SSL certificate authority issue (Firefox or ESET's issues or both?)

[cmit 2]

Is this Firefox's issue or ESET's or both? (or our own issue?)
I believe my case is not related to this anymore (https://www.ghacks.net/2019/02/01/mozilla-halts-firefox-65-distribution-on-windows/) because the error message no longer says SEC_ERROR_UNKNOWN_ISSUER after Mozilla released fixed update.

Cannot say if this is affecting all our domain users but most of our users still having the "SSL_ERROR_BAD_CERT_ALERT" without any options to select.
The ONLY proper solution is to delete the ESET certificate authority from Firefox -> restart the computer (not log off) -> then will be able to access websites right away.
If not right away, at least Firefox would shows "Warning: Potential Security Risk Ahead" to allow user to have the "Accept the Risk and Continue" button to click.
We had to repeat this "solution" on every domain user of the same computer.
(i.e. if there are 5 different Windows user accounts use the same computer, had to restart this same computer 5 times. Waste of time.)

This issue also happening on brand new computer with fresh latest Firefox installed.

 

 

ESET tech support had suggested as follows:
- temporarily disable the policy
- on a client disable SSL/TLS filtering and make sure the error doesn't occur
- reboot the machine
- without launching any applications, re-enable SSL/TLS filtering
- wait ~2-3 seconds, then launch a browser and open an https website

But this solution did not work. I even clean-uninstalled and re-installed my ESET EndPoint AntiVirus.

Any ultimate proper suggestion/solutions?
I have already collected and submitted the ESET logs (collector) but nobody from ESET has detailed explanation but simply suggested a work around.
At least we need to know is this ESET's or Mozilla's issues or both or is this something else just never ends?

 

Edited May 8, 2019 by cmit
more info

[cmit 2]

Same issues still happening often on multiple domain users (some from same computers but logged in with different Windows accounts).
The suggested solutions in this link (https://support.eset.com/kb5833/?locale=en_US&viewlocale=en_US) also wastes time for system administrators.

These two additional options ("SSL/TLS protocol filtering mode" and "List of SSL/TLS filtered applications") are just temporarily workarounds and not really working in all four scan actions (auto, scan, ignore, ask) we tested.
Putting Internet Explorer, Firefox, Chrome into the excluded application from SSL/TLS scanning contradicts with what's mentioned about the "risk of disabling SSL/TLS protocol filtering".

If nobody from ESET can confirm if this is Firefox's issue (or Chrome or IE) or ESET's or our own issue, then two "ultimate" solutions can think of:
1. set an ESET policy to just disable SSL/TLS protocol filtering for all domain computers.
2. totally uninstall ESET and look for other antivirus alternatives.

 

This is probably the moment somebody from ESET gonna ask for log collectors again on our computers (mostly at different location) and still might not have a conclusion.

I have enabled the full diagnostics on a test computer but only can see the SysInspector.
Log Collectors and Diagnostic logs are empty even after requested and turned ON.
(Talked to two people from ESET Business Support chat but in my option they lack experiences about this part and just sent a few ESET Online Help links for customers to read without a full solution/explanation about these issues.)

 

What's the purpose of using ESMC to check domain computers convenient if there's file size limit for log collector?
(https://help.eset.com/esmc_admin/70/en-US/client_tasks_diagnostics.html)

Edited May 11, 2019 by cmit
add more info

[Marcos 5,074]

Do you get notifications about untrusted certificate when you open https://badssl.com/dashboard/  ?

[cmit 2]

7 minutes ago, Marcos said:

Do you get notifications about untrusted certificate when you open https://badssl.com/dashboard/  ?

Tested on three computers, these is what I saw on Firefox, Chrome, Edge, IE.

[itman 1,659]

35 minutes ago, Marcos said:

Do you get notifications about untrusted certificate when you open https://badssl.com/dashboard/  ? 

Passed all the tests except for SHA-1 Intermediate of which IE11 shows a few including Microsoft's. What about a Comodo code signing cert? Should I get rid of that one?

[itman 1,659]

17 minutes ago, cmit said:

Tested on three computers, these is what I saw on Firefox, Chrome, Edge, IE.

