since updates i am unable to access sertain websites
When attempting to access a TDAmeritrade website page (Research.ameritrade) after logging into my account, I am unable to proceed to other pages on the TDAmeritrade website, getting the following:
research.ameritrade.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)
This is a trusted site, having used it for many years. Until recent Firefox updates, I have always been able to proceed on this website. I NEED THIS FIXED ASAP!
Please help.
All Replies (16)
The site has a valid certificate in my Firefox (see attached screen shot), so let's try to figure out why your Firefox is unhappy.
Please bear in mind that the question is not whether you trust TD Ameritrade or its site, but whether the page you are viewing is what it says it is. If the page you are viewing does not serve the SSL certificate correctly, you should be at least a little suspicious that it is not the real site.
I notice you have Kaspersky. Do you have the SSL Scan feature enabled and if so, is your Firefox set up to trust all of the fake certificates that Kaspersky generates with this setting?
Does the error page have an "I understand the risks" section with an "Add Exception" button? If so, you can use that button to view the certificate without actually adding an exception (I don't recommend adding one until we figure out the issue). In the Add Exception dialog, click the View button and compare what you see in the "Issued by" section and the "Details" tab to the attached. Any differences?
jscher2000 - thanks for the response! To answer your questions:
1. I've looked at my version of Kaspersky and do not see anything about an SSL feature (in settings, security, protection, etc). Can you advise more about this? 2. The Firefox error / warning does NOT offer an exception button in this case, only the "get me outa here" escape button, which takes me entirely out of the website without even allowing me to log off. 3. You mention an 'add exception'; the only one I've seen is in the Options section of the Firefox menu, and I read where that was only for allowing add-ons and should not be exercised. Can you explain more?
Thank you for taking an interest in my problem. I use the TDA website for investments and strategy and when I need to make changes (about 2-3x/year) I need to do it quickly. This restriction by Firefox is really causing me problems. I HATE to use another browser (i.e., Internet Explorer) since it is the most hacked browser out there, so your assistance is greatly appreciated.
Hi Don2bugs, I don't have Kaspersky, so I can only refer you to their site for assistance with the SSL Scan feature. In this article for the 2013 release, it is under Settings > Network and you can turn Encrypted Connection Scan on and off. The article also has steps for exporting a certificate you can use to have Firefox trust this feature, but for the moment, you might just test with the feature disabled:
http://support.kaspersky.com/us/9093#block1
The "Add Exception" button does not appear in the error page in at least two cases. One is when the page is framed, so it has a different address than the one you see in the address bar. I doubt this is the issue on that site. Another is when the server has specified mandatory SSL (by sending a strict transport security header) and then Firefox won't display the button.
The Exceptions button in Security Options is unrelated, as you note.
I went to the Kaspersky site you provided a link to and exported their certificate. No change. I forgot to toggle the Encrypted Connection Scan, so I'll try that and get back with you. So far, I'm really getting frustrated by Firefox. When their warning comes up, there's no way to get it to go away! If I push "get me outa here", it closes the website. I do appreciate your assistance, though.
Hi Don, I realize it is frustrating. Kaspersky often can update Firefox for you, but sometimes it doesn't.
Did it make any different to toggle off the Encrypted Connection Scan? If that resolved the issue but you want to use that feature, here's how you import that certificate into Firefox that you exported. Start from:
"3-bar" menu button (or Tools menu) > Options > Advanced > Certificates mini-tab > "View Certificates" button
That will pop up the Certificate Viewer dialog, which has numerous tabs. Click the Authorities tab and use the Import button at the bottom of that tab to import the Kaspersky certificate.
Thank you for the additional suggestions. I went into Kaspersky and toggled OFF the 'Encrypted Connection Scan'.
I then followed your instructions for importing certificates into Firefox. Toggling the 'Import' button brought up a computer screen with a list of about a dozen files to select from. I tried them all.... (Examples: Acro ext., AIR, Browser, ID Template, etc.) with the few that had a subfile, clicking on them either produced (nothing), or brought me back to the "Select File Containing CA Cartificates" screen.
I have tried going into TDAmeritrade's (Search) subscreens again, to no avail. The warning screen keeps coming up with "Get me outta here" as the only option.
I guess I'm going to have to change from Firefox or Kaspersky???
Hi Don2bugs, when you first click the Import button, it probably is not pointed at the correct folder. Can you point it to the folder that contains your Kaspersky certificate, either the one where Kaspersky stores it or the one you exported it to from Kaspersky's settings? (I think the steps for exporting it were in one of the Kaspersky help articles.)
Forgive my ignorance, but I don't know what you mean when you advise me to "point it to the folder that contains the Kaspersky cert.". (I haven't found 'a' certificate yet.) I have found the "import certificates" setting and clicked on that, but it didn't ask for a specific certificate. Am I supposed to use the Ameritrade website to name the cert, or what?
