Ignore SSL/TSL warnings at your own peril

Every once in a while, a warning will pop up that says something like:

The site does not have a security certificate that is trusted!

or

The site has an expired security certificate!

with the options to proceed to the site or back away. Many (most?) of us simply click through to the site, assuming this was caused by an administrative problem, which will not impact us.  After all, we’ve been doing it forever and nothing bad has happened, right?

Unfortunately, this can be a bad decision, with ramifications that you might not understand for quite a while.

What does the message mean?

Before discussing why this can be a problem, let me give you some background on why you’re seeing the message.

When you attempt to connect with a secure site (that is a “https://” site using SSL/TSL security protocols), there are a number of actions that occur under the covers to insure that (a) the site is the authentic site and (b) the resulting link is properly encrypted. The primary action is to deliver to the web-browser on your device, a copy of the site’s security certificate. This certificate has several crucial bits of data, including site ownership information, the expiration date, a public key used for the encryption process and a digital signature that validates that the certificate is valid.  These certificates are generated and managed by a small number of trusted certificate authorities, who issue the certificates to the owners of the sites. Note: Anyone can generate certificates and do for perfectly legitimate reasons.  However, these certificates would be not be trusted in the same way as certificates generated by certificate authorities.

When your browser acquires one, it validates the certificate and if it finds a problem with the certificate (or if the certificate isn’t delivered), your browser will put up a message similar to this Chrome browser version:

chrome-beta-ssl-2

The safest action for you to take is to back away from the site (or in this case, press “Back to Safety”).

What can go wrong?

The main concern is that you’ve connected to a site pretending to be the site you are attempting to connect with. This is the man in the middle attack.  Somehow, a rouge site has inserted itself between your browser and the legitimate site and is masquerading as the legit site. Since it doesn’t have the ability to present the trusted certificate, it presents a non-trusted certificate that was generated by the owner of the rouge site. This certificate does have a workable public key, so that you can still have an encrypted conversation, but it will be with the illegitimate site.

Most likely, the rouge site will sit between you and the legit site, so that from your perspective, there is nothing weird going on. However, the rouge site can pick off your login credentials, reroute data to others and attempt to install malware on your machine.

Are there legitimate reasons for the messages?

Certificate Expiration

The most common reason is the expiration the certificate. You should see a note that indicates that the certificate has expired rather than it’s invalid. Alternatively, it might indicate there is no certificate. Regardless, a legitimate secure site has an obligation to maintain a valid and authentic certificate. To see even an out of date one is fishy.

The best way to handle this is to back away, then either wait a couple hours and try again or contact the site owner (by phone) to alert them to the problem. Most of the time, this problem goes away pretty quickly since it was caused by an administrative glitch.

Certificate problems from network attached devices.

Certificates are also presented by some network attached devices, like printers or network storage.  These certificates are bundled with the firmware on the device. As the firmware version ages, the certificate can expire, causing this message. The best practice in this case is to upgrade the firmware, which will refresh the certificate. To do that, go to the support pages on the device manufacturer’s website.

On my home network, which is secure, I will ignore the warning until I can upgrade the firmware. However, I’d strongly recommend not clicking through invalid certificates on corporate, hotel or other public networks.  Again, you could be setting yourself up for a man in the middle attack.

In summary, when one of these messages pops up, pay heed to it. The reason that you’re using SSL/TSL authentication is to safeguard your communication. Clicking through one of these warnings undermines these safeguards, significantly reducing the value of the secure connection.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: