Secure Connection Failed to google.com

FF ESR 52.2.0 Windows XP sp3

Today I changed the following two OCSP settings from False to True:

security.OCSP.GET.enabled;true
security.OCSP.require;true

Since then I'm unable to go to google.com, get the error message:

"Secure Connection Failed

An error occurred during a connection to www.google.com. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem."

But, at the same time I have no problem loading any other major websites like DuckDuckgo, rt.com, cnn.com, etc.

So, could someone help me to figure out why Google is not secure for me?

I don't know if it makes any difference, the IP address of google.com when I ping it is 216.58.209.196

Chosen solution

The IP address you report belongs to Google, from the whois command.

I don't think the problem is about Firefox, but with Google settings.

Google might have set up their servers in a way to trigger a specific action if those settings you altered are configured that way, we cannot know.

My take on this, reasoning on what OCSP is as follows: OCSP is used for obtaining the revocation status of an X.509 digital certificate, but Google could use a PKI infrastructure and not implement OCSP security. It's not mandatory.

All Replies (7)

mattcamp: Thanks for your answer. I knew that it wasn't FF's fault, but I posted my question here because FF gurus for sure know what these config elements do. Since I use Google a lot, I set this element "security.OCSP.require" to false, now I'm OK, just a bit disappointed.

I noticed that there are 5 elements in FF config that deal with PKI. Can you tell me what the meaning of level 3 is here:

security.pki.sha1_enforcement_level;3

and what other options are out there for this element?

The fact is that the SHA1 hashing algorithm has proven to be insecure, because a collision is possible.

A collision is when an algorithm calculates the same hash value for two different files.

This should never happen, because each file should have a unique hash signature, so Mozilla banned SHA1 in favor of more secure algorithms.

More details here.

The NSA, too, deprecated SHA1 for the same reasons.

I see. So, by any chance, do you know how anyone can make sure, or trust the system, that when you're using Google using FF, you're indeed communicating with a real Google server and not, e.g., a cuckoo's egg between you and a real Google server? Or do we just have to accept the familiar request "just trust us!"

Hi, It's a complex matter. However, I want to remind you that the people who answer questions here, for the most part, are other Firefox users volunteering their time (like me), not Mozilla employees or Firefox developers.

If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.

mattcamp: Thank you for your patience and all your answers!

You're very welcome.

I love to help, that's why I'm here.