Users of Firefox 65, released by Mozilla last week, were immediately hit by 'Your connection is not secure' messages when visiting popular sites.
The issue mostly affected Firefox 65 users running AVG or Avast antivirus. The message appeared when users visited an HTTPS website and stated the 'Certificate is not trusted because the issuer is unknown' and that 'The server might not be sending the inappropriate intermediate certificates'.
The problem, reported on Mozilla's bug report page and first spotted by Techdows, is due to the HTTPS-filtering feature in Avast and AVG antivirus. Avast owns AVG. The bug prevented users from visiting any HTTPS site with Firefox 65.
To limit the impact on users, Mozilla decided to temporarily halt all automatic updates on Windows. In the meantime, Avast, which owns AVG, released a new virus engine update that completely disabled Firefox HTTPS filtering in Avast and AVG products. HTTPS filtering remains enabled on other browsers.
HTTPS filtering by antivirus vendors is a slightly controversial feature that's designed to inspect web content for malware in encrypted HTTPS traffic, but in the process it undermines the security and privacy afforded by HTTPS.
Avast and other antivirus firms do this by removing a site's Transport Layer Security (TLS) certificate and adding their own self-generated certificate. This certificate is signed by Avast's trusted root authority and added to the root certificate store in Windows and in major browsers.
The method used is technically a man-in-the-middle (MitM) attack, which has drawn criticism from Google, Mozilla and others for creating more security risks for users.
Avast has previously argued that its MitM technique is necessary and that its method is different to a malicious MITM.
More HTTPS certificate troubles for antivirus products could be on the way in Firefox 66, which is gaining a new feature that will detect and warn users when a third-party app is conducting an MitM attack.
A new error message, 'MOZILLA_PKIX_ERROR_MITM_DETECTED', will be displayed if Firefox detects that something on the user's system or network is intercepting the connection and injecting certificates in a way that is not trusted by Firefox. Chrome already has a similar feature.
Previous and related coverage
Starting with version 66, Firefox will let you know when antivirus products, malware, or your ISP are tapping into your HTTPs traffic.
Microsoft engineer wants Mozilla to climb down from its "philosophical ivory tower", stop making a browser that few use, and become a research organization.
Browser makers this year will be disabling Flash with its long history of security problems.
Mozilla brings Firefox Monitor to Firefox on the desktop.
Mozilla devs detail what types of websites and abusive user-tracking practices they intend to block in future Firefox versions.
Researchers call out antivirus and security appliance vendors for dangerous SSL inspection practices.
Jack Wallen outlines what he believes is the ideal combination to prevent browser tracking in Firefox.
Debate: Does Mozilla have more influence as a Chrome rival or ally?