From time to time when searching the Internet, your browser will stop you with an ominous warning: “This connection is untrusted.”
I encountered this issue most recently when going to getcocoon.com, a privacy company I recently wrote about that boosts Internet protection by, in effect, letting you browse the Internet through their servers. The warning message on Firefox said the site had let its security certificate expire two days before.
I have also sometimes noticed the warnings at krebsonsecurity.com, a site operated by investigative journalist Brian Krebs, who has done excellent work in analyzing the recent credit card breaches at Target and elsewhere.
So what gives? Are these warnings accurately telling us that such sites are somehow infected or dangerous to visit? Most of the time, no, and it turns out the issue is fairly complex.
To boost security, companies buy SSL (Secure Sockets Layer) certificates, which provide an encrypted and authenticated connection between your browser and the website, barring others from monitoring the traffic. The opening “http” of an Internet address becomes “https,” indicating a secure connection.
“Encryption makes it difficult for eavesdroppers to listen; authentication guarantees that the website you are visiting is actually hosted by the domain displayed in the browser’s address bar, and not some man-in-the-middle bad guy who published a clone of bankofamerica.com,” with the fake site containing a zero rather than an “o” in its address, says Eric Jung, founder of FoxyProxy, a proxy and VPN service.
Companies pay as little as $9 a year for SSL certificates at NameCheap, although other kinds of proxies cost much more and there are far greater related costs. For example, companies need to pay for additional computing power required for improved security and there are various levels of security certificates.
Usually the untrusted connection message (which on Internet Explorer reads: “there is a problem with this website’s security certification”) comes from innocent error, according to Peter Eckersley, technology projects director for the Electronic Frontier Foundation. Two-thirds of the time “it is a bureaucratic error that had no security dimension whatsoever: a certificate expired, was issued only for ‘www.example.com’ but you tried to go to ‘example.com’ without the ‘www.’, or the Certificate Authority that issued it was demanding more money from someone,” he said.
Only in rare cases does the browser warning indicate true danger. “One percent of the time, you see a certificate error because you are under attack for real,” he said. “Somebody is actually trying to read your email, collect your search terms, or inject malware onto your computer. Unfortunately, humans have been trained by the other 99 percent of cases to always click past the warning.”
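The two administrative causes Eckersley names, an expired certificate and a certificate issued for ‘www.example.com’ but presented for ‘example.com’, can be checked mechanically. The sketch below is an added example, not code from the article or anyone quoted in it; it assumes a certificate already decoded into the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns, and the sample certificate and dates are constructed. It reports why a warning would fire, not whether the connection is safe.

```python
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*' standing for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # 'www.example.com' never covers bare 'example.com'
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def diagnose(cert: dict, hostname: str, now: float) -> list:
    """Return the reasons this certificate would trigger a browser warning."""
    reasons = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not_yet_valid")
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in dns_names):
        reasons.append("hostname_mismatch")
    return reasons


# Constructed sample: a certificate issued only for www.example.com.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
IN_VALIDITY = ssl.cert_time_to_seconds("Jun  1 00:00:00 2014 GMT")
TWO_DAYS_LATE = ssl.cert_time_to_seconds("Jan  3 00:00:00 2015 GMT")

if __name__ == "__main__":
    cases = [
        ("www.example.com", IN_VALIDITY),
        ("example.com", IN_VALIDITY),
        ("www.example.com", TWO_DAYS_LATE),
    ]
    for host, when in cases:
        print(host, diagnose(SAMPLE_CERT, host, when) or "ok")
```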
Eckersley says a better system should replace SSL certificates: “We don’t think it’s reasonable to expect most humans to spend hours learning the bureaucracy and mathematics of how the SSL certificate system works, so we think it’s probably best if that system is put out of its misery and replaced with something that just works.”
Until then, what should one do when the browser warns you to avoid the website?
Eric Jung of FoxyProxy says the safest thing to do is to close the browser tab. But in reality it is tempting to forgo every last precaution. What he typically does is check whether the website is financially important, such as a bank or investment firm, or something sensitive that uses his email, address book or calendar. If so, he closes the browser. If not, he proceeds, with some precautions. “I will rarely — if ever — type any real data into a form displayed by the site… username, password, name, hotel room number — all these things I will falsify,” he says.
“This does not guard against all attacks – for example, site-specific cookies could still be stolen by accepting this warning, which would permit Bad Guy to be my imposter – but I accept the risks knowingly and with caution.”
And as for getcocoon.com and krebsonsecurity.com, both turn out to be cases where it was indeed fine to visit the sites despite the past warnings. For Cocoon, an administrative snafu delayed the renewal of their certificate for a few days – the site is now back to normal, the CEO says. Brian Krebs says his visitors sometimes see the warning purely for technical reasons. “The issue with my site is that a handful of the images and ads on my site are not served over https for several different reasons, and so you will get an error that says there’s a security problem,” he said.