What it looks like when https does its job.
This message appears when I try to access my email account.
The problem is not yours to fix; it’s a problem with the website.
You still need to be careful, though.
Let’s look at https connections and what you should do when faced with messages like this.
Your connection is not private
This message results when https determines there’s something wrong with the security information for the website you’re connecting to. Most typically it’s an expired security certificate, but it can also be a spoofed website attempting to fool you into handing over private information. It’s nothing you can fix, but it is something you need to watch for and understand.
The https protocol uses what are called security certificates, or just certificates, as a kind of positive identification for a website.
In many ways, it’s similar to a driver’s license.
A driver’s license has three components:
- Process: A driver’s license must be obtained from an issuing authority, like a Department of Motor Vehicles or Department of Licensing. The process includes documenting your identity as well as proving you have the skills to drive.
- ID: A driver’s license is used to prove you are who you say you are.
- Functionality: A driver’s license gives you permission to drive a particular kind of motor vehicle.
A certificate for an https website has three similar components:
- Process: A certificate must be obtained from an issuing authority. The process includes proving you own the website for which the certificate will be issued.
- ID: A certificate is used to prove that the website is the website it claims to be.
- Functionality: A certificate is used to encrypt the data visitors send to and receive from the site.
A driver’s license is typically a physical card issued after you pay a fee, provide documentation, and pass a driving test. A security certificate is a blob of encrypted data issued after you pay a fee,[1] provide documentation, and pass an identity verification test.
Here’s an example of one type of error that we’re talking about, as displayed in Google Chrome (Edge, Brave, and other Chromium-based browsers are similar):
Here’s the same in Firefox:
These days, browsers make these errors look big and scary, even making it difficult to proceed if you don’t know what you’re doing. (Hint: you start by clicking on Advanced.) And yes, sometimes you do want to proceed anyway — but only if you’re certain.
You can reproduce this error by going to https://askleomedia.com.
There is something wrong with the security certificate. So far, that’s all we know. That means either:
- The site may not be the site we think it is, and we could be about to hand over sensitive information to an imposter.
- The site may not be able to handle encryption properly, meaning that the connection could be viewed by someone snooping in on the connection.
Or, it could mean nothing but an administrative oversight.
The trick is knowing which is which.
Most common by far: expired certificates
Like driver’s licenses, security certificates come with an expiration date. Typically, they’re only valid for one to three years. If the website owner fails to renew a certificate before it expires, that’s an error, just like driving with an expired license would be.
This is perhaps the most common certificate error we see on a regular basis. It’s the error you see in the examples above.
- NET::ERR_CERT_DATE_INVALID is just a geeky error code that says “Error, the certificate date is invalid.” Chromium-based browsers generally report this.
- “It’s likely the website’s certificate is expired” is Firefox’s clearer explanation of the problem.
It’s an unfortunate oversight when it happens, but it’s usually corrected quickly. I know, because I’ve made this error myself.[2] It’s typically safe to ignore the error as long as the expiration date is relatively recent.[3]
As a side note: this error can occur if your computer’s clock is set wrong. You’d likely see the problem on every https site you visit if this were the problem.
This one bugs me because it shows that the website owner doesn’t know how to configure their own server.
“biz.askleo.com” and “askleo.com” are two different sites, and typically require two different security certificates. Most importantly, a certificate issued for “askleo.com” will not validate “biz.askleo.com” — an error will result. Think of it as trying to use a driver’s license from someone else who happens to have the same last name as you, but a different first name — it’s not valid.
And yet I see it all the time. The website owner will try to do exactly that, and it won’t work. There are solutions, of course.[4] This situation is generally benign, and you can usually safely ignore the error, but still.
As a side note, “www.” is so commonly optional that certificates issued for the base name — askleo.com, for example — also validate the “www.” version of the domain.
The wrong domain
In the askleomedia.com example I use above, the server returns a valid certificate for the correct domain; it’s just expired.
If the certificate indicates that it’s been issued for a completely different domain, that’s a different problem.
Yes, it could be a misconfiguration. There are a variety of ways that can happen. However, whenever the server responds with the wrong domain name for a secure connection, you need to pay attention. It’s like carrying your friend’s driver’s license instead of your own. Not cool.
It ain’t right, and you should walk away.
Official certificates must be purchased. Unofficial certificates — so-called “self-signed” certificates — can be generated by just about anyone with a server. They’re “self-signed” because rather than being cryptographically signed by a trusted authority, you sign it yourself. That’s sort of like making your own driver’s license out of cardboard and crayon.
This is not uncommon among server geeks such as myself, because we’re more interested in the encryption of the connection than in authentication.
So unless you’re a server geek or know that’s what you’re expecting, this type of error should be treated like the next: do not proceed.
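An added example, not from the original article: the four situations described above (expired, wrong subdomain, wrong domain, self-signed) checked against certificate dictionaries in the shape Python's ssl.SSLSocket.getpeercert() returns. The sample certificates, their dates and issuer names, and the helper names are constructed for illustration, and comparing the last two labels to find the parent domain is a simplifying assumption.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers exactly one extra label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host

def parent(name):
    # Assumption: the last two labels are the parent domain. Production code
    # would consult the Public Suffix List instead.
    return ".".join(name.lower().split(".")[-2:])

def classify(cert, host, now):
    """Return the article's problem categories that apply to this certificate."""
    problems = []
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(n, host) for n in names):
        related = any(parent(n) == parent(host) for n in names)
        problems.append("wrong subdomain" if related else "wrong domain")
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    return problems

def _cert(subject, issuer, not_after, *dns_names):
    rdn = lambda cn: ((("commonName", cn),),)
    return {"subject": rdn(subject), "issuer": rdn(issuer), "notAfter": not_after,
            "subjectAltName": tuple(("DNS", n) for n in dns_names)}

# Constructed samples (names from the article, dates and issuers invented).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
EXPIRED = _cert("askleomedia.com", "Example CA", "Jan 15 00:00:00 2025 GMT",
                "askleomedia.com")
BASE = _cert("askleo.com", "Example CA", "Jan 15 00:00:00 2030 GMT",
             "askleo.com", "www.askleo.com")
WILDCARD = _cert("askleo.com", "Example CA", "Jan 15 00:00:00 2030 GMT",
                 "askleo.com", "*.askleo.com")
SELF_SIGNED = _cert("myserver.example", "myserver.example",
                    "Jan 15 00:00:00 2030 GMT", "myserver.example")

if __name__ == "__main__":
    print(classify(EXPIRED, "askleomedia.com", NOW))
    print(classify(BASE, "biz.askleo.com", NOW))
    print(classify(BASE, "yourbank.com", NOW))
    print(classify(WILDCARD, "biz.askleo.com", NOW))
    print(classify(SELF_SIGNED, "myserver.example", NOW))
```

Passing a later value for now to classify() shows why a wrongly set computer clock makes otherwise valid certificates look expired.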
Most of the time, https connection problems are oversights and omissions on the part of the server administrator. As I mentioned, the most common is that the administrator of the server failed to update their certificate. You might contact them and let them know.
The problem, of course, is knowing whether or not this is a simple oversight or a malicious interception. The whole point of security certificates is to detect those errors because they may indicate various forms of server compromise, or even a compromise of your own computer or internet connection. Hence the error message’s focus on privacy.
If your computer thinks it’s going to https://yourbank.com, but due to malware on your machine it’s being directed to a hacker’s computer overseas instead, https security certificate error messages will tell you, just like looking at someone’s driver’s license photo tells you whether the person you’re looking at really is who they say they are.
When in doubt, take the safe route. You should not continue. Instead, double-check that you’ve typed in the correct domain name or URL, and perhaps contact the site owner via other means to determine what’s happening.
Footnotes & References
1: There are now also free alternatives.
2: I’ve also forgotten to renew my driver’s license in the past. 🙂
3: Though finding the expiration date takes understanding how to examine the certificate. While that can be done using your web browser, it’s not something I’m covering here.
4: Either a separately purchased and issued certificate for each subdomain, or what’s called a “wildcard” certificate, which covers any and all subdomains on the parent domain. I’ve elected to use the latter with *.askleo.com.