I have a laptop that consistently has a problem when it accesses a site online. Each and every time I get the same message from the site I am visiting. The message is strange and I have no knowledge of how to correct the implied problem.
The message is: “There is a problem with this website’s security certificate. The security certificate presented by this website has expired or is not yet valid.”
This message appears when I try to access my email account.
The problem is most likely not yours to correct. More often than not, it’s a problem with the website itself.
You still need to be careful, though.
Let’s look at security certificates on https connections: what they mean and what you should do when faced with messages such as this.
A security certificate, or just “certificate”, is a kind of positive identification for a website as part of the https protocol. In many ways, it’s very similar to a driver’s license.
A driver’s license has three components: the process you go through to get one, its use as proof of who you are, and what it actually lets you do (drive).
A security certificate for an https website has three similar components:
- Process: A certificate must be obtained from an issuing authority. The process includes proving you own the website for which the certificate will be issued.
- ID: A certificate is used to prove that the website is the website it claims to be.
- Functionality: A certificate carries the public key your browser uses to set up the encrypted connection, so the data site visitors send to and receive from the site can’t be read or altered in transit.
A driver’s license is typically a physical card issued after you pay a fee, provide documentation, and pass a driving test. A security certificate is a block of data digitally signed by the issuing authority (signed, not encrypted; anyone can read it, but nobody else can forge the signature) issued after you pay a fee, provide documentation, and pass an identity verification test.
Here’s an example of one type of error that we’re talking about, as displayed in Google Chrome:
Chrome, in particular, makes errors look big and scary, and even makes it difficult to proceed when you know what you’re doing. (Hint: you start by clicking on “Advanced”.) And yes, sometimes you do want to proceed anyway – but only if you’re certain you understand why the error is there and who is really on the other end.
Here’s the same error in Internet Explorer:
IE makes it easier to continue.
You can reproduce this error by going to https://ask-leo.com. There is no https version of the old “ask-leo.com” (with the dash) site; however, there is enough https support in place that it will try to return something. That “something” uses an unrelated security certificate, currently the certificate for “secure.pugetsoundsoftware.com”. That’s kind of like using someone else’s driver’s license, and results in the error you see.
Most common: expired certificates
Like driver’s licenses, security certificates come with an expiration date. They used to be issued for as long as three to five years; today browsers refuse publicly trusted certificates issued for more than 398 days (about 13 months), so a year is the norm. If the website owner fails to renew a certificate before it expires, that’s an error, just like driving with an expired license would be.
This is perhaps the most common certificate error seen with any regularity, and it’s probably the cause of the error you’re seeing: “The security certificate presented by this website has expired or is not yet valid”. (“Not yet valid” covers the case where someone starts using a certificate before they’re supposed to. This is exceptionally rare.)
Before blaming the website, check your own computer’s clock. A date set to the wrong year makes every https site look expired or not yet valid; if only this one site complains, the certificate itself is the problem.
It’s an unfortunate oversight when it happens, but it’s usually corrected very quickly. I know, because I’ve made this error. 🙂 It’s typically safe to ignore the error as long as the expiration date is relatively recent, but since expiration is also what limits the damage from a stolen certificate key, it’s wise to hold off on typing a password into the site until it’s fixed.
Mismatched subdomains
This one bugs me, because it really shows that the website owner doesn’t know how to configure their own server.
“biz.askleo.com” and “askleo.com” are two different sites, and typically require two different security certificates (or a single certificate that lists both names, or a “wildcard” certificate for “*.askleo.com”). Most importantly, a certificate issued only for “askleo.com” will not validate “biz.askleo.com” – an error will result. Think of it as trying to use a driver’s license from someone else who simply happens to have the same last name as you do – it’s not valid.
And yet I see it all the time. The website owner will try to do exactly that, and it won’t work. There are solutions, of course. This situation is generally benign and you can usually safely ignore the error, but still.
As a side note, “www.” is so commonly optional that most issuers automatically list the “www.” version of the domain as an additional name on a certificate requested for the base name – askleo.com, for example. The browser doesn’t treat “www.” specially; it’s simply that both names are on the certificate.
Self-signed certificates
Official certificates come from a trusted issuing authority; they used to cost money, though issuers such as Let’s Encrypt now provide them free, and either way you must prove you control the domain. Unofficial certificates – so called “self-signed” certificates – can be generated by just about anyone with a server. They’re “self signed” because rather than being cryptographically signed by a trusted authority, you sign it yourself. That’s sort of like making your own driver’s license out of cardboard and crayon.
This is not uncommon among server geeks such as myself, because we’re more interested in the encryption of the connection, not authentication.
The catch is that a self-signed certificate encrypts the connection but proves nothing about who is on the other end. Someone intercepting your connection can present their own self-signed certificate, and you’d see exactly the same warning. So unless you’re a server geek who knows that’s what you’re expecting (and can compare the certificate’s fingerprint against the one you installed), this type of error should be treated like the next: do not proceed.
The wrong domain
In the ask-leo.com example I used above, the server returns a valid certificate, but for the wrong domain. There is no certificate for “ask-leo.com”, but the server returns its default certificate, one I’ve installed for “secure.pugetsoundsoftware.com”.
The full error message from Chrome explains it well:
This server could not prove that it is ask-leo.com; its security certificate is from secure.pugetsoundsoftware.com. This may be caused by a misconfiguration or an attacker intercepting your connection.
Yes, it could be a misconfiguration, but whenever the server responds with the wrong domain name for a secure connection, you need to pay attention. This is very much like someone – intentionally or accidentally – trying to use someone else’s driver’s license.
It ain’t right, and you should probably walk away.
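The four errors above (expired or not yet valid, a subdomain the certificate doesn’t cover, self-signed, and a certificate for the wrong domain entirely) are all things you can check mechanically once you have the certificate’s fields. Here is an added example, not code from the original article, that does the checks the way a browser does. It works on the dictionary shape Python’s `ssl` module returns from `getpeercert()`, but the certificates below are constructed for the example (the names mirror the article; the dates, issuers and the wildcard certificate are assumptions), so it runs offline without touching any real site. It also shows the clock caveat: when every site looks expired at once, suspect your own computer’s clock, not the sites.

```python
"""Classify the certificate problems a browser would flag.

Operates on the dict shape returned by ssl.SSLSocket.getpeercert(). The
certificates below are constructed for this example; they are not the real
certificates of the sites named.
"""
import ssl
import time

# A fixed "now" so the example behaves the same whenever it is run.
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")

CERT_ASKLEO = {  # constructed: covers the base name and its "www." form
    "subject": ((("commonName", "askleo.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "askleo.com"), ("DNS", "www.askleo.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
CERT_WILDCARD = dict(CERT_ASKLEO, subjectAltName=(("DNS", "*.askleo.com"),))
CERT_EXPIRED = dict(CERT_ASKLEO, notBefore="Jan  1 00:00:00 2019 GMT",
                    notAfter="Dec 31 23:59:59 2019 GMT")
CERT_PUGET = dict(CERT_ASKLEO,  # constructed: the server's default certificate
                  subject=((("commonName", "secure.pugetsoundsoftware.com"),),),
                  subjectAltName=(("DNS", "secure.pugetsoundsoftware.com"),))
CERT_SELF = {  # constructed: subject and issuer are the same, i.e. self-signed
    "subject": ((("commonName", "mail.example.test"),),),
    "issuer": ((("commonName", "mail.example.test"),),),
    "subjectAltName": (("DNS", "mail.example.test"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


def _san_dns_names(cert):
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125 style matching: a wildcard may only be the whole leftmost
    label and matches exactly one label, so *.askleo.com matches
    biz.askleo.com but not askleo.com or a.b.askleo.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Browsers check only the subjectAltName DNS entries; the subject
    commonName is ignored (Chrome has done so since version 58)."""
    return any(_name_matches(p, hostname) for p in _san_dns_names(cert))


def is_self_signed(cert):
    return cert.get("subject") == cert.get("issuer")


def classify(cert, hostname, now=None):
    """Return the problems a browser would report for this certificate on
    this hostname; an empty list means it would be accepted. Chain building
    and revocation need a CA store and are out of scope here."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not_yet_valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not hostname_matches(cert, hostname):
        problems.append("name_mismatch")
    if is_self_signed(cert):
        problems.append("self_signed")
    return problems


def suspect_local_clock(results):
    """If every site checked fails only on its validity window, the odds are
    the local clock is wrong rather than every site having lapsed at once."""
    window = {"expired", "not_yet_valid"}
    return bool(results) and all(set(r) and set(r) <= window for r in results)


if __name__ == "__main__":
    for cert, host in [(CERT_ASKLEO, "biz.askleo.com"), (CERT_WILDCARD, "biz.askleo.com"),
                       (CERT_PUGET, "ask-leo.com"), (CERT_EXPIRED, "askleo.com"),
                       (CERT_SELF, "mail.example.test")]:
        print(f"{host:28} -> {classify(cert, host, NOW) or 'ok'}")
```

To run the same checks against a live server, `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` gives you a dict in this shape, and `openssl s_client -connect host:443 -servername host` shows the raw certificate the server actually presented, which is the quickest way to see whose name is on it.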
Most of the time, certificate problems are simply oversights and omissions on the part of the server administrator. In your case, for example, I’d guess that the administrator of your email server simply failed to update their certificate. You might contact them and let them know.
The problem, of course, is knowing whether or not this is a simple oversight or a malicious interception. The whole point of security certificates is to detect those errors, because they may indicate various forms of server compromise, or even a compromise of your own computer or internet connection.
If your computer thinks it’s going to https://yourbank.com, but due to malware on your machine it’s being directed to a hacker’s computer overseas instead, https security certificate error messages will tell you, just like looking at someone’s driver’s license photo tells you whether the person you’re looking at really is who they say they are.
When in doubt, take the safe route. You should not continue; instead, double check that you’ve typed in the correct domain name or URL, and perhaps contact the site owner via other means to determine what’s happening.