
How to troubleshoot security error codes on secure websites

For websites that are securely encrypted (the URL begins with "https://"), Abrowser must verify that the certificate presented by the website is valid. If the certificate cannot be validated, Abrowser stops the connection and shows a "Warning: Potential Security Risk Ahead" error page instead. Clicking the Advanced button on that page shows the specific error code Abrowser encountered.

This article explains why you might see the error codes SEC_ERROR_UNKNOWN_ISSUER, MOZILLA_PKIX_ERROR_MITM_DETECTED or ERROR_SELF_SIGNED_CERT on an error page and how to troubleshoot them.

What does this error code mean?

During a secure connection, the website must present a certificate chain that leads to a certificate authority Abrowser trusts; this is what ties the encrypted connection to the site you actually intended to reach, rather than to whoever happens to be answering. If you click the Advanced button on a "Warning: Potential Security Risk Ahead" error page and you see the error code SEC_ERROR_UNKNOWN_ISSUER or MOZILLA_PKIX_ERROR_MITM_DETECTED, the provided certificate was issued by a certificate authority that Abrowser does not know and therefore cannot trust by default.

The error occurs on multiple secure sites

If you get this problem on multiple unrelated HTTPS sites, something on your system or network is intercepting your connections and substituting certificates that Abrowser does not trust. The most common causes are security software that scans encrypted connections, or malware listening in and replacing legitimate website certificates with its own. In particular, the error code MOZILLA_PKIX_ERROR_MITM_DETECTED indicates that Abrowser detected connection interception.

Monitoring/filtering in corporate networks

Some traffic monitoring/filtering products used in corporate environments intercept encrypted connections by replacing a website's certificate with one issued by their own certificate authority, which triggers these errors on HTTPS sites unless that authority is trusted by the browser.

If you suspect this might be the case, contact your IT department to ensure that Abrowser is configured correctly for such an environment: the product's root certificate may first have to be added to the Abrowser trust store. Note that Abrowser, like Firefox, keeps its own certificate store (NSS) rather than using the operating system's, so a root certificate installed system-wide is not automatically trusted by Abrowser.

Malware

Some forms of malware intercepting encrypted web traffic can cause this error message - refer to the article Troubleshoot Abrowser issues caused by malware on how to deal with malware problems.

The error occurs on one particular site only

If you get this problem on one particular site only, the error generally indicates that the web server is not configured properly. However, if you see this error on a legitimate major website or on a site where financial transactions take place, treat it as possible interception and continue with the steps outlined above.

Certificate issued by an authority belonging to Symantec

After a number of irregularities with certificates issued by Symantec root authorities came to light, browser vendors, including Mozilla, removed trust from these certificates in their products (Firefox completed the distrust in version 63). Abrowser no longer trusts server certificates issued by Symantec, including those issued under the GeoTrust, RapidSSL, Thawte and Verisign brands. For more information, see this Mozilla blog post.

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED will be the primary error, but with some servers, you may see the error code SEC_ERROR_UNKNOWN_ISSUER instead. If you come across such a site you should contact the owner of the website to inform them of the problem.

Mozilla strongly encourages operators of affected sites to take immediate action to replace these certificates. For more help, see this DigiCert blog post and DigiCert Tools.

Missing intermediate certificate

On a site with a missing intermediate certificate you will see the following error description after you click on Advanced on the error page: The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported.

The website's certificate was not issued directly by a trusted certificate authority, and the server did not provide a complete chain from that certificate up to a trusted authority either (a so-called "intermediate certificate" is missing). A server is expected to send its own certificate together with every intermediate certificate; browsers only ship root certificates. Abrowser does not download missing intermediates on its own, although it remembers intermediates it has seen on other sites, which is why such a misconfigured site may work on one machine or in another browser and fail on yours. You can test whether a site is properly configured by entering its address into a third-party tool like SSL Labs' test page. If it returns the result "Chain issues: Incomplete", an intermediate certificate is missing. Contact the owner of the website you are having trouble accessing to inform them of the problem.

Self-signed certificate

On a site with a self-signed certificate you will see the error code ERROR_SELF_SIGNED_CERT (the full code is MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT) and the following error description after you click on Advanced on the error page: The certificate is not trusted because it is self-signed.

A self-signed certificate that was not issued by a recognized certificate authority is not trusted by default. A self-signed certificate still encrypts your data in transit, but it says nothing about who is on the other end: anyone on the network path can present a self-signed certificate of their own, and nothing in the certificate lets you tell the two apart. This is common for intranet websites that are not available publicly, and you may bypass the warning for such sites, ideally after confirming the certificate's fingerprint with whoever runs the server.
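The two failures described in this section and in the "Missing intermediate certificate" section above can be reproduced offline. The following script is an added example and is not part of the Abrowser article; it assumes only that the openssl command-line tool is in PATH. It builds a throwaway test hierarchy (a root CA, an intermediate CA and a server certificate, all with constructed names under example.test) plus a self-signed server certificate, then validates the server certificate the way a browser does: trusting only the root and treating whatever "the server sent" as untrusted input.

```shell
#!/bin/sh
# Added example (not from the Abrowser article): reproduce the "missing
# intermediate" and "self-signed" failures with openssl. All names, files and
# the example.test hostnames are constructed for this demonstration.
set -eu

# Build a throwaway PKI in directory "$1": root CA -> intermediate CA -> server
# certificate, plus a self-signed server certificate for comparison.
make_test_pki() {
    d=$1
    mkdir -p "$d"

    # One config file for every certificate; extensions are chosen per section.
    cat > "$d/test.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
extendedKeyUsage = serverAuth
[ intranet ]
basicConstraints = CA:FALSE
subjectAltName = DNS:intranet.example.test
extendedKeyUsage = serverAuth
EOF

    # Root CA: self-signed, CA:TRUE. A browser's trust store holds roots like this.
    openssl req -x509 -config "$d/test.cnf" -extensions ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=Example Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root. Browsers do not ship intermediates,
    # so the server has to send this one alongside its own certificate.
    openssl req -new -config "$d/test.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Test Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/int.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/test.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null

    # Server (leaf) certificate, signed by the intermediate, not by the root.
    openssl req -new -config "$d/test.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" \
        -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -extfile "$d/test.cnf" -extensions server -out "$d/leaf.pem" 2>/dev/null

    # Self-signed server certificate, as an intranet host might present.
    openssl req -x509 -config "$d/test.cnf" -extensions intranet -newkey rsa:2048 \
        -nodes -sha256 -days 30 -subj "/CN=intranet.example.test" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
}

# Validate a server certificate against a single trusted root, passing any
# certificates "the server sent" as -untrusted. Prints a verdict that maps onto
# the browser's error codes and returns 0 (trusted), 1 (issuer unknown,
# i.e. intermediate missing), 2 (self-signed) or 3 (some other failure).
#   $1 = trusted root, $2 = server certificate, remaining args = -untrusted <file>
classify() {
    root=$1; leaf=$2; shift 2
    if out=$(openssl verify -CAfile "$root" "$@" "$leaf" 2>&1); then
        echo trusted
        return 0
    fi
    case "$out" in
        *"self-signed certificate"*|*"self signed certificate"*)
            echo self-signed; return 2 ;;
        *"unable to get local issuer certificate"*)
            echo unknown-issuer; return 1 ;;
        *)
            echo "other: $out"; return 3 ;;
    esac
}

main() {
    d=$(mktemp -d)
    make_test_pki "$d"
    printf 'server sends leaf only:           %s\n' "$(classify "$d/root.pem" "$d/leaf.pem")"
    printf 'server sends leaf + intermediate: %s\n' "$(classify "$d/root.pem" "$d/leaf.pem" -untrusted "$d/int.pem")"
    printf 'self-signed server certificate:   %s\n' "$(classify "$d/root.pem" "$d/self.pem")"
    rm -rf "$d"
}

main
```

The first case is exactly what Abrowser sees behind SEC_ERROR_UNKNOWN_ISSUER on a site with a missing intermediate: the server certificate is perfectly valid, but the validator has nothing connecting it to the root. Supplying the intermediate as untrusted input, which is what a correctly configured server does over TLS, turns the same certificate into a trusted one. To check a real site, capture what its server actually sends with `openssl s_client -connect host:443 -servername host -showcerts </dev/null`; a single "BEGIN CERTIFICATE" block in the output means the server is sending only its own certificate and the intermediate is missing.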

Bypassing the warning

Warning: You should never add a certificate exception for a legitimate major website or for a site where financial transactions take place. On such a site an invalid certificate can be a sign that your connection is being intercepted by a third party, and adding an exception would hand that third party everything you send.
If the website allows it, you can bypass the warning in order to visit the site even though its certificate is not trusted by default:
  • On the warning page, click Advanced.
  • Click Accept the Risk and Continue.

Revisions

09/25/2024 - 05:52
icarolongo