Https, which stands for secure http, is used instead of http to do two things: confirm the identity of the site you’re connecting to, and keep your communications with that site secure by encrypting it all.
If something is wrong, the browser will often display a warning, but in some cases it will do nothing more than turn the https indicator red, or put a line through it.
Unfortunately, “something is wrong” can mean many things, ranging from a serious security issue to a benign oversight by the website’s owner.
Become a Patron of Ask Leo! and go ad-free!
Your browser should warn you
In most cases, when you first connect to a website that has an https problem, your browser should warn you.
The security certificate presented by this website was issued for a different website’s address.
The security certificate includes the name of the site you’re going to. For example, if you’re attempting to visit https://paypal.com, the certificate there will confirm that it is, indeed, the real paypal.com. This error indicates that the certificate does not match the domain. You may not be visiting the actual site you think you are.
IE’s error message actually sums it up quite nicely:
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
The address bar continues to warn…
Continuing through to the site regardless of the warning, IE’s address bar continues to indicate that there’s a problem.
The address bar is given a red background and the red security icon is present, along with the words “certificate error”.
Similarly, Google Chrome turns the https red and draws a line through it.
Clicking on the broken padlock in Chrome displays information about the secure connection and its problems.
Clicking on IE’s red security shield in the address bar, or the highlighted domain name in FireFox’s address bar, will also display additional information.
What should you do?
Unless you know for a fact that the error is benign, cancel the operation and do not visit the site, especially if it’s a financial institution or a site that deals with your personal and private information.
It could be a trap.
Contact the institution some other way to clarify the error, and make sure your system is free of malware and otherwise secure.
Often, it’s benign
I do want to be clear: unless you’re a system administrator of some sort, you should never see a certificate error. That’s why I said above that if you’re the least bit unsure, stop.
The most common causes for certificate errors are actually quite benign.
First, check your computer’s clock and timezone setting, particularly if you see this error on multiple https sites. The certificate-validation system relies on your computer’s concept of time being relatively correct. If it’s not – say you have the wrong timezone selected, the wrong year, or just the wrong time – then certificate errors are one possible side effect.
Second, if you feel so inclined, look at the more detailed information for the certificate, and check the expiration date. Certificates expire, and sometimes the websites forget to update their certificates in time. I know, because I’ve done it … or rather, forgotten to do it.
Thus, if you can examine the message associated with a certificate error, and you can determine that the only problem is that the certificate has expired, and expired recently (typically, these cases are fixed within 24 hours), then it may be OK to proceed: encryption may still be operative.
On the other hand, it’s also safe to simply wait a day.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!