Secure Connection Failed

Reece · 10-14-17, 10:27 PM

I am running Firefox and am getting the following error when I try to login to AliExpress:

Quote:

Secure Connection Failed
An error occurred during a connection to login.aliexpress.com. Invalid OCSP signing certificate in OCSP response. Error code: SEC_ERROR_OCSP_INVALID_SIGNING_CERT

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

I tried on my Tablet and is the same, have also noticed this with other sites as well.
Has anyone got any ideas on how to fix this?

Sean C · 10-14-17, 11:00 PM

Not sure if this will work, but you can try it:

When you visit the site, click on the "i" icon to the left of the address bar.
In the window that pops up, to the right of the website name, click the arrow pointing to the right.
At the bottom of the window, click "More Information".
In the new window that pops up, under the "Security" tab, click "View Certificate".
Under the "Details" tab of the certificate window, click "Export" and save the certificate somewhere you'll remember.
Open Firefox's options via the drop-down menu in the upper right corner.
Under the "Security" tab, scroll down and click "View Certificates".
In the Certificate Manager, click "Import" and select the certificate of the website from the location you saved it to.
If necessary, edit the trust of the certificate.

***NOTE***
Only do the above if you are sure you can trust the site you are on and that it is not being spoofed or redirected. When I visit the site you mentioned, I get a "secure connection" which has been verified by Symantec. One way to verify that this is the same site you've been visiting is to look at the "Privacy and History" section of the window that opened in step 4 above. It will tell you if you've visited the site before and how many times.

Hope this helps. Cheers!

Reece · 10-15-17, 01:08 AM

OK, I got as far as saving the certificate but in the Firefox Options/Security there is only:

Quote:

Security..................?

General

A tick box for "Warn me when sites try to install add-ons"............Exceptions.
A tick box for "Block reported attack sites"
A tick box for "Block reported web forgeries"

Logins

A tick box for "Remember logins for sites"............Exceptions.
A tick box for "Use a Master Password"...............Change Master Password.
.................................................. ................Saved Logins.

Sean C · 10-15-17, 02:12 AM

Hmmm...that's strange. Here is what my options look like. (I added an arrow pointing to the certificates button.)

What version of Firefox are you using? Mine is 56.0.1. You can find the version number in the menu at the top right...click the little question mark and select "About Firefox".

Sean C · 10-15-17, 02:28 AM

Another solution might be to open the location where you saved the certificate, right-click on it and select "install certificate".

Reece · 10-15-17, 03:47 AM

I just found that I have more selections on the left

Applications
Content
Sync
Advanced

Under Advanced there is "View Certificates" so I will carry on there.
There is a tab in the Certificate Manager called "Authorities" with an import tab, should I use that?

Just found under Advanced a ticked box "Query OCSP responder servers to confirm the current validity of certificates" should I just try unticking that since it seems to be related to the fault?

Sean C · 10-15-17, 05:34 AM

I wouldn't untick the box about querying servers to confirm current validity. It may solve the problem in the short term, but it may allow a bad actor to use an outdated certificate in the future to spoof a website.

The "import" button under the authorities tab should work. Perhaps I should explain a little bit about what I think is going on so that you can make an informed decision about what is the best choice for you:

Websites that want to perform secure transactions (password and sensitive information exchanges) create a certificate which securely identifies themselves to the rest of the world. These certificates are unique and very hard (if not impossible) for most hackers to duplicate. But, that alone is not enough. It would be child's play for a hacker to generate a certificate with the website's name and try to pass it off as genuine. So, the website has their certificate signed by an authority to verify its authenticity. Very few CAs (Certificate Authorities) exist and they have worked hard to build a good online reputation.

This is an expensive process and requires a lot of information from the website wishing to have their certificate signed. In addition, the signatures and the certificates themselves have an expiration date. Every so often, the website must have their certificate re-signed to ensure that it is still valid. If a signature expires or if a website thinks their certificate may have been compromised or if they generate a new one for whatever reason, they must request a new signature from the CA. Also, if the CA itself generates a new certificate and the old signature expires, the website will need to request a new signature from the CA to remain up-to-date.

Browsers such as Firefox keep a list of valid Certificate Authority certificates and query servers to determine whether these certificates are up-to-date. If a website has a certificate which is signed by a current CA's certificate, it is deemed trustworthy. If, for whatever reason, things don't match up (and the browser is configured to protect you)...the browser will block the website from exchanging information which might be sensitive in nature.

