You are about to override how Thunderbird identifies this site

Since installing Kaspersky Anti-Virus (trial), I have been receiving a warning that starts off with the words in the title. I am using Mozilla Thunderbird with Google mail. The location is: pop.googlemail.com:995. I have checked the box that makes this a permanent exception - but the warning keeps popping up. I know it's the Kaspersky software that is causing this because, if I shut off Kaspersky protection, I don't get this warning. I've tried making this an exclusion but, perhaps, I made the wrong choices in the Exclusion dialog box. Need some help. Thanks in advance!!!

Thunderbird warning 08.08.2017.jpg

Link to post

It's not just the trial version. I've installed licensed KIS 2018 on 3 computers and got that message on at least 2 of them. Clicking on "Get Certificate" resulted in a failure message. I permanently saved the exception, but I don't think there should have been an exception. KIS 2017 had no such problem (as I recall). I don't get the popup now but I don't know if that means I successfully saved the exception or that KIS now trusts the certificate.

Link to post

You can manually add the Kaspersky certificate to Thunderbird. The setting is under options\advanced and the certificate should be located somewhere in c:\Programdata\kaspersky lab

Link to post
5 minutes ago, drgaz said:

You can manually add the Kaspersky certificate to Thunderbird. The setting is under options\advanced and the certificate should be located somewhere in c:\Programdata\kaspersky lab

Your comment makes me realize I really don't understand this error. Why does it help to give the Kaspersky certificate to Thunderbird? I obviously don't understand the flow in certificate verification.

Link to post

To scan SSL you need to be in the middle of the connection. In order to do that Kaspersky changes the certificate flow. If you do not import it you will get a warning just like yours.
That's just how SSL works.

Link to post

My understanding of the authentication process is pretty feeble so this may be a dumb question, but doesn't that make the Kaspersky code a "man in the middle"? Won't anything Kaspersky does with the certificate flow to allow this break any man-in-the-middle detection that is one of the whole points of certificate authentication?

Is there any detailed documentation on how this is supposed to work?  I've forgotten most  everything I knew in this area but I did understand it back before I retired (6 years ago or so) and I might be able to understand a little of it.

Link to post

>>but doesn't that make the Kaspersky code a "man in the middle"?  

That's correct! It needs to intercept traffic to scan for malicious files.

>> Won't anything Kaspersky does with the certificate flow to allow this break any man-in-the-middle

That is correct! That is exactly what it is doing with its own certificate replacement

>>is one of the whole points of certificate authentication?

That is correct! You have to do that to enable SSL/TLS scanning

 

So the point here is this. To scan SSL/TLS traffic you need to be in the middle. KIS/KAV accomplish this by introducing their own middle certificate, which is randomly generated on each machine.

Some applications do not like that, and for a good reason, as your screenshot indicates. So you need to tell them that it is OK, as you have already done. Unfortunately, that is the downfall of the way TLS/SSL works.

To scan you need to be in the middle. Or not to scan at all. Some applications gracefully handle it and some are paranoid. Well, at least I would like to get notified when someone does insert themselves in the middle. Unfortunately that is not very convenient for the end users, who are unsure what this warning is all about. So you must strike a balance between usability and security.

Link to post

Thank you for the information.  I now understand I want to give Thunderbird Kaspersky's self-signed certificate and all will be well.  However, unlike the original poster, my selecting "Permanently store this exception" seems to have worked (for some definition of "worked") and I am no longer getting that popup.  That might mean Thunderbird is now ignoring MITM attacks for me - not what I want.  I need to undo what I've done.

The original poster should be able to just import the Kaspersky certificate into Thunderbird.  The web page http://support.kaspersky.com/general/error/13529 (among many others) tells how to find the certificate in a Windows computer.

Link to post

Hi.

Just installed the latest version of KIS from the official website.

Immediately after I installed KIS I started having problems with Thunderbird, as you can see in the attachment.

If I disable KIS the problem is gone.

How can I solve this?

Thank you.

1.PNG

Link to post

The solution is posted right above your post. You manually add the Kaspersky certificate to Thunderbird.

Link to post

If you confirm the security exception (like I foolishly did) you may be telling Thunderbird to ignore certificate errors for that email server. You can still import the Kaspersky certificate (as I eventually did), but I think you (we) will be running with reduced security for that email server. There is undoubtedly a way to remove the exception but I don't see how. I've asked on Mozilla's Thunderbird forum. If I find out anything I'll report it here.

Edited by pokeefe0001

Link to post

If you clicked the 'Permanently store this exception' for that Server, it's located under the 'Server' tab in Thunderbird's 'Certificate Manager':

Tools/Options/Advanced/Manage Certificates/Servers: find the one, click on it, and do what you want to do with it.

If you did not click the 'Permanently store this exception' for that Server, it will not be there, as it was a one time thing.

Link to post
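
The difference between a stored exception and an imported interception certificate, which the posts above go back and forth on, shown as a simplified model. This is an added example, not part of any post in the thread and not Thunderbird or Kaspersky code. It assumes an exception is stored per host:port together with the fingerprint of one exact certificate, and that a leaf certificate is issued directly by its root; all issuer names and fingerprints are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed placeholder, not a real hash


def evaluate(host_port, leaf, trusted_roots, exceptions):
    """Simplified client decision for the certificate a server presents."""
    if leaf.issuer in trusted_roots:
        return "trusted: chains to " + leaf.issuer
    # Assumption: an exception matches one host:port AND one exact certificate.
    if exceptions.get(host_port) == leaf.fingerprint:
        return "accepted: stored exception"
    return "warning: unknown issuer " + leaf.issuer


HOST = "pop.googlemail.com:995"
PUBLIC_ROOT = "Public CA (constructed)"
AV_ROOT = "AV interception root (constructed)"

real_leaf = Cert("pop.googlemail.com", PUBLIC_ROOT, "fp-real")
av_leaf = Cert("pop.googlemail.com", AV_ROOT, "fp-av-1")
other_leaf = Cert("pop.googlemail.com", "Unknown proxy (constructed)", "fp-other")


def scenarios():
    roots = {PUBLIC_ROOT}
    stored = {HOST: av_leaf.fingerprint}  # "Permanently store this exception"
    return {
        # No scanning: the client sees the server's own certificate.
        "no_scanning": evaluate(HOST, real_leaf, roots, {}),
        # Scanning on, root not imported: the warning from the thread title.
        "scanning_no_import": evaluate(HOST, av_leaf, roots, {}),
        # Exception stored: only that exact certificate is waved through.
        "exception_same_cert": evaluate(HOST, av_leaf, roots, stored),
        "exception_other_cert": evaluate(HOST, other_leaf, roots, stored),
        # Root imported: anything the scanner issues validates normally.
        "root_imported": evaluate(HOST, av_leaf, roots | {AV_ROOT}, {}),
        "root_imported_other": evaluate(HOST, other_leaf, roots | {AV_ROOT}, {}),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22} {verdict}")
```

In both accepted cases the mail client only ever sees the scanner's certificate, so checking the real server's certificate is left to the scanner.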

If you want the SSL / TLS scanning to work you will need to grant this exception.

Link to post

Hello everyone,

Why should we have to add exceptions for a problem that KIS has?  KIS needs to fix this problem.

Please see this question with a related problem where KIS stops Thunderbird from displaying images in email that we have set by Thunderbird is okay with that sender.

You can see my reply within that thread.   I am highly upset because I spent quite some time with Tbird forum trying to track down what was blocking images.  There is no email scanning with my 2018 KIS so I did not suspect KIS.  KIS is also causing problems intermittently with Firefox showing web pages as text only!  Also this error where page won't load at all

SEC_ERROR_REUSED_ISSUER_AND_SERIAL


I have to suspend KIS and refresh the page and then resume KIS.  I am not supposed to have to do this!  KIS needs to own up to these three problems and fix their software. I've used KIS since 2011 and never had these problems before.

Thank you for your time,

Heartdaughter

 

Link to post
10 minutes ago, HeartDaughter said:

Hello everyone,

Why should we have to add exceptions for a problem that KIS has?  KIS needs to fix this problem.

Please see this question with a related problem where KIS stops Thunderbird from displaying images in email that we have set by Thunderbird is okay with that sender.

 

 

Are you sure that problem is related to the certificate "error" that is the topic of this thread?  This issue concerns the verification/validation of the connection with the email server.

Edited by pokeefe0001

Link to post
11 minutes ago, pokeefe0001 said:

Are you sure that problem is related to the certificate "error" that is the topic of this thread?  This issue concerns the verification/validation of the connection with the email server.

Oh yes, it is also related to certificates, there just is no error message in Thunderbird, but only a block with a broken image within it.  I started a new thread and posted all three problems within it.

Heartdaughter

Link to post
