No Google

This morning Kaspersky Security, which I have installed, asked to install a
security update. Referred to Firefox? Don't remember the details. I trust
Kaspersky, used it with no problem for many years. Now can't get Google to
work on Firefox. Says insecure connection and won't connect. However, MS
Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google has a
problem.

I hate to go back to a C backup. Too many chances for worse problems if
restore goes wrong.

Help!!

--
You know it's time to clean the refrigerator
when something closes the door from the inside.

KenK wrote:
This morning Kaspersky Security, which I have installed, asked to install a
security update. Referred to Firefox? Don't remember the details. I trust
Kaspersky, used it with no problem for many years. Now can't get Google to
work on Firefox. Says insecure connection and won't connect. However, MS
Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google has a
problem.

I hate to go back to a C backup. Too many chances for worse problems if
restore goes wrong.

Help!!

See if TLS 1.0, 1.1, and 1.2 are checked but not SSL 3.0.

Paul in Houston TX wrote in
:

KenK wrote:
This morning Kaspersky Security, which I have installed, asked to
install a security update. Referred to Firefox? Don't remember the
details. I trust Kaspersky, used it with no problem for many years.
Now can't get Google to work on Firefox. Says insecure connection and
won't connect. However, MS Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google
has a problem.

I hate to go back to a C backup. Too many chances for worse problems
if restore goes wrong.

Help!!

See if TLS 1.0, 1.1, and 1.2 are checked but not SSL 3.0.


Sorry, don't understand. This is all Kaspersky gives me:

"Your connection is not secure

"The owner of www.google.com has configured their website improperly. To
protect your information from being stolen, Firefox has not connected to
this website.

"This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox only connect to it securely. As a result, it is not possible to
add an exception for this certificate.

"Learn more…

"Report errors like this to help Mozilla identify misconfigured sites

"www.google.com uses an invalid security certificate.

"The certificate is not trusted because the issuer certificate is
unknown.
The server might not be sending the appropriate intermediate
certificates.
An additional root certificate may need to be imported.

"Error code: SEC_ERROR_UNKNOWN_ISSUER


--
You know it's time to clean the refrigerator
when something closes the door from the inside.

KenK wrote:
"Error code: SEC_ERROR_UNKNOWN_ISSUER

Google's security certificate/s are google certificating authority.

Sometimes security certificate problems can arise from your clock/date
being incorrect.

I notice that your Date in your message headers is like the date line
that news.individual.net stamps when the poster has not provided a Date
line or when the Date line information provided is 'out of whack'.

Suggestion: check your system's date/clock for accuracy.

--
Mike Easter

KenK wrote:
This morning Kaspersky Security, which I have installed, asked to install a
security update. Referred to Firefox? Don't remember the details. I trust
Kaspersky, used it with no problem for many years. Now can't get Google to
work on Firefox. Says insecure connection and won't connect. However, MS
Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google has a
problem.

I hate to go back to a C backup. Too many chances for worse problems if
restore goes wrong.

Help!!


SSL/TLS preference setting.

Take a look in about:config or something.
(In Firefox, type "about:config" into the URL bar,
and click "OK" when the warning pops up. There is
*no* undo in the interface. Simply have a look
around in there first. Do *not* delete a line of
text in there, as there is no way to put it back
unless you made a backup of prefs.js or similar.)

For HTTPS connections (Google can switch to them
automatically), encryption is used. There
is SSL and TLS. SSL is deprecated. We're supposed
to be using TLS. There were a number of different
exploits for secure connections, and bumping
the version is part of fixing that.

Normally, SSL/TLS supports "fallback". The two ends
will negotiate and select a weaker method automatically.
So in the old days, if all your browser supported was
SSL3.0, then that is what would be used. But you
can also adjust the browser preferences, so it will
not fall back. Causing a "failure to connect" to any
site stupid enough to have only SSL3.0. My browser
has SSL3 disabled on purpose (by me). But all it
supports is TLS 1.0, which is not the best.

It could be that Kaspersky has taken it upon itself,
to modify a related setting. Alternately, it could
have made changes to lots of other parts of the
OS. And I don't know if I could make a decent list
for you of what they might be.

Another area subject to recent change, is certificate
signing. Certificate signing has switched to
SHA2 (SHA256) from SHA1. Presumably a certificate
problem would have a different message on the screen.

https://blog.cloudflare.com/sha-1-de...r-left-behind/

To evaluate your browser now, you can use this.
You could compare your browser on the "broken" setup,
to some other computer which is not yet affected.

https://www.ssllabs.com/ssltest/viewMyClient.html

You can also test web sites. In this example,
a webmail server is being tested. Webmail should
use HTTPS. And so this test case is to see what
it requires of the browser, in order to work.
This test runs between ssllabs and the roadrunner
node, without the users machine being involved.

https://www.ssllabs.com/ssltest/

https://www.ssllabs.com/ssltest/anal...l.nycap.rr.com

#1 Certificate uses: "Signature algorithm SHA256withRSA"
#3 Certificate : "Signature algorithm SHA1withRSA WEAK"

Server supports TLS 1.0 and TLS 1.2. My copy of Firefox
used in the test, only covers TLS 1.0. So TLS 1.0 would
be considered the fallback. I have specifically turned
off SSL 3 in that copy of Firefox.

