If you have visited an HTTPS site and got an error message that you do not understand, then this article is for you. Here I cover the common errors encountered while browsing HTTPS sites.
As discussed earlier, when the HTTPS connection is being established, the browser receives the certificate from the server. The following cases are possible:
- The certificate is expired. Check the system’s date first; a misconfigured date is the most common cause. If your system’s date is correct, then this is a serious issue. Visiting a site with an expired certificate is like eating an expired packet of chips (it might be good, but not for sure).
- The certificate is for another domain. Check the actual domain for which the certificate is issued. A common cause is that the certificate is for www.xyz.com and the user is navigating to xyz.com. Otherwise, if the certificate is for abc.com and is being used for xyz.com, then possibly xyz.com is affiliated with abc.com and this is just a wrong (or economic?) decision on the part of the company. If that is not the case, then leave the website immediately.
- The certificate is not verified by a trusted CA. The certificate is issued/signed by an authority that your browser does not trust. This is equivalent to meeting someone who has a degree from a university not recognized by the government (for example, my institute uses HTTPS for its mail site webmail.iitk.ac.in, but its certificate is not signed by one of the authorities that popular browsers trust). The remedy is to visit the website of the certificate signer (which must be HTTPS) and confirm that the certificate is issued by it; if you trust the signee enough, go ahead and add the certificate to the browser repository. It should be noted that your decision to trust the website is based on mutual trust.
- The page contains non-HTTPS components. This happens when the web developer includes non-HTTPS resources (especially images and CSS) in the code, usually for optimization purposes. It is usually safe to go ahead unless it’s a banking site (it’s better to be on the safe side). The issue is that some parts of the page that are delivered using plain HTTP can actually be tapped (and modified as well).
- No warning. Good, go ahead, you are safe. [Really?]
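The first two checks in the list above (expiry and domain match), written out as an added example that is not part of the original article. It assumes a certificate dictionary shaped like the one Python's `ssl.SSLSocket.getpeercert()` returns; the helper names `name_matches` and `diagnose` and the sample certificate are constructed for illustration.

```python
import ssl

def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname.
    A '*' is honoured only as the whole leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def diagnose(cert, host, now):
    """Return the problems a browser would warn about for this cert/host pair.
    cert: dict shaped like getpeercert() output; now: Unix time in seconds."""
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid (check the system clock)")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch: certificate covers " + ", ".join(names))
    return problems

# Constructed sample certificate (not taken from any real site).
SAMPLE = {
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.xyz.com"), ("DNS", "*.shop.xyz.com")),
}
MID_2023 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2023 GMT")
MID_2024 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    for host, when in [("www.xyz.com", MID_2023), ("xyz.com", MID_2023),
                       ("www.xyz.com", MID_2024)]:
        print(host, diagnose(SAMPLE, host, when) or "no warning")
```

A clock set before the certificate's start date produces the "not yet valid" result, which is the misconfigured-date case from the first bullet seen from the other side.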
Have you got any HTTPS warning/error messages? Do post them in the comments.