Mozilla has halted the automatic updates to Firefox 65 as users are unable to browse web sites due to certificate errors. These errors are being caused by conflicts between the HTTPS scanning of various antivirus programs and Firefox 65.

Firefox 65 was released this week and with it came numerous reports from users that when they visited safe web sites, they were shown an error by Firefox 65 that states "Your Connection is not secure" and that there is an issue with the HTTP Strict Transport Security (HSTS) of the site.

Firefox 65 Certificate Error

If they click on the Advanced button, Firefox will then display an error stating SEC_ERROR_UNKNOWN_ISSUER, which means that the certificate provided by the site was issued by a certificate authority that is unknown to Firefox and therefore will not be trusted.

SEC_ERROR_UNKNOWN_ISSUER Error

According to a Mozilla bug report, these errors are being caused by the web protection modules in antivirus software such as Avast, AVG, and Kaspersky. In order for antivirus software to scan an encrypted SSL connection for malicious content, it needs to add its own certificate to Mozilla's certificate store so that it can perform a MiTM (Man-in-the-Middle) attack.

Due to this widespread conflict, Mozilla QA Lead Ryan VanderMeulen has stated that Mozilla has halted the automatic update to Firefox 65 in Windows to avoid making the problem worse.

Comment stating Firefox 65 rollout is halted

In response to this bug ticket, Avast network security researcher David Jursa stated that Firefox HTTPS filtering will be disabled by Avast & AVG products for the Firefox process in the next few hours until a proper fix can be created.

Avast stating a fix will be released soon

Avast has told BleepingComputer that this hotfix is currently being rolled out and will disable HTTPS scanning for the Firefox process only. Furthermore, Lukáš Rypáček of Avast has stated that normal HTTP scanning in Firefox will continue to work as normal.

"A hotfix has been issued (Virus Definition Update 190201-6) and users should no longer experience issues in Firefox 65 with encrypted or unencrypted websites. Users do not need to take any action to apply the changes. Avast Threat Labs will continue to monitor any further changes and work on full fix. All other browsers are unimpacted."

Fixing the certificate errors in Firefox 65

If you have upgraded to Firefox 65 and are seeing errors when browsing the web that state the "Connection is not secure", then you are most likely affected by this bug and seeing a conflict between the browser and your antivirus software.

With this said, you have two options that can help you browse the web properly again, but neither option is ideal.

Option 1: Disable HTTPS scanning in your antivirus software

To temporarily fix this issue, you can disable HTTPS scanning in your antivirus program. This is not the recommended solution as you will no longer be protected from malicious SSL web sites.

The instructions on how to disable HTTPS scanning are different for each program. Below are various articles that explain how to disable HTTPS scanning:

As Avast and AVG are in the process of pushing out a hotfix to disable HTTPS filtering in their products, you do not need to disable it in their programs as that will cause this protection to be disabled for all browsers on your computer.

It should be noted that when you disable HTTPS scanning in your antivirus software's web protection module, you are no longer protected from malicious SSL sites. For this reason, we recommend the next option instead.

Option 2: Allow Firefox to use certificates from the Windows certificate store

By default, Firefox 65 will only use the certificates in its built-in browser certificate store. It is possible, though, to enable the ability to also use the antivirus engine's certificates that are created in the Windows certificate store to validate other web sites' certificates.

Avast certificate in Windows

To enable Firefox to use the certificates installed as a Windows Trusted Certificate Authority, you can enable the security.enterprise_roots.enabled option. To do this, please follow these steps:

1. Type about:config in the Firefox address bar and then press enter.
2. When Firefox asks, click on the button stating that you accept the risks.
3. In the search field enter security.enterprise_roots.enabled and press enter.
4. Double-click on security.enterprise_roots.enabled so that it toggles to true as shown below.

security.enterprise_roots.enabled option

5. You can now close the about:config page.

You have now enabled Firefox to use the Avast root certificate located in the Windows certificate store and you should be able to properly browse the web again.
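Because this setting widens Firefox's trust to every root certificate in the Windows store, it is worth knowing which profiles have it switched on. The following is an added example, not part of the original article or any Mozilla or Avast code: a small Python audit that reads the prefs.js and user.js files in each Firefox profile and reports the effective value of security.enterprise_roots.enabled. The function names and sample file contents are constructed for illustration, and an unset preference is assumed to mean off, as the article describes for Firefox 65.

```python
import re
from pathlib import Path

PREF = "security.enterprise_roots.enabled"
# Matches preference lines such as: user_pref("some.name", true);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def read_pref(text, name=PREF):
    """Return the last value set for `name` in prefs.js-style text, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == name:
            raw = m.group(2)
            value = {"true": True, "false": False}.get(raw, raw)
    return value

def effective_value(prefs_js, user_js=""):
    """user.js is applied at startup and overrides prefs.js. An unset pref is
    treated as False (assumption: the Firefox 65 default the article describes)."""
    for source in (user_js, prefs_js):
        value = read_pref(source)
        if value is not None:
            return value
    return False

def audit_profiles(root):
    """Map each profile directory name under `root` to its effective setting."""
    results = {}
    for prefs in sorted(Path(root).glob("*/prefs.js")):
        user = prefs.with_name("user.js")
        user_text = user.read_text(encoding="utf-8", errors="replace") if user.exists() else ""
        prefs_text = prefs.read_text(encoding="utf-8", errors="replace")
        results[prefs.parent.name] = effective_value(prefs_text, user_text)
    return results

# Constructed sample file contents, not taken from a real profile.
SAMPLE_TOGGLED = (
    '// Mozilla User Preferences\n'
    'user_pref("browser.startup.page", 3);\n'
    'user_pref("security.enterprise_roots.enabled", true);\n'
)
SAMPLE_DEFAULT = 'user_pref("browser.startup.page", 3);\n'
SAMPLE_USER_JS = 'user_pref("security.enterprise_roots.enabled", false);\n'

if __name__ == "__main__":
    print(effective_value(SAMPLE_TOGGLED), effective_value(SAMPLE_DEFAULT),
          effective_value(SAMPLE_TOGGLED, SAMPLE_USER_JS))  # True False False
```

On Windows, Firefox profiles live under %APPDATA%\Mozilla\Firefox\Profiles, so that directory is the one to pass to audit_profiles.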

Updated 2/1/19 1:37 PM EST:

Added statement from Avast.

H/T: Techdows.com