So, here's a list of things I suspect might have happened to cause your problem:

The CA's (in this case: Symantec) certificate was not updated in your browser, thus the signature and/or certificate has expired.
The website's certificate was not updated and thus the signature and/or certificate has expired.
The CA's certificate was somehow deleted from your browser's cache of trusted authorities, resulting in an unrecognized and therefore untrusted signature.
You are actually the target of a malicious attack (such as DNS spoofing) and your computer is being presented with a false certificate which does not have a valid signature from a trusted CA.

In any case, Firefox is trying to protect you from exposing potentially sensitive information to a non-trusted source. (This is why I recommend you don't turn off the checks for whether certificates are still valid.) If you are planning on conducting financial transactions with the website in question, I would err on the side of extreme caution and download Symantec's signing certificate directly from their website. If you'd like, I may be able to export Symantec's certificate from my system and upload it here.

But, I think it would be best if you check to make sure your version of Firefox is up-to-date and that all of your certificates are also being updated. This will ensure that any online transaction you perform with a trusted source will be secure. I would be happy to explain further anything which I may have not already explained well enough. Just ask.

Cheers,
Nate B.

Reece · 10-15-17, 05:58 AM

I have the latest version (1 week old), I don't know how to update certificates, never needed to do it in the past. I think it's this latest version that has the problem but then my Android tablet gets the same fault.

Quote:

The CA's (in this case: Symantec)

Not sure where Symantec fits into this, I don't have any of their software installed.

I tried the import button but it said "This is not a Certificate Authority certificate, so it can't be imported into the Certificate Authority list."

Sean C · 10-15-17, 06:20 AM

You don't need to have any Symantec software installed for your browser to recognize their certificate as valid. The browser just needs to have their certificate listed as a trusted source for signing other websites' certificates as trusted.

Have you tried using another browser (such as Internet Explorer *shudder*) to log in to the website in question?

Reece · 10-15-17, 06:46 AM

Ni I don't have another, this is an old XP system and the version of IE is probably 1.0.
Maybe I should try and contact AliExpress to see what they suggest.
Are you able to export the Symantec certificate and upload it?

Reece · 10-15-17, 07:12 AM

I just found an old entry into AliExpress (https://login.aliexpress.com) and the sign in works there ok, from here I can go to the normal AliExpress (https://www.aliexpress.com) and it's signed in!!

Who knows what is going on, but atleast it goes now!!
Thanks for all your time and effort Nate.

Sean C · 10-15-17, 06:26 PM

No problem. Glad to hear you got it working.

10-14-17, 11:00 PM	#2
Sean C Grey Wolf Join Date: Jun 2017 Location: Norfolk, VA Posts: 984 Downloads: 16 Uploads: 2	Not sure if this will work, but you can try it: When you visit the site, click on the "i" icon to the left of the address bar. In the window that pops up, to the right of the website name, click the arrow pointing to the right. At the bottom of the window, click "More Information". In the new window that pops up, under the "Security" tab, click "View Certificate". Under the "Details" tab of the certificate window, click "Export" and save the certificate somewhere you'll remember. Open Firefox's options via the drop-down menu in the upper right corner. Under the "Security" tab, scroll down and click "View Certificates". In the Certificate Manager, click "Import" and select the certificate of the website from the location you saved it to. If necessary, edit the trust of the certificate. *NOTE* Only do the above if you are sure you can trust the site you are on and that it is not being spoofed or redirected. When I visit the site you mentioned, I get a "secure connection" which has been verified by Symantec. One way to verify that this is the same site you've been visiting is to look at the "Privacy and History" section of the window that opened in step 4 above. It will tell you if you've visited the site before and how many times. Hope this helps. Cheers! Last edited by Sean C; 10-14-17 at 11:12 PM.

10-15-17, 03:47 AM	#6
Reece CINC Pacific Fleet Join Date: Sep 2003 Location: Down Under Posts: 34,686 Downloads: 171 Uploads: 0	I just found that I have more selections on the left Applications Content Sync Advanced Under Advanced there is "View Certificates" so I will carry on there. There is a tab in the Certificate Manager called "Authorities" with an import tab, should I use that? Just found under Advanced a ticked box "Query OCSP responder servers to confirm the current validity of certificates" should I just try unticking that since it seems to be related to the fault? __________________ *Sub captains go down with their ship!*

