How Does Your Browser Know Websites Are Secure?

You've probably noticed that your browser marks websites as Secure, Not Secure, or even warns you about imminent danger when you visit one. Have you ever wondered how it knows about the safety of websites like this?

Let's look at website security certificates and how your browser determines this information.

Understanding HTTP and HTTPS

We looked at the differences between HTTP and HTTPS when we explained why Google Chrome was starting to mark websites as Not Secure. In summary, HTTP is an essential protocol that allows your browser to request and load information from the internet.

But because HTTP doesn't offer any security on its own, many sites use HTTPS, which encrypts the connection and provides identification information for the owner of the site through a certificate. With HTTPS, it's less likely that outsiders can snoop on the traffic between your computer and the website you're visiting.

Website Security Certificates

To maintain trust between users and websites, website owners can obtain a security certificate to show that their site is properly secured. Typically, they do this by paying a certificate authority, like GoDaddy or Norton, and following some instructions from the authority to prove their website is authentic.

Once this is done, their site has an approved certificate that it shows to visiting browsers. Meanwhile, your browser (whether Chrome, Firefox, or something else) keeps a list of trusted certificate authorities.

When you visit a website using HTTPS, your browser checks the site's certificate against its own list. If the certificate is valid and comes from an authentic provider, your browser tells you the site is secure.

When Certificates Don't Check Out

While this check often works out fine, there are times when your browser doesn't like what it sees. Let's look at some of the reasons this can happen.

Not Secure When Using HTTP

As mentioned above, Chrome (and many other browsers) now shows Not Secure when you connect to a site via HTTP.

While HTTP sites aren't necessarily dangerous, you should be careful about what you enter on them. The information you enter on the website is not encrypted, meaning anyone who intercepted it could read it.

Your Connection Is Not Private

When something is wrong with a supposedly secure website's integrity, your browser will throw up a warning page that says Your connection is not private or similar. This is a more serious warning than the above, so you should pause when you see it.

Your browser will give you some information about why it's showing this warning. Some common reasons include:

  • ERR_CERT_DATE_INVALID: This often appears when the certificate is out of date. Because certificates expire after a set time, websites must renew them regularly.
  • ERR_CERT_AUTHORITY_INVALID: This usually happens with a self-signed certificate, meaning the website issued its own certificate instead of paying a trusted authority for one.
  • ERR_CERT_REVOKED: You'll see this when a site used to have a certificate, but it was removed by the issuing authority. This often happens when the site engages in foul play.

There are other security certificate errors, but these are some of the most common. Have a look at badssl.com for example pages that illustrate these and other scenarios.

If you see one of these errors, you can click the Advanced button to show a Proceed to [site] (unsafe) link that will let you visit it anyway. Exercise caution when you do this; if the site's certificate is invalid, it's likely that the site was compromised and is no longer safe.

Dangerous Websites

If you see a big red screen warning that you're about to visit a deceptive site, your browser has identified your destination as not only insecure, but actively dangerous. This often means you're about to visit a site that hosts malware or wants to phish your information.

You can click Details to open a link that lets you proceed to the page, but for your safety, you shouldn't do this.

Fixing Constant "Your Connection Is Not Private" Errors

If you see the "Your Connection Is Not Private" error on every website, something is wrong. Sometimes, this can happen because your computer's clock is wrong. On Windows 10, head to Settings > Time & Language and check the boxes to Set time automatically and Set time zone automatically so you don't have to worry about it.

Another common reason you'll see this message on every site is because you're on a public Wi-Fi network. Often, free public Wi-Fi requires you to visit a login page and agree to its terms before you use it. Because the network can't show this page when you try to visit an HTTPS website, you'll see a security error instead.

To fix this, visit an HTTP site, like example.com. You should see the Wi-Fi network's login prompt; after accepting it, you'll be able to browse normally.
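To see how the three certificate errors listed earlier arise, and why a wrong computer clock produces a date error on every site, here is an added example (not code from this article or from any browser). It is a simplified model that works on records shaped like the output of Python's ssl.SSLSocket.getpeercert(); the CA name, sites and serial numbers are constructed, and no signature, hostname or chain checks are performed.

```python
import ssl
from calendar import timegm

def _cn(name):
    """Extract commonName from the nested-tuple names getpeercert() returns."""
    return next(v for rdn in name for k, v in rdn if k == "commonName")

def cert_errors(cert, trusted_cas, revoked_serials, clock):
    """List the Chrome-style errors a certificate raises at local time `clock`.

    Simplified model: issuer trust is matched by name only; no signature,
    hostname or chain checks are performed.
    """
    errors = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= clock <= not_after:
        errors.append("ERR_CERT_DATE_INVALID")
    # A self-signed site names itself as issuer, which is not in the trusted list.
    if _cn(cert["issuer"]) not in trusted_cas:
        errors.append("ERR_CERT_AUTHORITY_INVALID")
    if cert["serialNumber"] in revoked_serials:
        errors.append("ERR_CERT_REVOKED")
    return errors

def make_cert(site, issuer, serial, not_before, not_after):
    """Build a constructed sample in the shape of getpeercert() output."""
    return {"subject": ((("commonName", site),),),
            "issuer": ((("commonName", issuer),),),
            "serialNumber": serial, "notBefore": not_before, "notAfter": not_after}

# Constructed sample data: hypothetical CA name, sites and serial numbers.
TRUSTED = {"Example Trusted CA"}
REVOKED = {"0C"}
Y24 = ("Jan 01 00:00:00 2024 GMT", "Dec 31 23:59:59 2024 GMT")
GOOD = make_cert("shop.example", "Example Trusted CA", "0A", *Y24)
EXPIRED = make_cert("old.example", "Example Trusted CA", "0B",
                    "Jan 01 00:00:00 2022 GMT", "Dec 31 23:59:59 2022 GMT")
SELF_SIGNED = make_cert("diy.example", "diy.example", "01", *Y24)
PULLED = make_cert("bad.example", "Example Trusted CA", "0C", *Y24)

NOW = timegm((2024, 6, 1, 0, 0, 0))      # correct clock
SKEWED = timegm((2015, 1, 1, 0, 0, 0))   # PC clock reset years into the past

if __name__ == "__main__":
    for label, cert in [("good", GOOD), ("expired", EXPIRED),
                        ("self-signed", SELF_SIGNED), ("revoked", PULLED)]:
        print(label, cert_errors(cert, TRUSTED, REVOKED, NOW) or "Secure")
    print("good, skewed clock", cert_errors(GOOD, TRUSTED, REVOKED, SKEWED))
```

With the skewed clock, even the valid certificate fails the date check, which is why the error then appears on every HTTPS site rather than on one.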

Security Certificates Keep You Safer

Now you know about website security certificates and what the various messages around them mean. However, it's important to keep in mind that just because a site is marked as secure doesn't mean it's safe.

For example, a fake website designed to steal your info could use an HTTPS connection. If your browser doesn't catch it as a dangerous page, it might fool you into thinking it's the real deal. This is why you should always double-check that you're on the right website before entering sensitive information.

For more like this, read our explanation of what happens when you visit a website.

