HTTPS
traffic requires that its cert get put into whichever cert store the web
browser uses. For Firefox, that is its private cert store. For other
web browsers, that is the global cert store. It took awhile of dialog
with Applian for them to figure out why their interception proxy wasn't
working for HTTPS with Firefox but eventually they realized that all
they had to do was install their cert into Firefox's private cert store
and, voila, their product worked with that web browser. Anti-virus
programs that have the option to intercept HTTPS traffic work the same
way: install a root cert to perform a MITM (Man In The Middle) attack.
Companies use this same root cert scheme for MITM attacks to monitor the
secured network traffic on their workstations.

If you do not allow their root cert to get installed into whichever cert
store gets used by a client then that product cannot intercept the HTTPS
web traffic. Well, they could intercept but interrogation would be
useless because the traffic is encrypted. They need the cert in a MITM
scenario so the client thinks it has connected to the other endpoint
(the HTTPS site) while the site thinks it is connected to your endpoint
(your web client). The proxy intercepts the web traffic and for HTTPS
pretends it is the target site. The proxy pretends to the target site
that it is your web client.

Applian's Replay Media Catcher has an option (overly buried) to
reinstall their cert into both the global cert store and into Firefox's
private cert store. Certs expire so eventually Applian has to include a
new one in an update. Certs can also get removed or corrupted so a
working cert must be reinstalled. I don't use Kaspersky but apparently
you found its config option on how to reinstall its cert. Otherwise,
you could simply disable HTTPS scanning in Kaspersky which means it
cannot interrogate your HTTPS web traffic to determine if there is
malicious content or sources.

This is not a unique situation with Kaspersky. Any program that relies
on using a local cert (global or private store) to perform a MITM attack
must have a valid root cert in place. I've mentioned a non-security
product (Applian) that uses the same scheme. Anything that wants to
interrogate your HTTPS traffic has to perform a MITM attack. Brute
force decryption is beyond the capabilities of your home PC so malware
won't bother a MITM that way. They may, however, attempt to get the
user to grant installation of their own cert so the malware can then
intercept your HTTPS traffic.
  #3  
Old January 21st 17, 07:15 AM posted to microsoft.public.windowsxp.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Tip: Kaspersky blocks Firefox's secure connections

I just found the following article:

https://wiki.mozilla.org/CA:AddRootToFirefox

So now Firefox can supposedly be configured to use the global
certificate store (managed by the OS). However, with Mozilla's history
of giving and taking away, I would not rely on this option remaining
permanently available in all subsequent versions of Firefox.

Note that the article does not say that Firefox will actually use the
global certificate store. If security.enterprise_roots.enabled = true
then Firefox will *import* the global certificates but will continue to
hide those global certs in its own private cert manager. Root certs are
not included until Firefox version 52, so the MITM scheme used to
interrogate HTTPS web traffic (by anti-virus or streaming capture tools)
will still not work. The user must still ensure those tools install
their MITM root certs into Firefox's private cert store ... for now.

Since old versions of Firefox will still linger in use for many years
after version 52, tools that use the root cert MITM scheme will still
have to go through the hassle of installing their root cert into
Firefox's private cert store along with installing it in the global cert
store for as many years.

https://www.mozilla.org/en-US/about/...y-group/certs/

That gives a starting point regarding Mozilla's private certificate
store in Firefox. I've gone through all that before but do not recall
that Mozilla ever provided qualification as to why users cannot trust
the global certificate store. Sorry, I don't know the clinical term for
"control freak". It might be Obsessive Compulsive Personality Disorder
(OCPD) although that doesn't exclude Narcissistic Personality Disorder.
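
The behaviour described in the post above can be checked per Firefox profile. This is an added example, not part of the post or of any Mozilla code: it reads the profile's preference files and reports whether Firefox will pick up roots from the OS certificate store or still needs an interception product's root imported into its private store. The function names and sample contents are constructed; reading the version from `compatibility.ini`, letting `user.js` override `prefs.js`, and the version 52 cutoff (taken from the post) are assumptions.

```python
import re

# Matches lines such as: user_pref("security.enterprise_roots.enabled", true);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
PREF = "security.enterprise_roots.enabled"
MIN_VERSION = 52  # per the post: root certs are not picked up before Firefox 52


def read_pref(text, name):
    """Return the last value set for `name` in a prefs file, or None."""
    value = None
    for key, raw in PREF_RE.findall(text):
        if key == name:
            value = raw.strip().lower() == "true"
    return value


def major_version(compat_ini):
    """Extract the major version from compatibility.ini's LastVersion line."""
    m = re.search(r"^LastVersion=(\d+)", compat_ini, re.M)
    return int(m.group(1)) if m else None


def audit_profile(prefs_js, user_js, compat_ini):
    """Decide whether this profile trusts roots from the OS certificate store."""
    # Assumption: user.js is applied on every start and overrides prefs.js.
    enabled = read_pref(user_js, PREF)
    if enabled is None:
        enabled = read_pref(prefs_js, PREF)
    enabled = bool(enabled)  # an unset pref means the default, false
    version = major_version(compat_ini)
    uses_os_roots = enabled and version is not None and version >= MIN_VERSION
    return {"pref": enabled, "version": version, "uses_os_roots": uses_os_roots,
            "needs_manual_import": not uses_os_roots}


# Constructed sample profile contents (not taken from a real machine).
SAMPLES = {
    "old-esr": ('user_pref("security.enterprise_roots.enabled", true);\n', "",
                "[Compatibility]\nLastVersion=45.9.0_20170411115307/20170411115307\n"),
    "current": ('user_pref("browser.startup.page", 3);\n',
                '// deployed by admin\nuser_pref("security.enterprise_roots.enabled", true);\n',
                "[Compatibility]\nLastVersion=52.0_20170302120751/20170302120751\n"),
}

if __name__ == "__main__":
    for name, files in SAMPLES.items():
        print(name, audit_profile(*files))
```

A profile that reports `uses_os_roots` also trusts any root later added to the Windows store, so the store shown by certmgr.msc is worth reviewing on those machines.
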
  #4  
Old January 21st 17, 09:34 PM posted to microsoft.public.windowsxp.general
T
external usenet poster
 
Posts: 4,600
Default Tip: Kaspersky blocks Firefox's secure connections

On 01/20/2017 10:15 PM, VanguardLH wrote:
I just found the following article:

https://wiki.mozilla.org/CA:AddRootToFirefox

So now Firefox can supposedly be configured to use the global
certificate store (managed by the OS). However, with Mozilla's history
of giving and taking away, I would not rely on this option remaining
permanently available in all subsequent versions of Firefox.

Note that the article does not say that Firefox will actually use the
global certificate store. If security.enterprise_roots.enabled = true
then Firefox will *import* the global certificates but will continue to
hide those global certs in its own private cert manager. Root certs are
not included until Firefox version 52, so the MITM scheme used to
interrogate HTTPS web traffic (by anti-virus or streaming capture tools)
will still not work. The user must still ensure those tools install
their MITM root certs into Firefox's private cert store ... for now.

Since old versions of Firefox will still linger in use for many years
after version 52, tools that use the root cert MITM scheme will still
have to go through the hassle of installing their root cert into
Firefox's private cert store along with installing it in the global cert
store for as many years.

https://www.mozilla.org/en-US/about/...y-group/certs/

That gives a starting point regarding Mozilla's private certificate
store in Firefox. I've gone through all that before but do not recall
that Mozilla ever provided qualification as to why users cannot trust
the global certificate store. Sorry, I don't know the clinical term for
"control freak". It might be Obsessive Compulsive Personality Disorder
(OCPD) although that doesn't exclude Narcissistic Personality Disorder.



Explains a lot. Thank you!
  #5  
Old February 7th 17, 08:13 AM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 57
Default Tip: Kaspersky blocks Firefox's secure connections

On Fri, 20 Jan 2017 17:15:20 -0800, T wrote:


Windows XP, Kaspersky Internet Security blocks Firefox's https
connections as "insecure"


Even without Kaspersky, the trend to turn all websites to HTTPS is the
end of the web that we once knew.

Lately it seems all I do is fight with websites popping up repeated
security warnings, or simply refusing to load at all. That's using XP
and one of the latest versions of Firefox.

An older computer, which has Windows 98 and 2000 installed, I can no
longer open any (secured) websites.

Once again, the internet continues to degrade due to over exaggerated
fears of viruses and other malware. I used to be able to use the
internet. Now, it's become worthless. And the biggest joke of all, is
that I have never gotten any serious malware from the internet in around
20 years of use. Sure, I've gotten a few of the trackers that send me
ads, but very few. The only REAL virus I have ever gotten was from a
computer I bought on ebay, that came with XP installed, along with a
nasty virus.

Personally, I'd rather deal with an occasional tracker, than to cope
with the never ending and constant security warnings I am getting now,
which often cause me to actually have to close my browser, and clear the
cache, along with disconnecting from the internet and reconnecting.

Why the hell do sites like Wikipedia need all this security? It's
asinine. And not only does it cause all these hassles, but it also
slows down browsing speed by at least 25%.

I'm not paying for internet service to make my life miserable, and I
have already told my ISP to disconnect my service at the end of the
month. All I'm doing is paying money to have websites **** me off. Not
to provide information and useful services. I spent the first 2/3 of my
life without the internet, and it's time to go back to using the local
library for info, shopping in brick and mortar stores, and contacting
friends by telephone.

First usenet died, now the web is nearly gone. Fu*k the internet!


 





All times are GMT +1.