Did Eset certificate alert display for each test?

[cmit 2]

12 minutes ago, itman said:

Did Eset certificate alert display for each test?

No.
But I noticed one of the computers that just had a fresh latest Firefox installed does not have ESET certificate exist when I went to this Firefox's Certificate Manager (still no ESET certificate in this Firefox after computer restart).
Basically, as long as the ESET certificate is not within the web browser, all these issues go away, but loses the meaning and purpose of the "https everywhere".

Edited May 11, 2019 by cmit

[cmit 2]

1 hour ago, itman said:

Passed all the tests except for SHA-1 Intermediate of which IE11 shows a few including Microsoft's. What about a Comodo code signing cert? Should I get rid of that one?

What do you mean getting rid of Comodo code signing cert?
If you remove it from your browser, doesn't that put your web browser at risk of your antivirus not protecting the browser? (same purpose of enabling ESET SSL/TLS protocol filtering)

Edited May 11, 2019 by cmit

[Marcos 5,074]

Did you get warnings like this?

 

Are both these eicar files detected upon download?

https://secure.eicar.org/eicar_com.zip
http://www.eicar.org/download/eicar_com.zip

If ESET's root certificate is not listed in Mozilla's trusted root CA certificate list, do the following:
- disable SSL filtering
- reboot the machine
- without launching any application, re-enable SSL filtering.

[cmit 2]

39 minutes ago, Marcos said:

Did you get warnings like this? 

No, no ESET warning at all on three computers tested (Firefox and Chrome) when going to https://badssl.com/dashboard/
 

 

41 minutes ago, Marcos said:

Are both these eicar files detected upon download?

https://secure.eicar.org/eicar_com.zip
hxxp://www.eicar.org/download/eicar_com.zip

Yes on all Chrome and Firefox that has ESET certificate installed.

 

 

53 minutes ago, Marcos said:

If ESET's root certificate is not listed in Mozilla's trusted root CA certificate list, do the following:
- disable SSL filtering
- reboot the machine
- without launching any application, re-enable SSL filtering.

This method did not work on that 1 of 3 test computers' Firefox newly installed. But this computer's Chrome already has ESET certificate and did detect both the eicar_com.zip files.

[itman 1,659]

22 minutes ago, cmit said:

No, no ESET warning at all on three computers tested (Firefox and Chrome) when going to https://badssl.com/dashboard/

That is very strange indeed. Especially since Eset's root CA certificate is installed in Chrome's corresponding root CA store. Obviously, something blocked the connections since you passed all the tests; i.e. "cannot connect." Did you get any other alerts from the browser's themselves about an untrusted certificate when the test was running?

Edited May 11, 2019 by itman

[cmit 2]

2 minutes ago, itman said:

That is very strange indeed. Especially that Eset's root CA certificate is installed in Chrome's corresponding root CA store. Obviously, something blocked the connections since you passed all the tests; i.e. "cannot connect." Did you get any other alerts from the browser's themselves about an untrusted certificate when the test was running?

Are you talking about alerts from ESET or from this baddssl.com website?
No alerts from ESET.
But has a few red connected results on Firefox and Chrome.

Are all the badssl.com's "Not Secure" result supposed to be all green (cannot connect)?

[itman 1,659]

4 minutes ago, cmit said:

Are you talking about alerts from ESET or from this baddssl.com website?

Browser alerts when the baddssl.com test was running. You already stated you didn't receive any eset alerts.

Edited May 11, 2019 by itman

[cmit 2]

2 minutes ago, itman said:

Browser alerts when the baddssl.com test was running. You already stated you didn't receive any eset alerts.

@itman
"Browser alerts" from ESET when the badssl.com test was running? No.
This is why I asked Are all the badssl.com's "Not Secure" result supposed to be all green (cannot connect) since you said I "passed all the tests; i.e. "cannot connect." "

[itman 1,659]

Now I know what is going on with the https://badssl.com/dashboard/ test. I disabled Eset's SSl/TLS protocol scanning and passed all the tests using IE11; including the SHA-1 test I failed when SSl/TLS protocol was enabled. So Eset has a problem there.

