Mozilla サポートの検索

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

詳しく学ぶ

このスレッドはアーカイブに保管されました。 必要であれば新たに質問してください。

"Something is trying to trick Firefox into accepting an insecure update. Please contact your network provider and seek help."

  • 6 件の返信
  • 14 人がこの問題に困っています
  • 92 回表示
  • 最後の返信者: grodech

more options

This message appears in regular intervals. I think it is intended to prevent Man-in-the-middle-attacks that want to foist you a rogue Firefox update.

In my company the "Microsoft Forefront Threat Management Gateway" with HTTPS inspection is used. This HTTPS inspection is done by installing a local (company-controlled) Certification Authority in the browser on the users computer and then performing a de/encryption of the SSL-stream on the proxy server.

But as Firefox not only verifies the certificate of the update server, but also the Issuer of the certificate, the update is rejected because of a possible Man-In-The-Middle-attack. In case of the "Microsoft Forefront TMG" this is an intended MITM-attack ...

Is there any possibility to change the expected certificate chain of the update server in Mozilla Firefox?

This message appears in regular intervals. I think it is intended to prevent Man-in-the-middle-attacks that want to foist you a rogue Firefox update. In my company the "Microsoft Forefront Threat Management Gateway" with HTTPS inspection is used. This HTTPS inspection is done by installing a local (company-controlled) Certification Authority in the browser on the users computer and then performing a de/encryption of the SSL-stream on the proxy server. But as Firefox not only verifies the certificate of the update server, but also the Issuer of the certificate, the update is rejected because of a possible Man-In-The-Middle-attack. In case of the "Microsoft Forefront TMG" this is an intended MITM-attack ... Is there any possibility to change the expected certificate chain of the update server in Mozilla Firefox?

この投稿は mogra により に変更されました

選ばれた解決策

As a quick fix you can change the pref app.update.certs.1.issuerName to the value used by your MITM box. Or maybe better, add new prefs app.update.certs.3.commonName and app.update.certs.3.issuerName with appropriate values. These two prefs could be passed along to other folks at your organization as a user.js file perhaps, or a restartless add-on.

Not a user-friendly solution, but should get you going again.

この回答をすべて読む 👍 2

すべての返信 (6)

more options

This can happen if you still have leftover files from an older Firefox version in the Firefox program folder (C:\Program Files\Mozilla Firefox\defaults\pref)
There should only be a channel-prefs.js file in that defaults\pref folder.

See also:

more options

cor-el, thanks for your reply. But actually, as described above, this is not my problem. Firefox correctly displays the warning, as there is a Man-in-the-middle-attack when performing the update - although an intended one (Microsoft Forefront TMG performing HTTPS-inspection).

My question was: "How can I change the expected certificate attributes of the update server?" I want to accept the Firefox update that is correctly served by the Mozilla update server via the Microsoft proxy.

more options

選ばれた解決策

As a quick fix you can change the pref app.update.certs.1.issuerName to the value used by your MITM box. Or maybe better, add new prefs app.update.certs.3.commonName and app.update.certs.3.issuerName with appropriate values. These two prefs could be passed along to other folks at your organization as a user.js file perhaps, or a restartless add-on.

Not a user-friendly solution, but should get you going again.

この投稿は dveditz により に変更されました

more options

We're having this issue with newer versions of Firefox (10+) that connect through our SonicWall firewall that is doing SSL-DPI. Even though the Sonicwall cert is loaded in the Authorities section of the Firefox cert store, we still get the error. How do I set the app.update.certs.1.issuerName pref, as mentioned above?

more options

To access the preferences:
Type about:config into the url bar and hit enter. Click on the I'll be Careful button. Then type app.update.certs.1.issuerName in the filter or search box. Then double-click the pref or right-click > Modify and fill in the new value. Then close Firefox to save the changes.

To add the other 2 preferences (app.update.certs.3.commonName & app.update.certs.3.issuerName) that are not there by default, right-click on one of the prefs inside the the about:config window. Then choose New > String. Then fill in your custom values in the boxes that pop up for each preference. Make sure to close Firefox to save the changes.

Example screenshot:

この投稿は NoahSUMO により に変更されました

more options

For what it's worth, what finally got it working for me was to change app.update.cert.requireBuiltIn to false. So for all you SonicWall users out there that do SSL DPI, that's what you need to do.