Firefox reports a TLS error for a website that I trust, but provides no way to override the error message.
For the last couple of months (late 2015) Firefox has returned a "secure connection failed" error when I try to access my account at a major health insurance provider. The site worked fine in Firefox for years and works fine with Microsoft Edge, but I prefer to use Firefox. The "more info" link in the error message says the message indicates the site uses outdated TLS security and that I should contact the owners to tell them to update it. I tried that and failed; Blue Cross makes it even harder to "contact us" than Mozilla does.
Why is there no "I trust this site - go there anyway" option? I'm experienced enough to make my own security decisions.
All Replies (10)
I don't think I can answer the "why" question of why some secure connection errors have the option to make an exception and some do not. Perhaps only problems with certificates allow that option, and not problems with connection methods and encryption protocols.
Do you want to post the URL of the link/address that won't load? If not, you could research it further using a page such as the following and see whether it has an obvious problem that may be triggering this behavior in Firefox.
Here's the URL, since it includes no personal information: https://custserv.fepblue.org/fepesvc/home.do
Thanks for the SSL Labs link. Their test reports that the site is subject to the POODLE TLS attack and gives it an overall F rating for that reason despite high marks for the other tests it performed.
Hmm, I'm not getting an error on that page, but it redirects to this address:
That one has a good grade, but perhaps it's not helpful because you still need to use the other server?
Although Poodle is a problem, I don't think Firefox checks for that; mine definitely doesn't.
Can you double-check that your Firefox uses TLS 1.2? If you are on this page, when you check the Security panel of the Page Info dialog, toward the bottom next to Connection it should have a parenthetical reference ending with TLS 1.2. You can call that up using either:
- right-click a blank area of the page and choose View Page Info > Security
- (menu bar) Tools > Page Info > Security
- click the padlock or globe icon in the address bar > click the ">" and then More Information
I've attached a screen shot for comparison.
Very strange. The "Connection" box says: "Connection not encrypted..." (screenshot attached) and the padlock icon is replaced with a globe icon in the URL field.
This must apply to the error message only. The page that links to the secure areas of my account, https://www.fepblue.org/pilot/landingpage (which you probably cannot access without a password), is encrypted and Firefox reports the connection as TLS 1.0. Does this mean that the problem is with my Firefox setup rather than the site? The About Firefox menu item says my Firefox is up to date.
Here's a screenshot of the page info for the parent page that _is_ encrypted.
You should get TLS 1.2 on the one that is working. Could you check these settings:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste TLS and pause while the list is filtered
(3) If the security.tls.version.max preference is bolded and "user set" to some value other than 3, right-click > Reset it so it returns to the default value
(4) If the security.tls.version.fallback-limit preference is bolded and "user set" to some value other than 3, right-click > Reset it so it returns to the default value
Does that change how the site loads?
That last screenshot shows BitDefender instead of what I see, which is Verisign (compare attached). As you probably know, BitDefender has an option to intercept your secure connections for filtering. Hopefully this is not the cause of the problem but if it is, you likely can turn off filtering of secure connections in BitDefender.
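The check in steps (3) and (4) above can also be run against the profile's prefs.js file, which stores only user-set preferences. This is an added example, not part of the original replies; the function name, the sample file content and the defaults table (values taken from this thread, late 2015) are assumptions.

```python
import re

# Numeric values used by the security.tls.version.* preferences.
TLS_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Defaults as stated in the thread (assumption: late-2015 Firefox).
# Pass a different table if your release ships other defaults.
THREAD_DEFAULTS = {
    "security.tls.version.max": 3,
    "security.tls.version.fallback-limit": 3,
}

# prefs.js holds one user_pref("name", value); entry per line.
# Only integer-valued entries are matched; string prefs are skipped.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(-?\d+)\s*\);', re.MULTILINE)


def audit_tls_prefs(prefs_text, expected=THREAD_DEFAULTS):
    """Return (pref, value, protocol, expected) for each TLS pref that is
    user set to something other than the expected default."""
    findings = []
    for name, raw in PREF_RE.findall(prefs_text):
        value = int(raw)
        if name in expected and value != expected[name]:
            proto = TLS_NAMES.get(value, "unknown")
            findings.append((name, value, proto, expected[name]))
    return findings


# Constructed sample reproducing the asker's state (max user set to 1).
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("security.tls.version.max", 1);
user_pref("security.tls.version.fallback-limit", 3);
'''

if __name__ == "__main__":
    for name, value, proto, want in audit_tls_prefs(SAMPLE_PREFS_JS):
        print(f"{name} is user set to {value} ({proto}); expected {want}")
```

A preference that is absent from prefs.js is at its default, so an empty result means neither setting has been overridden.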
Chosen solution
Thank you! The setting for security.tls.version.max was "user set" with a value of 1, and I reset it as you indicated. The value is now 3 and I was able to get to my Blue Cross account normally.
I'm guessing that this problem dates to when I got my new computer and did a new installation of Firefox around August 10. Perhaps the TLS setting is the one that came with the download.
BTW, I noticed BitDefender in the page info too. The error page didn't identify its source; the "more info" links led to Mozilla Support but I was wondering if my antivirus was the culprit. Apparently it was the Firefox security setting instead.
Problem solved, thank you, jscher2000!
There is security software like Avast, Kaspersky, BitDefender and ESET that intercepts secure connections and sends its own certificate.
- BitDefender -> Privacy settings -> disable Scan SSL
If you can't inspect the certificate via "I Understand the Risks" then try this:
Open the "Add Security Exception" window by pasting this chrome URL in the Firefox location/address bar and check the certificate:
- chrome://pippki/content/exceptionDialog.xul
In the location field of this window type or paste the URL of the website.
- retrieve the certificate via the "Get certificate" button
- click the "View..." button to inspect the certificate in the Certificate Viewer
You can inspect details like the issuer and the certificate chain in the Details tab of the Certificate Viewer. Check who is the issuer of the certificate. If necessary then you can attach a screenshot that shows the certificate viewer.
Thanks, cor-el, the problem turned out to be an outdated TLS setting in my copy of Firefox (see above) reacting to outdated TLS security on the website, but I'll save your trick for inspecting a site certificate for future reference.
If Bitdefender sends its own certificate then you will never see the site's certificate and you need to trust Bitdefender. I don't know how this works out with EV certificates like this website uses and that shows a Mozilla Foundation (US) label.
- Firefox verified that you are securely connected to this site, run by: