Safe Browsing with a SSL Certificate Error
There’s no doubt that you’ve run into this issue at some point while browsing online. You were happily navigating to one of your favorite sites when all of a sudden you run into an SSL certificate error. Depending on your browser it will look something like this:
So, what do you do? Do you proceed at your own peril? Should you not visit the site? Are there other options? Is this your website? So many questions. Hopefully, by understanding the causes of this issue, you can take a deliberate course of action that will allow you to safely browse the web and secure your website.
What causes this error?
It’s all about security. Secure websites rely on valid SSL certificates in order to encrypt traffic exchanged between your browser and the website you are interacting with. Sometimes a given website’s certificate has expired or is self-signed. If either of these situations exist, you will get a warning screen in your browser telling you that “Your connection is not private.” Although annoying, this message is a good thing, as it is trying to protect you from doing something bad.
This is my website — How do I fix it?
Multiple reasons why your website’s SSL certificate might be considered invalid by a browser:
Your SSL certificate has expired: Your SSL certificate is only valid for the main domain and not the subdomains, you purchased it from an untrusted certificate authority, or you are using a self-signed SSL certificate.
To remedy this, you have two basic solutions:
1) Acquire a new certificate. Buying a new certificate from a trusted authority will address virtually all your issues. Commonly, website owners don’t keep track of SSL certificate expiry and when the certificate expires users see a warning in their browsers. When buying a new certificate, you can also specify the domains, sub-domains, etc.
2) If the system is using a self-signed certificate and it’s internal you may be able to live with it. If your certificate is self-signed and on an internal system that has other mitigating controls (i.e. access is limited to certain internal staff, etc.) you can continue to use the self-signed certificate and accept the risks and warnings in your browser.
I’m a user browsing a website — What do I do?
1) Fix it: If it’s your site or your company’s site, you can fix it as outlined above (or ask your IT department to fix it.)
2) Update your browser: Is your browser is up-to-date? In some instances, an old version of a web browser may cause these and other errors.
3) Clear cache for that website: Website cookies can cause error messages to appear if the browser you’re using has an old SSL certificate for that cached website.
4) Self-Signed Certificates: If this is an internal website or interface to a device and the certificate is self-signed, you may want to proceed with caution and access the website. It may not be necessary to acquire a certificate for this device. You will want to make sure that you vet this with your IT department and understand the risks.
5) Date and Time: While most computers sync their time to the cloud, sometimes they do not. It’s something that you can quickly check and update if needed. Generally, you should have your computer sync its date and time automatically—this varies depending on the operating system, but this link should provide some help with these settings.
Additional Safe Browsing Tips
Want more safety tips for a specific browser? Check out the links to learn more:
Browse Wisely
SSL certificates are critical to providing end to end encryption for the transmission of data (sensitive or otherwise). The next time you come across an error from a web browser, make sure you pay attention and don’t just recklessly proceed to the website. Those browser errors and warnings are helpful and are designed to protect the user and their data. Follow the suggestions above and let us know if you have any questions.
Written by: Chris Zambuto | Chief Information Security Officer @CMITBostonCambridge
