Why do I get a Secure Connection Error on some sites?

5

1

I am using Firefox version 37.0.2 with an ethernet connection at a university in Bangkok. I consider the university network a hostile environment, as the majority of the computers on this network are running counterfeit versions of Windows, and I have seen a lot of viruses on them.

When I try to visit https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx (and other secure pages on microsoft.com), I get this error:

Firefox Error: Secure Connection Failed

Secure Connection Failed The connection to the server was reset while the page was loading.

Notes:

  • I get no error when visiting the same URL using Google Chrome v42.0.2311.135 or with Microsoft Internet Explorer v11.0.96
  • If I connect to the Internet through a VPN (CyberGhost), I don't get the error at all.
  • I have never added my university's security certificate to my Windows trusted store. I have checked certmgr and cannot see anything related to my university.

I would be really grateful if anyone can answer:

  • Why only Firefox?
  • Why does using a VPN fix it?
  • If I don't trust the university network, would I be safer doing all my web browsing through a trusted VPN?

Kit Johnson

Posted 2015-04-30T06:18:44.090

Reputation: 886

2 If you review the certificate(s) provided by the web page when using VPN/not using VPN, what differences, if any, can you see? – Alasjo – 2015-04-30T06:24:06.237

When not using a VPN, there is no certificate that I can see. Firefox says technet.microsoft.com "This web site does not supply ownership information." There is no padlock. – Kit Johnson – 2015-05-09T00:27:38.580

Answers

4

The last FF update messed with my settings. Deleted my homepage, some stored certificates, and it might have even messed with some config information.

My guess is the university network does a MitM of your TLS connections, which isn't uncommon for larger organizations. And the last FF update deleted the stored certificate for the university.

  1. It's only on Firefox because the last update seriously messed with some stuff. As @Ramhound pointed out, Firefox uses its own certificate store while Chrome and IE use the OS's certificate store for the user. If Firefox decided to reset a lot of its configuration, then any user-added certificates could have been removed.
  2. The VPN fixes it because it most likely bypasses their TLS MitM. Although why they allow VPNs at all might be a counterargument to this point.
  3. If you don't trust the university network, using a trusted VPN would be a better solution in general.

As a solution, I would look at your Chrome trusted certificates and see if any are installed that relate to your university. Check to see whether those certificates are installed in Firefox.

RoraΖ

Posted 2015-04-30T06:18:44.090

Reputation: 186

1 It's also only Firefox because Firefox is the only browser that uses its own certificate store. Chrome and IE use the operating system's certificate store, specifically the user's certificate store (vs. the machine's certificate store). – Ramhound – 2015-05-01T11:35:59.100

Good point! I completely forgot about that. I added it to my answer. – RoraΖ – 2015-05-01T11:59:02.803

You had already earned an upvote, since your conclusion is technically sound. I have been doing lots of certificate questions so I had done prior research. – Ramhound – 2015-05-01T14:23:31.480

Thank you so much for this answer. I've got two more questions: why do large organisations do MitM on their users? If this is the case with my university, and it looks like it might be, I should do everything through a VPN. Second question: I never added my university's certificate to my trusted root certificates in Windows (since I don't really trust them). So why wouldn't Chrome and IE also complain about this? – Kit Johnson – 2015-05-09T00:47:33.773

On 'why do organisations do MitM', I found this interesting piece on Slashdot – Kit Johnson – 2015-05-09T01:11:28.803

I've checked Firefox's certificates and removed everything to do with my university. I never added my university's certificates to my Windows trusted store; I just double-checked that there is nothing to do with my university in certmgr.msc. So I don't understand why the certificate of https://technet.microsoft.com appears valid in Chrome or IE but unvisitable in Firefox. If there is a MitM, wouldn't it give me some kind of invalid certificate in Chrome and IE? – Kit Johnson – 2015-05-20T09:39:43.580

I think you need to run Wireshark and see what exactly is being sent. Can you post the technet.microsoft.com certificate? – RoraΖ – 2015-05-20T11:15:04.617
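
The comparison suggested in the comments (what the site presents with and without the VPN) can be scripted. This is an added example, not code from any poster in this thread; the function names, status labels and sample observations are assumptions made for illustration.

```python
import socket
import ssl
import sys

def observe(host, port=443, timeout=5.0):
    """Record what this network path presents for host: the issuer, or why the handshake failed."""
    ctx = ssl.create_default_context()  # verifies the chain against the system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"status": "untrusted", "detail": exc.verify_message}
    except OSError as exc:  # reset, timeout, DNS failure, other TLS errors
        return {"status": "failed", "detail": type(exc).__name__}
    return {"status": "ok", "issuer": issuer_name(cert)}

def issuer_name(cert):
    """Flatten getpeercert()'s nested issuer tuples into 'Organization / Common Name'."""
    fields = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return f'{fields.get("organizationName", "?")} / {fields.get("commonName", "?")}'

def compare(direct, tunnelled):
    """Classify two observations of the same host: direct path vs. through the VPN."""
    if tunnelled["status"] != "ok":
        return "inconclusive"  # no trusted baseline to compare against
    if direct["status"] == "failed":
        return "blocked-before-certificate"  # e.g. reset: nothing was presented to inspect
    if direct["status"] == "untrusted":
        return "untrusted-certificate-on-direct-path"
    if direct["issuer"] != tunnelled["issuer"]:
        return "issuer-differs"  # trusted here, but signed by a different CA on this path
    return "same-issuer"

# Constructed sample observations (not captured from any real network).
SAMPLE_VPN = {"status": "ok", "issuer": "Example Public CA / Example TLS CA 1"}
SAMPLE_RESET = {"status": "failed", "detail": "ConnectionResetError"}
SAMPLE_PROXY = {"status": "ok", "issuer": "Example Campus / Example Proxy CA"}

if __name__ == "__main__":
    # Run once on each network path, then feed the two results to compare().
    print(observe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A differing issuer alone is not proof of interception, since large sites can serve certificates from more than one CA. A failure before any certificate is presented, as in the question, means there is no certificate to judge either way.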