What does "There is a problem with this website's security certificate" mean, and what should I do?

Here's an example of the type of error that we're talking about, as displayed in Internet Explorer 7:

That's one you can see yourself by going to https://ask-leo.com - there is no https version of the site, but there is enough in place should I want one, that it will currently cause that error.

You'll note that specific error is different than that in the question. I'll address that shortly.

Security certificates are used as part of the https protocol for two purposes: to validate that you're actually connecting to the site you think you are, and thereafter to encrypt the data going back and forth between you and the site. It's that first purpose - validation - that these errors are concerned with.

I'm going to purposely gloss over the geeky details, but in short, when a browser attempts to connect with a remote server using the https protocol, it receives a packet of digital information that has been cryptographically "signed" by a trusted third party. Distributed with the browser (and periodically updated) are the root keys that can be used to validate that signature.

A "valid" signature means that a) the decryption of the signature worked, and b) the information accompanying the signature matches what's expected, and finally c) the signature has not expired.

Let's look at what each of those means:

• If the signature can't be decrypted, that implies that the signature was not signed by a trusted third party. The process of getting a valid security signature requires that the web site owner contact one of a handful of certificate issuing authorities to get a certificate. If they generate one on their own (as I have with https://ask-leo.com), https can still be used for encryption, but it in no way validates that you are in fact connected to the site you think you are.

  The error "The security certificate presented by this website was not issued by a trusted certificate authority." implies exactly that - no third party was used to generate an official security certificate, so the contents of the certificate cannot be trusted.

  Unless you know what you're doing, it's safest at this point to least suspect the validity of the entire site and not continue..

• Certificates are issued for the specific domain you connect to. So, for example, if you attempt to connect to https://ask-leo.com and the certificate comes back and says "I'm the certificate for server1.pugetsoundsoftware.com", that's a certificate error. It could imply that your connection attempt has been hijacked, and that you're possibly not connecting to the site you think you are.

  The error "The security certificate presented by this website was issued for a different website's address." indicates that this is the case. (The equivalent error message in FireFox will further indicate exactly what site the certificate claims to be. There you'll see that an attempt to connect to https://ask-leo.com will in fact return a certificate issued to "server1.pugetsoundsoftware.com".)

  This actually happens from time to time by accident. For example "example.com" and "www.example.com" are two different domains, and would require two separate certificates and it's easy to overlook that.

  Valid redirection attempts can also apparently trigger this error if not handled properly. At this writing https://www.gmail.com/ has this problem. If you are not logged into GMail, attempting to connect securely to Google Mail via gmail.com will generate the error. If you click on "Continue to this website" you'll be redirected instead to the account login page on https://www.google.com/. I suspect that the wrong certificate is being presented for the initial contact. (You can avoid this path and get an always-valid secure path by going to https://mail.google.com which appears to handle the situation properly.)

  Domain mismatches are almost always suspect, and the safest thing is not to continue unless you have other strong reasons to believe that the error is, itself, in error.

• Certificates are valid only for specific periods of time and are issued with start and end dates. If the website owner installs a certificate before its start date, or neglects to renew a certificate before it expires, that too is a certificate error.

  "The security certificate presented by this website has expired or is not yet valid." is the error that results when certificate is used outside of its assigned date range.

  Date errors aren't as serious as the other errors above, particularly if the certificate expiration and or start date (if the browser shows you) is within a few days.

Most of the time the problems are simply oversights and omissions on the part of the server administrator. In your case, for example, I'd simply guess that the administrator of your email server has simply failed to update their certificate. You might contact them and let them know.

The whole point of security certificates, however, is to detect those errors because they may indicate various forms of server compromise, or even a compromise of your own computer. If your computer thinks it's going to https://yourbank.com but due to a malware infestation on your machine it's being directed to a hacker's computer overseas, https will tell you.

And, of course, when in doubt take the safe route. You should not continue, but instead double check that you've typed in the correct domain name or URL, and perhaps contact the site owner via other means to determine what's happening.