"this add-on could not be downloaded because of a connection failure".....

1Password 4.6.0.604
Firefox 44.0.2
Windows 8.1 Pro (installed fresh two weeks ago)
When I try to install the 1Password extension in Firefox, I get this error message, "this add-on could not be downloaded because of a connection failure"

I use ESET and have turn off protection with no luck.
Disabled Add-on's with no luck.

I would like this to work with FireFox and not have to resort to using another browser to get the extension.

Any help is appreciated.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • bkh
    bkh
    Community Member
    edited March 2016

    The work-around that fixed it for me is as follows. Do you see the blue link in the middle of your screenshot above about "download the extension from its alternate location"? Right-click on that and "save link as..." to save the .xpi file onto your computer's disk. Then open that .xpi file in firefox. I did it by typing the pathname into the address bar (something along the lines of "file:///c:/directoryPath/filename.xpi") but someone said an easier way is just drag the .xpi file from windows explorer onto an open firefox window. Another way is in windows explorer right-click on the .xpi file to select open, then they'll give a dialog box saying they don't know how, and asking if you want them to search the web (no you don't) or select a program from a list of installed programs (that's what you want). Select firefox to open the file.

  • Hi guys,

    @lynnejohn_727, that is usually caused by an AV solution blocking the file before it could be installed. @bkh is correct on the workaround, here's our guide that explains this process for Firefox.

  • lynnejohn_727
    lynnejohn_727
    Community Member

    Hey Mike,
    I turned off the AV but it still did not work. It could be Windows defender doing something. My main point is that everyone is doing a workaround and in this case it is not the AV or Add On's causing the issue. I'd would like to find the root cause of this failure. Is there a FireFox log of some sort that would help point to the problem?

  • bkh
    bkh
    Community Member

    @lynnejohn_727, I'm not yet willing to agree with your conclusion when you say "My main point is that everyone is doing a workaround and in this case it is not the AV or Add On's causing the issue."

    In my case, I believe that it actually was the security software, and in your case, no offense intended, I believe you don't yet have good evidence otherwise. Please bear with me a moment while I explain.

    I say you don't yet have good evidence because, "turning off the AV" in the AV control program may not actually completely disable all the security measures that the anti-malware system installed. It may just turn off some portion of the virus signature scanner. If you really want to run the experiment, you would have to fully uninstall the antivirus signature scanner, heuristic scanner, firewall, intrusion detection subsystem, and so on, and then in firefox create a new profile that has the default settings. But beware. I tried uninstalling my anti-malware, and the result was that windows no longer had the ability to boot. Rather than trying to run Repair from the Windows install disk, I just restored from backup to fix my computer. The whole experience gave me some insight into how deeply the anti-malware extends its tendrils into diverse bits of the OS.

    I speculate that the workaround actually is the solution to the "root cause," which I suppose is that the anti-malware system (including whatever native protection is in firefox) is extra suspicious of software that is attempting an automated installation "directly from the network." Maybe the attempt to install from the network fails because the firewall blocks socket connections that subsequently would be allowed after the software is successfully vetted and installed. Maybe some suspicious heuristic scanner watches the installer download into a temporary directory and then quickly deletes it before it can run (I actually observed that when I was testing the trial version of one major vendor's anti-malware: I didn't buy that one.) I do know that recent Firefox versions are quite strict about preventing automated installation of plugins from third party suppliers --- on occasion I've launched Firefox and seen a dialog along the lines of "attempted background installation of plugin ABC from provider XYZ was blocked."

    Anyway, I suggest to use the work-around because I accept that it may not be feasible for agilebits to worm their installation package through every narrow gap in all the various constellations of anti-malware armor that different folks are using. In my view, if they get it working for most users running reasonably common configurations, they've done a good job.

  • lynnejohn_727
    lynnejohn_727
    Community Member

    I've been doing this type of stuff on embedded systems for a bit and I can agree with you that if ESET really is not turning off everything, then there is no way I would know this. I can point out that your pointing a finger at ESET and I'm not sure you have definitive evidence to back that up(only that your particular AV has deep hooks into the OS.) Clearly other AV software does cause FireFox to break and FireFox is definitely a bit picky.

    I would say that I from the little I know of my case I am putting my bets on FireFox or maybe some proxy thing not being happy. I would hope that your speculation of "the workaround is the solution" is wrong because that would say that someone really knows the answer and is willing to leave it this way. It could just be that there are to many configurations to get everybody working flawlessly(there is only so much time.)

    I do know understand that I can use the work around but I'm trying to be a bit more helpful to the situation and see if someone knows of possible Windows or FireFox logs that could be turned on to give at least a little light on what is going on under the hood.

  • bkh
    bkh
    Community Member

    I can point out that your pointing a finger at ESET and I'm not sure you have definitive evidence to back that up

    Well, I didn't know that you were using ESET, but you're absolutely right that I don't have evidence. That's why I said things like "I speculate" and "I suppose," both of which I do quite a bit --- old debugging techniques.

    I do know understand that I can use the work around but I'm trying to be a bit more helpful to the situation and see if someone knows of possible Windows or FireFox logs that could be turned on to give at least a little light on what is going on under the hood.

