Windows Vista Tips

Annoying 'security certificate' messages

 
 
AB
Guest
Posts: n/a

 
      01-23-2012
I'm running IE 8 under WindowsXP. Lately I've been getting a lot of
warnings about security certificates on sites I KNOW are secure. It's
gotten to the point where I'm ready to ditch IE for another browser if
this unwanted interference can't be stopped. Changing the settings in
Tools --> Internet Options --> Security doesn't make any difference.

Any suggestions for getting rid of this nuisance are much
appreciated!

Cheers,
AB
 
 
 
 
 
Mayayana
Guest
Posts: n/a

 
      01-23-2012

| Changing the settings in
| Tools --> Internet Options --> Security doesn't make any difference.
|

?? I'm running IE6, but I have those settings under
Content -> Certificates -> Advanced and under
the Advanced tab, where there's an option to disable
warning about invalid certificates.

By all means, drop IE. It's not safe and the settings are
completely unusable. But certificate issues are not the
fault of IE. A surprising number of sites don't bother to
update their certificates. (And certificates themselves are
not safe, anyway. There have been numerous cases of
people posing as others to buy certificates illegally.)


 
 
AB
Guest
Posts: n/a

 
      01-23-2012
Thanks for the response. I did find some security settings where you
indicated. I removed all the checks, closed IE, restarted the
computer, but still getting these messages/screens.

What other browser would you recommend?


On Mon, 23 Jan 2012 11:05:26 -0500, "Mayayana"
<> wrote:

>
>| Changing the settings in
>| Tools --> Internet Options --> Security doesn't make any difference.
>|
>
>?? I'm running IE6, but I have those settings under
>Content -> Certificates -> Advanced and under
>the Advanced tab, where there's an option to disable
>warning about invalid certificates.
>
> By all means, drop IE. It's not safe and the settings are
>completely unusable. But certificate issues are not the
>fault of IE. A surprising number of sites don't bother to
>update their certificates. (And certificates themselves are
>not safe, anyway. There have been numerous cases of
>people posing as others to buy certificates illegally.)
>

 
 
Don Varnau
Guest
Posts: n/a

 
      01-23-2012
Visit Windows Update (from IE> Tools) and check for updates. Under Optional
Updates, if there are any Root Certificates updates available, install them.

Hope this helps,
Don

"AB" <ab[at]pipeline.com> wrote in message
news:...
> I'm running IE 8 under WindowsXP. Lately I've been getting a lot of
> warnings about security certificates on sites I KNOW are secure. It's
> gotten to the point where I'm ready to ditch IE for another browser if
> this unwanted interference can't be stopped. Changing the settings in
> Tools --> Internet Options --> Security doesn't make any difference.
>
> Cheers,
> AB


 
 
AB
Guest
Posts: n/a

 
      01-23-2012
There's no such option under tools.

On Mon, 23 Jan 2012 11:29:54 -0600, "Don Varnau" <>
wrote:

>Visit Windows Update (from IE> Tools) and check for updates. Under Optional
>Updates, if there are any Root Certificates updates available, install them.
>
>Hope this helps,
>Don
>
>"AB" <ab[at]pipeline.com> wrote in message
>news:.. .
>> I'm running IE 8 under WindowsXP. Lately I've been getting a lot of
>> warnings about security certificates on sites I KNOW are secure. It's
>> gotten to the point where I'm ready to ditch IE for another browser if
>> this unwanted interference can't be stopped. Changing the settings in
>> Tools --> Internet Options --> Security doesn't make any difference.
>>
>> Cheers,
>> AB

 
 
VanguardLH
Guest
Posts: n/a

 
      01-23-2012
AB wrote:

> I'm running IE 8 under WindowsXP. Lately I've been getting a lot of
> warnings about security certificates on sites I KNOW are secure. It's
> gotten to the point where I'm ready to ditch IE for another browser if
> this unwanted interference can't be stopped. Changing the settings in
> Tools --> Internet Options --> Security doesn't make any difference.
>
> Any suggestions for getting rid of this nuisance are much
> appreciated!


Depends on what the message said which you didn't show here. Did you
click on the lock icon to the right side of the address bar and look at
the properties of their certificate?

If the problem is the CA (certificate authority) listed by the cert
cannot be reached to verify the cert then you don't know if that cert
has expired or been revoked (which can be done by the cert owner or by
the CA). Sometimes I've seen old certs (that were purchased for a long
usage time; i.e., expiration is years away) but the CA has changed the
path to their CRL (cert revocation list) so the web browser, ANY web
browser, is told the wrong path to get the CRL (which is like a
bad-checks list showing certs no longer valid or revoked). Since the
web browser can't find the CRL using that path, the cert cannot be
verified (that it is NOT in the blacklist) as still valid.

When you look at the properties of the certificate, look at its "CRL
distribution points" property. That shows what path was recorded in the
cert to have your web browser find the CRL to make sure that cert hasn't
already expired or been revoked. Switching web browsers won't help
because all of them will use the encoded path in the cert to find the
CRL to validate the cert.

The CRL method is the old method of validating certificates. It is a
blacklist of expired and revoked certs. It is akin to sales clerks that
have to look through a list of bad checks to see if a presented check is
okay to accept. It also means having to retrieve the entire blacklist
and search through it. It also places more stress on the CA server to
provide validation for all connections to that domain. See
http://en.wikipedia.org/wiki/Certifi...evocation_list. OCSP (online
certificate status protocol) is the newer method (see
http://en.wikipedia.org/wiki/Online_...tatus_Protocol) but not
employed by all CA's or web browsers. This reduces bandwidth needed to
transfer entire CRLs but places more stress on the server to do the
lookup and send back status. In the wiki article on OCSP, note it says
"Internet Explorer starting with version 7 on Windows Vista (not XP)
supports OCSP checking". Well you have IE8 which is the latest you can
install on Windows XP (IE9 refuses to install) and it will support OCSP
but the crypto support in Windows XP does have the functionality to work
with IE7+ to do OCSP. OCSP was established long after Windows XP was
released. While RFC 2560 was technically ratified in 1999 and Windows
XP was released in 2001, it typically takes 4-6 years before RFCs get
implemented in an OS or in apps. Internet Explorer 7 was released in
2006 (after OCSP was ratified) but still Windows XP's release was too
close to OCSP's ratification to have the support needed in it so Windows
7 could use OCSP.

I've also seen boobs as web designers that use a cert for one domain but
then use that cert in a different domain. Both domains are owned by the
same registrant but they are DIFFERENT domains and a cert validates
against the domain to which it was registered. You never bothered to
give an example site where you run into the cert validate problem.

Also, SSL relies on timestamping in the handshaking process to ensure
there was no interception between sending tokens and getting a response.
I don't know what is the timeout but the server expects a response from
the client within a very short time. If your client (host) time is way
off then SSL handshakes will fail. You need to get your computer and OS
clocks within a minute, or two, of the atomic time so make sure you have
the correct time and are using a time sync utility (the one in Windows
sucks because the MS NTP servers are overly busy so they may not
respond, are not necessarily the shortest path regarding delay between
your host and the NTP server, only work on logon so if you stay logged
on then there is no sync, and a random interval is used between time
syncs that could be days or weeks apart). Get a decent time sync
utility to make sure your time is accurate so SSL will work.

Make sure your time is accurate. It is required for SSL to work.
 
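An added example, not part of any post in this thread: the checks discussed in the post above (certificate dates against the local clock, the name on the certificate against the site visited, and the revocation pointers recorded in the certificate) run against a certificate in the dict form that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificate, host names and URLs are constructed placeholders.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert().
# All names and URLs are placeholders, not taken from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jan  1 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
    "crlDistributionPoints": ("http://crl.ca.example/old-path/ca.crl",),
    # No "OCSP" key: this certificate carries no OCSP responder URL.
}


def _name_matches(pattern, host):
    """Match one certificate DNS name, allowing a single leftmost '*' label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]


def diagnose(cert, hostname, now=None):
    """Return a list of likely reasons a browser would warn about `cert`."""
    now = now or datetime.now(timezone.utc)
    ts = now.timestamp()
    findings = []

    # 1. Validity window compared with the local clock.
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid: check the local clock")
    elif ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired: site must renew, or local clock is ahead")

    # 2. Names on the certificate compared with the host in the address bar.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject commonName
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if not any(_name_matches(n, hostname) for n in names):
        findings.append("name mismatch: certificate is for " + ", ".join(names))

    # 3. Where the certificate tells a client to look for revocation status.
    crl = cert.get("crlDistributionPoints", ())
    ocsp = cert.get("OCSP", ())
    if not crl and not ocsp:
        findings.append("no revocation pointers in certificate")
    elif not ocsp:
        findings.append("CRL only, fetched from: " + ", ".join(crl))
    return findings
```

On a live connection, pass the result of `getpeercert()` from a verified `ssl` socket as `cert`.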
 
Mayayana
Guest
Posts: n/a

 
      01-23-2012
| What other browser would you recommend?
|
It's hard to recommend anything wholeheartedly.

* Opera is good, but it's finicky about page display,
and when I've used it it's tried to contact a server
at xml.opera.com without asking. The Opera people
are also intercepting "navigations" on phones running
Opera, and running them through opera-mini.com
as a proxy server, so I'm not inclined to trust them.

* Chrome is Google spyware.

* Safari doesn't seem to get very good reviews. I've
never actually tried it.

I've been using the Mozilla browsers, for lack of
another alternative. By Mozilla browser I mean any
browser based on the open source Mozilla code.
Since it's open source, people are free to use the
basic code and make any changes they like.
There are 3 Mozilla browsers I've used:

* Firefox: Good, but they're getting almost all of their
funding from Google, and it shows. Firefox is becoming
increasingly bloated and commercial. I'm running the
latest 3.6 update and probably won't update further.
(The versioning has become increasingly absurd. They're
up to 9 or 10 or some such at this point, with new versions
every few weeks. The Firefox people seem to be steering
toward a cliff, for no apparent reason that I can see.)

* Palemoon: My current favorite. It's basically a slightly
trimmed-down version of Firefox.

* K-Meleon: The browser I'd like to use, but it doesn't
get updated often enough. It's a bit too unpolished. But
it's much cleaner and lighter than Firefox. Very fast.
No nonsense.

For me security and privacy are important. I rule out
IE on security grounds and Chrome on privacy grounds.
The Mozilla browsers all have reasonably good, simple
settings, along with very extensive, fine-grained control
for those who want to go to the trouble. In general, I
personally think they're the lesser of the evils. Especially
the non-Firefox Mozilla browsers.

Unfortunately, no one at this point is just making a
browser "for the people", to browse the Internet. There
are grubby hands everywhere trying to get hold of
people's browsing activities because whoever knows
what you're doing online can either show you targeted
ads or sell you to someone who will show you targeted
ads.


 
 
AB
Guest
Posts: n/a

 
      01-23-2012
Thanks for the suggestions. Guess I'll just start with one and move
on to another if not satisfied. I did hear of someone (a hard to
please person) liking Safari, so maybe I'll go with that. I also
wouldn't touch Chrome, for the reason you stated.

Thanks again for the help.

AB

On Mon, 23 Jan 2012 14:54:41 -0500, "Mayayana"
<> wrote:

>| What other browser would you recommend?
>|
> It's hard to recommend anything wholeheartedly.
>
>* Opera is good, but it's finicky about page display,
>and when I've used it it's tried to contact a server
>at xml.opera.com without asking. The Opera people
>are also intercepting "navigations" on phones running
>Opera, and running them through opera-mini.com
>as a proxy server, so I'm not inclined to trust them.
>
> * Chrome is Google spyware.
>
>* Safari doesn't seem to get very good reviews. I've
>never actually tried it.
>
> I've been using the Mozilla browsers, for lack of
>another alternative. By Mozilla browser I mean any
>browser based on the open source Mozilla code.
>Since it's open source, people are free to use the
>basic code and make any changes they like.
>There are 3 Mozilla browsers I've used:
>
>* Firefox: Good, but they're getting almost all of their
>funding from Google, and it shows. Firefox is becoming
>increasingly bloated and commercial. I'm running the
>latest 3.6 update and probably won't update further.
>(The versioning has become increasingly absurd. They're
>up to 9 or 10 or some such at this point, with new versions
>every few weeks. The Firefox people seem to be steering
>toward a cliff, for no apparent reason that I can see.)
>
>* Palemoon: My current favorite. It's basically a slightly
>trimmed-down version of Firefox.
>
>* K-Meleon: The browser I'd like to use, but it doesn't
>get updated often enough. It's a bit too unpolished. But
>it's much cleaner and lighter than Firefox. Very fast.
>No nonsense.
>
> For me security and privacy are important. I rule out
>IE on security grounds and Chrome on privacy grounds.
>The Mozilla browsers all have reasonably good, simple
>settings, along with very extensive, fine-grained control
>for those who want to go to the trouble. In general, I
>personally think they're the lesser of the evils. Especially
>the non-Firefox Mozilla browsers.
>
> Unfortunately, no one at this point is just making a
>browser "for the people", to browse the Internet. There
>are grubby hands everywhere trying to get hold of
>people's browsing activities because whoever knows
>what you're doing online can either show you targeted
>ads or sell you to someone who will show you targeted
>ads.
>

 
 
AB
Guest
Posts: n/a

 
      01-23-2012
Wow - quite a posting! Appreciate all the information imparted. That
said, some sites that I'm getting the interference on are Twitter and
a couple of financial sites that I KNOW are safe. My time & date are
fine so that's not the cause.

It's such an annoyance that I just want to eliminate this function
rather than correcting it. I have good protection on the computer so
not concerned about 'expired' certificates. Is there a way to
disable this function?


On Mon, 23 Jan 2012 13:15:02 -0600, VanguardLH <> wrote:

>AB wrote:
>
>> I'm running IE 8 under WindowsXP. Lately I've been getting a lot of
>> warnings about security certificates on sites I KNOW are secure. It's
>> gotten to the point where I'm ready to ditch IE for another browser if
>> this unwanted interference can't be stopped. Changing the settings in
>> Tools --> Internet Options --> Security doesn't make any difference.
>>
>> Any suggestions for getting rid of this nuisance are much
>> appreciated!

>
>Depends on what the message said which you didn't show here. Did you
>click on the lock icon to the right side of the address bar and look at
>the properties of their certificate?
>
>If the problem is the CA (certificate authority) listed by the cert
>cannot be reached to verify the cert then you don't know if that cert
>has expired or been revoked (which can be done by the cert owner or by
>the CA). Sometimes I've seen old certs (that were purchased for a long
>usage time; i.e., expiration is years away) but the CA has changed the
>path to their CRL (cert revocation list) so the web browser, ANY web
>browser, is told the wrong path to get the CRL (which is like a
>bad-checks list showing certs no longer valid or revoked). Since the
>web browser can't find the CRL using that path, the cert cannot be
>verified (that it is NOT in the blacklist) as still valid.
>
>When you look at the properties of the certificate, look at its "CRL
>distribution points" property. That shows what path was recorded in the
>cert to have your web browser find the CRL to make sure that cert hasn't
>already expired or been revoked. Switching web browsers won't help
>because all of them will use the encoded path in the cert to find the
>CRL to validate the cert.
>
>The CRL method is the old method of validating certificates. It is a
>blacklist of expired and revoked certs. It is akin to sales clerks that
>have to look through a list of bad checks to see if a presented check is
>okay to accept. It also means having to retrieve the entire blacklist
>and search through it. It also places more stress on the CA server to
>provide validation for all connections to that domain. See
>http://en.wikipedia.org/wiki/Certifi...evocation_list. OCSP (online
>certificate status protocol) is the newer method (see
>http://en.wikipedia.org/wiki/Online_...tatus_Protocol) but not
>employed by all CA's or web browsers. This reduces bandwidth needed to
>transfer entire CRLs but places more stress on the server to do the
>lookup and send back status. In the wiki article on OCSP, note it says
>"Internet Explorer starting with version 7 on Windows Vista (not XP)
>supports OCSP checking". Well you have IE8 which is the latest you can
>install on Windows XP (IE9 refuses to install) and it will support OCSP
>but the crypto support in Windows XP does have the functionality to work
>with IE7+ to do OCSP. OCSP was established long after Windows XP was
>released. While RFC 2560 was technically ratified in 1999 and Windows
>XP was released in 2001, it typically takes 4-6 years before RFCs get
>implemented in an OS or in apps. Internet Explorer 7 was released in
>2006 (after OCSP was ratified) but still Windows XP's release was too
>close to OCSP's ratification to have the support needed in it so Windows
>7 could use OCSP.
>
>I've also seen boobs as web designers that use a cert for one domain but
>then use that cert in a different domain. Both domains are owned by the
>same registrant but they are DIFFERENT domains and a cert validates
>against the domain to which it was registered. You never bothered to
>give an example site where you run into the cert validate problem.
>
>Also, SSL relies on timestamping in the handshaking process to ensure
>there was no interception between sending tokens and getting a response.
>I don't know what is the timeout but the server expects a response from
>the client within a very short time. If your client (host) time is way
>off then SSL handshakes will fail. You need to get your computer and OS
>clocks within a minute, or two, of the atomic time so make sure you have
>the correct time and are using a time sync utility (the one in Windows
>sucks because the MS NTP servers are overly busy so they may not
>respond, are not necessarily the shortest path regarding delay between
>your host and the NTP server, only work on logon so if you stay logged
>on then there is no sync, and a random interval is used between time
>syncs that could be days or weeks apart). Get a decent time sync
>utility to make sure your time is accurate so SSL will work.
>
>Make sure your time is accurate. It is required for SSL to work.

 
 
VanguardLH
Guest
Posts: n/a

 
      01-23-2012
AB wrote:

> Wow - quite a posting! Appreciate all the information imparted. That
> said, some sites that I'm getting the interference on are Twitter and
> a couple of financial sites that I KNOW are safe. My time & date are
> fine so that's not the cause.
>
> It's such an annoyance that I just want to eliminate this function
> rather than correcting it. I have good protection on the computer so
> not concerned about 'expired' certificates. Is there a way to
> disable this function?


Certificates and SSL are not to protect your computer. They protect the
data transfer (if SSL is used) or validate that some trusted 3rd party
authority is telling you that you visited the site that you thought you
visited (else you can't be sure you got to where you thought). Your
financial sites wouldn't be safe to visit unless you had them prove they
were who you thought they were.

You can disable cert checking in the Advanced options of IE. Just be
aware that you then can't guarantee (or have a high trust) that the site
you visit is really your financial institution. DNS poisoning (either
at the server or in your host's cache) or DNS changers (malware that
changes the DNS server that your host will use in its TCP/IP config)
could lead you to some phish site that looks like your bank and you'll
even see their URL in the address bar of your web browser, but the phish
site won't have your bank's cert to prove the site is your bank.

You could try to see if using a different web browser makes a
difference. The others may support OCSP and provide their own crypt
libs for Windows XP so OCSP gets supported there. That would eliminate
the traffic bottleneck at the CRL servers if that's the problem but
would only help if the CA also implements OCSP. You could ask over in
the Firefox newsgroup and Chrome forums if those support OCSP not only
in their web browser but when it is also run on Windows XP.
 
 
 
 