Non- Secure connection warning message

Baldrick1 · ‎30-06-2016

I might just have answered my own question. I have tried disabling Kaspersky Add-ons and Extensions in Firefox and it is still reporting Kaspersky as the verification authority, so Kaspersky obviously has it by the throat. However, this only extends my query, could some other verification authority security package that hadn't properly done the necessary with Nationwide in terms of certification got it's teeth onto @shutter computer, hence no verification cerificate?

Moderator and Customer
If this helped - select the Thumb
If it fixed it, help others - select 'This Fixed My Problem'

bobpullen · ‎04-04-2007

What does the certificate hierarchy look like for @shutter's Firefox-derivative l wonder?

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Anonymous · ‎06-01-2018

In all honesty @Baldrick1 Kaspersky is sticking their virtual nose in where its not wanted. When you buy a certificate you get it from a Certificate Authority. As you can see from @bobpullen’s post the Nationwide bought their certificate from Symantec who are acting as a Certificate Authority but who in turn got their issuing authority from VeriSign.

As for @shutter I don’t know what if any, AV he uses but even then, it may only have a side effect of saying something similar to what you are seeing. What we need to understand is why his various browsers are flagging the certificate as insecure.

It may be that that there is an issue with the Root CA as used by Mozilla on his machine(s) so to test it he would need to set the security.enterprise_roots.enabled flag to true in order to use the same certificate roots as used by I.E.

To do this in the address bar enter about:config this will display the following warning that needs to be accepted before you can proceed.

A very large list of settings will appear, so at this point right click in the window and select New > Boolean

and into the dialog that appears

enter: security.enterprise_roots.enabled and click OK.

Scroll through the list to verify that this value is now set to true.

I don’t think a browser restart is needed but navigate to nationwide to see what effect, if any, this has. If there’s no change then close the browser and retry.

shutter · ‎06-11-2007

@Anonymous @bobpullen @Baldrick1 @rongtw and at anyone else ! ! .. who is interested..

Thanks for sticking with this, guys,.... I have been out this morning, and had a quick read through your responses...

@Anonymous On the present HDD, I had, AVAST before FF updated... then went to AVIRA.... and because I thought they were "Hogging" resources and slowing down things, decided to remove AVIRA and just use Windows Security Essentials, (which was a "new install" a couple of days ago and updated as installed ) , which is the current state of AV on this hdd.. When I tried with the other HDD, it had AVAST on it... and that gave the same result on FF and CY browsers... ( didn`t try with IE cos it obviously works )..

I don`t have Linux MInt 18 as a dual boot, but could use my USB version to see how that works, meaning I will have to shut down this W7 and do a reboot...

Current "addons" are exactly the same as prior to this happening... so cannot see how , suddenly one of them, or all of them, are contributing to the rejection of the security on Nationwide....

addons are ... Lightshot... (screen grabber )... ANT Video downloader..... XMARKS Ghostery and Stylus.

As for the updates on W7 Pro 64 bit.... YUP ... everything is up to date...

@bobpullen the only way I could see the security on Nationwide with FF or CY would be to disregard the warning, and give the site the exception... which I did once before... but that exception only seems to last for 24 hours, or until the machine is shut down, and on re-boot it reverts back to giving out the security warning.

VileReynard · ‎01-09-2007

If you look at the information in the circled i,

it says that the https page includes references to http content.

Firefox says this is insecure (which it is), but internet explorer doesn't care.

"In The Beginning Was The Word, And The Word Was Aardvark."

TheRoadCrew · ‎14-05-2017

@shutter wrote:
[...]

SO ...I found Internet Explorer, lurking away somewhere on my computer... and brought that into the action.... same routine.... clicked for Google... put in Nationwide, and up comes the banking page, ready to log in... with a yellow padlock and a gree arrow from Trusteer Rapport

Just a thought - are you using Trusteer Rapport with Cyberfox / Firefox?

If you are, is it the latest version of Rapport?

