21

I keep receiving this message whenever I open any site from Google:

My Firefox is up-to-date, and so is my Windows 8.1. Since I don't know much about HSTS, I don't know what's going on, and obviously, I can't google it.

Using a VPN doesn't solve the problem. I am using Kaspersky Antivirus.

Anders
Eibo
  • 7
    Probably some capture portal, firewall with SSL interception, local AV with SSL interception or similar. You should at least be able to look at the certificate you got and can provide the details here for closer inspection. – Steffen Ullrich Apr 06 '16 at 07:42
  • You're right! It's my stupid Kaspersky AV. I stopped it and everything worked again ... thanks, you've saved my day :) – Eibo Apr 06 '16 at 07:46
  • There's no problem connecting to https://google.com via BlueCoat. Does Kaspersky enforce HTTP? – techraf Apr 06 '16 at 07:50
  • You can disable SSL scanning in Kaspersky. Find that option in your version and just disable it. –  Apr 06 '16 at 08:14
  • So, from a technical perspective ... what is the problem exactly? – Eibo Apr 06 '16 at 08:40
  • 1
    You have connected to Google.com but the response contains the HSTS header that forces all future connections to be made via HTTPS. However something is preventing the HTTPS connection with the previously loaded certificate. Your AV is using their own certificate but that one does not validate the same certificate path and thus the connection is cancelled because of safety and security concerns (MITM, sslstrip) – GiantTree Apr 06 '16 at 10:09

4 Answers

17

Kaspersky, like most AV products these days, is performing a local MITM against your secure HTTP traffic. It does this in order to be able to scan payloads in HTTP transactions, be it in the request or the response.

In order for this to be done correctly, Kaspersky has to generate its own root CA certificate, and generate spoofed certificates on the fly, feeding them to your browser. Kaspersky also has to install this CA into your operating system's Trusted Certificate store.

The reason why it needs to install it into the OS certificate store is because this is where most software looks to validate that the Certificate Authority who has issued the certificate it has received is a valid, trusted Authority. If that authority is not there, boom, you get this error.

Firefox is the only mainstream web browser that is paranoid. It refuses to trust your OS's cert store, precisely because it's so easy to simply install a fake CA into it and start MITM'ing people's connections. Instead, Firefox is distributed with a complete list of all CAs that Mozilla trusts.

What's cute about this is that it's not actually adding any security whatsoever. You can simply compile the open source Mozilla NSS package and, included in it, is a utility called CertUtil that can transparently inject certificates, even root CAs, into Firefox's trusted cert store. This does not require the user to accept it, nor does it even alert the user that this has happened. You can see how easy this is to do in a C# function I wrote here.

So what's happening here is that Kaspersky is not properly MITM'ing Firefox, so when Firefox gets fed certs issued by Kaspersky's CA, it's throwing all the alarms and screaming at you that you're under attack.

3

I had the same issue. Any website I went to wouldn't work. The computer's date was off and set back to 2006. I changed the system date by right-clicking on the date in the lower right toolbar of Windows. After that, Mozilla and Explorer both worked just fine.

  • 1
    To all those flagging these answers, I can replicate the behaviour on my Win10 Firefox. This is a legitimate answer. – schroeder Feb 04 '18 at 00:15
-2

I once ran into the same problem. Funnily enough, my solution was the date and time settings. Someone had changed the date on my computer to the year 2006. That was what was causing Firefox to act all buggy. Perhaps it could be the same problem?

Anders
  • 4
    Rejecting certificates with their date out of scope is not buggy at all, but the least one can expect from a trustworthy browser. – Marcel Mar 09 '17 at 09:20
  • 1
    To all those flagging these answers, I can replicate the behaviour on my Win10 Firefox. This is a legitimate answer. (except the "buggy" part ...) – schroeder Feb 04 '18 at 00:15
-3

I had the same issue after installing the latest Firefox. The date on my system was set in mm/dd/yyyy format. I changed it to dd-mm-yyyy format and it started working.

Addie
  • Answers stating "it happens to me" are not welcome since they do not provide a solution to the problem. Please rewrite your answer to include _how_ you changed the date – Purefan Mar 09 '17 at 10:01
  • 2
    That sounds like a change of locale, and I don't think it helps answer the question - did the change of date format on your machine cause HSTS to fail? If so, what steps did you take to return Firefox to a working state? – iwaseatenbyagrue Mar 09 '17 at 10:36
  • To all those flagging these answers, I can replicate the behaviour on my Win10 Firefox. This is a legitimate answer. – schroeder Feb 04 '18 at 00:15
  • @iwaseatenbyagrue the user appears to have answered your question already. I'm not sure that it is required to analyse how this caused a failure in HSTS. It is enough to be able to show that it applies to the question. – schroeder Feb 04 '18 at 00:19
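
The trust-store mismatch described in the top answer and the clock problem from the date answers can both be reproduced offline with the `openssl` CLI. This is an added example, not code from any poster: the CA names, the host `www.example.test` and both store files are constructed, and the "browser store" is only a PEM bundle standing in for a browser's own root list.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate is generated locally.
set -eu
d=$(mktemp -d)
cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_root() {   # $1 = file prefix, $2 = common name of a self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
    -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.pem" 2>/dev/null
}

trusts() {      # $1 = trust store (PEM bundle); extra args go to openssl verify
  store=$1; shift
  openssl verify -CAfile "$store" "$@" "$d/leaf.pem" >/dev/null 2>&1
}

verdict() { if trusts "$@"; then echo accepted; else echo rejected; fi; }

make_root public "Constructed Public Root"         # stands in for a real web CA
make_root av     "Constructed AV Inspection Root"  # created by the AV at install

# The inspecting AV answers for the site with a leaf it signs on the fly.
openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
  -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
openssl x509 -req -in "$d/leaf.csr" -CA "$d/av.pem" -CAkey "$d/av.key" \
  -CAcreateserial -days 30 -out "$d/leaf.pem" 2>/dev/null

cat "$d/public.pem" "$d/av.pem" > "$d/os_store.pem"  # AV root was installed here
cp  "$d/public.pem" "$d/browser_store.pem"           # browser's own list: no AV root

# The issuer field is the first thing to read when the warning appears.
leaf_issuer() { openssl x509 -in "$d/leaf.pem" -noout -issuer; }

leaf_issuer
echo "OS store:             $(verdict "$d/os_store.pem")"
echo "browser store:        $(verdict "$d/browser_store.pem")"
# Same trusted chain, evaluated as if the clock said 1 Jan 2006 (epoch seconds).
echo "OS store, clock 2006: $(verdict "$d/os_store.pem" -attime 1136073600)"
```

The same leaf is accepted by the store that contains the inspection root and rejected by the one that does not; with the verification time moved to 2006 it is rejected even by the store that trusts its issuer, because the certificates are not yet valid.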