Question about Security Certificate Notices

When I try to sign into certain sites using passwords, I get a window
with the following message:

"There is a problem with this website's security certificate.
The security certificate presented by this website has expired or is
not yet valid.
Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server."

When I click for "more information", I am told:

"If you arrived at this page by clicking a link, check the website
address in the address bar to be sure that it is the address you were
When going to a website with an address such as ,
try adding the 'www' to the address, .
If you choose to ignore this error and continue, do not enter private
information into the website."

What does this mean? And, what can I do about it to fix it?

Thanks in advance.

Re: Question about Security Certificate Notices

That indicates that either the web site has screwed up (its
certificate has expired), or the clock on your computer is set
wrongly and the certificate has a time that looks to be in the
future relative to your computer time.

You need to look at the hostname on the certificate, to see if
correct, and the time (start and ending time for the certificate

If it is your problem, then either you are going to the wrong site
or your computer clock is set wrongly.  If the problem is neither
of those, then it is the web site administrator's problem to fix.

If this is a banking site or similar, be very cautious.  Best not to
enter any account name/id/password until you understand the problem.

Re: Question about Security Certificate Notices

Johnny Boy wrote:

It normally means that the web site's management are incompetent or miserly.

To fix it, use a web site that is competently managed.

When you obtain a browser, it contains a list of (loosely) organisations
that the browser vendor trusts to be able to validate the authenticity
of web sites (the "root certificates").  When you access a secure web
site, that site sends you some data (a "certificate"), that has been
verified by one of the trusted organisations, and marked as such in a
tamper resistant way.

The web site owners have a secret piece of data.  The certificate
contains a piece of data that depends on that secret, but cannot,
realistically, be used to find the secret.  The encryption keys for the
session are created by a process that involves your browser using the
information in the certificate, and the web site using the secret from
which it was derived.  If they don't have the secret that corresponds to
the certificate, you will not get matching encryption keys and the data
in both directions will be gibberish.

The trusted organisation sets time limits during which they offer you
some (rather limited) guarantees, that the secret being used by the web
site belongs to the organisation that purports to operate the web site.
These time limits are encoded into the certificate, and there is a
tamper detection mechanism.

The organisations would probably argue that you need the time limits

1) it is possible to find out the secret from a certificate, given
enough time;

2) someone may discover a flaw in the way certificates are produced
which might make that time rather short;

3) the longer the secret is in use, the more chance that it is
accidentally or maliciously revealed.

However a large element of the reason may really be that it ensures that
people keep paying to update the time limits.

Once a certificate is compromised, anyone who can intercept your
connection to the web site can pretend to be that web site; they may
even relay your input to the real web site.

The certificate also contains the web site address and the real world
identity of its owner.  The browser will check the site address.  If you
know one of them with certainty, you should check that against the
certificate/address bar.  If you know neither, you may well have an
encrypted connection to a fraudster, however valid the certificate is!
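
Added example (not part of any post in this thread): a Python sketch of the checks the replies describe, comparing the certificate's start and end times with the local clock and the certificate's hostname with the address visited. The function names, result labels and sample certificate are constructed for illustration; the certificate dict follows the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone


def name_matches(pattern, hostname):
    """Exact match, or a '*' wildcard covering only the leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])


def diagnose(cert, hostname, now):
    """Return the reasons a browser would warn about this certificate.

    cert is a dict shaped like ssl.SSLSocket.getpeercert() output;
    now is the local clock as a timezone-aware datetime.
    """
    findings = []
    t = now.timestamp()
    if t < ssl.cert_time_to_seconds(cert["notBefore"]):
        # Start date looks to be in the future: usually a wrong local clock.
        findings.append("not-yet-valid")
    elif t > ssl.cert_time_to_seconds(cert["notAfter"]):
        # Past the end date: the certificate lapsed, or the clock is ahead.
        findings.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, hostname) for n in names):
        findings.append("hostname-mismatch")
    return findings


# Constructed sample certificate (not taken from any real site).
SAMPLE_CERT = {
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"),),
}

if __name__ == "__main__":
    utc = timezone.utc
    cases = [
        ("www.example.test", datetime(2024, 6, 1, tzinfo=utc)),  # all fine
        ("www.example.test", datetime(2025, 6, 1, tzinfo=utc)),  # cert expired
        ("www.example.test", datetime(2001, 1, 1, tzinfo=utc)),  # clock reset
        ("example.test", datetime(2024, 6, 1, tzinfo=utc)),      # missing 'www'
    ]
    for host, now in cases:
        print(host, now.date(), diagnose(SAMPLE_CERT, host, now) or "ok")
```

The last case mirrors the browser's hint about adding 'www': the certificate names only `www.example.test`, so visiting `example.test` is reported as a hostname mismatch even though the dates are fine.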