HTH,
Paul

KenK wrote:
Paul in Houston TX wrote in
:

KenK wrote:
This morning Kaspersky Security, which I have installed, asked to
install a security update. Referred to Firefox? Don't remember the
details. I trust Kaspersky, used it with no problem for many years.
Now can't get Google to work on Firefox. Says insecure connection and
won't connect. However, MS Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google
has a problem.

I hate to go back to a C backup. Too many chances for worse problems
if restore goes wrong.

Help!!
See if TLS 1.0, 1.1, and 1.2 are checked but not SSL 3.0.


Sorry, don't understand. This is all Kaspersky gives me:

"Your connection is not secure

"The owner of www.google.com has configured their website improperly. To
protect your information from being stolen, Firefox has not connected to
this website.

"This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox only connect to it securely. As a result, it is not possible to
add an exception for this certificate.

"Learn more…

"Report errors like this to help Mozilla identify misconfigured sites

"www.google.com uses an invalid security certificate.

"The certificate is not trusted because the issuer certificate is
unknown.
The server might not be sending the appropriate intermediate
certificates.
An additional root certificate may need to be imported.

"Error code: SEC_ERROR_UNKNOWN_ISSUER



I could find a couple examples that blame the AV
product setting as the root cause. But so far,
no explanation of what the AV product was actually
doing to the browser itself.

https://support.mozilla.org/en-US/questions/1106977

Paul

[Default] On 5 Jul 2016 16:51:05 GMT, in
microsoft.public.windowsxp.general KenK wrote:

This morning Kaspersky Security, which I have installed, asked to install a
security update. Referred to Firefox? Don't remember the details. I trust
Kaspersky, used it with no problem for many years. Now can't get Google to
work on Firefox. Says insecure connection and won't connect. However, MS
Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google has a
problem.

FWIW, I just got a script error on the google search page**. Their
daily cartoon, I guess. All my other pages now ask me before I let
them run scripts. 80% of the most common category of page asks me,
but about 90%+ of them work fine even when I don't answer.

**Firefox came with its own google search page, which wouldn't have
this problem but I don't remember what it was. Anyone know?

Also, I checked Stop Script and Don't ask me again, but I've never
found out what that means. It sounds like it means: Run the
standard length of time, maybe 15 seconds, and if you don't finish in
that time, stop yourself, and don't bother asking me if you should.
But I don't know.

I hate to go back to a C backup. Too many chances for worse problems if
restore goes wrong.

That's my feeling, but I've never actually done it.

Wait for another Kapersky update?
Help!!

Hello Paul,

Just reading through this thread,..

Would refreshing FF be of any help?

Robert

In article ,
, KenK says...

This morning Kaspersky Security, which I have installed, asked to install a
security update. Referred to Firefox? Don't remember the details. I trust
Kaspersky, used it with no problem for many years. Now can't get Google to
work on Firefox. Says insecure connection and won't connect. However, MS
Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google has a
problem.

I hate to go back to a C backup. Too many chances for worse problems if
restore goes wrong.

Help!!

Is your PC date and time good? Just that I've seen similar when the SSL
certs come up expired, cos the PC date is out by *miles* - like a year.
(Just a thought).

--
Duncan.

Mark Twain wrote:
Hello Paul,

Just reading through this thread,..

Would refreshing FF be of any help?

Robert

It's probably an Avast setting.

https://forum.avast.com/index.php?topic=158300.0

"Disable https scanning till avast has a fix for it"

You would go look for that setting in Avast.

Paul

KenK wrote:

This morning Kaspersky Security, which I have installed, asked to install a
security update. Referred to Firefox? Don't remember the details. I trust
Kaspersky, used it with no problem for many years. Now can't get Google to
work on Firefox. Says insecure connection and won't connect. However, MS
Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google has a
problem.

I hate to go back to a C backup. Too many chances for worse problems if
restore goes wrong.

Help!!

Kaspersky, Avast, Bitdefender, and other anti-virus software allow you
to interrogate your HTTPS (not just HTTP) web traffic to check for
malicious content. Intercepting HTTPS traffic is not possible without
using a MITM (man in the middle) scheme where your client connects to
their local proxy (instead of the target server) and their proxy
connects to the target server (pretending to be your client). That
requires installing a certificate to use since both ends of an HTTPS
connection must be secure. For their proxy to work, they need to use
their cert for your client to connect to it.

Mozilla decided to use a private certificate store. That is, Firefox
uses only those certificates that have been installed into its private
certificate store. No other program can use that private certificate
store. Mozilla has never divulged why they think they need a private
cert store when Internet Explorer and Chromium-based web browsers manage
just fine to use the global cert store (the one managed by the OS). The
global cert store can be seen using certmgr.msc. To see Firefox's
private cert store, you have to go into its config, Advanced,
Certificates, View Certificates.

Normally a program that needs to use its own certificate, like some
anti-virus programs and streaming capture software, installs it in the
global cert store. That is where the vast majority of apps put their
certs. With Mozilla, nope, the program has to install yet another copy
of its cert in Firefox's own private cert store.

