Question about Security Certificate Notices



Johnny Boy
11-21-08, 01:24 PM
When I try to sign into certain sites using passwords, I get a window
with the following message:

"There is a problem with this website's security certificate.
The security certificate presented by this website has expired or is
not yet valid.
Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server."

When I click for "more information", I am told:

"If you arrived at this page by clicking a link, check the website
address in the address bar to be sure that it is the address you were
expecting.
When going to a website with an address such as https://example.com,
try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private
information into the website."

What does this mean? And, what can I do about it to fix it?

Thanks in advance.

Neil W Rickert
11-21-08, 04:49 PM
Johnny Boy <john_vlahos@live.com> writes:

>When I try to sign into certain sites using passwords, I get a window
>with the following message:

>"There is a problem with this website's security certificate.
>The security certificate presented by this website has expired or is
>not yet valid.

That indicates that either the web site has screwed up (its
certificate has expired), or the clock on your computer is set
wrongly and the certificate has a time that looks to be in the
future relative to your computer time.

>Security certificate problems may indicate an attempt to fool you or
>intercept any data you send to the server."

>When I click for "more information", I am told:

You need to look at the hostname on the certificate, to see if it is
correct, and the time (start and ending time for the certificate
validity).

>What does this mean? And, what can I do about it to fix it?

If it is your problem, then either you are going to the wrong site
or your computer clock is set wrongly. If the problem is neither
of those, then it is the web site administrator's problem to fix.

If this is a banking site or similar, be very cautious. Best not to
enter any account name/id/password until you understand the problem.

David Woolley
11-21-08, 04:50 PM
Johnny Boy wrote:
>
> "There is a problem with this website's security certificate.
> The security certificate presented by this website has expired or is
> not yet valid.

> What does this mean? And, what can I do about it to fix it?

It normally means that the web site's management are incompetent or miserly.

To fix it, use a web site that is competently managed.

When you obtain a browser, it contains a list of (loosely) organisations
that the browser vendor trusts to be able to validate the authenticity
of web sites (the "root certificates"). When you access a secure web
site, that site sends you some data (a "certificate"), that has been
verified by one of the trusted organisations, and marked as such in a
tamper resistant way.

The web site owners have a secret piece of data. The certificate
contains a piece of data that depends on that secret, but cannot,
realistically, be used to find the secret. The encryption keys for the
session are created by a process that involves your browser using the
information in the certificate, and the web site using the secret from
which it was derived. If they don't have the secret that corresponds to
the certificate, you will not get matching encryption keys and the data
in both directions will be gibberish.

The trusted organisation sets time limits during which they offer you
some (rather limited) guarantees, that the secret being used by the web
site belongs to the organisation that purports to operate the web site.
These time limits are encoded into the certificate, and there is a
tamper detection mechanism.

The organisations would probably argue that you need the time limits
because:

1) it is possible to find out the secret from a certificate, given
enough time;

2) someone may discover a flaw in the way certificates are produced
which might make that time rather short;

3) the longer the secret is in use, the more chance that it is
accidentally or maliciously revealed.

However a large element of the reason may really be that it ensures that
people keep paying to update the time limits.

Once a certificate is compromised, anyone who can intercept your
connection to the web site can pretend to be that web site; they may
even relay your input to the real web site.

The certificate also contains the web site address and the real world
identity of its owner. The browser will check the site address. If you
know one of them with certainty, you should check that against the
certificate/address bar. If you know neither, you may well have an
encrypted connection to a fraudster, however valid the certificate is!
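Both replies above come down to the same three checks: is the certificate within its validity window relative to the client's clock, and does the name on it match the site in the address bar. The following is an added example (not code from either poster) that performs those checks the way a browser does, over a certificate dictionary in the shape Python's ssl.SSLSocket.getpeercert() returns. The certificate values are constructed for illustration; only the field names and the ssl.cert_time_to_seconds() helper are real. The clock is passed in explicitly so the "wrong local clock" case Neil describes can be reproduced.

```python
import ssl
import time

# Constructed sample certificate in getpeercert() form. Its validity window
# ends on Nov 20 2008, one day before the original poster's message.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Nov 10 00:00:00 2008 GMT",
    "notAfter": "Nov 20 23:59:59 2008 GMT",
}


def dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, or the CN as fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one leftmost label."""
    pattern = pattern.lower()
    hostname = hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def validity_window(cert):
    """(notBefore, notAfter) as UTC epoch seconds, parsed by the stdlib helper."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def diagnose(cert, hostname, now_epoch=None):
    """Return the list of problems a browser would report, in display order.

    'not yet valid' is the case where the local clock may be at fault: the
    certificate's start time lies in the future relative to the client clock.
    'expired' is the case David attributes to the site's management.
    """
    if now_epoch is None:
        now_epoch = time.time()  # the client's clock, as the browser would use it
    problems = []
    not_before, not_after = validity_window(cert)
    if now_epoch < not_before:
        problems.append("not yet valid")
    elif now_epoch > not_after:
        problems.append("expired")
    if not any(name_matches(name, hostname) for name in dns_names(cert)):
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    # Reproduce the poster's situation: visiting on Nov 21 2008.
    when = ssl.cert_time_to_seconds("Nov 21 13:24:00 2008 GMT")
    print(diagnose(SAMPLE_CERT, "www.example.com", when))
    # Same certificate, but a client clock set back before Nov 10 2008.
    early = ssl.cert_time_to_seconds("Nov 01 00:00:00 2008 GMT")
    print(diagnose(SAMPLE_CERT, "www.example.com", early))
```

Running diagnose() with the real clock against a certificate that reports "not yet valid" while the site's certificate looks sane is the practical test for Neil's "clock on your computer is set wrongly" case; an "expired" result with a correct clock is the site's problem, and a "hostname mismatch" is the one case where the warning should never be clicked through, since it is exactly what an intercepted connection looks like.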