"This Connection is Untrusted" and Firefox 38

After I updated Firefox to version 38.0.1, I keep getting “This Connection is Untrusted,” whenever I try to go to my.yahoo.com or just by using the Firefox search engine to search anything. I traced the problem to Avast since everything is OK after I disable the Web Shield in Avast’s Preferences. Can anyone tell me how to fix this? Is the latest Avast Signatures causing the problem?

Thanks!

What exactly is giving you the message ? (screenshot could be helpful)
What exact version of avast ?
What OS/SP ?
Any other security (related) software installed ? (or did you)
Are you using a proxy server ?

No other security is running other than what is in the OS X. The Avast version is 10.14 (44414) with Virus Definition Version 15052600.
I’d like to send you the screen shot, but this forum software won’t let me navigate to the Desktop. No popup window will open.

The Technical Details shows the following for any and all websites I try:

…uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)

Probably have the same issue, but slight differences - E.g., Firefox has refused to update since v34.0 came out; my Windows 8 (x64) machine has been updating and is now at v38.0.5, but Firefox Help/About Firefox has continually reported, Your Firefox is up to date, on v34.0.
When I tried to access Mozilla website for purpose of finding and downloading a Firefox for Mac version really up to date, by typing www.mozilla.com into the location slot, it did not open to Mozilla. It produced the standard error box like Mr. Levin’s, claiming the Certificate was untrusted because the Issuer was unknown. I cannot trust Firefox and cannot update it, because i cannot reach the download site.

Any helpful advice will be appreciated.

This problem is still not resolved. With Avast configured normally (i.e. with web shield activated) most web pages cannot be accessed from Firefox 39.0. Attempting to do so (e.g. attempting to log into gmail) results in the error message below.

My setup details:

MacPro, Mac OS X 10.6.8
Avast 2015, version 10.14(44414), virus definitions 15082404, web shield 0/596
No other anti-malware software installed
Firefox 39.0, no extensions, OpenH264 1.4, and Shockwave Flash 18.0.0.209 plugins active

ERROR MESSAGE:

This Connection is Untrusted

You have asked Firefox to connect securely to mail.google.com, but we can’t confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site’s identity can’t be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn’t continue.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Technical Details

mail.google.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

(Error code: sec_error_unknown_issuer)

There were suggestions that disabling https scanning is a workaround for this problem. However, it seems to me that this is not good practice; certainly not a permanent solution.

Some months back, there was an exchange on the "Avast Free/Pro/IS/Premier forum as follows:


PCPhanatic1414
Re: Websites not being trusted with avast 2015, any suggestions ?
« Reply #11 on: November 11, 2014, 05:35:56 PM »

I’m seeing the same error message (sec_error_unknown_issuer) on Firefox 33.1 using Avast Internet 2015.10.0.2208 on ALL https sites and discovered a workaround that MAY be the intended mode of operation:

I exported the Avast Mail Shield SSL certificate, imported it into the Firefox certification authorities, and then edited the trust settings of the cert to allow it to “identify web sites.”
If I keep Avast HTTPS scanning enabled but then disable the trust of the imported “Avast! Web/Mail Shield Root” cert, I can always replicate the Firefox error message on HTTPS sites.

I checked the Chrome Browser and see no error messages when going to HTTPS sites. However, I noted that Chrome already has the Avast! Root cert in it’s collection. I didn’t deliberately import it, so perhaps Avast inserted it correctly in Chrome but not in Firefox?

lukor
Re: Websites not being trusted with avast 2015, any suggestions ?
« Reply #12 on: November 11, 2014, 07:03:46 PM »

Hi,
the way how HTTPS scanning works absolutely requires every browser to have our certificate in its trusted list ( yes it is this one: “Avast! Web/Mail Shield Root” )

So the fix, you’ve just performed is completely correct and the resulting state is exactly how it should be.

For chrome/IE we insert the certificate into the system store - that’s why it works. For firefox, we insert the certificate into the firefox private store during the start of the browsers.
So the problem here is why it fails on your PC.

L.

I’ve spent some time looking for this “Avast! Web/Mail Shield Root” certificate, unsuccessfully. Would someone please provide step-by-step instructions as to how to perform this procedure?

Sorry for the long message,

Hi,
You can find the certificate in the system Keychain, it’s called “Avast trusted CA”. You can export
it from there and import it to Firefox, however this should be done automatically by Avast. In some
cases (new user account created after Avast is installed, Firefox installed after Avast is installed)
you need to do a logout/login for the Firefox certificate import to happen.

Thank you tumic for this suggestion. However, unfortunately it did not work. After carrying out the procedure described below, I got the following (slightly different from the previous, but essentially the same) error message:

Secure Connection Failed

An error occurred during a connection to login.gmx.com. Peer’s certificate issuer has been marked as not trusted by the user. (Error code: sec_error_untrusted_issuer)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

The procedure I followed was:

  • Log into administrator account

  • Start Keychain Access

  • Select System Roots: All items: Avast trusted CA

  • File (or right-click) → Export items: to Documents/Avast trusted CA.cer

  • Quit Keychain Access

  • Start Firefox (ver 39.0)

  • Preferences → Advanced → Certificates

  • [View certificates] → Servers → [Import]
    Format:certificates
    Select: Documents/Avast trusted CA.cer
    [Open]

  • [OK]

  • Quit Firefox

  • Log out of administrator account

  • Restart

  • Repeat procedure for user account (i.e export from the user’s Keychain Access and import into user’s Firefox)

Got the same error above in both the user and administrator accounts.

By the way, if I try to import “Avast trusted CA.cer” into “Your certificates” rather than “Servers”, I get an error message:

Alert: This personal certificate can’t be installed because you do not own the corresponding private key which was created when the certificate was requested.

Also, by the way, same errors occur when attempting to access www.avast.com. Able to get here only by turning off Avast’s web shield.

I am having this problem on my Mac too. Running Firefox 40.0.3. All secure pages trigger this error (screen shot - https://monosnap.com/file/NT8U74r44C4EndSvYto0M1dPy2jiMM) Also having issues with Chrome with some sites. If I disable Web Shield, Firefox works as normal.

I’m sorry, but we really can not reproduce the issue. It works fine with Firefox for me.
If you have the “Avast trusted CA” certificate in Firefox (see the attached screenshot)
then it must work.

I have the same problem. I looked at my certificates and I don’t have the “Avast trusted CA”. What can I do to fix this?