Bottom line - the only alerts you should receive from this test are Eset alerts. This test was set up primarily to test that AV's that perform SSL/TLS protocol scanning, do it correctly.

Edited May 11, 2019 by itman

[cmit 2]

4 minutes ago, itman said:

So Eset has a problem there.

Thank you @itman

 

@Marcos ESET guru guys please fix ESET about this certificate nightmare. Thanks.

Edited May 11, 2019 by cmit

[itman 1,659]

8 minutes ago, cmit said:

This is why I asked Are all the badssl.com's "Not Secure" result supposed to be all green (cannot connect)

Yes. Or, the result shows "OK." Anything highlighted in red Is a failure.

Edited May 11, 2019 by itman

[itman 1,659]

I also suspect your issue has something to do with the domain controller environment.  What it could be I have no clue since I am not familiar with Eset's File Server or ERA; don't know what you use.

[cmit 2]

7 minutes ago, itman said:

I also suspect your issue has something to do with the domain controller environment.  What it could be I have no clue since I am not familiar with Eset's File Server or ERA; don't know what you use.

My main domain controller server has ESET File Security running. Could this be a suspected issue?

Edited May 11, 2019 by cmit

[itman 1,659]

1 minute ago, cmit said:

My main domain controller server has ESET File Security running. Could this be a suspected issue?

You will have to wait till @Marcos or someone else from Eset comments on this.

[cmit 2]

2 minutes ago, itman said:

You will have to wait till @Marcos or someone else from Eset comments on this.

The server that has our ESET Security Management Center running also has ESET File Security running.

[itman 1,659]

BTW - did you open an Eset support ticket on this? I don't know if this is solvable via forum replies.

[cmit 2]

12 minutes ago, itman said:

BTW - did you open an Eset support ticket on this? I don't know if this is solvable via forum replies.

Yes about 2 months ago but got to nowhere.
Created another ticket today. Will probably get another reply with general questions from Tier 1 ESET Support after 2+ days (1 day if lucky, usually the ESET Standard Business email support's reply is slow in my experiences so far).

[itman 1,659]

I have a theory about something.

You stated that when you ran the https://badssl.com/dashboard/ test using IE11, you did not get any Eset alerts. On the device you did the testing using IE11, run certmgr.msc. Open the Trusted Root Certification Authorities folder.  Open the Certificates folder. Navigate to the Eset SSL Filter CA certificate and open it. If the certificate doesn't exist, we have found the problem. If the certificate exists, does it show that it has been revoked, is expired, or untrusted?

If the Eset root CA certificate exists and in a valid status and/or does not exist, this mitigation if implemented, might be factor:

Quote

Windows Group Policy can be used to manage root certificates and the Flags value of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. ^[4]

https://attack.mitre.org/techniques/T1130/

Edited May 11, 2019 by itman

[cmit 2]

1 hour ago, itman said:

I have a theory about something.

You stated that when you ran the https://badssl.com/dashboard/ test using IE11, you did not get any Eset alerts. On the device you did the testing using IE11, run certmgr.msc. Open the Trusted Root Certification Authorities folder.  Open the Certificates folder. Navigate to the Eset SSL Filter CA certificate and open it. If the certificate doesn't exist, we have found the problem. If the certificate exists, does it show that it has been revoked, is expired, or untrusted?

 

Screenshots below what from three test computers I tested:

 

Quote

why is the last certificate shown with a valid from date of today?

I have no idea. Maybe (don't quite remember) I have deleted the ESET certificate authority from Firefox -> reboot computer.

------------------------------------------------------------------------------------

@itman  sry don't quite understand what you mean"If the Eset root CA certificate exists and in a valid status and/or does not exist ".
My ESET root CA certificates do exist and are in a valid status but what does then "and/or does not exist" mean?

------------------------------------------------------------------------------------

 

Now testing on a 4th computer.
When using Firefox to connect to my test router, Firefox shows this

But when using IE11, the test router's login page (in https) shows up fine.
The certmgr.msc does show valid ESET certificate on this 4th computer as well.
This 4th test computer also does not show ESET alert on Firefox and IE when going to badssl.com/dashboard (shows the red sha1-intermediate and dh1024 connected).

 

Edited May 11, 2019 by cmit
more info