What to do?

The bottom line is that it’s a problem with the website itself.  That doesn’t mean you shouldn’t be careful, though.

To start, let’s demystify https and certificates.

Security certificates

A security certificate, or “certificate”, is a kind of positive identification for a website as part of the https protocol.  In many ways, it’s very similar to a driver’s license.

A driver’s license has three components:

  • Process: A driver’s license must be obtained from an issuing authority, like a department of motor vehicles or department of licensing.  The process includes documenting your identity as well as proving you have the skills to drive.
  • ID: A driver’s license is used to prove you are who you say you are.
  • Functionality: A driver’s license gives you permission to drive a motor vehicle of some sort.

A security certificate for an https website has three similar components:

  • Process: A certificate must be obtained from an issuing authority.  The process includes proving you own the website for which the certificate will be issued.
  • ID: A certificate is used to prove that the website is the website it claims to be.
  • Functionality: A certificate is used to encrypt the data that site visitors send to and receive from the site.

A driver’s license is typically a physical card issued after you pay a fee, provide documentation, and pass a driving test.  A security certificate is a blob of encrypted data issued after you pay a fee, provide documentation, and pass an identity verification test.

Certificate Error Examples

Here is an example of one type of error that we’re talking about, as displayed in Google Chrome:

[Image: certificate error as displayed in Chrome]

Chrome, in particular, makes errors look big and scary, and even makes it difficult to proceed when you know what you’re doing. (Hint: you start by clicking on “Advanced”.)  And yes, sometimes you do want to proceed anyway – but only if you’re certain.

Here is the same error in Internet Explorer:

[Image: the same certificate error in Internet Explorer]

IE makes it easier to continue.

Most Common Problems with Certificates

Expired Certificates

Like driver’s licenses, security certificates come with an expiration date. Typically, they’re valid for only one to three years, but can last up to ten.  If the website owner fails to renew a certificate before it expires, that’s an error, just like driving with an expired license would be.

Misconfigured Certificates

This situation is generally benign and you can usually safely ignore the error, but still.

As a side note, “www.” is so commonly optional that certificates issued for the base name – itconnexx.com, for example – also validate for the “www.” version of the domain.

Self-signed Certificates

Official certificates must be purchased.  Unofficial certificates, so-called “self-signed” certificates, can be generated by just about anyone with a server.  They are “self-signed” because, rather than being cryptographically signed by a trusted authority, they are signed by the person who created them.  That’s sort of like making your own driver’s license out of cardboard and crayon.

So unless you’re a server geek or know that’s what you’re expecting, this type of error should be treated like the next: do not proceed.

The Wrong Domain

This happens when the server returns a valid certificate, but for the wrong domain.

The full error message from Chrome explains it well:

This server could not prove that it is itconnexx.com; its security certificate is from secure.ithelp.com.  This may be caused by a misconfiguration or an attacker intercepting your connection.

This could be misconfigured, but whenever the server responds with the wrong domain name for a secure connection, you need to pay attention.  This is very much like someone, intentionally or accidentally, trying to use someone else’s driver’s license.  It is not right, and you should probably stay away.
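
The three checks behind the expired, self-signed and wrong-domain errors above, shown as an added example (not code from the original article or from any browser).  It assumes a decoded certificate in the dictionary shape that Python’s ssl.SSLSocket.getpeercert() returns; the sample certificates and the CA name are constructed for illustration.

```python
import ssl
import time

def host_matches(hostname, pattern):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return hostname == pattern

def diagnose(cert, hostname, now=None):
    """List which of the problems described above apply to `cert`."""
    now = time.time() if now is None else now
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Field-level heuristic: a self-signed certificate names itself as issuer.
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(hostname, n) for n in names):
        problems.append("wrong domain")
    return problems

def name(cn):
    """Build a subject/issuer value holding only a commonName."""
    return ((("commonName", cn),),)

# Constructed sample data (not real certificates); the CA name is made up.
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2024 GMT")
GOOD = {
    "subject": name("itconnexx.com"),
    "issuer": name("Example Trusted CA"),
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "itconnexx.com"), ("DNS", "www.itconnexx.com")),
}
EXPIRED = {**GOOD, "notAfter": "Jan 15 00:00:00 2024 GMT"}
SELF_SIGNED = {**GOOD, "issuer": GOOD["subject"]}
WRONG_DOMAIN = {**GOOD, "subject": name("secure.ithelp.com"),
                "subjectAltName": (("DNS", "secure.ithelp.com"),)}

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("expired", EXPIRED),
                        ("self-signed", SELF_SIGNED), ("wrong", WRONG_DOMAIN)]:
        print(label, diagnose(cert, "itconnexx.com", NOW))
```

A certificate can fail more than one check at once, which is why diagnose() returns a list rather than a single verdict.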

Certificate Issues Are Usually Harmless, But…

Most of the time, certificate problems are simply oversights and omissions on the part of the server administrator.

The problem, of course, is knowing whether or not this is a simple oversight or a malicious interception.  The whole point of security certificates is to detect those errors, because they may indicate various forms of server compromise, or even a compromise of your own computer or internet connection.

If your computer thinks it’s going to https://yourbank.com, but due to malware on your machine it’s being directed to a hacker’s computer overseas instead, https security certificate error messages will tell you, just like looking at someone’s driver’s license photo tells you, whether the person you’re looking at really is who they say they are.

When in doubt, take the safe route.  You should not continue; instead, double check that you’ve typed in the correct domain name or URL, and perhaps contact the site owner via other means to determine what’s happening.

ITConnexx, your trusted partner in making the world a safer place to compute.  Contact us at 800-797-0345 or info@itconnexx.com