You will find that programs that install their own certs work just fine
in other web browser than Firefox. IE uses the global cert store.
Google Chrome uses the global cert store. Mozilla had to make setup
more difficult by using their own private cert store. Imaging the mess
if every web-centric app managed its own private cert store. A program
that installed its cert would have to do so in the global cert store and
also in every app that had its own private cert store. In this regard,
Mozilla sucks. I use Firefox but it is a royal pain in the ass to use
it with programs that need to install a cert.

You will have to check where in Kaspersky you have it insert its cert
into Firefox's private cert store. With Avast (what I use), they don't
offer that feature. You have to uninstall Avast and then reinstall it.
Order of installation is important. If the AV program (or other
software that needs a cert) is installed before the web browser then it
may no means of installing their cert when you later install the web
browser (or any app with its own private cert store). You need to
install the web browser first so it exists when you install the
anti-virus software.

Some examples of software that use a MITM scheme that requires a cert:
Avast's HTTPS scanning
Applian Replay Media Capture aka Jakasta (capture video streams)

Kasperky also intercepts HTTPS to scan it. See:
https://support.kaspersky.com/6851

If Mozilla weren't such assholes and instead used the global certificate
store like everyone else then this problem would never crop up when
users update/upgrade their non-Mozilla software. Even Linux has its
global cert store so it is not an issue with Firefox being cross-
platform and Windows has a global store but Linux does not. For some
reason, Mozilla decided they would be in charge of what certs were
provided at install time.

For ANY software that incorporates its own certificate, and to use
Firefox with that software, it must install its cert into Firefox's
private cert store. Mozilla has set a bad precedent: if other programs
did the same, it would be a huge mess for one program to get its cert
installed into the private cert store of many other programs.

In message , Micky
writes:
[]
Also, I checked Stop Script and Don't ask me again, but I've never
found out what that means. It sounds like it means: Run the
standard length of time, maybe 15 seconds, and if you don't finish in
that time, stop yourself, and don't bother asking me if you should.
But I don't know.

I would guess it means stop script (immediately), and don't ask me again
under similar circumstances - either altogether, or if I visit that site
or page again, or ...
[]
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Today you wonder if the media has become the opposition - it's become the
political classes against 24-hour media.
Jon Culshaw [voice impressionist], in RT 2015/4/11-17

[Default] On Wed, 6 Jul 2016 20:05:06 +0100, in
microsoft.public.windowsxp.general "J. P. Gilliver (John)"
wrote:

In message , Micky
writes:
[]
Also, I checked Stop Script and Don't ask me again, but I've never
found out what that means. It sounds like it means: Run the
standard length of time, maybe 15 seconds, and if you don't finish in
that time, stop yourself, and don't bother asking me if you should.

Don't bother asking me next time.

But I don't know.

I would guess it means stop script (immediately), and don't ask me again
under similar circumstances - either altogether, or if I visit that site
or page again, or ...

I meant half of that, Stop immediately but future times run 15
seconds. But I can see your answer too. Maybe more clearly. The
eternal optimist, I figured it was worth 15 seconds each time on the
theory it was a fluke that it didnt' work and it will now. Or they
repaired it or the surrounding code since I blacklisted it.

I intended to make a list of script names (when they are given) but I
wasn't going to record website names and I can see now why that would
matter. But I didn't do it anyhow so it doesn't matter anymore.

I also googled the message and didn't find a good explanation, though
I didn't read every hit.

[]

[Default] On Tue, 05 Jul 2016 19:30:06 -0400, in
microsoft.public.windowsxp.general Micky
wrote:



FWIW, I just got a script error on the google search page**. Their

When I hadn't searched for anything yet. Hadn't put anything in its
search box.

daily cartoon, I guess. All my other pages now ask me before I let
them run scripts. 80% of the most common category of page asks me,
but about 90%+ of them work fine even when I don't answer.

**Firefox came with its own google search page, which wouldn't have
this problem but I don't remember what it was. Anyone know?

Solved that. The non-cartoon google page is accessible from the
search box, next to the location box in a toolbar. For me it is even
the default .

Dave Doe wrote in
:

In article ,
, KenK says...

This morning Kaspersky Security, which I have installed, asked to
install a security update. Referred to Firefox? Don't remember the
details. I trust Kaspersky, used it with no problem for many years.
Now can't get Google to work on Firefox. Says insecure connection and
won't connect. However, MS Internet Explorer works fine with Google.

I don't know how to back out of Kaspersky update. I doubt that Google
has a problem.

I hate to go back to a C backup. Too many chances for worse problems
if restore goes wrong.

Help!!

Is your PC date and time good? Just that I've seen similar when the
SSL certs come up expired, cos the PC date is out by *miles* - like a
year. (Just a thought).


That's not it. Time & date fine,

BTW, seems to be working again. Maybe a fix sent in daily database update?
Not been on line long enough to be sure - other home repair stuff taking up
my on-line time.


--
You know it's time to clean the refrigerator
when something closes the door from the inside.