Helping people with computers... one answer at a time.
A slash through the padlock, the https, or the https appearing in red all mean one thing: something's wrong. Exactly what's wrong can vary.
Sometimes when I'm on a secure website (https in the URL), I notice that the https has a slash through it, seemingly meaning the site is NOT secure. Is this true? And if so, why is it happening?
•
Https, for secure http, is used instead of http to do two things: confirm the identity of the site you're connecting to and keep your communications with that site secure by encrypting it all.
If something is wrong, the browser will often display a warning, but in some cases, it will do nothing more than turn the https indicator red or put a line through it.
Unfortunately, "something is wrong" can mean many things, ranging from a serious security issue to a benign oversight by the website's owner.
•
Your browse should warn you
In most cases when you first connect to a website that has an https problem, your browser should warn you. In the case above, there are two problems that Internet Explorer is telling me about the site I'm visiting:
-
The security certificate presented by this website was not issued by a trusted certificate authority. Https uses trusted authorities validated by the so-called "root certificates" to issue encrypted credentials (a certificate) to websites to validate their identity. In this case, while a certificate is in place, it has not been issued by a trusted authority and thus, it could have been created by anyone.
Bottom line: This site may say it is the site you're going to, but it's very possible that it's lying.
-
The security certificate presented by this website was issued for a different website's address. The certificate also includes the name of the site you're going to. For example, if you're attempting to visit https://paypal.com, the certificate there will confirm that it is, indeed, the real paypal.com.
This error indicates that the certificate does not match the domain. Once again, you may not be visiting the actual site you think you are.
IE's error message sums it up nicely:
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
The address bar continues to warn...
Continuing through to the site regardless of the warning, IE's address bar continues to indicate that there's a problem:
The address bar is given a red background and the red security icon is present.
Similarly Google Chrome turns the https red and draws a line through it:
Clicking on the broken padlock in Chrome displays information about the secure connection and its problems:
Clicking on IE's red security shield in the address bar or the highlighted domain name in FireFox's address bar will also display additional information.
What should you do?
Unless you know for a fact that the error is benign, cancel the operation and do not visit the site, especially if it's your bank or other financial institution or a site that deals with your personal and private information.
It could be a trap.
Contact the institution some other way to clarify the error and make sure that your system is free of malware and otherwise secure.
Occasionally ,it's benign
I do want to be clear: unless you're a system administrator of some sort, you should never see a certificate error. That's why I said above that if you're the least bit unsure, stop.
However...
The most common cause for certificate errors is actually benign.
Certificates expire, and sometimes, the websites forget to update their certificates in time.
I know, because I've done it ... or rather, forgotten to do it.
Thus, if you can examine the message associated with a certificate error, and you can determine that the only problem is that the certificate has expired, and expired recently (typically, these cases are fixed within 24 hours), then it may be OK to proceed.
On the other hand, it's also safe to simply wait a day.
Article C5165 - April 4, 2012 « »
Leo A. Notenboom has been playing with computers since he
was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed.
After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers
to common computer and technical questions. More about Leo.
April 6, 2012 8:51 AM
could there be other reasons? I know for a fact that our certificate on a site is good and will not expire for at least 2 more years. and when I am on the site (in Chrome) certain pages have the red line going through the https. Could placing links to outside websites cause this problem? I have been trying to diagnose the problem for a few days. Glad I received this article in my e-mail today! :-)
06-Apr-2012
April 6, 2012 10:02 PM
Follow-up to first comment... since IE often asks whether a user wants to display only secure contnot, how can a user who responds that they are willing to allow both secure and nonsecure content tell which is secure and which is not?
08-Apr-2012
April 10, 2012 11:44 AM
Leo's discussion shows a sample "bad" website. But he blurred the URL. Is there a "valid bad" website that one can visit just to see what other browsers do or do not do when they encounter an invalid certificate?