Computer Gurus: What Does This Message Mean?

What can you tell me about when or why one’s browser returns the following message after entering a “https” URL that I know is valid and secure?

“Certificate error: There is a problem with this website’s security certificate.
The security certificate presented by this website was issued for a different website’s address.
The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.”

Does it mean the browser thinks this website is bad for my PC? Or does the server I am trying to connect to think I am suspicious? Or is something somewhere not clicking and/or failing to make a “handshake”, so this message comes up as the best description of the problem? Or possibly a mix of the above?

Thanks in advance for explaining.

I run into that error with PCI-DSS compliance. Take a look at the actual certificate (click the lock near the URL and find the certificate, open/read it). It sounds like the website listed on the certificate isn’t the same as the URL you typed in.
My WAG is that the certificate is in the name of the company that’s hosting the website and your browser is giving you a warning about it.

You could try clearing your cookies for that site and see if it makes a difference. Otherwise, if you’re totally OK, you should be able to push past it.

A security certificate is issued by a trusted certificate authority to the web site owner. (VeriSign ruled that space for a while but now there are others.) It is proof that the web site owner is who they claim to be. It allows the web site to provide a secure page, which is recognizable by the s on https on the URL. The certificate provides the keys necessary for your browser to be able to send encrypted data to the site, and decrypt data that the site sends back.

These certificates have expiration dates and must be periodically renewed.

Your browser is warning you that the certificate presented on the web site you are connecting to is improper and could be a sign of an attempt at deception. Or it could be that some administrative bozo forgot to send a check for the certificate renewal.

In either case you should be cautious when this happens on a site that you are not familiar with, and think twice about transmitting private data (e.g., username and password).

What operating system and browser? If a site is *really* dicey Chrome will give you a big red “Don’t go there” screen, which isn’t related to the cert but rather Google’s knowledge of suspicious/malware sites.

There is a chain of valid certificate issuers. Browsers such as IE - actually, deep in Windows itself, and Mac, etc. etc. - there is a list of valid certificate-issuing authorities. Only certificates issued by these authorities will certify as valid. To get a valid certificate for your website or other server (i.e. mail server) you need to buy it from one of these authorities, and provide some decent documentation to prove you own the website name. So if I am the registered owner of “mycrazywebsite.com” domain, I can apply for a certificate that proves it. I then install that certificate in my website.

Most websites now use HTTPS not HTTP. The “S” stands for “secure”, meaning the website will encrypt data to and from the site. It does this by handshaking with the other end, and providing a certificate which allows both ends to communicate encrypted so nobody eavesdropping on the data going by can figure out the contents. This is particularly important for commerce websites - banks, online stores, etc. - or any website that asks you to send them a password to get on. Commercial websites want you to have confidence that you are dealing with the correct people, not some spoofing site. Buried in the certificate is the name of the website it is meant for.

However, if you are just running an amateur site, catvideosbyJane.com, or it’s a company internal website like contosomail.com, you probably don’t need to spend $100 or so a year to buy a commercial certificate just to assure visitors you are who you say you are. The web author can generate a “self-signed” certificate and use that for secure traffic. All the warning means is that “whoa! This isn’t certified by one of the official certificate issuers to be correct. You have to take the website’s word for it, nobody has vetted the name.” If you are sure this is where you meant to go - then it is OK.

Note the assorted issues arising from the name buried in the certificate:

The security certificate presented by this website was issued for a different website’s address. It is not unusual for one website to simply redirect you to another website, something like if you go to Acura.com maybe it redirects you to Honda.com (it doesn’t, but this is an example of a redirect that could be legit). It could also be that a legit site has been hacked and redirected you to another site to rip you off. Just check that the address in the bar represents where you wanted to go.

The security certificate presented by this website was not issued by a trusted certificate authority. As I discuss above, the certificate is not paid for, it is self-signed. This may be because the site was not worth the cost of a certificate. Be wary of commercial sites that deal with a greater public, and yet do not have a signed certificate.

Certificate expired. Once in a while the webmaster will forget to renew the certificate.

So it’s just a warning to be wary. Ask yourself why a site should have a certificate error. If it’s a commercial site, be sure you are on, for example, wellsfargo.com not wellfrago.com.

Good advice, to be sure, but I believe that if I own wellfrago.com I can get a cert for wellfrago.com.

I’ve seen a number of cases where the issue is an overly picky name comparison, i.e. something like it says the certificate was issued for ABC.COM, while the webpage is WWW.ABC.COM. So overall it becomes similar to the TSA getting suspicious because your birth certificate says your first name is Maxwell, so why does your driver’s license say it is Max?
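The three warnings walked through above (wrong name, untrusted issuer, expired) and the ABC.COM versus WWW.ABC.COM case can be reproduced offline with the added sketch below, which is not part of any post in this thread. The certificates are constructed samples in the dict shape Python's `ssl.getpeercert()` returns; `name_matches` and `diagnose` are hypothetical helper names, and treating "issuer equals subject" as untrusted is a simplification of the browser's real check, which builds a chain to its trust store.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, label by label; '*' may
    only be the whole left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # abc.com (2 labels) never covers www.abc.com (3)
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host, now):
    """Return which of the warnings quoted in the thread apply, in order."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("issued for a different website's address")
    if cert["issuer"] == cert["subject"]:   # simplification: self-signed leaf
        problems.append("self-signed, not issued by a trusted authority")
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

def rdn(cn):
    # Name in the nested-tuple form getpeercert() uses for subject/issuer.
    return ((("commonName", cn),),)

# Constructed sample data, not captured from any real site.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
APEX_ONLY = {"subject": rdn("abc.com"), "issuer": rdn("Example Public CA"),
             "subjectAltName": (("DNS", "abc.com"),),
             "notAfter": "Jun 15 00:00:00 2031 GMT"}
SELF_SIGNED_OLD = {"subject": rdn("intranet.example"),
                   "issuer": rdn("intranet.example"),
                   "subjectAltName": (("DNS", "intranet.example"),),
                   "notAfter": "Jan 15 00:00:00 2020 GMT"}

if __name__ == "__main__":
    for cert, host in [(APEX_ONLY, "www.abc.com"), (APEX_ONLY, "ABC.COM"),
                       (SELF_SIGNED_OLD, "intranet.example")]:
        print(host, "->", diagnose(cert, host, NOW) or "no warning")
```

A certificate that lists only `abc.com` fails for `www.abc.com` because the names differ by a label, not because of letter case. A clean result only says the certificate matches the address in the bar; a lookalike domain with its own valid certificate also produces no warning, which is the point made about wellfrago.com.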

Wellsfargo figures prominently in some phishing mail I’ve gotten.

And wellfrago.com redirects to Fidelity Investments.
But wellsfrago.com redirects to wellsfargo.com.

Interesting. According to whois, wellsfrago.com is registered by Wells Fargo & Company. But wellfrago.com is registered by “Fundacion Privacy Services LTD” in Panama City, Panama.

More likely this. They lay off the person who did renewals, and get surprised when the renewals don’t get done.
My daughter used to work for a foreign airline, which had a massive layoff. Their website was hosted in the US, and it turns out you need to get special certification in this case. (Nothing to do with the certificates mentioned here.) They lost that knowledge thanks to the layoff, and their site went dark for two crucial travel weeks.
Though it doesn’t hurt to be careful.

My last three employers in a row - established companies with recognized brand names in their industry - all failed to renew their damn security certificate. One corporation hadn’t renewed it in so many years, it was something of an inside joke among the tech support.

It’s usually an understaffed I.T. dept that either lost the sole employee who handled the matter, as mentioned above, or that simply has no incentive or directive to renew it. If “nobody” knows where that weird error message that a few customers complain about occasionally comes from, then who’s gonna fix it?

Actually the Dope had to renew its cert a while back because whoever was in charge before didn’t do it…

It was one of the first things tuba had to do when she took over…