    I fully support that sentiment. Does the ESET firewall (if you are using Smart Security or Total Security) give you the ability to watch or log all the local/internal connection attempts? If not, there used to be something in the SysInternals Suite utilities that could. TDImon?

  • AlexHoffmann
    edited March 2016

    Hi @lynnejohn_727 and @bkh

    The workaround is a valid one but from our experience it points to ESET or some other security solution silently blocking the installation of the 1Password extension. Avast and Bitdefender can do the same.

    ESET has been changing their approach to their Windows security measures in recent months and I think that this is indicative of these changes.

    @lynnejohn_727 I'm going to get in touch with our contacts at ESET and I'd like to ask you to report this false positive to [ESET via email](mailto:samples@eset.com "ESET via email) or directly in the app.

    Thanks!

  • lynnejohn_727
    lynnejohn_727
    Community Member

    Hey Alex,

    If ESET has some sort of error log that would help a lot. When I get home tonight I will send in false positive to them with a description. I want to thank everyone for the help and I will get back to you on what they say.

    Thanks,
    John C.

  • AGAlumB
    AGAlumB
    1Password Alumni

    @lynnejohn_727: It doesn't sound like they are "flagging" it, but rather that the connection itself is being interfered with. I'm not familiar with ESET doing this, but many "security" vendors install self-signed certificates into browsers which break SSL and cause these connection errors (because you then no longer have a secure point-to-point connection). So in these cases, simply turning it off temporarily won't necessarily help, as the certificate is still installed. Often the simplest workaround is to download the file using another browser and then drag it to Firefox, but as you say, finding the root cause is important, since it could affect other things as well.

    A quick Google search led me to some results indicating that ESET is in fact doing what I described above, and this post in particular seems to indicate that this "feature" is called "SSL/TLS scanning", but I wasn't able to find better info in their help site. Disabling that feature or removing the "ESET SSL Filter CA" from your browser sounds like it will do the trick. Please let me know what you find!

  • lynnejohn_727
    lynnejohn_727
    Community Member

    Well it took two tries to uninstall ESET, but I was finally able to do it. Once it was uninstalled, the add-on loaded fine. So ESET was the problem and the "pause" feature of ESET does not work in this case. I currently have an ongoing trouble ticket with them so maybe they will look into it.

    @brenty: I'm going to reinstall ESET and then try your suggestion to see if it is that particular feature of ESET is causing the problem. I'll update a little later with the results. Thanks again for all the help.

  • Hi @lynnejohn_727,

    Huge thanks for trying that and letting us know the result.

    Could you please keep us informed of any progress on your ticket with ESET's team. We do have a lot of ESET customers using 1Password and it would be nice to update our guidance with them in the future based on the outcome from your ticket.

  • lynnejohn_727
    lynnejohn_727
    Community Member

    @brenty: Just got through testing your suggestion and did find the setting:

    Click the Advanced Setup(on the bottom of the ESET screen), then select Web and Email(on the left side.) Click on SSL/TLS and then un-check the "Enable SSL/TLS protocol filtering" and click ok. Should look like this:

    Once this is off you can download the add-on. When your done simply turn it back on. Special thanks to @brenty for providing the SSL/TLS clue. I'll update the ESET ticket with this new info.

    Thanks for all the help. Now back to normal password entering...

    John C.

  • That's great, thanks for letting us know. We'll update our guide to include this information. /cc @AlexHoffmann

    On behalf of Brenty, you're welcome.

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited March 2016

    @lynnejohn_727: Also keep in mind that having that feature enabled means your "secure" communications are being monitored. If you're okay with that, it's entirely up to you. But for example when I'm shopping on a website and sending payment information, it's important to me that the connection between myself and the site is end-to-end encrypted — not being inspected by a person in the middle. However, I am glad to see that there's a way to exclude domains from that feature, since that may be necessary to get some sites that require a secure connection to work. Cheers! :pirate:

  • lynnejohn_727
    lynnejohn_727
    Community Member

    @brenty: I have to agree with you that encryption should be end to end. I'm really surprised that in Windows an application like FireFox can have another application in the middle of their "secured" communications. Must be in the way an application is dependent on the OS for it's stack. What benefit is ESET giving me in monitoring this?

  • bkh
    bkh
    Community Member

    Must be in the way an application is dependent on the OS for it's stack.

    Plus the fact that a highly-privileged application such as ESET can install itself into your Windows certificate mechanism to give itself certificate signing authority. So it can make a bogus certificate that says "I am the real gmail" or "I am the real Bank of America" and your browser will (to some extent) believe it, which enables ESET to operate as a man-in-the-middle proxy in your TLS connection.

    Anti-malware wants to do this so that it can screen bytes coming in over the wire to look for malware that potentially could be executed before being written to disk where the traditional anti-malware scanner would see it. So you need to decide who you trust more. Would you rather trust that ESET will vet your transaction data from Bank of America without misusing it and without being subverted by the bad guys to misuse it? Or would you rather trust that Bank of America will not be broken into to deliver malware via their secure website? Unfortunately, both vulnerabilities are real.

  • Astute analysis, @bkh, thank you!

This discussion has been closed.