Търсене в помощните статии

Избягвайте измамите при поддръжката. Никога няма да ви помолим да се обадите или изпратите SMS на телефонен номер или да споделите лична информация. Моля, докладвайте подозрителна активност на "Докладване за злоупотреба".

Научете повече

Secure Connection Failed to google.com

  • 7 отговора
  • 27 имат този проблем
  • 1 изглед
  • Последен отговор от mattcamp

more options

FF ESR 52.2.0 Windows XP sp3

Today I changed the following two OCSP settings from False to True:

security.OCSP.GET.enabled;true security.OCSP.require;true

Since then I'm unable to go to google.com, get the error message:

"Secure Connection Failed

An error occurred during a connection to www.google.com. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR

   The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
   Please contact the website owners to inform them of this problem."

But, at the same time I have no problem loading any other major websites like DuckDuckgo, rt.com, cnn.com, etc.

So, could someone help me to figure out why Google is not secure for me?

I don't know if it makes any difference, the IP address of google.com when I ping it is 216.58.209.196

FF ESR 52.2.0 Windows XP sp3 Today I changed the following two OCSP settings from False to True: security.OCSP.GET.enabled;true security.OCSP.require;true Since then I'm unable to go to google.com, get the error message: "Secure Connection Failed An error occurred during a connection to www.google.com. The OCSP server experienced an internal error. Error code: SEC_ERROR_OCSP_SERVER_ERROR The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem." But, at the same time I have no problem loading any other major websites like DuckDuckgo, rt.com, cnn.com, etc. So, could someone help me to figure out why Google is not secure for me? I don't know if it makes any difference, the IP address of google.com when I ping it is 216.58.209.196

Избрано решение

The IP address you report belongs to Google, from the whois command.

I don't think the problem is about Firefox, but with Google settings.

Google might have setup their servers in a way to trigger a specific action if those settings you altered are configured that way, we cannot know.

My take on this, reasoning on what OSCP is as follows: OSCP is used for obtaining the revocation status of an X.509 digital certificate, but Google could use a PKI infrastructure and not implement OSCP security. It's not mandatory.

Прочетете този отговор в контекста 👍 6

Всички отговори (7)

more options

Избрано решение

The IP address you report belongs to Google, from the whois command.

I don't think the problem is about Firefox, but with Google settings.

Google might have setup their servers in a way to trigger a specific action if those settings you altered are configured that way, we cannot know.

My take on this, reasoning on what OSCP is as follows: OSCP is used for obtaining the revocation status of an X.509 digital certificate, but Google could use a PKI infrastructure and not implement OSCP security. It's not mandatory.

more options

mattcamp: Thanks for your answer, I knew, that it wasn't FF fault, but I posted my question here because FF gurus for sure know what these config elements do. Since I use Google a lot, I set this element "security.OCSP.require" to false, now I'm OK, just a bit disappointed.

I noticed, that there are 5 elements in FF config that deal with PKI, can you tell me what is the meaning of level 3 here:

security.pki.sha1_enforcement_level;3

and what other options are out there for this element?

more options

The fact is SHA1 hashing algorithm has proven to be insecure, because a collision is possible.

A collision is when an algorithm calculates the same hash value for two different files.

This should never happen, because each file should have a unique hash signature, so Mozilla banned SHA1n favor of more secure algorithms.

More details here.

The NSA, too, deprecated SHA1 for the same reasons.

more options

I see. So, by any chance do you know, that then how can anyone make sure, or trust the system that when you're using Google using FF, indeed you're communicating with a real Google server and not for e.g. a cuckoo's egg between you and a real Google server? Or we just have accept the familiar request "just trust us!"

more options

Hi, It's a complex matter. However, I want to remind you that the people who answer questions here, for the most part, are other Firefox users volunteering their time (like me), not Mozilla employees or Firefox developers.

If you want to leave feedback for Firefox developers, you can go to the Firefox Help menu and select Submit Feedback... or use this link. Your feedback gets collected by a team of people who read it and gather data about the most common issues.

more options

mattcamp: Thank you for patience and all your answers!

more options

You're very welcome.

I love to help, that's why I'm here.