Mozilla enables unsafe encryption algorithm again to resolve issues with antivirus software

Posted 08 January 2016 17:44 CEST by Jan Willem Aldershoff

A new version of Mozilla’s Firefox browser solves an issue that made G Data’s antivirus software crash. A component of the antivirus software that is meant to protect users against malware during internet banking didn’t work as intended with Firefox 43.0.3.


G Data had already released an update that fixed the issue, and Firefox 43.0.4 now resolves it as well. The most important change in this version of Firefox is that SHA-1 certificates are enabled again. Firefox had blocked these certificates because the SHA-1 hash algorithm is no longer regarded as safe. Unfortunately, the block caused issues with many antivirus products, which is why Mozilla enabled support for SHA-1 certificates again.

The block on SHA-1 certificates caused issues because some virus scanners use a ‘man-in-the-middle’ method when a user tries to connect to an HTTPS site. The man-in-the-middle device sends Firefox a new SHA-1 certificate instead of the server’s real certificate.

However, Firefox has blocked SSL certificates signed with the SHA-1 algorithm since the beginning of this year. As a result, the SSL certificates generated by antivirus software are blocked and Firefox users can no longer visit HTTPS sites.

It’s unknown whether Mozilla is working on a workaround for this issue with antivirus software and will enable the SHA-1 block again later.

MyCE Resident
Posted on: 08 Jan 16 21:35
Got FF 43.0.3 and have MSE installed and haven't noticed any problems that are described here?? Go figure....oh yeah I do have my own custom PC hosts edit so that also blocks adware and pops and redirects to prevent further MSE detection problems. In this day and age you need to have a trusted Savvy PC user to help fix problems as a safe measure.
-1 Agree

MyCE Senior Member
Posted on: 08 Jan 16 22:32
Yep, no issues either, MSE apparently has no issues with that certificate frenzy and I don't poke around with the hosts file
-1 Agree

MyCE Rookie
Posted on: 08 Jan 16 22:33
So the security of G Data users comes at the expense of everyone else? Seems fair. /s

There are multiple ways Mozilla could have handled this better.
  1. Hardball. Tell the users to use another browser until the AV company fixes their shit.
  2. Leave SHA-1 in, but disable it. Throw up an error message each time a SHA-1 certificate is encountered, explaining the likely cause and how to re-enable them.
  3. Check for the AV program during startup and disable SHA-1 if it isn't found.

I think number two would be the best for everyone. AV programs probably aren't the only things using SHA-1 for certs. Annoying error messages will let us know what else needs to be fixed (and let us make temporary exceptions in the meantime).
2 Agree

MyCE Senior Member
Posted on: 08 Jan 16 23:16
I can confirm, no issues here as far as I can see (then again, FF is not alone in the game, but nothing and I am up to date - the few times I use the very engine and frontend together
Split horizon is a clue here..... I know it is from the infrastructure world, but I think it is for the better for all, but the malware coders
0 Agree
