
https security error: Connection verified by a certificate issuer that is not recognized by Mozilla


more options

Hello, I am running Firefox on a W10-Pro PC. I always click the lock to check certificate validation. In the last month I keep seeing "Connection verified by a certificate issuer that is not recognized by Mozilla".

When I click for more information I see that "Norton Web/Mail Shield" does not recognize the certificate issuer. When I click on Learn More it takes me to a Firefox site "How to disable the Enterprise Roots preference". I also checked W10 certmgr.msc and I see Norton is listed. Images included below. I would love to resolve this issue. Thank you for your time.


All Replies (11)

more options

Firefox/Mozilla doesn't certify a certificate that is done by another organization, and if the certificate is invalid or out of date then it's up to the one owning the certificate to update it to allow access with the certificate to be used. And Norton also gave you the same error message, so this isn't a Firefox issue.

Helpful?

more options

Mark, thank you for the reply. Unfortunately, your reply does not help me solve my issue. I did not include anything that says Norton gave me the same error message. As far as I can tell a Norton certificate (whose date appears valid) is in the W10-Pro Trusted certificate list as well as within the Firefox certificate list. Currently I am not trusting (using) Firefox with any accounts that require passwords.

Helpful?

more options

If not Norton - Firefox isn't issuing the certificate; it verifies that it's up to date and matches the certification that should be for the site or whoever is issuing it, and if it fails then the browser will protect itself from malicious certificates. So you should ask the site that uses it to do their proper checks.

Helpful?

more options

My apologies, but I still don't understand your response.

I open a URL with Firefox in protected mode, the page opens and I click on the lock icon, I check that the connection is secure and who it is verified by. If I'm happy with the verifier I continue.

Over the last couple of weeks it's almost always Norton that is the verifier. Click on the lock, Firefox responds with three lines of text. It tells me "You are securely connected to this site". Next line: Verified by: Norton Web/Mail Shield. In the next line Firefox says: Mozilla does not recognize this certificate issuer. It may have been added from your OS or by an administrator.

The certificate managers for Microsoft W10-Pro and Firefox both show Norton Web/Mail Shield Root with a date 1/1/2010 - 1/1/2040.

So my dilemma is: why does Firefox permit me access to the URL when it has no recognition of the certificate issuer?

This morning, using Firefox I opened several URLs and every one was certified by Norton. I moved to Microsoft Edge and opened the same URLs and got a variety of certifiers, none were Norton.

Helpful?

more options

Some sites permit access but it does say use at your own risk. Without a URL of the problem site no one will know why it's doing that. How Norton verifies, that's Norton, not Firefox.

Helpful?

more options

Your Firefox is configured to trust Norton web shield as a certificate issuer. This is standard for security software that filters your web browsing. Here's why: if the traffic is encrypted between Firefox and the web server, Norton -- which runs outside of Firefox -- can't read it and therefore can't block or clean it. In order to work as a filter, Norton sets up as a "man in the middle" and there are two separate encrypted connections: one between Firefox and the filter, and one between the filter and the web server.

Now normally Firefox will refuse to connect when there is a man in the middle because the fake site certificate can't be validated up to a trusted authority certificate. That's why the browser needs to be set to trust Norton web shield as an issuer of fake website certificates. There are two methods for that:

(1) import an Authority certificate into Firefox (your fourth screenshot) or

(2) set Firefox to use the Windows certificate store ("Enterprise roots"), which apparently is easier for security software to update

Hopefully that clarifies the situation. Next is what to do about it. What is your preference?

(A) You want your Norton software to continue filtering your browsing

In this case, there really isn't anything to change.

(B) You want Firefox to bypass Norton and connect to HTTPS addresses directly

I think you would go into the Norton web shield settings and tell it not to intercept Firefox traffic, or not to intercept HTTPS/secure traffic from Firefox, but I haven't researched what Norton's settings look like.

Helpful?

more options

Hi jscher2000, Thank you for your response. I get the idea as to how things should work.

1). This all started less than a month ago. No new browsers, no new Norton...
2). Norton always asks if I want to install their protection into the browsers I use. I always refuse those requests.
3). In the last week no matter what URL I open the lock shows "Norton Web/Mail Shield Root".
4). Microsoft Edge shows many different certifiers and occasionally "Norton Web/Mail Shield Root".

Why do you say Firefox is configured to trust Norton web shield as a certificate issuer when Firefox states "Mozilla does not recognize this certificate issuer"? There is a disconnect here. I've lost my trust in Firefox.

I do not want to bypass certification in any way.

Does Mozilla support monitor this forum?

Helpful?

more options

Hello again, I just looked at Firefox Certificate Manager (under Privacy/Security). Might this have something to do with my problem? Photo included.

All the entries within the Certificate manager "Security Device" column say "Builtin Object Token" except Norton Web/Mail Shield Root which says "Software Security Device". Thank you.

Helpful?

more options

Yes, that is the Norton root certificate that Firefox has imported from the Windows certificate store and that is needed to prevent a SEC_ERROR_UNKNOWN_ISSUER error. This is discussed in this support article.

Helpful?

more options

I hope everyone had a wonderful Thanksgiving.

I've noticed that the "Norton Web/Mail Shield Root" certificate is now showing up on more Microsoft Edge browser checks of the Lock certification.

In looking at the Firefox Certificate Manager I see that Norton Web/Mail Shield Root is the only certificate under Authorities that is "Software Security Device". See attached jpeg. All the remaining ones say Builtin Object Token.

What is a Builtin Object vs. Software Security Device? Thank you.

Helpful?

more options

Built-in root certificates are added by Mozilla and have been approved following a lengthy process, whereas a certificate designated as "Software Security Device" is imported and you need to trust the issuer, and it can pose a risk, especially if its trust bits are set to make it work as a root certificate. You can click the Edit button to see whether trust bits are set for a "Software Security Device" certificate. Firefox only sees the certificate sent by the software that generated the fake website certificate and not the original certificate sent by the website.

Helpful?
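Added example, not part of any post in this thread: a small Python check that reports whether the certificate a machine receives for a site was issued by a locally added root (the filter in the middle described above) or by some other issuer. The verdict labels, the sample certificates and their field values are constructed for illustration; whether a given filter also intercepts traffic from a Python process is an assumption to verify against what the browser's lock icon shows.

```python
import socket
import ssl

# Assumption: names of locally added roots, i.e. the entries Firefox lists as
# "Software Security Device"; the two names below are the ones from this thread.
LOCAL_ROOT_NAMES = {"Norton Web/Mail Shield", "Norton Web/Mail Shield Root"}


def issuer_fields(cert):
    """Flatten the nested RDN tuples of getpeercert()['issuer'] into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert, local_roots=LOCAL_ROOT_NAMES):
    """Return (verdict, issuer_name) for one getpeercert() dictionary."""
    fields = issuer_fields(cert)
    names = {fields.get("commonName"), fields.get("organizationName")} - {None}
    hit = names & set(local_roots)
    if hit:
        return "locally-added-root", sorted(hit)[0]
    label = fields.get("organizationName") or fields.get("commonName") or "unknown"
    return "other-issuer", label


def fetch_peercert(host, port=443, timeout=5):
    """Live check: return the certificate this machine actually receives."""
    ctx = ssl.create_default_context()  # on Windows this also loads the OS root store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns (not captured data).
SAMPLE_FILTERED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Norton Web/Mail Shield"),),
               (("commonName", "Norton Web/Mail Shield Root"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
}

if __name__ == "__main__":
    for name, cert in (("filtered", SAMPLE_FILTERED), ("direct", SAMPLE_DIRECT)):
        print(name, classify(cert))
```

For a live check, pass the result of `fetch_peercert("hostname")` to `classify` and compare the issuer with what the same site shows from a network or device without the filter.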
