Firefox – sec_error_revoked_certificate Issue

When the Firefox web browser checks a security certificate, it also asks the issuing authority whether the certificate is still valid. It appears that, near a certificate’s expiration date, the issuing authority may release a new certificate. The two certificates have conflicting expiration dates.

For reasons unknown, this caused Firefox to report a sec_error_revoked_certificate error and refuse to allow you to connect to the site!

To resolve this, presumably at the same time reducing the security of your browsing, complete the following:

For PC Users:

  1. Open Firefox.
  2. Go to Tools in the top menu and select Options.
  3. Click the Advanced tab.
  4. Click the following buttons:
    Encryption, then
    Certificates, then
    Validation
  5. Check “Do not use OCSP for certificate validation.”
  6. Click OK and restart Firefox.

For Mac Users:

  1. Open Firefox.
  2. Go to Firefox in the top menu and select Preferences.
  3. Click the Advanced button.
  4. Click the following buttons:
    Encryption, then
    Validation
  5. Un-check “Use the OCSP to confirm the validity of certificates.”
  6. Click OK and restart Firefox.
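Before switching OCSP off, it helps to see what the issuing authority's responder actually says about the certificate the site is serving. The script below is an added example, not part of the original post: it uses the standard openssl command-line tool, and the function names `ocsp_query` and `ocsp_verdict` and the sample responder output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# Usage against a live site (needs network):  ocsp_query HOST | ocsp_verdict

# ocsp_query HOST: fetch the chain HOST serves and ask the OCSP responder
# named in the leaf certificate about it. Body runs in a subshell.
ocsp_query() (
  host=$1
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  # Split the served chain into cert1.pem (leaf), cert2.pem (issuer), ...
  openssl s_client -connect "$host:443" -servername "$host" -showcerts \
    </dev/null 2>/dev/null |
    awk -v d="$tmp" '/-BEGIN CERTIFICATE-/ { n++; on = 1 }
                     on { print > (d "/cert" n ".pem") }
                     /-END CERTIFICATE-/ { on = 0 }'
  [ -s "$tmp/cert2.pem" ] || { echo "served chain has no issuer certificate" >&2; exit 1; }
  uri=$(openssl x509 -in "$tmp/cert1.pem" -noout -ocsp_uri)
  [ -n "$uri" ] || { echo "leaf certificate names no OCSP responder" >&2; exit 1; }
  openssl ocsp -issuer "$tmp/cert2.pem" -cert "$tmp/cert1.pem" -url "$uri" 2>&1
)

# ocsp_verdict: read `openssl ocsp` output on stdin and print one of
#   good | unknown | revoked:<reason> | unverified | no-answer
# "unverified" means a status came back but its signature did not verify.
ocsp_verdict() {
  awk '
    /^Response verify OK/ { verified = 1 }
    /: good$/             { status = "good" }
    /: unknown$/          { status = "unknown" }
    /: revoked$/          { status = "revoked" }
    /^[ \t]*Reason: /     { reason = $2 }
    END {
      if (status == "")             print "no-answer"
      else if (!verified)           print "unverified"
      else if (status == "revoked") print "revoked:" (reason ? reason : "none")
      else                          print status
    }'
}

# Constructed sample of responder output (not captured from a real site).
SAMPLE_REVOKED=$(printf '%s\n' 'Response verify OK' 'leaf.pem: revoked' \
  '    This Update: Jan  1 00:00:00 2024 GMT' '    Reason: superseded' \
  '    Revocation Time: Dec 20 00:00:00 2023 GMT')

printf '%s\n' "$SAMPLE_REVOKED" | ocsp_verdict   # prints revoked:superseded
```

A `revoked` verdict means the responder really does list the served certificate as revoked, so the fix belongs on the server (install the replacement certificate) rather than in the browser.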

9 Replies to “Firefox – sec_error_revoked_certificate Issue”

  1. While this approach does “work”, and is handy for being able to work-around the problem until it is fixed at the source, please do be aware that disabling permanently the OCSP functionality in Firefox exposes you to a number of different vulnerabilities. So, you’ll want to be damn sure that the warning is, in fact, a false-positive before disabling OCSP, *especially* if the warning occurs with a very popular website.

    OCSP’s primary function is to provide up-to-date, near-real-time CRL (Certificate Revocation List) data. When something like http://nakedsecurity.sophos.com/2011/03/24/fraudulent-certificates-issued-by-comodo-is-it-time-to-rethink-who-we-trust/ happens, the best way to protect one’s self is to have OCSP enabled in the browser.

    Absent OCSP, you are dependent upon importing CRLs manually at regular intervals (let’s be honest; almost nobody does that) and/or hoping that an operating system or browser update provides the CRL entries that revoke rogue, fraudulent certificates that could compromise your Facebook, Yahoo, GMail, etc. accounts in a timely fashion.

    So, if you disable OCSP, you should do so only as a short-term work-around in order to use a mis-configured website that you know to be “safe”, and usually, the only way to know that is if you are the site owner/operator.

    You’ve been warned!

  2. Your quote that you have "owned, serviced, programmed and trashed virtually every personal computer and operating system known to man" is one of the most fanciful delusions of grandeur in a very big internet.

    Anyone actually familiar with computers and their history would never make such a self-indulgent and patently absurd claim.

    Correct that statement to 'known to your ignorant, limited, anecdotal, insular and blinkered horizons' and you might be getting closer to the truth.

    Open your eyes dreamer.

    1. @Doubting Thomas

      Hmmm. In retrospect my claim might be a little "over-the-top", but then it was never intended to be a claim to fame, but rather a way of describing my background. And, as you appeared not to notice, I did say "personal computer", not "computer". And thinking more about it, my claim is closer to the truth than your alternative.

      So, thanks for your somewhat ungracious comment … my claim stands unchanged.

      Nigel
