Firefox 43.0.1 says google.com uses an invalid certificate and does not allow adding exceptions

certificate firefox

I assume Firefox developers did something wrong with the last release (43.0.1), since I get this error after installing updates:

This Connection is Untrusted


You have asked Firefox to connect securely to www.google.com, but we
can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted
identification to prove that you are going to the right place.
However, this site's identity can't be verified.

What Should I Do?

If you usually connect to this site without problems, this error could
mean that someone is trying to impersonate the site, and you shouldn't
continue.

This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox only connect to it securely. As a result, it is not possible
to add an exception for this certificate.
Get me out of there

Technical Details

www.google.com uses an invalid security certificate.

The certificate is not trusted because it was signed using a signature
algorithm that was disabled because that algorithm is not secure.

(Error code: sec_error_cert_signature_algorithm_disabled)

Screenshot of the problem.

I would like to emphasize that everything worked before the update. Also, right after the update, the new version screen advertised new and better security.

My question is "How do I fix this?" – unless I am actually trying to connect to a fake Google server. Is something wrong with my computer, so suddenly?

Best Answer

The immediate reason you are getting this error is because of this explanation.

In Bug 942515, we configured Firefox to reject SHA-1 certificates with a notBefore date after 2016-01-01. That appears to be causing some users with MitM software installed to be unable to access any HTTPS sites.

Firefox 43.0.4 fixes Bug 1236975 which that explanation is from.

It is important to point out that Google does not use SHA1 certificates, so if you are getting this error, it means you have a security product that is performing a man-in-the-middle attack on all your secure content in order to secure it.

If this is a personal machine, you should disable that security feature immediately. OEMs are also known to submit forged certificates in order to offer aftermarket services; in those cases, from those OEMs, they have been used to install signed malware because those OEMs can't do security properly.

Your inability to upgrade Firefox through the upgrade system was because Firefox was silently rejecting the connection for a similar reason: it was attempting to instantiate that connection using a similar forged certificate. In other words, while you have fixed the problem described in your question, you are still using the forged certificate, and thus you might as well be sending everything over plain text.

The easiest thing to do is to install the newest version of Firefox. You will need to do this manually, using an unaffected copy of Firefox or a different browser, since we only provide Firefox updates over HTTPS.

Man-in-the-Middle Interfering with Increased Security
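
The rule quoted in the answer, as an added example that is not part of the original post and is not Firefox's code: it reads the signature algorithm and notBefore from a DER-encoded certificate and flags SHA-1 certificates dated after the cutoff. The function names, the OID table and the sample certificate skeleton are constructed for illustration, and treating 2016-01-01 00:00 UTC as inclusive is an assumption.

```python
from datetime import datetime, timezone

# Signature-algorithm OIDs (DER content bytes) that rely on SHA-1.
SHA1_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
}
CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)  # assumption: inclusive boundary

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, raw):  # UTCTime (0x17) or GeneralizedTime (0x18)
    s = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years >= 50 mean 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_cert(der):
    """Return (sha1_algorithm_name_or_None, not_before, rejected_by_rule)."""
    _, cert, _ = read_tlv(der)              # Certificate SEQUENCE
    _, tbs, after_tbs = read_tlv(cert)      # tbsCertificate
    _, alg, _ = read_tlv(cert, after_tbs)   # outer signatureAlgorithm
    _, oid, _ = read_tlv(alg)               # its OBJECT IDENTIFIER
    tag, _, pos = read_tlv(tbs)
    if tag == 0xA0:                         # optional [0] version, then serialNumber
        _, _, pos = read_tlv(tbs, pos)
    for _ in range(2):                      # skip inner signature and issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    not_before = parse_time(*read_tlv(validity)[:2])
    name = SHA1_OIDS.get(oid)               # None when the signature is not SHA-1 based
    return name, not_before, bool(name) and not_before >= CUTOFF

def tlv(tag, body=b""):  # sample-building helper; short-form lengths only
    return bytes([tag, len(body)]) + body

def sample_cert(alg_oid_hex, not_before):  # constructed skeleton: dummy names, key, signature
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(alg_oid_hex)) + tlv(0x05))
    validity = tlv(0x30, tlv(0x17, not_before) + tlv(0x17, b"301231235959Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30) + validity + tlv(0x30) + tlv(0x30))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

To check what a host actually presents, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` to `inspect_cert`; a SHA-1 result for a site that does not use SHA-1 certificates indicates that something on the machine or network is re-signing the connection.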