66

After installing Firefox 54.0.1 on my work laptop, the first page I see warns me that "Your connection is not secure" when opening https://www.mozilla.org/.

Connection to Mozilla is not secure
"The owner of Firefox has configured their website improperly"

After browsing a bit more, I noticed that Firefox wasn't just reporting errors for Mozilla.

Firefox is reporting HTTPS security errors for Google, Microsoft, Dropbox, GitHub, Wikipedia, LastPass, Netflix, Facebook, Twitter, Skype, WhatsApp, WolframAlpha, Amazon, LinkedIn, AutoHotkey, Yahoo, Imgur, and even Stack Exchange.


There are a few things worth noting about these errors.


It's worth restating that these security errors are happening on a work-issued laptop, meaning that my employer is most likely scanning HTTPS traffic.

While HTTPS scanning can at least partially explain the HTTPS security errors, the situation still leaves me with a few questions.

  • Why is Firefox the only browser reporting these security errors?
  • Why isn't Firefox reporting security errors on banking and financial websites?
  • Why do some pages not report security errors, but only load as plain text?

*Note: While iCloud did not report any security errors, the page did eventually fail to load with a connection error.

Stevoisiak

  • Point IE at a page that actually has a broken SSL certificate and complain that you didn't get a certificate error. – Joshua Jul 21 '17 at 15:32
  • That's just downright hilarious. Mozilla doesn't like themselves. – NH. Jul 21 '17 at 17:33
  • Can you check certificate info on IE and/or Chrome? Specifically CA. – ave Jul 22 '17 at 05:37
  • @NH: Firefox (by default) considers "snooped by your employer" to be "not secure". Chrome and IE (on the OP's work laptop) don't, because they've been told (by the admin who set up the laptop) to trust the fake SSL certificates issued by the employer's snooping device. – Ilmari Karonen Jul 22 '17 at 11:47
  • Or in other words, Firefox is preventing a MITM attack exactly as it should! – trognanders Jul 23 '17 at 07:35
  • Related: [Is it common practice for companies to MITM HTTPS traffic?](https://security.stackexchange.com/q/107542/141087) – Stevoisiak Dec 06 '17 at 15:49

3 Answers

78

There is a lot to unpack so I’ll do my best here (based on some assumptions).

  1. Firefox maintains its own certificate store which is likely the reason only Firefox is throwing these errors. Traditionally, SysAdmins will push out certificates through Group Policy, which works for both Chrome and IE / Edge but Firefox won’t trust it. I would imagine that your traffic is being intercepted by a transparent proxy server which is inspecting your traffic (note that looking at the certificate information will reveal whether or not this is a certificate that your work has pushed out).

  2. Assuming again, but your work is probably explicitly not filtering financial website traffic — presumably to avoid any potential liability with doing so.

  3. I have no idea why some load as plain text. This might be something to do with the proxying process.

    EDIT: As Arminius astutely pointed out, pages loading as plain text is likely due to certificate errors happening with resources being pulled from third party domains. It is likely that the images and CSS are not loading as the cert errors from those domains prevent the resources from being transmitted.

DKNUCKLES

  • The reason why they load as plain text is presumably that the resources (images, CSS) are fetched from different domains that throw the certificate errors in the background too. – Arminius Jul 20 '17 at 15:15
  • On point 2, how would an employer be able to identify financial traffic over an HTTPS connection? Wouldn't it be difficult to distinguish what type of traffic is being transmitted? – Stevoisiak Jul 20 '17 at 15:15
  • @Arminius that would make perfect sense. – DKNUCKLES Jul 20 '17 at 15:16
  • @StevenVascellaro The exception is probably done via DNS lookups, which is not part of the encrypted traffic. – DKNUCKLES Jul 20 '17 at 15:17
  • @StevenVascellaro the first request is intercepted by the proxy; seeing a URL of financial services, it 'walks back', stores the session as not to be intercepted and transmits as is (in Bluecoat and Palo Alto systems, from what I saw). – Tensibai Jul 20 '17 at 15:23
  • Some sites tell the browser to pin their SSL cert with HPKP. – mootmoot Jul 20 '17 at 16:45
  • @StevenVascellaro The content of the request is encrypted, but the server address isn't, or the packet couldn't be delivered (the part of the address that specifies the *page* you're requesting from that server can be encrypted, though.) So they can just have a big list of financial sites and don't mess with any traffic to them. – Ray Jul 20 '17 at 21:14
  • In a previous company I had the same behaviour with a proxy, which intercepted SSL communication, but excluded all sites with an EV certificate (extended validation). Since almost all banks use that, bank sites were not intercepted. I guess that's the same case here. – dunni Jul 21 '17 at 22:33
  • @dunni: Steve Gibson [claims](https://www.grc.com/ssl/ev.htm) that EV certs are immune to SSL interception for browsers other than IE. I have no idea whether this is actually true. – Kevin Jul 21 '17 at 23:13
  • @Kevin: EV certs are not immune to SSL interception. The client being intercepted will receive a "normal" certificate (and thus won't have a green bar) but I'm pretty sure most people won't notice that if they have the interceptor's CA already installed in their browsers. HPKP is the only way to ensure that your cert is not interceptable (EV or not). – NuTTyX Jul 22 '17 at 11:16
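The check DKNUCKLES describes in point 1 ("looking at the certificate information will reveal whether or not this is a certificate that your work has pushed out"), written out as an added example that is not from this thread or from any of the posters. It uses the different trust stores as the tell: Chrome and IE/Edge verify against the OS store, where Group Policy can add an enterprise root, while Firefox verifies against Mozilla's bundle (available to Python through the `certifi` package). A root that the OS trusts but Mozilla does not is the kind of CA a transparent proxy would use, so any host whose leaf certificate is issued by such a root is reported as intercepted; a financial site that the proxy passes through (the DNS or URL-category exception discussed in the comments) keeps its public issuer and is reported as direct. The same probe run over the CDN hosts a page's images come from shows the mixed-content case Arminius raised. All CA names, hosts and certificate fields in the sample data are constructed, not real observations.

```python
"""
Added example (not from this Stack Exchange thread): tell a server's own
certificate apart from one minted by an intercepting proxy by checking which
trust store vouches for its issuer. OS store = what Chrome/IE/Edge use;
Mozilla bundle = what Firefox ships.
"""
import socket
import ssl


def rdn_to_dict(rdn):
    """Flatten the tuple-of-RDNs shape returned by ssl.getpeercert() and
    SSLContext.get_ca_certs(), e.g. ((('commonName', 'R3'),),) -> {'commonName': 'R3'}."""
    return {name: value for rdn_set in rdn for name, value in rdn_set}


def non_mozilla_cas(os_cas, mozilla_cas):
    """Subjects (raw RDN tuples) of CAs present in the OS store but absent from
    Mozilla's bundle. On a managed laptop a pushed-out proxy root lands here."""
    mozilla_subjects = {ca["subject"] for ca in mozilla_cas}
    return {ca["subject"] for ca in os_cas if ca["subject"] not in mozilla_subjects}


def classify_probes(probes, private_ca_subjects):
    """probes: list of {'host': str, 'cert': getpeercert()-style dict}.
    Map each host to 'intercepted' (leaf issued by an OS-only CA) or 'direct'."""
    return {
        p["host"]: "intercepted" if p["cert"]["issuer"] in private_ca_subjects else "direct"
        for p in probes
    }


def load_trust_stores():
    """Return (OS CA list, Mozilla CA list or None). The Mozilla list needs the
    certifi package, which ships Mozilla's bundle; without it only the OS store is read."""
    os_ctx = ssl.create_default_context()  # load_default_certs() -> OS store
    try:
        import certifi
    except ImportError:
        return os_ctx.get_ca_certs(), None
    moz_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    moz_ctx.load_verify_locations(cafile=certifi.where())
    return os_ctx.get_ca_certs(), moz_ctx.get_ca_certs()


def probe(host, port=443, timeout=5):
    """Fetch host's leaf certificate, verified against the OS store as Chrome/IE
    would. Raises ssl.SSLCertVerificationError when even the OS store rejects the
    chain, i.e. no proxy root was pushed to this machine either."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"host": host, "cert": tls.getpeercert()}


# Constructed sample data standing in for get_ca_certs()/getpeercert() output.
# "Example Corp Proxy CA" is a made-up enterprise root pushed by the admin;
# "Example Public CA" is a made-up public root that both stores trust.
PROXY_ROOT = ((("organizationName", "Example Corp"),), (("commonName", "Example Corp Proxy CA"),))
PUBLIC_ROOT = ((("organizationName", "Example Public CA"),), (("commonName", "Example Public CA R1"),))
SAMPLE_OS_CAS = [{"subject": PROXY_ROOT}, {"subject": PUBLIC_ROOT}]
SAMPLE_MOZILLA_CAS = [{"subject": PUBLIC_ROOT}]
SAMPLE_PROBES = [
    {"host": "www.mozilla.org", "cert": {"issuer": PROXY_ROOT}},      # rewritten by the proxy
    {"host": "www.wellsfargo.com", "cert": {"issuer": PUBLIC_ROOT}},  # financial site passed through
]


def demo():
    """Run the classification offline on the constructed sample."""
    private = non_mozilla_cas(SAMPLE_OS_CAS, SAMPLE_MOZILLA_CAS)
    return classify_probes(SAMPLE_PROBES, private)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live mode: python interception_check.py host [host ...]
        os_cas, moz_cas = load_trust_stores()
        if moz_cas is None:
            sys.exit("install certifi to compare the OS store against Mozilla's bundle")
        private = non_mozilla_cas(os_cas, moz_cas)
        probes = [probe(h) for h in sys.argv[1:]]
    else:
        private = non_mozilla_cas(SAMPLE_OS_CAS, SAMPLE_MOZILLA_CAS)
        probes = SAMPLE_PROBES
    verdicts = classify_probes(probes, private)
    for p in probes:
        cn = rdn_to_dict(p["cert"]["issuer"]).get("commonName", "?")
        print(f"{p['host']}: {verdicts[p['host']]} (issuer CN: {cn})")
```

Without arguments the script runs on the constructed sample; with hostnames it probes them live. One caveat for live use on Linux: when the OS default store is a `capath` directory rather than a single bundle file, `get_ca_certs()` only lists roots that have already been used for a verification, so point `load_verify_locations(cafile=...)` at the system bundle file (on Debian-based systems, `/etc/ssl/certs/ca-certificates.crt`) instead of relying on `create_default_context()` for the OS side.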
13

Why is Firefox the only browser reporting these security errors?

As already said, Firefox uses its own Certificate Authority store; managing it from a company point of view is hard and usually not worth it when Chrome is allowed.

Why isn't Firefox reporting security errors on banking and financial websites?

HTTPS inspection by a transparent proxy is usually not allowed by laws as it would break the banking confidentiality of the user and is generally considered as illegal.

Why do some pages not report security errors, but only load as plain text?

Usually (from what I saw) it is because the front page is categorized as 'should not be intercepted', as financial sites are (which is the case for Wells Fargo on Bluecoat's list here), but the images come from another CDN, so the interception fires on the CDN and the images are not loaded because the authority certificate is unknown to Firefox.

TRiG
Tensibai

  • Is the 'should not be intercepted' status reported by the website itself, or is it up to the provider to identify which sites not to intercept? – Stevoisiak Jul 20 '17 at 15:24
  • A list is defined by the provider, proxy admins can extend the list on their side and if needed tell the provider to extend the list also. Example for bluecoat's list: http://sitereview.bluecoat.com/sitereview.jsp#/?search=https%3A%2F%2Fwww.wellsfargo.com%2F – Tensibai Jul 20 '17 at 15:30
2

In my case, Avast was interfering with proper site loading on Firefox but it was fine on other browsers.

I un-ticked "scan safe connections" in the Web Shield settings and my problems were solved.

schroeder
Ansjovis86

  • While part of the SSL inspection that is mentioned in other answers, this is a specific solution. Thanks for posting! – schroeder Dec 21 '18 at 12:11