Firefox doesn’t recognize the certificate issuer if HTTPS scanning is on (with repro)

Since around October or November 2024 I have noticed the following warning message on most HTTPS websites: Connection verified by a certificate issuer that is not recognized by Mozilla.

I am curious whether other Avast and Firefox users also see the warning on Windows, so I am writing the steps to reproduce below.

The warning message tends to come only after a certain (unknown) amount of HTTPS sites were already visited since I started the computer.

To give you a stable repro, in step 2 I will recommend opening 20 websites with a single cmd.exe command (PowerShell will also work, but you will have to prepend an & before the whole line):

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.amazon.com/ https://www.youtube.com/ https://www.google.com/ https://www.apple.com/ https://www.usa.gov/ https://www.gov.uk/ https://www.ox.ac.uk/ https://www.nhs.uk/ https://www.nic.cz/ https://www.sport.cz/ https://www.super.cz/ https://www.dsl.sk/ https://www.cas.sk/ https://www.pravda.sk/ https://www.hs.fi/ https://www.telia.fi/ https://www.is.fi/ https://www.dmi.dk/ https://www.dbkk.dk/ https://www.krak.dk/

Steps to reproduce:

  1. Start your computer.
  2. Open the said 20 websites.
  3. Wait until all tabs load.
  4. For all tabs:
    1. Click the padlock icon (:lock:) to the left of the URL to show the Site information popup dialog of Firefox (see picture above).
    2. Check if you see the mentioned warning message.
    3. You can switch to the previous/next tab with Ctrl+PgDn and Ctrl+PgUp to speed up your job.
  5. Close Firefox, and repeat the check from step 2. Before step 4.1, however, force reload the website (Shift+click the reload (⟳) button to the left of the URL, or press Ctrl+Shift+R). Sometimes the warning message only shows up after a force reload.

This is 40 checks in total. Did you see the warning message in at least one case? Please reply.

Additional information:

  • There are websites for which I am not able to reproduce the bug. E.g., www.bankofamerica.com never shows the warning message, no matter how many times I reload it.
  • There is no warning message if HTTPS scanning is turned off in Avast (Menu > Settings > Protection > Core Shields > scroll down to Web Shield > Enable HTTPS scanning).
  • The warning message comes in Firefox only. Microsoft Edge is not affected. It shows the sites’ certificate correctly. I didn’t try other browsers.
  • I can reproduce the bug even with all Firefox add-ons turned off, i.e. "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode website1 ... website20. I didn’t mess with Avast or Firefox settings. The bug just appeared suddenly around two months ago. I am convinced that other Avast and Firefox users will also see the warning message on Windows.
  • My other post on this topic. It contains almost all the information in the current post, but it is scattered in the comments. Therefore, I decided to summarize everything here, in the current post.
  • Additional screenshots.

Firefox 133.0 (64-bit)
Avast Free Antivirus 24.11.6137a (build 24.11.9615.891)
Windows 11 Pro 23H2, OS build 22631.4460

Avast developers, please fix this bug.

If you click on the > to the right of “Connection secure” you will get to a link and a Mozilla workaround if you really need it, but the connection is labelled as “secure” regardless.
I see that even the padlock for this forum, https://community.avast.com, shows that wording in Firefox.

From a web search I have just done, I see that it is not limited to Avast, but includes ESET and maybe other AV solutions.

Have you seen this item: https://www.reddit.com/r/firefox/comments/lh6rm7/how_to_make_explict_warning_for_mozilla_does_not/
Click on “Read more” there to see the reply.

Maybe also see Avast blog item: Explaining Avast’s HTTPS scanning feature

Thank you. I have read the material you linked, but I cannot say I understood it.

What I want:

  • Have no warning message.
  • Be able to see the original certificate chain of the websites (in Firefox: Ctrl+I > Security tab > View Certificate button), i.e. I don’t want to see the Avast Web/Mail Shield Root.
  • Keep HTTPS scanning on in Avast, i.e. the antivirus checks HTTPS sites too for malware while browsing.

Can I achieve this somehow? Because that was how it worked up until two months ago.

No answer for 4 days. I guess this means he doesn’t know such a method. The problem is with Avast, and not our configuration.

Anyway, if anyone else has seen, or has not seen, the warning message, please reply. The more information we know, the better.

Avast developers, please fix the bug. But, first let’s not go that far. Avast developers, please read this forum. :slight_smile:

The discussion went on in another post: How to exempt a banking website from HTTPS scanning globally at Avast s.r.o.? In the following I am summarizing the findings written there (which are off-topic in that thread, by the way):

  • In 2015 Avast antivirus contained whitelisted banking websites, which were not scanned by HTTPS scanning. You could ask Avast s.r.o. to put your bank on the whitelist by emailing them, but as of 2024 the email address is not valid any more. See the post itself.
  • We could conclude that the whitelist also doesn’t exist any more, but we confirmed that it exists. For two users four banking websites do not produce the warning message at all. See this reply.
  • In 2016 Avast s.r.o. announced the “transparent” HTTPS scanning for Firefox and other browsers (see this reply). This is the feature that stopped working around two months ago.
  • A user with the beta version of the antivirus confirmed that he doesn’t see the warning message. See this reply. He tried a lot of websites provided by me, and force reloaded them. So, there is hope that the bug is already addressed. Although, as usual, no Avast employee commented on the bug or the whitelist.

Avast just updated itself to 24.12.6142a (build 24.12.9725.762), and the bug is still here. @NON: What version are you using?

Here it seems to be a different, more recent version than the one you said was updated just now.
I don’t understand anything anymore, can you explain?

There are 2 version schemes here, depending on the installer type (icarus or instup).
The instup type shows @PaulBlueberry’s version scheme, meaning different numbers between version and build numbers.
The icarus type shows @New_Style_xd’s scheme, meaning (almost) the same version and build numbers.

So in this case, the build number should be looked at.
Mine is on beta/icarus, so

24.12.9725a (build 24.12.9725.762)

@NON: We have the same build numbers, still my Avast has the bug, while yours doesn’t. So, the program is the same. What may cause the difference?

In general, environment-dependent bugs are quite hard to track; anything could be possible, as every environment is different. Below are possible causes I can think of, but only God knows… :zipper_mouth_face:

  • Browser configurations. Transparent HTTPS scanning needs a special policy applied to your browser; you can see something like “This browser is managed by your organization” in Firefox’s settings. Also, “HTTPS” contains numerous protocols, say HTTP/2, SPDY, QUIC, etc., and that depends on browser and target server configurations.
  • Avast configurations. As you may know, Avast has invisible settings around (for example, settings that once existed in the GUI but were removed later). As a long-time Avast user, my Avast settings have been handed over for a long time, so some obsolete or now-extinct settings that have some (unintended) effects may still be around. The same thing can apply to browser configs.
  • Installation status. Avast or Windows installations may have been corrupted in some way; mine is relatively fresh (installed a few months ago), but how about yours?
  • Interference with other software.

If you enable debug logs in Avast settings and have the will to look deep into them, they might shed light for you. (Don’t ask me how, this is just a theoretical possibility.)

Thank you for your answer.

  • My Firefox indeed says Your browser is being managed by your organization. See the Additional screenshots link at the end of my original post. I don’t know what that means, since I am not in an organization.
  • I didn’t tweak Firefox or Avast settings. This shouldn’t be a problem.
  • My Windows 11 is about 2.5 years old.
  • I cannot think of any other software that could interfere, especially not one that I installed in October/November 2024.

At least one other person also experiences the warning message, which tells me that the problem is not in my specific configuration, but rather it is a software bug.

Does anybody else experience this?
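
The “managed by your organization” notice and the trusted interception root discussed in the last two posts can be inventoried read-only on the affected machine. The script below is an added example, not part of any post in this thread: the registry path and the distribution\policies.json file are the standard places Firefox reads enterprise policies from on Windows, and it is an assumption that Avast uses one of them.

```powershell
# Added example (not from the thread). Read-only inventory of what can make
# Firefox report "managed by your organization" and trust an interception root.
$rootName   = 'Avast Web/Mail Shield Root'        # root name quoted in the thread
$firefoxDir = 'C:\Program Files\Mozilla Firefox'  # install path used in the thread

# 1. Policies delivered through the registry (machine-wide, then per-user).
$registryPolicies = foreach ($hive in 'HKLM:', 'HKCU:') {
    $base = "$hive\SOFTWARE\Policies\Mozilla\Firefox"
    if (-not (Test-Path $base)) { continue }
    # Include the base key itself plus every subkey (e.g. Certificates).
    $keys = @(Get-Item $base) + @(Get-ChildItem $base -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key    = $key.Name
                Policy = $name
                Value  = $key.GetValue($name)
            }
        }
    }
}

# 2. Policies delivered through a policies.json file in the install directory.
$policyFile   = Join-Path $firefoxDir 'distribution\policies.json'
$filePolicies = if (Test-Path $policyFile) { Get-Content $policyFile -Raw }

# 3. Copies of the interception root in the Windows trusted-root stores.
$roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$rootName*" } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter, PSParentPath

'--- Firefox policies (registry) ---'
if ($registryPolicies) { $registryPolicies | Format-Table -AutoSize -Wrap } else { 'none found' }
"--- Firefox policies ($policyFile) ---"
if ($filePolicies) { $filePolicies } else { 'file not present' }
"--- Trusted roots matching '$rootName' ---"
if ($roots) { $roots | Format-List } else { 'none found' }
```

Firefox lists the same active policies at about:policies. A Certificates policy with ImportEnterpriseRoots set tells Firefox to trust roots from the Windows store; whether Avast relies on it is not stated in the thread.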