In Firefox 61, Mozilla added a new error message called "MOZILLA_PKIX_ERROR_MITM_DETECTED" that warns a user that a program is attempting to perform a man-in-the-middle SSL attack. In Firefox 65, Mozilla has revised the accompanying info to explain that software, such as an antivirus program, could be the cause of this error.

A man-in-the-middle (MiTM) attack is when a program adds its own certificate as a certificate authority in the browser so that it can listen in on, or sniff, the encrypted SSL traffic between your browser and an SSL-encrypted site. This allows the program to see all the transmitted traffic between your browser and the site, including passwords, entered financial information, or any other transmitted data.

While this may sound scary, MiTM can be used for legitimate reasons such as giving antivirus programs the ability to scan encrypted traffic for malicious content or for HTTP debugging tools, like Fiddler, to analyze HTTPS traffic.

At the same time, there are adware and malware programs that utilize this method so that they can inject ads or steal transmitted information.

In order to make it easier to understand and allow users to see what certificates may be attempting to perform a MiTM attack, Firefox has changed the information that is used to describe a MOZILLA_PKIX_ERROR_MITM_DETECTED error.

Firefox 65 to add more detailed info in error message

In Firefox 64 and below, when a certificate is used in a MiTM attack the browser would simply display an error stating "Warning: Potential Security Risk Ahead". It did not, though, provide any real information regarding what certificate is causing the error, which is pretty useless for most users.

Firefox 64 MiTM Warning

In Firefox 65, a new error message has been added that is much more descriptive and includes information regarding the specific certificate that is being detected as performing the MiTM attack. This will allow a user to determine whether the error is caused by a program they are intentionally using, such as antivirus software or a web debugger like Fiddler, shown below.

Firefox 65 MiTM Error

As it is very common for antivirus software to utilize its own certificates so it can scan SSL traffic for malicious scripts and behavior, it is useful that Firefox now includes information about this AV feature in its error message.

Software is Preventing Firefox From Safely Connecting to This Site

www.bleepingcomputer.com is most likely a safe site, but a secure connection could not be established. This issue is caused by DO_NOT_TRUST_FiddlerRoot, which is either software on your computer or your network.

What can you do about it?

If your antivirus software includes a feature that scans encrypted connections (often called “web scanning” or “https scanning”), you can disable that feature. If that doesn’t work, you can remove and reinstall the antivirus software.

If you are on a corporate network, you can contact your IT department.

If you are not familiar with DO_NOT_TRUST_FiddlerRoot, then this could be an attack and you should not continue to the site.

Learn more…

Websites prove their identity via certificates, which are issued by certificate authorities.

Firefox is backed by the non-profit Mozilla, which administers a completely open certificate authority (CA) store. The CA store helps ensure that certificate authorities are following best practices for user security.

Firefox uses the Mozilla CA store to verify that a connection is secure, rather than certificates supplied by the user’s operating system. So, if an antivirus program or a network is intercepting a connection with a security certificate issued by a CA that is not in the Mozilla CA store, the connection is considered unsafe.

Error code: MOZILLA_PKIX_ERROR_MITM_DETECTED

View Certificate

Troubleshooting MOZILLA_PKIX_ERROR_MITM_DETECTED errors

If Firefox continues to display MOZILLA_PKIX_ERROR_MITM_DETECTED errors, then you have a program trying to inject its own certificates so that it can listen in on your encrypted web site traffic. The problem is that this certificate is not trusted by Firefox, so it displays this error.

Therefore, if you see this error while browsing the web, you need to figure out what program is utilizing this certificate so that your data is not at risk.

If the certificate is from your antivirus program, Mozilla suggests that you disable SSL or HTTPS scanning and enable it again. Doing this should allow the antivirus software to add its certificate to the Firefox certificate store so that it can listen in on SSL connections and not generate a warning.

On the other hand, if you are seeing a certificate that is not from an antivirus vendor, then you need to determine what program is trying to inject the certificate and terminate it. Unfortunately, if it's an adware or malware process, determining what software is doing this can be difficult and you should perform a scan of your computer using antivirus software.
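
One way to check, outside the browser, which issuer is signing the certificates your machine actually receives (an added example, not code from Mozilla or from the original article): it reads the issuer from Python's ssl.getpeercert() output and groups hosts by issuer name. The function names, the host names other than www.bleepingcomputer.com, and the sample data are assumptions made for illustration.

```python
import socket
import ssl
from collections import defaultdict

def issuer_fields(cert):
    """Flatten the nested 'issuer' tuples of ssl.getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fetch_cert(host, port=443, timeout=5.0):
    """Leaf certificate this machine receives for host, or None when the
    platform trust store (which is not Firefox's store) rejects the chain."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None

def triage(certs_by_host, known_local_cas):
    """Group hosts by issuer common name and label each issuer."""
    groups = defaultdict(list)
    for host, cert in certs_by_host.items():
        name = issuer_fields(cert).get("commonName", "<no CN>") if cert else "<untrusted chain>"
        groups[name].append(host)
    report = {}
    for name, hosts in groups.items():
        if name in known_local_cas:
            verdict = "known local interception CA"
        elif name == "<untrusted chain>":
            verdict = "rejected by platform store too: investigate"
        else:
            verdict = "not a listed local tool: compare with the site's public issuer"
        report[name] = {"hosts": sorted(hosts), "verdict": verdict}
    return report

# Constructed sample in getpeercert() format; the issuer name is the one
# shown in the article's error message, the rest is made up.
SAMPLE = {
    "www.bleepingcomputer.com": {"issuer": ((("commonName", "DO_NOT_TRUST_FiddlerRoot"),),)},
    "example.org": {"issuer": ((("commonName", "DO_NOT_TRUST_FiddlerRoot"),),)},
    "example.net": None,  # what fetch_cert() returns for an untrusted chain
}

if __name__ == "__main__":
    # Live use: triage({h: fetch_cert(h) for h in hosts}, {"DO_NOT_TRUST_FiddlerRoot"})
    for issuer, info in triage(SAMPLE, {"DO_NOT_TRUST_FiddlerRoot"}).items():
        print(issuer, info)
```

Unrelated sites that all report the same issuer, and one that no public certificate authority uses, point to interception on the machine or the network.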

If you need any help identifying a certificate displayed in this error, feel free to leave a comment and we will try and help.

H/T Techdows.com