avast ssl issues
I have read several support articles about avast not working with firefox. I had the same issues installing the latest firefox 43.0.1-2. The problem has been blamed on avast and requires you disable their SSL web piece. I believe this is actually a firefox issue and how it accesses certificates on the mac.
In the keychain access application I can see the Avast certificate is installed in the System group with some other custom certificates. Firefox does not see them, though; it only appears to see certificates in the SystemRoot group. Safari and Chrome both had no issue using the Avast certificate. I even installed Chrome fresh just to be sure.
See article http://www.techrepublic.com/blog/apple-in-the-enterprise/managing-ssl-certificate-authorities-on-os-x/. System is the recommended location for installing custom certificates.
Again this seems to be an issue with firefox and how it looks up certificates.
All Replies (8)
hi, firefox has always used its "own" certificate store on all platforms, so this is to be expected. since root certificates are an extremely sensitive area (which would allow an attacker to "take over" the secure web for affected trust stores), a little bit of "competition" and independent implementations are beneficial to the health of the web in my view. avast would have to insert its certificate into the firefox trusted root ca store for this to work without any issues like the error message you are seeing.
hmmm.. That would mean every unique certificate would have to be installed in every piece of software that doesn't trust the machine certificates. That sort of defeats the purpose of something like keychain on the mac. If you are protecting from the machine being infected, well, if my keystore is corrupt it's too late anyway.
I would have to say as a user that is unreasonable and very confusing for the majority of users. Given the amount of traffic on the net talking about the issue people would seem to agree. It would seem it should use the system keystore by default and allow for firefox to provide an additional option to use its custom keystore instead.
If nothing else there should be clear documentation which tells users how to move system specific certificates to the firefox keystore.
i was arguing less out of a perspective of individual security but the overall health of the web. there are intentions publicized every now and then by interested parties to be able to eavesdrop on encrypted communications if deemed necessary - certificate stores would be a tempting single point of failure for such a scenario, so it is good that there is an open sourced independent implementation out there as well (at least in my mind). in addition as firefox is a multi-platform product (windows, os x, linux), it would be more difficult to create a separate implementation for each platform or might be confusing as well if firefox behaved differently on each platform.
in general i would recommend disabling man-in-the-middling https scan features as the one avast is providing, since they are of dubious benefit as their implementation will often cause encrypted connections to be less secure: http://www.scmagazineuk.com/updated-kaspersky-leaves-users-open-to-freak-attack/article/411470/
Yes I do understand what Avast does could undermine my security. If they are going to replace the certificate they should be validating the original certificate. I understand that. I also understand why they are doing it. The implementation is certainly lacking.
Since this is happening on a work machine I have internal certificates installed as well which I would also have to move into firefox. They are legitimate in every way. I still have to manually add them to firefox or allow the exception. I don't agree putting this burden on the user is useful.
I do understand that firefox runs on multiple platforms. But I also don't agree its implementation should be platform agnostic. On the mac for example it should at least have the option to use the system keystore as all the other browsers I have used do. And from a user perspective the 98% case would not even know it was doing it unless they hit a problem. Easier does not mean right.
You can close the ticket. If I keep hitting these types of issues though I will probably move back to chrome. I had switched recently because of all the annoying things chrome has been doing lately with plugin support. Overall I do like the browser, so that would be a shame.
Avast usually sets up Firefox automatically to trust its signing certificate. Otherwise there would be thousands of posts about this instead of dozens. I don't know how you can trigger that to happen if it failed the first time; I think some users have reported that re-running the Avast installer will do the trick, but I can't remember whether that is for Windows only or Mac as well.
Corporate machine. Unfortunately I just can't rerun. I was lucky to be able to change the configuration from past experience with companies. I did look to see if there was anything in avast I could push. But didn't see anything. Firefox was acting buggy so I did a clean install and that's when the problem started.
Chosen solution
Have you shut down and restarted your Mac since then? Some AV programs may do the certificate insertion at startup.
ok. So I turned it back on and rebooted and it is working. I verified the Avast certificate is installed in firefox. I was pretty sure I rebooted before but maybe only after turning it off.
Well for future reference that worked. Thanks!