With so much of our daily lives now conducted via the internet, from paying bills to accessing medical services, online banking and shopping, if you can’t trust your browser to take you to the right site, what do you do?
And what do you do when it is the right site but the browser thinks otherwise?
It’s all to do with certificates and identification.
Firefox takes security very seriously. Any web address that starts with https uses an encrypted link, and the site presents a ‘certificate’ to identify itself. That is fine as long as Firefox can determine that the site you’re visiting is actually the site it claims to be. If there is a problem with the certificate – as I have with one of my client sites – you will see the ‘This Connection Is Untrusted’ alert page.
The alert doesn’t necessarily mean that the certificate is fraudulent or broken – it just means that Firefox isn’t able to verify the identity of the website, and rightly advises you to proceed with care. Several problems can cause Firefox to reject an https certificate.
I’m Not a Certificate, Get Me Out of Here
If you don’t have the nerve or the know-how to deal with the alert, the safest thing to do is to click the ‘Get me out of here!’ button. If you can read the tea leaves in the Technical Details section, you might be able to make a judgement call or take action in respect of incorrect identification. The ‘I understand the risks’ option declares you are willing to risk a connection that could be vulnerable to eavesdropping (I’ve never dropped any eaves, have you?).
If you can, check in with the owners of the website; they may not know there’s a problem. If, like my client, there’s an ongoing issue with a certain certificate, it may be perfectly safe to continue.
Some common errors are:
- Certificate will not be valid until (date). Somebody deployed a certificate early – it’s not valid yet.
- (site name) uses an invalid security certificate. The certificate will not be valid until (date). (Error code: sec_error_expired_issuer_certificate). Also a date issue – probably yours. If your computer clock has the wrong date – the date given in the error message is in the past – your system needs setting correctly.
- The certificate expired on (date). Somebody forgot to renew the certificate.
- (site name) uses an invalid security certificate. The certificate expired on (date). (Error code: sec_error_expired_certificate). Also expired.
- Certificate is only valid for (site name). (site name) uses an invalid security certificate. The certificate is only valid for (site name). (Error code: ssl_error_bad_cert_domain). This is potentially the bad one; the identification sent to you by the site is actually for another site. It’s also possible the certificate is for a different part of the same site or domain. For example, https://example.com and https://www.example.com are different addresses. The certificate for one does not authenticate the other.
- (site name) uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer). Some anti-virus software will trigger this message if you have enabled SSL scanning – ESET or BitDefender go off on this one. Try to disable this option.
- (site name) uses an invalid security certificate. The certificate is not trusted because it is self-signed. (Error code: sec_error_untrusted_issuer). Self-signed certificates may make a secure connection but prove nothing of the actual identity of the site owner.
- (site name) uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer). This one you can do something about.
Firefox can sometimes trash authentication files in user profile folders. A certificate that was valid suddenly becomes unrecognised, but nothing changed. It’s possible the file cert8.db in your profile folder may have become corrupted. You can close Firefox and delete this file.
Into the rabbit warren we go:
- Open your profile folder by going to the top of the Firefox window, click on the Firefox button, choose the ‘Help’ menu and then ‘Troubleshooting Information’.
- In ‘Application Basics’, select ‘Show Folder’ to open a new window listing your profile files.
- At the top of the Firefox window, click on the Firefox button and select ‘Exit’ to close the browser. The profile window remains open.
- Click on the file named ‘cert8.db’.
- Press ‘Delete’.
- Restart Firefox.
A new cert8.db will be created when you restart Firefox. This is normal.
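The checks behind the common errors listed earlier, as an added Python example that is not from the original article: it runs them over a constructed certificate in the dictionary layout of Python's ssl.getpeercert(). The names CA, SITE, CERT, name_matches and diagnose are illustrative assumptions, and the issuer test compares names only, where a browser verifies signatures.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data in the layout of ssl.SSLSocket.getpeercert().
CA = ((("commonName", "Constructed Test CA"),),)
SITE = ((("commonName", "example.com"),),)
CERT = {
    "subject": SITE,
    "issuer": CA,
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"),),
}

def name_matches(pattern, host):
    """Compare one certificate name with the host; '*' covers one leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def diagnose(cert, host, now, trusted_issuers):
    """Return the list of problems found, in the order of the error list above."""
    problems = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not valid yet")  # or the local clock is set in the past
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("wrong domain")
    # Simplification: issuers are compared by name; a browser verifies signatures.
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    elif cert["issuer"] not in trusted_issuers:
        problems.append("unknown issuer")
    return problems

if __name__ == "__main__":
    summer_2024 = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for host in ("example.com", "www.example.com"):
        print(host, diagnose(CERT, host, summer_2024, {CA}))
```

Passing a `now` that is earlier than the certificate's start date reproduces the wrong-clock case: the certificate is reported as not valid yet although nothing is wrong with it.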
I Understand the Risks
You can bypass the warning if you’re confident both of the identity of the website and of the integrity of your connection. You can add the site as a security exception and carry on using it.
- On the warning page, click ‘I Understand the Risks’.
- Click ‘Add Exception…’. The ‘Add Security Exception’ dialog will appear.
- Read the text describing the problems with this site.
- Click ‘Confirm Security Exception’ if you want to trust the site.
However, few legitimate public sites will run for long with an invalid certificate; nor should you. RC
More information at: http://support.mozilla.org/en-US/kb/connection-untrusted-error-message