Website Security Certificate Errors

     
10:49 am on Dec 15, 2010 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine

joined:May 9, 2000
posts: 23263
votes: 359


"There is a problem with this website's security certificate."

We've all seen them at some time, and when I do, I back out from the site where such an error exists.
Is that still the best advice?

On a well known site, is it just sloppy management that causes such an error, or is the site really a risk?

[edited by: engine at 4:26 pm (utc) on Dec 15, 2010]

11:20 am on Dec 15, 2010 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator mack

joined:June 15, 2001
posts:7583
votes: 11


I think the site is a risk because of the reason you have given... "sloppy management that causes such an error". It always makes me think: if they are sloppy with a cert, are they sloppy with security in general?

Mack.

3:15 pm on Dec 15, 2010 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert

joined:Jan 10, 2005
posts: 2904
votes: 7


I have seen it happen with high profile sites. It often happens if the secure part of the site is moved to another (sub)domain without the webmaster thinking twice or testing it. Sometimes it is because the certificate expired, or the website owner installed a home-signed certificate, instead of one from an authority.

Given how easy the installation of certificates is (most certificate issuers provide step by step instructions for installing them) and how cheap they are, not buying, installing and testing a proper certificate for a site is a big red flag IMO.

11:17 am on Dec 16, 2010 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine

joined:May 9, 2000
posts:23263
votes: 359


Amazingly, this latest certificate error is an ISP.

11:51 am on Dec 16, 2010 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert

joined:Jan 10, 2005
posts: 2904
votes: 7


That is nothing. Even Google has certificate errors on their ccTLD domains. For example on [google.ru...] which serves the Russian Federation.

3:17 pm on Dec 20, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel

joined:Feb 11, 2003
posts:5071
votes: 12


Yeah, I've seen security cert errors on my linux distribution.

Most of the security cert errors are bogus anyway, as is most of that entire industry. No reason why we shouldn't self-issue certificates for most situations but we don't. Why? Oh yeah, browsers will give you a security cert error.

5:30 pm on Dec 20, 2010 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine

joined:May 9, 2000
posts:23263
votes: 359


I'm slightly confused (easily done) by what you're saying. Is it important or serious? In this instance of the ISP, it's meant to be an account area with https logon.

6:21 pm on Dec 20, 2010 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert

joined:Jan 10, 2005
posts: 2904
votes: 7


I think I understand wheel's comment.

Certificates are used for two different things. One is encrypting the data stream to make it impossible to be read by a third party. The other use is to ensure that the website or site-owner is who it/he pretends to be.

In the first situation self-issued certificates work just as well as certificates issued by an authority. In the second situation you need a trusted authority which checks the validity of the submitted website or owner information.

Most certificate errors in browsers come from an authentication matching problem. Either the root authority mentioned in the certificate chain is not recognized by the computer, or the domain the certificate is served from is not in the domain list of the certificate itself. In both cases the authentication of the certificate fails, but the encryption of the data stream is still working.

Many sites only need data stream encryption, not a validation of the website or owner. That is where a self-issued certificate should be allowed.
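The causes of certificate errors named in this thread (a certificate served from a different (sub)domain, an expired certificate, a self-issued or unrecognized issuer), told apart in code; this is an added example, not part of the original posts. The `example.test` hosts, the CA name and the sample certificates are constructed, the field layout is borrowed from Python's `ssl.SSLSocket.getpeercert()`, and issuer trust is modelled as a name lookup rather than real signature verification.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Compare a certificate DNS name with the requested host.
    A '*' stands for exactly one leftmost label, never a whole suffix."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host, now, trusted_issuers):
    """Return the reasons a client would refuse to authenticate cert for host."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name-mismatch")      # e.g. site moved to another subdomain
    ts = now.timestamp()
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    elif ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    # Simplification (assumption): trust is a lookup by issuer name. A real
    # client verifies signatures up the chain to a root in its trust store.
    if cert["issuer"] not in trusted_issuers:
        self_signed = cert["issuer"] == cert["subject"]
        problems.append("self-signed" if self_signed else "unknown-issuer")
    return problems

def rdn(cn):
    """Name in the nested-tuple form getpeercert() uses for subject/issuer."""
    return ((("commonName", cn),),)

def make_cert(subject_cn, issuer_cn, names, not_after):
    """Build a constructed sample certificate record (not a real certificate)."""
    return {"subject": rdn(subject_cn), "issuer": rdn(issuer_cn),
            "subjectAltName": tuple(("DNS", n) for n in names),
            "notBefore": "Jan  1 00:00:00 2010 GMT", "notAfter": not_after}

# Constructed sample data: hypothetical CA and hosts under example.test.
NOW = datetime(2010, 12, 15, tzinfo=timezone.utc)
CA, LATER = "Example Trusted CA", "Jan  1 00:00:00 2012 GMT"
TRUSTED = {rdn(CA)}
GOOD = make_cert("www.example.test", CA, ["www.example.test"], LATER)
WILD = make_cert("*.example.test", CA, ["*.example.test"], LATER)
EXPIRED = make_cert("www.example.test", CA, ["www.example.test"], "Dec  1 00:00:00 2010 GMT")
SELF = make_cert("www.example.test", "www.example.test", ["www.example.test"], LATER)
```

Each label corresponds to a distinct operational fix: reissue for the right names, renew, or install a certificate that chains to a root the client already trusts.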
10:51 pm on Dec 28, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel

joined:Feb 11, 2003
posts:5071
votes: 12


"I'm slightly confused (easily done) by what you're saying. Is it important or serious? In this instance of the ISP, it's meant to be an account area with https logon."

As Lammert notes, encryption still works fine no matter what your browser is complaining about.

I've never seen a certificate error that mattered, i.e. one where I didn't just ignore the error. The encryption matters, not the 'who owns the site'. It's the 'who owns the site' part that is such a load of nonsense.