Anyone else getting an insecure security certificate if visiting Youtube using Chrome right now? In the browser’s URL bar the “https://” has a red line and warning sign through it saying “This page is insecure (broken HTTPS)”, the problem being:
What does this mean? Is this an issue my end or Google’s end? I’m not getting this warning using Mozilla Firefox.
Hmm, I’m getting it for Google now, so it’s probably me.
Am running full malware and antivirus scan, just in case. Could also be something with my Internet Service Provider.
EDIT: Actually, since Google owns Youtube it could still be an issue with them.
Probably your end. Chrome will update the certificates ( or occasionally it’s a glitch in the operating system ) and all will be well.
The whole system is kinda dumb anyway: I can understand needing some way to protect one from malicious actors, but this is so uncertain, one just ploughs through the warnings regardless.
I’ve not seen this particular warning in the Chrome URL bar before, so it’s a bit odd that it’s internet giants Google and Youtube that I’m first experiencing it with. What is a security certificate anyway? There are different security certificates for different browsers (since I’m not getting this issue using Firefox)?
I think there is only one certificate per site, per issuer *, for all browsers. However browser-makers have to update a/ for the browser as a whole b/ send out that new update to each browser ( on every computer ) through whichever update mechanism they choose.
EG: your application may update through the browser downloading the new updates or through operating system updates, either silently or by you selecting such updates.
And renew it every year. Google in the past has forgotten to renew for some sites ( they have 1000s, meaning a dedicated department is needed to keep track of all this ) — which leads to warnings — or forgotten to renew the domain. One can generally only book ( paid in advance ) a domain name to a maximum of 10 years.
Thanks for the info. Hopefully it will sort itself out.
A SSL certificate establishes a trust relationship (via some complex mathematics) between a client (your web browser) and the server delivering the data.
A certificate is issued by an Certificate Authority (CA), and includes the DNS name of the website. The Certificate Authority is responsible for verifying that the certificate is issued to the correct website administrator.
The website administrator generates a private key - a suitable complex unique number. They use this key to generate a Certificate Signing Request. The CA uses the CSR to build the certificate, and signs it with a number generated from the key and the CA private key.
When you connect to a secure website, the server gives you it’s certificate which contains the website name. Your browser looks at that certificate, finds the issuer (CA), and verifies that the certificate signature was calculated from the Root Certificate of the issuer CA. Sometimes there are intermediate certificates in the chain, but the math is the same - the signature of the website certificate has to correlate with the issuer Root certificate.
Once your browser is happy that the certificate is correct, the browser uses the certificate to encrypt some data to allow the establishment of an encrypted tunnel to pass data through. The server uses the private key to verify the validity of this exchange.
Without this process, you have no verification that your communication is with the site you expect.
Older certificates used the SHA-1 algorithm to generate the cryptographic signature. This has been proven to be weak, and so certificates have been moving to the SHA256 algorithm. Recent browser releases have disabled SHA-1 support, and many sites with SHA-1 only certificates will fail as browsers upgrade.
My recommendation would be to uninstall Chrome, and reinstall the latest version, and retest. I suspect that your certificate store does not contain a SHA256 intermediate certificate for Google’s Root CA. The website still presents both SHA-1 and SHA-256 certificates, but your Chrome cannot verify the SHA-256 certificate via an intermediate, so it uses the SHA-1 cert, but pops up a warning.
It would worry me, but I care about certificates, because I work in that space.
It’s back to normal today - Google and Youtube are showing secure security certificates again.
I’m still not sure why the first time I’ve seen this issue has been with probably the two biggest internet websites, rather than some small, not well-maintained website.
On that note, it would be kinda difficult for a bad person to either hijack those two particular sites, or to duplicate them in their entirety to redirect you to their false perfect copies.