An older version would probably work fine with I.E; I expect you'd need the latest version for Firefox 57 support

shutter · ‎06-11-2007

@TheRoadCrew Yes, was just about to post another two addons I had forgotten.... IBM Rapport ( recently downloaded mid december when I started work on this HDD )... and IM translator..

I have just been to the Tools> addons > Extensions, and disabled them all, and then tried again with no addons on Cyberfox, and still get the warning message on the Nationwide site..

Incidentally, I had a notification this morning , by post, for my car tax renewal.... and went straight on line to renew it.... as you would expect, being a .gov.uk site, it is "secure" with the green padlock,... and NO warning of insecure connection... did the deed with my debit card, and all is fine... received the confirmation email within 5 minutes...

Baldrick1 · ‎30-06-2016

@Anonymous wrote:

What we need to understand is why his various browsers are flagging the certificate as insecure.

Probably another of my daft suggestions but I note that the current certificate came into force only a couple of months ago. What if @shutter is picking up the out of date certificate somehow?

Moderator and Customer
If this helped - select the Thumb
If it fixed it, help others - select 'This Fixed My Problem'

Anonymous · ‎06-01-2018

@Baldrick1, @VileReynard made a reference to some content being insecure but I don't know where or what he is referring to (hint). If what he says is correct then that's very interesting and and maybe a key to the solution.

shutter · ‎06-11-2007

@Baldrick1 Probably is a daft suggestion.... cos I only installed W7 on this hdd in Mid December ! ! check out the certificate dates shown on the screen grab off the Internet explorer.Nationwide page ! ! ..

Baldrick1 · ‎30-06-2016

OK another daft idea bites the dust. Let me try something else:

Symantic is the CA for the certificate. To confirm that the Nationwide site is reached securely the certificate has to be accessed. So every time you log into Nationwide does the browser get the certificate details from Nationwide, go onto a Symantic database, or is a copy of the certificate stored somewhere on the local computer in some sort of cache? If so, does each browser have it's own cache?

Edit. I've answered my own question, they are stored in the browser under Options\Privacy\Certificates. Is this why @shutter can use IE11 and not Firefox? Not that it helps as he's re-installed Firefox, which I note is now at 57.04.

Moderator and Customer
If this helped - select the Thumb
If it fixed it, help others - select 'This Fixed My Problem'

TheRoadCrew · ‎14-05-2017

@shutter wrote:

@TheRoadCrew Yes, was just about to post another two addons I had forgotten.... IBM Rapport ( recently downloaded mid december when I started work on this HDD )... and IM translator..

I have just been to the Tools> addons > Extensions, and disabled them all, and then tried again with no addons on Cyberfox, and still get the warning message on the Nationwide site..

Ok, when you go to the Nationwide site it tells you your connection is not secure.

The Go Back button is highlighted by default - what do you see if you click on the Advanced button?

It should provide an error code of some description..

VileReynard · ‎01-09-2007

What URL are you using?

Mine changes to https://onlinebanking.nationwide.co.uk/AccessManagement/Login

"In The Beginning Was The Word, And The Word Was Aardvark."

shutter · ‎06-11-2007

@TheRoadCrew clicking on the Advanced box... gives this...

________________________________________________________

www.nationwide.co.uk uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error code: SEC_ERROR_UNKNOWN_ISSUER

________________________________________________________________

and underneath it....

****************************************************************************************************

https://www.nationwide.co.uk/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false HTTP Public Key Pinning:false Certificate

chain: -----BEGIN CERTIFICATE-----

MIIHHjCCBgagAwIBAgIQafuEwYJE

*********************************************************************************************

Wonder if that is worth copying to Nationwide Site Security.....

Anonymous · ‎06-01-2018

@Baldrick1, the certificate from the bank isn’t held on the client it is only the root CA certificates that are provided with the browser (or those you add yourself) and as mentioned before these are used to authenticate the chain of authority when you encounter a server certificate. In bobpullen’s post above he is showing the Root CA Certificate that would be used to validate the Nationwide one.