Summary: https uses certificates to validate the site you're connecting to, as well as encrypt the data. Certificate errors are worth paying attention to.
I have a laptop that consistently has a problem when it accesses a site online each and every time I get the same message from the site I am visiting. The message is strange and I have no knowledge of how to correct the implied problem.
The message is: "There is a problem with this website's security certificate. The security certificate presented by this website has expired or is not yet valid."
This message appears when I try to access my email account.
•
The problem is most likely not yours to correct. In the case you're asking about, more often than not, it's a problem with the web site itself.
Though you still need to be careful.
Let's look at security certificates on https connections, what they mean and what you should do when faced with messages such as this.
•
Here's an example of the type of error that we're talking about, as displayed in Internet Explorer 7:
That's one you can see yourself by going to https://ask-leo.com - there is no https version of the site, but there is enough in place should I want one, that it will currently cause that error.
You'll note that specific error is different than that in the question. I'll address that shortly.
Security certificates are used as part of the https protocol for two purposes: to validate that you're actually connecting to the site you think you are, and thereafter to encrypt the data going back and forth between you and the site. It's that first purpose - validation - that these errors are concerned with.
I'm going to purposely gloss over the geeky details, but in short, when a browser attempts to connect with a remote server using the https protocol, it receives a packet of digital information that has been cryptographically "signed" by a trusted third party. Distributed with the browser (and periodically updated) are the root keys that can be used to validate that signature.
A "valid" signature means that a) the decryption of the signature worked, and b) the information accompanying the signature matches what's expected, and finally c) the signature has not expired.
Let's look at what each of those means:
-
If the signature can't be decrypted, that implies that the signature was not signed by a trusted third party. The process of getting a valid security signature requires that the web site owner contact one of a handful of certificate issuing authorities to get a certificate. If they generate one on their own (as I have with https://ask-leo.com), https can still be used for encryption, but it in no way validates that you are in fact connected to the site you think you are.
The error "The security certificate presented by this website was not issued by a trusted certificate authority." implies exactly that - no third party was used to generate an official security certificate, so the contents of the certificate cannot be trusted.
Unless you know what you're doing, it's safest at this point to least suspect the validity of the entire site and not continue..
-
Certificates are issued for the specific domain you connect to. So, for example, if you attempt to connect to https://ask-leo.com and the certificate comes back and says "I'm the certificate for server1.pugetsoundsoftware.com", that's a certificate error. It could imply that your connection attempt has been hijacked, and that you're possibly not connecting to the site you think you are.
The error "The security certificate presented by this website was issued for a different website's address." indicates that this is the case. (The equivalent error message in FireFox will further indicate exactly what site the certificate claims to be. There you'll see that an attempt to connect to https://ask-leo.com will in fact return a certificate issued to "server1.pugetsoundsoftware.com".)
This actually happens from time to time by accident. For example "example.com" and "www.example.com" are two different domains, and would require two separate certificates and it's easy to overlook that.
Valid redirection attempts can also apparently trigger this error if not handled properly. At this writing https://www.gmail.com/ has this problem. If you are not logged into GMail, attempting to connect securely to Google Mail via gmail.com will generate the error. If you click on "Continue to this website" you'll be redirected instead to the account login page on https://www.google.com/. I suspect that the wrong certificate is being presented for the initial contact. (You can avoid this path and get an always-valid secure path by going to https://mail.google.com which appears to handle the situation properly.)
Domain mismatches are almost always suspect, and the safest thing is not to continue unless you have other strong reasons to believe that the error is, itself, in error.
-
Certificates are valid only for specific periods of time and are issued with start and end dates. If the website owner installs a certificate before its start date, or neglects to renew a certificate before it expires, that too is a certificate error.
"The security certificate presented by this website has expired or is not yet valid." is the error that results when certificate is used outside of its assigned date range.
Date errors aren't as serious as the other errors above, particularly if the certificate expiration and or start date (if the browser shows you) is within a few days.
Most of the time the problems are simply oversights and omissions on the part of the server administrator. In your case, for example, I'd simply guess that the administrator of your email server has simply failed to update their certificate. You might contact them and let them know.
