Solved

certificate exceptions

Posted on 2014-09-16
4
124 Views
Last Modified: 2014-10-16
Not sure if I am explaining this correctly.  I am the middle man.  Going to a website with firefox and it comes up with a certificate that needs to be added for this website.  I add the exception/certificate and it works until the next time I go in there or go to another area of the website.  Then it asks again.  Any ideas?
0
Comment
Question by:mkramer777
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40326369
Depends which mitm solution you are using, but usually you have to add the issuing CA cert from the appliance into the root store of firefox; the solutions usually push that for IE with group policy,  but firefox has its own keystore (options> advanced)
0
 

Author Comment

by:mkramer777
ID: 40326422
Not sure what mitm is?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40327344
mitm=man in the middle... that was not what you meant by calling yourself a "middle man", I assume.
Please describe how you store the exception in firefox and, if possible, name the website and firefox version.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40327463
I may have misunderstood.

  MitM is a specific term in networking (and in cryptography, but we can put that aside for now) - It is commonly met where you have a DLP appliance (such as Cisco Ironport) that acts as a proxy for web browsers, and replaces the genuine certificate with its own one so that it can look "inside" https, which is otherwise impossible.

  Ok, now FIrefox does have the above issue with certain sites (chiefly linkedin and google) if you have certain plugins, *or* if access to intermediate certificates is blocked.

  The latter is because, for many sites, the signing certificate is *not* the root certificate. you have instead:

[CA Root] <-- stored in firefox
      |
[Intermediate] <-- stored on web, have to pull using http(s)
      |
[website] <-- what your browser sees, contains URL of Intermediate so it can be fetched

  If you are doing permissive-only blocking (a proxy that only allows access to a specified list of websites) you often find that you must add the addresses of the Intermediates to the list, or verification will fail.  If this is the issue, then look in the certificate (and usefully, firefox will offer to show you this each time) and look for the "Authority Information Access" field in the certificate. That shows you where the browser will attempt to pull the intermediate from.

  Otherwise, as McKnife says, we are going to need more info from you (an example of a website with this problem, and version of firefox) to help further.
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question