
Symantec Distrust in Firefox Nightly 63

As of today, TLS certificates issued by Symantec are distrusted in Firefox Nightly.

You can learn more about what this change means for websites, and about our release schedule for it, in the post “Update on the Distrust of Symantec TLS Certificates” published last July by the Mozilla security team.

The Symantec distrust is already in effect in Chrome Canary, which means that visitors to a website whose Symantec certificate has not been replaced now get a warning page:

(left is Chrome Canary, right is Firefox Nightly)

We strongly encourage website operators to replace their distrusted Symantec certificates as soon as possible, before this change reaches the Firefox 63 release planned for October 23.

If you are a Firefox Nightly user, you can also get involved and help this transition by contacting the support channels of these websites to warn them about this change!

14 comments on “Symantec Distrust in Firefox Nightly 63”


  1. Mikalai wrote on

    Well I’m using Nightly as my daily browser (for many years now), and now I can’t open a few sites I’m visiting daily, like my Bank (card issuer) site.
    I’m quite sure they won’t replace these certificates earlier than in a month time or so, so basically you are forcing me to use some other browser (Chrome?) to visit these sites.

    IMHO leaving your users without an option to bypass that check (after showing a huge warning and pressing a few buttons like Advanced and ‘I acknowledge’) was a very ill made decision. As far as I love Firefox, that just hurts.


    1. Pascal Chevrel wrote on

      Mikalai,

      We are not forcing you to use Chrome, Chrome Canary (the equivalent of Firefox Nightly) got the same change 2 weeks ago! You can perfectly use Firefox on the Release channel to access your bank, this is what I personally do with my own bank (HSBC) which hasn’t updated their certificate yet. Here is a video tutorial to install Firefox next to Firefox Nightly on Windows: https://www.youtube.com/watch?v=Gvh3PxD_p50

      Also, the main article about the distrust on the Mozilla Security blog indicates that this is pref-controlled, I let you check on this article which pref allows you to roll back this change.

      At some point, we have to put these changes announced more than a year ago in effect and we can’t just land it on the release channel and break tons of websites for hundreds of millions of users from one day to the other. Pre-release channels such as Nightly, Dev Edition and Beta (or Canary and Dev for Chrome) also exist to roll out these changes progressively, first to a more technical audience, and raise awareness about upcoming changes to web operators.


      1. Mikalai wrote on

        Pascal,

        Unfortunately warning screen says nothing about Symantec, or gives any links to problem description.
        “The certificate does not come from a trusted source. Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED”

        Finding the real reason takes a bit of googling, reading Firefox Security blogs, etc.
        Even the chrome error is more self-explaining: NET::ERR_CERT_SYMANTEC_LEGACY.

        I wouldn’t say a word if warning screen will have a link to issue description, especially with easy to spot on instruction on disabling the check for now (security.pki.distrust_ca_policy).


    2. Curtis K wrote on

      Chrome is going to distrust Symantec: https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html and https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html


    3. Jerome Panagis wrote on

      The real problem here is you using Nightly as a daily browser, and refusing to take responsibility for your choices when something happens. If you really feel this way, please go back to regular Firefox.


    4. F wrote on

      Just add an exception. More -> Accept the Risk and Continue.


    5. Brenda wrote on

      I completely agree with you. Firefox are forcing us to use alternative browsers because we cannot access sites we use every day. This is ridiculous! and extremely frustrating, and may force many of us to change browsers permanently!
      A REALLY bad move!!


  2. Matthias Versen wrote on

    I agree that the error message is really bad.
    There is no hint for an advanced user to find out why this certificate isn’t trusted.

    You did the same with HSTS : You can not override the error but no explanation given why


  3. Dawood Morris wrote on

    Hi Gentlemen, am just a cs student, thus not grown up technically. I use Firefox Nightly daily and I love it. I abruptly met that big yellow border around my screen during one of my browsing sessions on websites that I even visited everyday. What does it really mean to distrust them (Symantec Certs)? As for switching the browsers, I think it is the same, because it does not make any difference seeing the warning or not based on what browser one is using. The fact is that as it stands, the solution lies in upgrading the certificates….. make the web a better and safer place…


  4. Spirit King wrote on

    This has caused one of my billers to block my online payments because it interrupted me making my payment to them and the system thought someone was trying to fraud my account. Not good. SMH!!! I thought my computer was being hacked until I did my research and found out what you guys were doing and yes, it “can be” very hard to bypass. Now I have to use another browser to make my payments and anything else I have to sign into so this doesn’t happen again.


  5. Åsta Yggeseth wrote on

    I will from now on use the regular Chrome version for anything that has to do with money. I do understand where you are coming from though. Please see it from a user side too. I am very particular and attentive when dealing with money on the net, trying to force my way through several pages and trying to find solutions, just make me frustrated, very frustrated. I am an avid Firefox Nightly user and pretty puter savvy and will return when these issues have been fixed. 🙂


  6. Chaddaï Fouché wrote on

    I agree with the other answers : it’s perfectly fine to roll this out in Nightly and I’m all for this kind of decision (bad CA are a real problem) but I would have liked it very much if the error message could have been even a bit explicit, as is I was going to explore HPKP and probably try to create an erroneous bug…


  7. Jerome Panagis wrote on

    You are stupid if you believe the problem lies with Firefox and not Symantec. The certificates are a legitimate issue. This is like asking your locksmith to get rid of keys because they are annoying to use.


    1. Curtis K wrote on

      Warning see https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html:

      Simple version – Chrome 70 is coming on October 16, 2018. This version will contain Symantec certificate distrust.

