This Connection Is Untrusted

Posted 11 Mar 2010 | 2 Comments | 2,149 views

It’s not simply an annoyance. Occasionally Firefox will encounter an issue with a website’s SSL certificate. It will present the user with a full-page warning stating that This Connection is Untrusted before proceeding to the web page. At this point the user must decide whether to accept the certificate problem and continue on to the potentially hazardous web page. Understanding the warning message is key. It may be an inconvenience to slow down and read the message, but it could save a lot of headaches later. Do not blindly click through the warning message and accept the certificate!

Firefox will identify the problem that it has with the SSL certificate in the Technical Details section of the warning page. The most common warnings are for unrecognized certificate authorities, mismatched certificates, or expired certificates.

For an unrecognized certificate authority, Firefox will complain that the certificate is not trusted because it hasn’t been verified by a trusted authority. If the site is a bank or well-known site, heed the Firefox warning. Legitimate banks, stores, and other public sites will not ask you to accept an unverified certificate. Do not accept this certificate.

Sometimes a company will use a self-signed SSL certificate for a beta or internal website because such certificates are free and easily created. Self-signed certificates are good for sites that will not be accessible by the general public. The encryption strength for a self-signed certificate can be just as strong as SSL certificates purchased from well-known certificate authorities such as Verisign or GeoTrust; however, Firefox will generate an error because it does not recognize the signing certificate authority. If you trust the signing certificate authority, request that the certificate authority provide the CA certificate (not the key) so that you can import it into your certificate store. This will prevent having to accept each individual SSL certificate that they issue. For example, if the signing authority is the IT department at your company, then the website with the self-signed certificate is most likely safe to visit.

For a mismatched certificate, Firefox will complain that the certificate is only valid for a certain site, which is not the same as the one in the browser URL field. As an example of this, point Firefox at https://www.twitter.com/, and Firefox will complain about the mismatch. Firefox is expecting an SSL certificate for www.twitter.com, but instead is presented with a certificate for just twitter.com. This is a relatively benign example; however, some very poorly executed phishing attempts rely on the user just clicking through such a warning.

Firefox will complain about an SSL certificate if the expiration date has already passed. Just like drinking milk the day after the expiration date may not cause problems, accepting an expired certificate may not be a large security problem. It may, however, be a sign that the website is not actively maintained and monitored. You might want to consider sending the site owner a helpful hint about the expired certificate.
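The three warning categories above can be checked mechanically. The following is an added example, not code from this post or from Firefox: it triages a constructed certificate, shaped like the output of Python's `ssl.SSLSocket.getpeercert()` and modelled on the twitter.com case. The issuer names and the `triage` helper are hypothetical, and trust is simplified to a lookup of the issuer name, where a real client verifies the signature chain.

```python
import ssl
import time

# Assumption: trust is modelled as a set of issuer names. A real client
# verifies the signature chain up to a CA certificate in its store.
TRUSTED_ISSUERS = {"Example Public Root CA", "Corp IT Internal CA"}

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE = {
    "subject": ((("commonName", "twitter.com"),),),
    "issuer": ((("commonName", "Example Public Root CA"),),),
    "notAfter": "Mar 11 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "twitter.com"),),
}

def common_name(name):
    """Return the commonName from a getpeercert()-style name, or None."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def host_matches(pattern, host):
    """Label-by-label match; '*' may stand in for the left-most label only."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def triage(cert, host, now=None):
    """Return the warning categories (possibly none) that apply to cert."""
    now = time.time() if now is None else now
    problems = []
    issuer = common_name(cert["issuer"])
    if issuer not in TRUSTED_ISSUERS:
        self_signed = cert["issuer"] == cert["subject"]
        kind = "self-signed" if self_signed else "unknown issuer"
        problems.append(f"untrusted ({kind}): {issuer}")
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not any(host_matches(n, host) for n in names):
        listed = ", ".join(names) or "no DNS names"
        problems.append(f"mismatch: valid only for {listed}")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"expired: {cert['notAfter']}")
    return problems

if __name__ == "__main__":
    # Fixed clock (constructed) so the sample is still within its validity.
    clock = ssl.cert_time_to_seconds("Mar 11 00:00:00 2010 GMT")
    for host in ("twitter.com", "www.twitter.com"):
        print(host, triage(SAMPLE, host, clock) or "no warning")
```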

While the Firefox warnings are not direct protection against web threats, they are a good preventative measure if the warnings are read and a little investigation is performed. Services like McAfee SiteAdvisor and OpenDNS can be useful in determining the reputation of a particular website. When in doubt, do not visit the web site.

2 Comments »

  • ahmed said:

    he;p

  • stickman (author) said:

    I think you hit the submit button a bit too soon. Care to take another try at the comment?
