
Certificate Issues for Firefox 74.0 64bit



I'm still on 13.1.20 and ESET will not update any further tonight - will try again later tomorrow, or wait for April 6th & the new licence. Time will tell (at least I hope it will!).

56 minutes ago, itman said:

If "worse comes to worst," you can always switch to pre-release updates. Ver. 13.1.24 should then be available for update. Appears ver. 13.1.24 contains Internet protection module 1395.

 


  • Administrators
7 hours ago, SwartPerel said:

I'm still on 13.1.20 and ESET will not update any further tonight - will try again later tomorrow, or wait for April 6th & the new licence. Time will tell (at least I hope it will!).

 

The previous version was 13.1.16. Do you happen to know how you got 13.1.20 installed? Or you've made a typo?
What OS do you use?

Please provide logs collected with ESET Log Collector as well as export of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages.


No, it is not a typo! In fact this morning it has already updated 13.1.21.0

[Screenshot: ESET version]

Also: Internet protection module: 1388.1 (20200219)
And as itman mentioned, my Firefox version is also now ver. 74.0.1.

And yet:

[Screenshot: ESET not recognised by Mozilla]

So it appears it is a Mozilla/Firefox issue, not ESET after all.


19 minutes ago, SwartPerel said:

No, it is not a typo! In fact this morning it has already updated 13.1.21.0

[Screenshot: ESET version]

Also: Internet protection module: 1388.1 (20200219)
And as itman mentioned, my Firefox version is also now ver. 74.0.1.

And yet:

[Screenshot: ESET not recognised by Mozilla]

So it appears it is a Mozilla/Firefox issue, not ESET after all.

Your certificate is working fine. The message you're getting is expected. I got the new internet protection module after switching to pre-release module but my Eset certificate is still not working in Firefox.


4 hours ago, SeriousHoax said:

I got the new internet protection module after switching to pre-release module but my Eset certificate is still not working in Firefox.

I have a theory of what is going on here.

It manifests when multiple Eset root CA certificates exist in the Windows root CA certificate store. Eset's root CA certificate is signed with a private key. That key is stored somewhere in the directories Eset creates at installation time. Whatever Eset certificate FireFox is extracting from the multiple ones stored in the Windows root CA certificate store has a private key that does not match the one currently stored in the applicable Eset directory. Hence use of the certificate extracted is rejected by FireFox.

I would assume that the latest dated Eset root certificate in the Windows root CA certificate store is the one being used by the current Eset installation but there is no guarantee that is the case. Refer to the below screen shot:

1. Open Eset GUI and navigate to Web and Email settings.

2. Open SSL/TLS settings.

3. Under Root Certificate section, mouse click on "View certificate."

4. Mouse click on the Details tab.

5. Scroll down to a line named Thumbprint. Mouse click on it which will duplicate the value to the box below it. Copy that thumbprint value and save it somewhere.

6. Exit the Eset GUI.

[Screenshot: Eset certificate]

7. Enter certmgr.msc in Win 10 desktop Search bar.

8. Open certmgr. Then open Trusted Root Certification Authorities -> Certificates.

9. Now compare the prior saved Eset cert. thumbprint to the thumbprint of all Eset certificates shown.

10. When a match on thumbprint is found, keep that certificate and delete all the other Eset certificates present.

11. Exit certmgr.

At this point, FireFox should only access the remaining Eset root certificate in the Win root CA store and there should be no longer any private key issues with FireFox's use of that certificate.

Edited by itman
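
The thumbprint comparison in steps 7 to 10 of the post above can also be done from PowerShell. This is an added example, not part of the original post and not ESET tooling; the thumbprint is a placeholder to be replaced with the value copied in step 5, and the subject pattern assumes the "ESET SSL Filter CA" name quoted later in this thread.

```powershell
# Added example: read-only audit of ESET roots in the Windows root CA stores.
param(
    # PLACEHOLDER: paste the thumbprint copied from the ESET GUI in step 5.
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-ESET-GUI>',
    # Assumption: the root's subject contains the name quoted in the thread.
    [string]$SubjectPattern = '*ESET SSL Filter CA*'
)

function ConvertTo-NormalizedThumbprint([string]$Value) {
    # Values copied from the certificate dialog can carry spaces and an
    # invisible left-to-right mark; keep only the hex digits, upper-cased.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$expected = ConvertTo-NormalizedThumbprint $ExpectedThumbprint
if ($expected.Length -ne 40) {
    throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$ExpectedThumbprint'."
}

# The current-user view can repeat entries inherited from the machine store,
# so the same thumbprint may be listed once per store.
$report = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
                InUse      = ($_.Thumbprint -eq $expected)
                Path       = $_.PSPath
            }
        }
}

$report | Sort-Object Store, NotBefore |
    Format-Table Store, Thumbprint, NotBefore, NotAfter, InUse -AutoSize

if (-not ($report | Where-Object InUse)) {
    Write-Warning 'No root in the Windows store matches the thumbprint shown by ESET.'
}

# Step 10 as a dry run: -WhatIf only prints what would be removed.
$report | Where-Object { -not $_.InUse } |
    ForEach-Object { Remove-Item -LiteralPath $_.Path -WhatIf }
```

Reading the machine store needs no elevation; actually removing a stale entry from it does, and only after dropping `-WhatIf`.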

No change, itman. I had, rather sneakily, deleted the old ESET certificates from the Trusted Root Certification Authorities -> Certificates, and when I checked in ESET and compared it with the one left in the store, they both have the same expiry dates and thumbprint. And the ESET certificate is still not recognised by Mozilla. Perhaps ESET should have a chat with Mozilla, since although all seems to be working properly, it would be preferable to have a certificate which is recognised by Mozilla.

As far as I'm concerned, at least I am not alone in this, but unless anyone knows a registry hack/work-around, it is, for me, end of the story.

Many thanks for your input, itman, Marcos & SeriousHoax


12 minutes ago, SwartPerel said:

And the ESET certificate is still not recognised by Mozilla. Perhaps ESET should have a chat with Mozilla, since although all seems to be working properly, it would be preferable to have a certificate which is recognised by Mozilla.

Based on the screenshot you posted here: https://forum.eset.com/topic/23125-certificate-issues-for-firefox-740-64bit/?do=findComment&comment=111963 and per @SeriousHoax previous reply to you, Eset's cert. is being used by FireFox w/o issue. So I really don't know what leads you to believe it is not.


17 minutes ago, SwartPerel said:

If there are no issues, surely Mozilla would state that this certificate issuer is a trusted issuer. <shrug>.

This is the standard display from Firefox when a third-party root certificate is being used. It has always been displayed as such. You probably just never checked the HTTPS certificate status previously.

-EDIT- The message display is slightly different now that FireFox is now deferring to the Win root CA store; i.e. security.enterprise_roots.enabled.

Edited by itman

1 hour ago, itman said:

I have a theory of what is going on here.

It manifests when multiple Eset root CA certificates exist in the Windows root CA certificate store. Eset's root CA certificate is signed with a private key. That key is stored somewhere in the directories Eset creates at installation time. Whatever Eset certificate FireFox is extracting from the multiple ones stored in the Windows root CA certificate store has a private key that does not match the one currently stored in the applicable Eset directory. Hence use of the certificate extracted is rejected by FireFox.

I would assume that the latest dated Eset root certificate in the Windows root CA certificate store is the one being used by the current Eset installation but there is no guarantee that is the case. Refer to the below screen shot:

1. Open Eset GUI and navigate to Web and Email settings.

2. Open SSL/TLS settings.

3. Under Root Certificate section, mouse click on "View certificate."

4. Mouse click on the Details tab.

5. Scroll down to a line named Thumbprint. Mouse click on it which will duplicate the value to the box below it. Copy that thumbprint value and save it somewhere.

6. Exit the Eset GUI.

[Screenshot: Eset certificate]

7. Enter certmgr.msc in Win 10 desktop Search bar.

8. Open certmgr. Then open Trusted Root Certification Authorities -> Certificates.

9. Now compare the prior saved Eset cert. thumbprint to the thumbprint of all Eset certificates shown.

10. When a match on thumbprint is found, keep that certificate and delete all the other Eset certificates present.

11. Exit certmgr.

At this point, FireFox should only access the remaining Eset root certificate in the Win root CA store and there should be no longer any private key issues with FireFox's use of that certificate.

I actually checked that already. I had only one certificate in the trusted authority and it was also the same one but for some reason it was still not working. But anyway I fixed it by manually deleting it from the windows store, restarted the system, a new certificate has been created by Eset automatically and now everything is working fine. Thanks :)


Just now, SeriousHoax said:

But anyway I fixed it by manually deleting it from the windows store, restarted the system, a new certificate has been created by Eset automatically and now everything is working fine.

Interesting. Appears the Eset cert. in the Win root CA store got corrupted somehow. Never seen that one before.

However, there are malware that have been known to deploy certmgr.msc; e.g. https://thehackernews.com/2018/07/cryptocurrency-mining-ransomware.html . Maybe something escaped your VM with all the malware testing you do?😬


The above malware reference also brings up the issue if this move by FireFox/Eset to defer to the Win root CA store is the most secure thing to do?


20 minutes ago, itman said:

Interesting. Appears the Eset cert. in the Win root CA store got corrupted somehow. Never seen that one before.

However, there are malware that have been known to deploy certmgr.msc; e.g. https://thehackernews.com/2018/07/cryptocurrency-mining-ransomware.html . Maybe something escaped your VM with all the malware testing you do?😬

Haha no it wasn't malware testing related. This is a new installation of Windows. Maybe some sort of problem occurred after the installation of Eset. The link you shared is interesting. Malware installing fake certificate to make itself trusted.


9 minutes ago, itman said:

The above malware reference also brings up the issue if this move by FireFox/Eset to defer to the Win root CA store is the most secure thing to do?

This is Firefox's decision, I think. They got tired of issues reported by the users about the certificate error thing. Most of the issues were reported by Avast and Kaspersky users. Firefox's way was definitely safer. It maintains its own store and didn't use the Windows certificate store before they decided to change that partially, to make it easy for average users, I guess. Average users wouldn't know how to manually import a certificate to Firefox. But I like the way Firefox still shows that it doesn't trust the certificate.


1 hour ago, SeriousHoax said:

The link you shared is interesting. Malware installing fake certificate to make itself trusted

Sadly, this issue isn't restricted to fake certs.. Legit certs. have been stolen. The attackers then proceed to sign their malware code with them. In a couple recent incidents, stolen/misappropriated driver certs. were used. Now you can't get better than that. Win 8.1/10 Secure boot will protect you here but you need to have the hardware to support it.

Bottom line - anyone in "the security know" will flat out state the whole certificate concept is completely broken. But that's a topic for wilderssecurity.com or malwaretips.com posting and discussion.

Edited by itman

2 hours ago, itman said:

Sadly, this issue isn't restricted to fake certs.. Legit certs. have been stolen. The attackers then proceed to sign their malware code with them. In a couple recent incidents, stolen/misappropriated driver certs. were used. Now you can't get better than that. Win 8.1/10 Secure boot will protect you here but you need to have the hardware to support it.

Bottom line - anyone in "the security know" will flat out state the whole certificate concept is completely broken. But that's a topic for wilderssecurity.com or malwaretips.com posting and discussion.

Hmm right. This is up to Microsoft.


Hi,

I'm having the same issues with a brand new install of ESET Internet Security and Firefox 74.0.1 on Windows 10. ESET doesn't seem to be properly scanning ssl/https connections on Firefox (I tested an eicar file through https and ESET detected it through http and on Chrome and Edge but did not detect it through https on Firefox). There is no ESET cert located in the Authorities section of my Firefox install but there is an ESET cert located in my Windows Cert Store. When browsing with Firefox I don't see any ESET related certifications but on Chrome and Edge I see the normal "ESET SSL Filter CA". I have the Internet Module 1395.

Edited by hardwired

  • Administrators

It's ok that you don't see the ESET root CA in the Firefox trusted certificate store.

Do you have security.enterprise_roots.enabled set to true in Firefox?


4 hours ago, Marcos said:

It's ok that you don't see the ESET root CA in the Firefox trusted certificate store.

Do you have security.enterprise_roots.enabled set to true in Firefox?


Hi Marcos, thank you for your help. I just checked and I do see that option enabled on my Firefox install. How come I am not seeing the "Verified by ESET" or any mention of ESET when browsing with https on Firefox? I'm trying to verify if ssl filtering is working properly between ESET and Firefox.


  • Administrators
13 minutes ago, hardwired said:

Hi Marcos, thank you for your help. I just checked and I do see that option enabled on my Firefox install. How come I am not seeing the "Verified by ESET" or any mention of ESET when browsing with https on Firefox? I'm trying to verify if ssl filtering is working properly between ESET and Firefox.

Do you see ESET's certificate when you open https://tls-v1-2.badssl.com:1012/?


2 hours ago, Marcos said:

Please provide logs collected with ESET Log Collector.

Hi, I have added the log files.

-edit- I'm now going to try a clean install of Windows 10 Pro and see if that works, will report back.

 

eis_logs.zip

Edited by hardwired

This topic is now closed to further replies.