MOZILLA_PKIX_ERROR_MITM_DETECTED in Firefox
Firefox saw a certificate signed by a root it doesn't trust and flagged the connection as intercepted by software or a proxy.
What you see
Warning: Potential Security Risk Ahead
Something is interfering with your secure connection to www.example.com.
MOZILLA_PKIX_ERROR_MITM_DETECTED
What’s actually happening
Every HTTPS site breaks at once, not just one, which is the tell. Firefox built the chain up to a root it has never heard of and concluded the traffic is being intercepted. In practice that intercepting party is friendly: antivirus 'HTTPS scanning' (Avast, ESET, Kaspersky, Bitdefender) or a corporate TLS-inspection proxy that re-signs every site with its own root. Firefox uses its own trust store by default, so a root the OS trusts is still a stranger to Firefox.
Common causes
- Antivirus HTTPS/SSL scanning is on, decrypting and re-encrypting traffic with the AV's local root certificate
- A corporate proxy or firewall (Zscaler, Palo Alto, Fortinet) is doing TLS inspection and substituting its own CA
- security.enterprise_roots.enabled is false, so Firefox ignores the OS/enterprise root store where the interception CA lives
- Malware or a sketchy browser extension injecting its own root to snoop traffic
- A self-signed root was installed into Windows/macOS but never into Firefox's separate store
How to fix it
- Let Firefox read the OS root store. In about:config, set security.enterprise_roots.enabled to true. Firefox then imports roots from the Windows/macOS store, which usually covers a legit AV or corporate-proxy CA. Restart Firefox and retry. This is the right fix in a managed/enterprise environment.
- Turn off the AV's HTTPS scanning. In the antivirus settings find HTTPS/SSL/encrypted-connection scanning (named differently per vendor) and disable it. The AV stops re-signing traffic, so Firefox sees the real cert again. Verify the error clears immediately on reload.
- Confirm it's interception, not a bad cert. Click the cert in the warning (or visit a known-good site) and look at the issuer. If it reads 'Avast/ESET/Kaspersky Web/Mail Shield', a company name, or some unfamiliar local CA instead of a public CA like ISRG or DigiCert, that's your interceptor.
- Manually import the interceptor's root if you want to keep scanning on. Export the AV/proxy root as a .cer, then Settings > Privacy & Security > Certificates > View Certificates > Authorities > Import, and trust it for websites. Now Firefox accepts the re-signed certs without disabling protection.
- If nothing's supposed to be intercepting, scan for malware. On an unmanaged home machine with no AV doing this, an unknown interception root points at malware or a rogue extension. Run a full malware scan and audit installed extensions and OS root certs.
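The issuer check from the "Confirm it's interception, not a bad cert" step can be scripted across several hosts at once. The Python sketch below is an added example, not part of the original page: it flags interception when one non-public issuer signs every sampled host. The allowlist of public CA names is illustrative and incomplete, and the hostnames and the "Example Corp" inspection CA are constructed.

```python
import socket
import ssl
from collections import Counter

# Illustrative, incomplete allowlist of public CA organisation names (assumption).
PUBLIC_CA_ORGS = {"Let's Encrypt", "Internet Security Research Group", "DigiCert Inc"}

def make_cert(org, cn):
    """Build a constructed sample in the dict shape ssl.getpeercert() returns."""
    return {"issuer": ((("organizationName", org),), (("commonName", cn),))}

def issuer_fields(cert):
    """Flatten the nested 'issuer' RDN tuples into {attribute: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def fetch_cert(host, port=443, timeout=5):
    """Live helper (needs network): certificate as validated by Python's default
    trust store. Behind an inspection proxy this only succeeds when that store
    already trusts the inspection root; otherwise it raises SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def assess(certs_by_host):
    """Return (verdict, issuer) for a sample of {host: cert dict}."""
    issuers = {}
    for host, cert in certs_by_host.items():
        fields = issuer_fields(cert)
        issuers[host] = (fields.get("organizationName", ""), fields.get("commonName", ""))
    unknown = [iss for iss in issuers.values() if iss[0] not in PUBLIC_CA_ORGS]
    if not unknown:
        return "clean", None
    top, count = Counter(unknown).most_common(1)[0]
    # One non-public issuer on every sampled host is the interception signature.
    if len(issuers) > 1 and count == len(issuers):
        return "interception", top
    # Unknown issuers on only some hosts point at those sites' own certificates.
    return "site-specific", top

# Constructed samples; hostnames and the inspection CA name are hypothetical.
SAMPLE_INTERCEPTED = {
    host: make_cert("Example Corp", "Example Corp TLS Inspection CA")
    for host in ("www.example.com", "www.example.org", "www.example.net")
}
SAMPLE_CLEAN = {
    "www.example.com": make_cert("DigiCert Inc", "constructed intermediate A"),
    "www.example.org": make_cert("Let's Encrypt", "constructed intermediate B"),
}
```

For a live check, build the input with `{h: fetch_cert(h) for h in hosts}` using a handful of unrelated sites, and extend the allowlist to the public CAs you expect to see.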
Stop it recurring
On managed fleets, push security.enterprise_roots.enabled=true (or the inspection root into Firefox's store) via policy so re-signed traffic validates cleanly.