Ever since Firefox 3 came out last summer, it’s been warning users of unsigned, self-signed and invalid secure web pages. Firefox 3.5’s warning gets even more confusing for non-technical users. Safari, Chrome and even Internet Explorer also display similar warnings.
If you’ve ever asked yourself any of the following questions, this article is for you: What exactly does this warning mean? Why is it important? Why should you care? Why is your browser even bothering you about this?
All about “Trusted Identification”:
First of all, we’re all taught to make sure websites are encrypted before entering any sensitive data. We do this by:
- Looking for the “https” in the address bar.
- Finding the locked padlock somewhere on the screen. (Upper right for Safari, Lower right for Firefox.)
Within the last few major revisions of Firefox, Mozilla began coloring the address bar either green or blue to indicate whether a page is secure. Clicking on this area shows some information about whether the site is safe:
That is what happens during a normal, trusted encryption session. In an abnormal session, Firefox gives you this warning:
Safari will also give you this warning:
Why is this abnormal?
The difference between a normal and an abnormal session comes down to how encryption works. Anyone can create an encrypted connection, and it’s pretty easy if you have the technical knowledge.
What makes this secure is the other half of encryption – trust and identity. Basically, since anyone can create their own encryption – how do you know if it’s legitimate or some guy in his basement?
Well, you submit your information and pay some money, and Certificate Authorities like Verisign or Thawte will vouch for you. Browsers are pre-programmed to trust Verisign, Thawte and other international Certificate Authorities. That way, when Verisign says this certificate is from your bank, it is from your bank.
When the certificate doesn’t come from a trusted Certificate Authority (CA), your browser sees this as a red flag and throws a warning. The warning could be any of the following:
- Self-Signed (Home-Made) Certificate.
- Duplicate Certificate.
- Invalid Certificate Authority.
- Domain Name mismatch.
Self-Signed Certificate: This is common if you’re at work, dealing with internal equipment. You want a secure connection to set up your printers, but it’s not important enough to justify paying a CA to verify it. Home servers also will trigger this error quite often.
Duplicate Certificate: This happens when, instead of creating individual self-signed certificates or importing a trusted certificate, you copy a pre-created self-signed certificate onto another piece of equipment. Firefox will see that this certificate has been registered to something else and throw this error.
Invalid Certificate Authority: This happens when you go to a site, receive the certificate to begin your session, and it’s not signed by an authority your browser knows about. This is a big red flag because the authority may not be legitimate.
Domain Name Mismatch: Another big red flag. This is when someone takes a legitimate certificate and tries to pass it off as their own. For example, a phishing site would present eBay’s legitimate certificate from its own address, e.bay.com. Your browser sees that ebay.com and e.bay.com are not the same and it throws this error.
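To make the checks behind these warnings concrete, here is an added example (not from the original article and not any browser's actual code) that classifies a certificate the way the descriptions above do. The certificates are constructed sample data, "Example Trusted CA" and "Basement CA" are made-up names, issuers are compared by name rather than by verifying signatures, and the duplicate-certificate case is left out.

```python
# Simplified model of the checks behind the browser warnings described above.
# Certificates are plain dicts of constructed sample data, not parsed X.509,
# and issuers are compared by name (an assumption; real browsers verify signatures).

TRUSTED_CAS = {"Example Trusted CA"}  # stand-in for the browser's built-in CA list


def hostname_matches(pattern: str, host: str) -> bool:
    """Compare a name in the certificate with the host in the address bar.

    A wildcard is honoured only as the entire left-most label and covers
    exactly one label, so *.ebay.com never matches a.b.ebay.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def classify(cert: dict, host: str) -> str:
    """Return which of the article's warnings applies, or 'trusted'."""
    if cert["issuer"] == cert["subject"] and cert["issuer"] not in TRUSTED_CAS:
        return "self-signed"
    if cert["issuer"] not in TRUSTED_CAS:
        return "invalid certificate authority"
    if not any(hostname_matches(name, host) for name in cert["names"]):
        return "domain name mismatch"
    return "trusted"


# Constructed sample certificates
EBAY = {"subject": "ebay.com", "issuer": "Example Trusted CA",
        "names": ["ebay.com", "*.ebay.com"]}
PRINTER = {"subject": "printer.local", "issuer": "printer.local",
           "names": ["printer.local"]}
UNKNOWN = {"subject": "shop.example", "issuer": "Basement CA",
           "names": ["shop.example"]}

if __name__ == "__main__":
    for cert, host in [(EBAY, "ebay.com"), (EBAY, "e.bay.com"),
                       (PRINTER, "printer.local"), (UNKNOWN, "shop.example")]:
        print(f"{host:15} -> {classify(cert, host)}")
```

Note that the eBay certificate stays perfectly valid in this model; only the comparison with the name in the address bar fails, which is why the mismatch check runs even when the issuer is trusted.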
What should you do?
Well, in the case of Self-Signed and other invalid certificates, you need to consider the source. Basically, are you trying to sign in to your PayPal account or set up a printer?
If you’re trying to do any sort of confidential, financial or other legitimate transaction, any sort of warning means trouble.
If you’re working with equipment, your own servers, or trying to connect to a friend’s server, this warning is merely annoying.
When you see the Untrusted Connection warning, it’s important to:
1. Stop and read it.
2. Consider the source.
3. Ask someone in IT if it’s related to your workplace.
4. Cancel (or “Get me out of here!”), then revisit the site by typing it out (not clicking a link).
Only allow the exception if you are absolutely 100% sure that this is a safe site.
Personally, I’d allow an exception only under two conditions:
1. It’s a piece of equipment I’m working on.
2. It’s a home (or work) server that I’ve set up or someone I know has.