Regis
Level 12

"Something is trying to trick Firefox into accepting an insecure update. Please contact your network provider and seek help."

Greetings all,

This error from Firefox has been a thorn in our side for quite some time. We do SSL inspection, which I assume is the source of the issue. I've added a lot of sites to SSL bypass, figuring this is a certificate pinning issue and that something Firefox is doing in its updates is crying foul here, but I'm still apparently missing something as this error persists in this environment.

...in the process of pasting the following, I found an errant space in the versioncheck-bg pattern (i.e. mozilla.org != mozilla. org) that I believe may be the reason this was still not fixed.... While I'm hopeful that finding this errant space in my URL pattern will solve my problem, I'm still curious to share notes with others on this one.

SSL Scanner

     URL matches in list SSL URL Bypass List  -> stop ruleset

SSL URL Bypass List

1  https://*.mozilla.org/update/*/update.xml
     Believed to be what causes the warnings for Mozilla updates. See about:config app.update. properties; aus3.mozilla.org is typical
2  https://versioncheck-bg.addons.mozilla.org/*
     Yeah, url.host faster, but let's keep all rules for mozilla in one place until we get this figured out
3  https://services.addons.mozilla.org/*
0 Kudos

Accepted Solutions
McAfee Employee

Re: "Something is trying to trick Firefox into accepting an insecure update. Please contact your network provider and seek help."

SSL bypasses for full URLs (as you have above) will not work because knowing the full URL implies that the SSL tunnel has already been broken.

The updates for Firefox, from my experience, have mainly come from mozilla.org, so it should suffice to bypass that top-level domain, as the application is hardcoded to trust only their top-level CA (not any other CA that may be in the trusted store).

Best,
jon

0 Kudos
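
The two failure modes in this thread (an errant space in a pattern, and a path in a rule that must be decided before decryption) can be caught by linting the bypass list. The following is an added example, not part of the original thread and not the gateway's own rule syntax or matching logic; the function names are hypothetical, and it assumes a `host/*` entry can be reduced to a host-only rule, which is product-specific.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The three patterns from the post; entry 2 carries a constructed errant space
# of the kind the poster describes finding.
BYPASS_LIST = [
    "https://*.mozilla.org/update/*/update.xml",
    "https://versioncheck-bg.addons.mozilla. org/*",
    "https://services.addons.mozilla.org/*",
]


def lint_entry(pattern):
    """Return (host_glob, problems) for one URL-style bypass pattern."""
    problems = []
    if any(ch.isspace() for ch in pattern):
        problems.append("whitespace inside pattern")
    parts = urlsplit("".join(pattern.split()))  # lint the de-spaced form
    if parts.path not in ("", "/", "/*"):
        problems.append("path is only visible after decryption")
    return parts.netloc.lower(), problems


def host_matches(sni_host, host_glob):
    """Match on the host name alone, which is all a proxy has before decrypting."""
    return fnmatchcase(sni_host.lower(), host_glob.lower())


def bypassed(sni_host, patterns, fix_whitespace=True):
    """True if any entry, reduced to its host part, covers sni_host."""
    for pattern in patterns:
        raw = "".join(pattern.split()) if fix_whitespace else pattern
        # Split by hand so an uncorrected space stays in the host glob.
        host_glob = raw.split("://", 1)[-1].split("/", 1)[0]
        if host_matches(sni_host, host_glob):
            return True
    return False


if __name__ == "__main__":
    for entry in BYPASS_LIST:
        print(entry, "->", lint_entry(entry))
    print("aus3.mozilla.org bypassed:", bypassed("aus3.mozilla.org", BYPASS_LIST))
```

Reducing entry 1 to its host part widens it from the update path to every host under mozilla.org, which is the trade-off the accepted answer accepts.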
Regis
Level 12

Re: "Something is trying to trick Firefox into accepting an insecure update. Please contact your network provider and seek help."

Great goggly moggley. That would explain a few things. My prior rule had 2 url.host rules that were probably working but I was trying to be a bit surgical with the *.mozilla.org rule to restrict it to update paths and the like... but, good point, won't work! Thanks much Jon. Wish I'd asked months ago.

0 Kudos