Oh fer Chrissake - Certificate Error?

It’s Microsoft fer chrissake! I go to log in to Live.com to get my hotmail…I log in just fine, then instead of a handoff to the email site, I get a Certificate Error and warned that if I proceed the computer will blow up.

This thing worked yesterday, how does a Microsoft site get a certificate error? And is there anything I can do about it?

I get these now and then, but never for Hotmail (yet). I don’t understand it, but when I get these, I usually go to another site, then back, and it works. If that doesn’t, try closing your browser and starting again to see if you can get to Hotmail.

Of course, as a last resort, try rebooting.

Somebody will probably come up with better suggestions.

Wait…

You’re telling me that there are *bugs* in Microsoft software?

I need some time to sort this out…

Sigh.

Double sigh. Here’s the deal.

A big problem with Internet security is making sure that whom you’re talking to is whom you think you’re talking to. This is generally accomplished through public key cryptography: if somebody sends you something that’s signed with his private key, you can be reasonably sure it came from him and nobody else. But that raises the question: how do you get the public key to verify the signature? The other party could just tell you their public key, but if they’re an impostor that won’t help.

The solution is to enlist a trusted third party (Verisign and Thawte are examples) and ship their public keys with the Internet browser or operating system. So let’s say that Acme Co. wants to be able to communicate securely with visitors to their website, and they want those visitors to have assurance that they’re talking to the real Acme Co. They go to Verisign and prove their identity, Verisign takes their public key (or generates a public/private keypair themselves and gives the private key to Acme), attaches a bunch of other data to it, and signs the whole shebang with their own private key. The resulting piece of data is called a “certificate”. Now, when people visit acme.com, Acme’s web server sends along the certificate to them. The browser can verify Verisign’s signature and can have confidence that the public key contained in the certificate really belongs to Acme… or, at least, that Verisign asserts that it does. Once that verification happens and the browser uses Acme’s public key to negotiate a symmetric session key, the browser displays a cute little lock icon or some other indication that the connection is authenticated and secured.

Certificate errors can happen for a number of reasons. There is certainly a way in your web browser to get details about the error, but here are some common ones:

  1. Expiration. Certificates have expiration dates, and a certificate past its date will cause the browser to complain. Ostensibly this is because an aging certificate has been subject to attack for a longer period and is therefore less secure. In reality, the purpose is to ensure a continuing revenue stream to the certifying authorities. If I get a cert warning and this is the cause, I usually choose to ignore it, as long as the expiration was recent.

  2. Improper domain. One of the extra pieces of data in the certificate is an indicator of what the certificate is intended to prove. If you really want Verisign to assert that you are Acme Corp., you need to present a fairly large amount of proof, and pay a fairly hefty fee. A much cheaper and easier option is to get a certificate that asserts that you are the owner of www.acme.com. This doesn’t protect your visitors against domain squatters who happened to seize acme.com before you got to it, but as long as the visitor is reasonably sure that acme.com is owned by Acme Corp, this type of certificate protects against what’s called “DNS poisoning” in which the computer is fooled into thinking that www.acme.com refers to the attacker’s machine, not Acme’s own web server. All well and good, but it’s fairly common for holders of certificates asserting ownership of www.acme.com to forget and put some pages on, say, login.acme.com or foobar.acme.com, either of which will cause the browser to complain that a certificate for www.acme.com is not valid for the domain.

  3. Real attack. Of course, you may be the victim of a spoofing attack, and the browser may be giving you a quite legitimate warning that your visit to hotmail.com is really going to an attacker’s machine.

This is in general a simplification of the process, and there are other potential causes as well. Whatever the cause, rebooting is unlikely to help. And if it’s because of a screwup on MSFT’s part (far more likely than a real attack), it’s not really a “bug in Microsoft software”, it’s a misconfiguration on the part of Microsoft’s webmasters.

What is the error exactly? This may be a real attack. I have never seen MS let certs expire before.

Here’s what I get, apart from the big red shield logo:

"There is a problem with this website’s security certificate.

The security certificate presented by this website has expired or is not yet valid.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information
If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the ‘www’ to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see “Certificate Errors” in Internet Explorer Help."

What else can I tell you? I installed CCleaner yesterday, I have Windows Defender, I have AdAware, I have Norton Internet Security…

This is very frequently the cause of certificate errors. It happens when webmasters forget to renew their expiring certificates.

None of these things is particularly helpful or relevant to this error. If the certificate indicates that the site you’re accessing is an impostor, no software will prevent it from harvesting your login credentials if you supply them.

Does the “more information” link display the certificate itself? If so, look at it. Look at the validity dates and see how out-of-whack they are. If not, quit using IE and get a good browser, like Google Chrome :wink:

Having said that: it is almost certainly safe to disregard the warning and proceed. An expired certificate would not help an attacker to impersonate a site. As long as the certificate really is for Hotmail and really is signed by a trusted authority, the expiration should have negligible impact on security.

And…

This is what Google Chrome said about it:
“The site’s security certificate has expired!
You attempted to reach msnia.login.live.com, but the server presented an expired certificate. No information is available to indicate whether that certificate has been compromised since its expiration. This means Google Chrome cannot guarantee that you are communicating with msnia.login.live.com and not an attacker. You should not proceed.”

Is there anything I could have done on my end that would have caused this? I’m pretty sure MSN has a current certificate, or someone is getting fired right about now.

Yeah. Check your system clock and make sure it’s set to the right date.

Not necessarily. It happens more often than you may think.

What’s the exact URL you’re trying to visit? When I go to msnia.login.live.com, it presents me with a certificate that doesn’t expire until July 19. It’s even one of those newfangled (and expensive) Extended Validation (EV) certificates.

Good call. I went to the URL and it was valid. Changed my clock to July 24 and the browser said it’d expired (on July 19).

I’d bet this is it…

Heroes, the lot of you!

I was checking the calendar to figure something about my new job…and I must have accidentally told my computer that we were on July 24th now. :smack: I reset it, and MSN is back to normal.

Thanks, Dopers! :slight_smile:

Man, my first instinct after reading the OP was to tell you that your system clock (and date) was probably wrong. But I see other Dopers have beat me to it.
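
The checks discussed in this thread (validity window, name match, and the wrong system date that turned out to be the cause), sketched as an added example that is not part of any poster's message. The certificate fields, host names, dates and the `reference_now` input are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed certificate fields (names and dates are made up for this example).
CERT = {
    "not_before": datetime(2009, 7, 19, tzinfo=UTC),
    "not_after": datetime(2010, 7, 19, tzinfo=UTC),
    "names": ["www.acme.example", "*.mail.acme.example"],
}

def name_matches(pattern, host):
    """Compare a certificate name with the requested host, label by label.
    A '*' is accepted only as the whole left-most label and covers one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def in_window(cert, when):
    return cert["not_before"] <= when <= cert["not_after"]

def diagnose(cert, host, local_now, reference_now=None,
             max_skew=timedelta(minutes=5)):
    """Return findings for one connection attempt.
    reference_now is an independent clock reading (hypothetical input, e.g.
    read off a phone); without it the local clock cannot be cross-checked."""
    findings = []
    skewed = (reference_now is not None
              and abs(local_now - reference_now) > max_skew)
    if not in_window(cert, local_now):
        kind = "expired" if local_now > cert["not_after"] else "not-yet-valid"
        if skewed and in_window(cert, reference_now):
            # Certificate is fine at the real time: fix the clock, do not click through.
            kind += " (local clock wrong)"
        findings.append(kind)
    elif skewed and not in_window(cert, reference_now):
        # A wrong clock can also hide a certificate that is really out of date.
        findings.append("valid only by local clock")
    if not any(name_matches(n, host) for n in cert["names"]):
        findings.append("name-mismatch")
    return findings or ["ok"]

if __name__ == "__main__":
    real = datetime(2010, 7, 1, tzinfo=UTC)    # constructed "true" time
    wrong = datetime(2010, 7, 24, tzinfo=UTC)  # clock set ahead by mistake
    print(diagnose(CERT, "www.acme.example", wrong, real))
    print(diagnose(CERT, "foobar.acme.example", real, real))
```
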