The whole point of security certificates, however, is to detect those errors because they may indicate various forms of server compromise, or even a compromise of your own computer. If your computer thinks it's going to https://yourbank.com but due to a malware infestation on your machine it's being directed to a hacker's computer overseas, https will tell you.
And, of course, when in doubt take the safe route. You should not continue, but instead double check that you've typed in the correct domain name or URL, and perhaps contact the site owner via other means to determine what's happening.
Related:
-
Is an https connection really all that safe? https is an important part of keeping your data safe, but it's only a part. It's important to understand what it means and what it doesn't mean.
-
How can an https web site still be nonsecure? Surprisingly, it's possible for aspects of an https site to still be nonsecure, if the site is improperly designed. And it's very difficult to tell.
Article C3581 - December 3, 2008
I have this same error message, but it's for major sites that certainly aren't having a certificate problem (like facebook and ebay). HOw can I simply turn this option off on my computer. I have searched for many answers on computer so far and have tried the following things: Changed Advanced Internet options, lowered security filters, turned off phishing filters, installed the security certificates of the websites that have the error, and added URL's to the "trusted sites" list. None of this has changed anything. And, after each change, I have closed the broswer and restarted it. nothing... Help!
07-Dec-2008
If it happens every site you go to, check your date and time on your computer. If your computer's date is off by a certain amount of time, usually I have seen 1 year. In other words if today is 12/7/08 and your computer shows 12/7/07 you will see this error, for nearly every web site you go to.
Posted by: Jeffrey at December 7, 2008 11:30 AMI get this certificate error when i connect remotely to access my Exchange mail on my own 2003 server. I can't figure out what certificate it's talking about
Posted by: Derus Berg at December 9, 2008 9:49 PMI have another question regarding security certificates. It concerns a button that I see (when I view it in MSIE6.0) on the certificate, labelled "Install Certificate". Why is this button there? I mean, clearly, the certificate works just fine without having been installed (else the web page would fail). Is there any value to installing a web certificate? Is there any case where this would be appropriate???
10-Dec-2008
hi leo ,
Posted by: sudhamol at January 6, 2009 11:34 PMi read the problem which is faced by other when the access to the desire website because i also face the same problem , now i have one double will this problem prevent to install any new software for eg , i am trying to install the new version of yahoo messanger 9 but i cant do so , can u help me out ...
I tried to get on this website i usually go on quiet regular. I sign in but it keeps saying i am having a certificate problem. I couldn't understand what it meant. Somehow i've done something with the URL. So now its coming up: The requested URL/login/was not found. How do i sort this problem? I would be grateful if you could help me because i don't have a clue? And i need to get back on this site.
Posted by: Kayren at February 28, 2009 2:04 PMI get it on a select few...and in order to help a neice with a governement website (child support) I tried to find out why she gets this same error.
I get it too and my system is totally different than hers.
But also neither of us have trouble with the site when we use anything other than IE.
To me the problem is IE related whether its something I can fix or not.
Solution: Dont use IE if you get this error.
I use both Safari & Firefox often for this reason alone.
Its also one of the top reasons (that and UAC) that I will go Linux or OSX on my next computers.
Posted by: Paul at April 12, 2009 8:39 PMmy daughter trying get on facebook and bebo, it is saying security certicate and wont let her sigh in, whats could be the problem
Posted by: sheila slater at June 24, 2009 12:41 PMPosted by: Rachel at December 6, 2008 8:12 PM
Posted by: Dwayne at September 20, 2009 2:34 PMI changed the date on my computer and WOW! that fixed the certificate problem for me. It's an old post but, Thank you Rachel.
I have that problem on our Company's webmail exchange server ("not issued by trusted authority" and "issued for a different website's address") I have talked to our IT dept. and they can not (or don't want to) change that.
I have tried adding the domain to my trusted sites and to my intranet sites, all to no avail. Surely it must be possible to bypass this for ONE site????????
I have also tried group policy editor, but did not find any suitable option.
It is really ridiculous that I have to click this link every time I need to access my work email! This needs an easy workaround by Microsoft especially for those IT workers who need to access their Intranet stuff remotely.
Posted by: Axel Grude at October 30, 2009 2:58 AM