Technical Tidbits™

I have had two separate support questions raised because of the Invalid Server Certificate Warning in both Internet Explorer (IE) and Firefox (FF) this week, so I thought I’d post a brief explanation about this issue.

From time-to-time, you may receive one of the following Server Certificate warnings or error message, as some call it.

The above graphic is what you will see if you are using Internet Explorer.

The above graphic is what you will see if you are using Firefox.

The above graphic is what you will see if you are using Google Chrome.

I have blurred out the clients website I was visiting to get this image.

The above graphic is what you will see if you are using Apple Safari.

I have blurred out the clients website I was visiting to get this image.

Why does this happen?

It happens because the security certificate – the code that makes the HTTP an HTTPS (or secure connection) has been self-signed and has not been issued by a certification authority such as Thawte, Verisign, and so forth.

Where does it happen?

It should only happen when you are logging into your own secure e-mail client on your web hosting site, or when you try to access your control panel on your web hosts site.

When should I NOT see this?

You should NEVER see this when you are logging into:

• Any financial site, as in your bank, trading accounts, insurance, credit card institution or other such sites.
• Any online shopping site.
• Any site where you are required to exchange confidential information such as banks, credit bureaus, stock brokerage, and so on.

Why does my web host do this?

Certificates from a certifying authority is costly especially for hosting companies. Many hosts self sign certificates to allow secure access for their customers who want security when accessing their online email or control panel for their hosting accounts.

If I log in to my e-mail or control panel anyway, am I still secure?

You are secure to the level of security that your web host offers. You need to check with them as to the level of encryption they provide.

Keep in mind that the certificate does not guarantee encryption.  If the certificate was provided by a third party provider, it only guarantees that the site and the site owner has been verified that they are, who they say they are!

Why is this such an issue?

It’s an issue because of the scammers and phishers that have become rampant on the Internet. The browser providers like Google Chrome, IE, FF, and Safari – to name a few – have included this warning to help you spot a phishing or scammer site more easily.

Can I ignore this warning?

Yes, if you know with CERTAINTY that this is the site you want to go to.

If you have clicked on a link in an email, a Twitter DM, or any other web page link and you see this message, do not proceed! Chances are good it’s a phishing or scam site.

If you have typed in the URL to your webmail or control panel account on your web host, or clicked the link from within your web hosts setup information, then you can proceed safely. In the images that follow, you will see that there is also a button in the Firefox message that will allow you to see the actual self-signed certificate to make sure you are at your web hosts server.

How can I stop this error message?

If you are getting this error message when you try to login to your web host control panel or web mail on your web host, you can add a permanent exception by accepting the self-signed certificate.

In most browsers, you can click on a button to see the actual self-signed certificate and verify it’s your web host. The following is an example of a self-signed certificate on a LunarPages server.

In Firefox, it’s a slightly different behavior.  You have to click the arrow next to the second line item to get to view the certificate or accept it.

Remember, this is normal behavior if you are signing in to your web host email or control panel and neither you, nor your web host have purchased a certificate from an issuing authority.

It is NOT normal behavior for any sites that you would do business with like shops, financial and investment institutions, and other such businesses.

I hope this helps clear up the matter of Server Certificate warnings.

Those of you who are my PC security (Introduction to PC Security) students don’t have to worry about this because in the first few lessons of the course you’ve disabled this!

However, many of you have not taken the course so I thought it was wise to post this.

Oh, and by the MAC users, this affects you too if you are using the Microsoft Remote Desktop Connection Client to connect a MAC to a windows PC.

According to Microsoft’s Security Bulletin: MS09-044:

This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious RDP server or if a user visits a specially crafted Web site that exploits this vulnerability. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

via Microsoft Security Bulletin MS09-044 – Critical: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution 970927.

There is also known issues after installing this update, so you may want to check the bulletin for a list of those.

I’ve been teaching the Introduction to PC Security course for over 5 years and from day 1 I’ve had the students disable this service! I wonder what else you’re missing?

Get advice from a true expert, when Rob Caskey, VP of Marketing for Liquidation.com, appears live on Technical Tidbits. Learn the secrets of successful retail sales and find out how Liquidation reached the top of the game as a re-seller of major retailers’ overstock, surplus and seasonal unsold merchandise

The holidays are long gone, but do you ever wonder what happens to the seasonal merchandise that doesn’t sell?  Rob Caskey, VP of Marketing for Liquidation.com, knows.

Liquidation.com is the largest re-seller of overstock, customer returns, seasonal and other unsold merchandise. You can buy at tremendous deals from the online auction house and re-sell anywhere.

Would you like to make a few extra dollars with a flea market booth? Are you an eBay seller? Have you thought about opening a dollar store? Whether you’d like to earn extra cash selling online, or find a new career working for yourself as a retail business owner, Caskey will share the secrets to re-selling success.

Rob Caskey is VP of Marketing for Liquidation.com (a division of Liquidity Services, Inc. NASDAQ: LQDT) which is where major retailers go to sell their surplus, overstock, customer returns, seasonal and overall unsold merchandise and the online auction becomes a sourcing center for resellers from eBay to independent boutiques to dollar store merchants to anyone and everyone trying to make extra money at flea markets, yard sales, and other online/offline venues.

Wednesday, February 24, 2010 10 AM CDT
Call In Number: (718) 506-1315
Or Listen LIVE Online: Technical Tidbits on BlogTalk Radio

LIVE CHAT WILL BE OPEN AS ALWAYS!

Please note: If the show page shows the time in EST (New York) time and you are on Central Time (CDT), you have to delete your cookies. BlogTalk Radio says this is an “old” cookie problem. The show is at 10 AM in Illinois or Central Daylight Time!