10-15-17, 05:34 AM	#7
Sean C Grey Wolf Join Date: Jun 2017 Location: Norfolk, VA Posts: 984 Downloads: 16 Uploads: 2	I wouldn't untick the box about querying servers to confirm current validity. It may solve the problem in the short term, but it may allow a bad actor to use an outdated certificate in the future to spoof a website. The "import" button under the authorities tab should work. Perhaps I should explain a little bit about what I think is going on so that you can make an informed decision about what is the best choice for you: Websites that want to perform secure transactions (password and sensitive information exchanges) create a certificate which securely identifies themselves to the rest of the world. These certificates are unique and very hard (if not impossible) for most hackers to duplicate. But, that alone is not enough. It would be child's play for a hacker to generate a certificate with the website's name and try to pass it off as genuine. So, the website has their certificate signed by an authority to verify its authenticity. Very few CAs (Certificate Authorities) exist and they have worked hard to build a good online reputation. This is an expensive process and requires a lot of information from the website wishing to have their certificate signed. In addition, the signatures and the certificates themselves have an expiration date. Every so often, the website must have their certificate re-signed to ensure that it is still valid. If a signature expires or if a website thinks their certificate may have been compromised or if they generate a new one for whatever reason, they must request a new signature from the CA. Also, if the CA itself generates a new certificate and the old signature expires, the website will need to request a new signature from the CA to remain up-to-date. Browsers such as Firefox keep a list of valid Certificate Authority certificates and query servers to determine whether these certificates are up-to-date. If a website has a certificate which is signed by a current CA's certificate, it is deemed trustworthy. If, for whatever reason, things don't match up (and the browser is configured to protect you)...the browser will block the website from exchanging information which might be sensitive in nature. So, here's a list of things I suspect might have happened to cause your problem: The CA's (in this case: Symantec) certificate was not updated in your browser, thus the signature and/or certificate has expired. The website's certificate was not updated and thus the signature and/or certificate has expired. The CA's certificate was somehow deleted from your browser's cache of trusted authorities, resulting in an unrecognized and therefore untrusted signature. You are actually the target of a malicious attack (such as DNS spoofing) and your computer is being presented with a false certificate which does not have a valid signature from a trusted CA. In any case, Firefox is trying to protect you from exposing potentially sensitive information to a non-trusted source. (This is why I recommend you don't turn off the checks for whether certificates are still valid.) If you are planning on conducting financial transactions with the website in question, I would err on the side of extreme caution and download Symantec's signing certificate directly from their website. If you'd like, I may be able to export Symantec's certificate from my system and upload it here. But, I think it would be best if you check to make sure your version of Firefox is up-to-date and that all of your certificates are also being updated. This will ensure that any online transaction you perform with a trusted source will be secure. I would be happy to explain further anything which I may have not already explained well enough. Just ask. Cheers, Nate B.

10-15-17, 06:46 AM	#10
Reece CINC Pacific Fleet Join Date: Sep 2003 Location: Down Under Posts: 34,686 Downloads: 171 Uploads: 0	Ni I don't have another, this is an old XP system and the version of IE is probably 1.0. Maybe I should try and contact AliExpress to see what they suggest. Are you able to export the Symantec certificate and upload it? __________________ *Sub captains go down with their ship!*

10-15-17, 07:12 AM	#11
Reece CINC Pacific Fleet Join Date: Sep 2003 Location: Down Under Posts: 34,686 Downloads: 171 Uploads: 0	I just found an old entry into AliExpress (https://login.aliexpress.com) and the sign in works there ok, from here I can go to the normal AliExpress (https://www.aliexpress.com) and it's signed in!! Who knows what is going on, but atleast it goes now!! Thanks for all your time and effort Nate. __________________ *Sub captains go down with their ship!*

10-15-17, 02:12 AM	#4
Sean C Grey Wolf Join Date: Jun 2017 Location: Norfolk, VA Posts: 984 Downloads: 16 Uploads: 2	Hmmm...that's strange. Here is what my options look like. (I added an arrow pointing to the certificates button.) What version of Firefox are you using? Mine is 56.0.1. You can find the version number in the menu at the top right...click the little question mark and select "About Firefox".

10-15-17, 02:28 AM	#5
Sean C Grey Wolf Join Date: Jun 2017 Location: Norfolk, VA Posts: 984 Downloads: 16 Uploads: 2	Another solution might be to open the location where you saved the certificate, right-click on it and select "install certificate".

10-15-17, 06:20 AM	#9
Sean C Grey Wolf Join Date: Jun 2017 Location: Norfolk, VA Posts: 984 Downloads: 16 Uploads: 2	You don't need to have any Symantec software installed for your browser to recognize their certificate as valid. The browser just needs to have their certificate listed as a trusted source for signing other websites' certificates as trusted. Have you tried using another browser (such as Internet Explorer shudder) to log in to the website in question?

10-15-17, 06:26 PM	#12
Sean C Grey Wolf Join Date: Jun 2017 Location: Norfolk, VA Posts: 984 Downloads: 16 Uploads: 2	No problem. Glad to hear you got it working.