Also, I assume we are talking about the Firefox settings?
Sorry for not knowing any better...
I found these steps in a post on the Kaspersky forums. The actual path on disk may vary depending on your product:
"3-bar" menu button (or Tools menu) > Options > Advanced > Certificates mini-tab > View Certificates button > Authorities mini-tab
If you see an existing "Kaspersky Anti-Virus Personal Root Certificate"
Select it and Click "Delete or Distrust"
Now click "Import..."
Proceed to "C:\ProgramData\Kaspersky Lab\AVP15.0.1\Data\Cert\"
Select "(fake)Kaspersky Anti-Virus Personal Root Certificate.cer" and Open!
Does that work on your Firefox?
Modified
You are very nice, to spend so much time trying to help me. But this didn't work, either. (I followed your instructions, but when I hit Import, a box comes up - in Documents - labeled "Select file containing CA Certificate to import." Nothing there under Firefox or Kaspersky, so I changed it from Documents to OS(C:) and typed in the code you gave me, both under Kaspersky Lab and Kaspersky Lab Setup Files and hit OPEN. Both times I got "Path does not exist".
I'm thinking this is not a Kaspersky problem but a Firefox problem, because when I get the "get me outta here" (while on a TDAmeritrade page) it appears to be a message from Firefox and not from Kaspersky (who always has a trademark or copyright mark on their messages.
Are you sure this is a Kaspersky problem, or Am I all wet? FYI, I have no qualms about deleting Kaspersky and using another software!
Thank you again
It depends: if you get secure certificate errors with most or all secure sites, making sure your Firefox is set up to work with Kaspersky would be the main focus. However, if that is the only secure site you use that gives you a secure certificate error, your Firefox already must already be set up to work with Kaspersky.
If it's just the one site, your Firefox seems to have an objection that mine does not raise, and we should focus on that instead.
If you paste the following URL into Firefox's address bar and press Enter to load it, you should see an Add Exception form:
chrome://pippki/content/exceptionDialog.xul
Try entering https://research.ameritrade.com/ into the first line on that form and click Get Certificate. Does Firefox enable the View button to let you inspect its details?
AHA!?!? When I followed your instructions, and clicked 'Get Certificate', the response was, "This cert is not trusted because it hasn't been verified as issued by a trusted authority using a secure signature.
1. On the same response, there is a box checked for "store this exception", plus at the bottom, there are two choices: "confirm security exception" and "cancel". Not sure which I should do here...
2. Does the phrase "using a secure signature" mean we can change the 'signatures'?
(I sure hope you're paid well for all you're doing! )
I suggest not adding an exception at this point until we investigate a bit further.
Could you click the View button on that screen and compare the "Issued by" and "Certificate Hierarchy" areas with my earlier screenshot (additional copy attached) to see whether they differ and what you find there?
As for paid, I did get a Thank You sweatshirt a few months ago...
ok. I got to view the certificate, and it is labeled ('common name') research.ameritrade.com; the serial # is different, It was issued by Kaspersky anti-virusPersonal root certificateOrg is Kaspersky Lab ZAO , not Verisign (as yours).
Does this help? (Review my questions in the last message).
I think the fact it was issued by Kaspersky indicates that we need to return to the Kaspersky question.
Could you check whether you previously imported a certificate for this site and, if so, remove it? You would do that here:
"3-bar" menu button (or Tools menu) > Options > Advanced > Certificates mini-tab > "View Certificates" button
In the dialog that pops up, click the Servers mini-tab, and look for the any certificate with research.ameritrade.com in the Servers column. It might be listed under Kaspersky or another issuer. If you find one anywhere, go ahead and remove it.
Then could you click the Authorities tab and look for any Kaspersky certificate listed there? I think it would be in alphabetical order with the other issues, but since I don't use Kaspersky, I'm not completely sure. Does it appear anywhere?
Regarding your other question in your previous message, you can't change the signature on a certificate, it is signed using a secret "key" that needs to match up with a particular authority certificate.
I have been very busy setting up a business and office, so forgive the tardy reply. I will try your most recent suggestion(s), but frankly, I'm ready to give up on Firefox. I have determined that the warnings ARE coming from Firefox and not Kaspersky. On other sites, I am getting similar warnings, sometimes with "Get me outta here" and others with the "I understand the risks - proceed" option. These other sites include Amazon, ebay, and other well-known sites.
I'm ready to give up on Firefox, because of the time and frustration involved. I've used them for years, happily. But now.... I've had to resort to the VERY MUCH HATED Internet Explorer more than once, just to complete my purchase or investigation. I'm even going to try Chrome!
Will let you know how your latest suggestion works. Appreciate your patience and diligence.