
"Something is trying to trick Firefox into accepting an insecure update. Please contact your network provider and seek help."

  • 6 replies
  • 14 have this problem
  • 2 views
  • Last reply by grodech


This message appears in regular intervals. I think it is intended to prevent Man-in-the-middle-attacks that want to foist you a rogue Firefox update.

In my company the "Microsoft Forefront Threat Management Gateway" with HTTPS inspection is used. This HTTPS inspection is done by installing a local (company-controlled) Certification Authority in the browser on the user's computer and then performing a de/encryption of the SSL-stream on the proxy server.

But as Firefox not only verifies the certificate of the update server, but also the Issuer of the certificate, the update is rejected because of a possible Man-In-The-Middle-attack. In case of the "Microsoft Forefront TMG" this is an intended MITM-attack ...

Is there any possibility to change the expected certificate chain of the update server in Mozilla Firefox?


Modified by mogra


All replies (6)


This can happen if you still have leftover files from an older Firefox version in the Firefox program folder (C:\Program Files\Mozilla Firefox\defaults\pref)
There should only be a channel-prefs.js file in that defaults\pref folder.

See also:


cor-el, thanks for your reply. But actually, as described above, this is not my problem. Firefox correctly displays the warning, as there is a Man-in-the-middle-attack when performing the update - although an intended one (Microsoft Forefront TMG performing HTTPS-inspection).

My question was: "How can I change the expected certificate attributes of the update server?" I want to accept the Firefox update that is correctly served by the Mozilla update server via the Microsoft proxy.


Chosen solution

As a quick fix you can change the pref app.update.certs.1.issuerName to the value used by your MITM box. Or maybe better, add new prefs app.update.certs.3.commonName and app.update.certs.3.issuerName with appropriate values. These two prefs could be passed along to other folks at your organization as a user.js file perhaps, or a restartless add-on.

Not a user-friendly solution, but should get you going again.

Modified by dveditz


We're having this issue with newer versions of Firefox (10+) that connect through our SonicWall firewall that is doing SSL-DPI. Even though the SonicWall cert is loaded in the Authorities section of the Firefox cert store, we still get the error. How do I set the app.update.certs.1.issuerName pref, as mentioned above?


To access the preferences:
Type about:config into the URL bar and hit enter. Click on the I'll be Careful button. Then type app.update.certs.1.issuerName in the filter or search box. Then double-click the pref or right-click > Modify and fill in the new value. Then close Firefox to save the changes.

To add the other 2 preferences (app.update.certs.3.commonName & app.update.certs.3.issuerName) that are not there by default, right-click on one of the prefs inside the about:config window. Then choose New > String. Then fill in your custom values in the boxes that pop up for each preference. Make sure to close Firefox to save the changes.


Modified by NoahSUMO


For what it's worth, what finally got it working for me was to change app.update.cert.requireBuiltIn to false. So for all you SonicWall users out there that do SSL DPI, that's what you need to do.
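
An added example, not part of the thread and not Mozilla's code: a small Node.js audit that scans the text of a profile's prefs.js or user.js for the update-certificate prefs named in the replies above, so an administrator can see which profiles have had these checks changed. The sample file content, the placeholder values and the `kind` labels are assumptions made for the example.

```javascript
// Added example: report overrides of the Firefox update-certificate prefs
// discussed in this thread. Pref names are taken from the thread; the
// sample file content and the "kind" labels are constructed for illustration.

// Matches lines such as: user_pref("name", "value");  or  user_pref("name", false);
const PREF_LINE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
const CERT_ATTR = /^app\.update\.certs\.\d+\.(commonName|issuerName)$/;

// Parse the text of a prefs.js / user.js file into a Map of name -> value.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue; // comments, blank lines, anything that is not a pref
    let value;
    try { value = JSON.parse(m[2]); } catch { value = m[2]; } // keep raw text if not JSON-like
    prefs.set(m[1], value);
  }
  return prefs;
}

// Return one finding per pref that alters how update certificates are checked.
function auditUpdatePrefs(text) {
  const findings = [];
  for (const [name, value] of parsePrefs(text)) {
    if (name === "app.update.cert.requireBuiltIn" && value === false) {
      findings.push({ name, value, kind: "builtin-requirement-disabled" });
    } else if (CERT_ATTR.test(name)) {
      findings.push({ name, value, kind: "expected-cert-attribute-set" });
    }
  }
  return findings;
}

// Constructed sample user.js; host and issuer strings are placeholders.
const SAMPLE_USER_JS = `
// deployed by IT
user_pref("app.update.certs.3.commonName", "PLACEHOLDER-UPDATE-HOST");
user_pref("app.update.certs.3.issuerName", "CN=PLACEHOLDER Inspection CA");
user_pref("app.update.cert.requireBuiltIn", false);
user_pref("browser.startup.homepage", "about:blank");
`;

for (const f of auditUpdatePrefs(SAMPLE_USER_JS)) {
  console.log(`${f.kind}: ${f.name} = ${JSON.stringify(f.value)}`);
}
```

Findings of kind `builtin-requirement-disabled` deserve the closest look, since that setting is not tied to one specific inspection CA the way an `issuerName` entry is.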