Annoying 'security certificate' messages

Discussion in 'Internet Explorer' started by AB, Jan 23, 2012.

  1. AB

    AB Guest

    I'm running IE 8 under WindowsXP. Lately I've been getting a lot of
    warnings about security certificates on sites I KNOW are secure. It's
    gotten to the point where I'm ready to ditch IE for another browser if
    this unwanted interference can't be stopped. Changing the settings in
    Tools --> Internet Options --> Security doesn't make any difference.

    Any suggestions for getting rid of this nuisance are much

    AB, Jan 23, 2012

  2. AB

    Mayayana Guest

    | Changing the settings in
    | Tools --> Internet Options --> Security doesn't make any difference.

    ?? I'm running IE6, but I have those settings under
    Content -> Certificates -> Advanced and under
    the Advanced tab, where there's an option to disable
    warning about invalid certificates.

    By all means, drop IE. It's not safe and the settings are
    completely unusable. But certificate issues are not the
    fault of IE. A surprising number of sites don't bother to
    update their certificates. (And certificates themselves are
    not safe, anyway. There have been numerous cases of
    people posing as others to buy certificates illegally.)
    Mayayana, Jan 23, 2012

  3. AB

    AB Guest

    Thanks for the response. I did find some security settings where you
    indicated. I removed all the checks, closed IE, restarted the
    computer, but still getting these messages/screens.

    What other browser would you recommend?
    AB, Jan 23, 2012
  4. AB

    Don Varnau Guest

    Visit Windows Update (from IE> Tools) and check for updates. Under Optional
    Updates, if there are any Root Certificates updates available, install them.

    Hope this helps,
    Don Varnau, Jan 23, 2012
  5. AB

    AB Guest

    There's no such option under tools.

    AB, Jan 23, 2012
  6. AB

    VanguardLH Guest

    Depends on what the message said which you didn't show here. Did you
    click on the lock icon to the right side of the address bar and look at
    the properties of their certificate?

    If the problem is the CA (certificate authority) listed by the cert
    cannot be reached to verify the cert then you don't know if that cert
    has expired or been revoked (which can be done by the cert owner or by
    the CA). Sometimes I've seen old certs (that were purchased for a long
    usage time; i.e., expiration is years away) but the CA has changed the
    path to their CRL (cert revocation list) so the web browser, ANY web
    browser, is told the wrong path to get the CRL (which is like a
    bad-checks list showing certs no longer valid or revoked). Since the
    web browser can't find the CRL using that path, the cert cannot be
    verified (that it is NOT in the blacklist) as still valid.

    When you look at the properties of the certificate, look at its "CRL
    distribution points" property. That shows what path was recorded in the
    cert to have your web browser find the CRL to make sure that cert hasn't
    already expired or been revoked. Switching web browsers won't help
    because all of them will use the encoded path in the cert to find the
    CRL to validate the cert.

    The CRL method is the old method of validating certificates. It is a
    blacklist of expired and revoked certs. It is akin to sales clerks that
    have to look through a list of bad checks to see if a presented check is
    okay to accept. It also means having to retrieve the entire blacklist
    and search through it. It also places more stress on the CA server to
    provide validation for all connections to that domain. OCSP (online
    certificate status protocol) is the newer method but not
    employed by all CAs or web browsers. This reduces bandwidth needed to
    transfer entire CRLs but places more stress on the server to do the
    lookup and send back status. In the wiki article on OCSP, note it says
    "Internet Explorer starting with version 7 on Windows Vista (not XP)
    supports OCSP checking". Well you have IE8 which is the latest you can
    install on Windows XP (IE9 refuses to install) and it will support OCSP
    but the crypto support in Windows XP does have the functionality to work
    with IE7+ to do OCSP. OCSP was established long after Windows XP was
    released. While RFC 2560 was technically ratified in 1999 and Windows
    XP was released in 2001, it typically takes 4-6 years before RFCs get
    implemented in an OS or in apps. Internet Explorer 7 was released in
    2006 (after OCSP was ratified) but still Windows XP's release was too
    close to OCSP's ratification to have the support needed in it so Windows
    7 could use OCSP.

    I've also seen boobs as web designers that use a cert for one domain but
    then use that cert in a different domain. Both domains are owned by the
    same registrant but they are DIFFERENT domains and a cert validates
    against the domain to which it was registered. You never bothered to
    give an example site where you run into the cert validate problem.

    Also, SSL relies on timestamping in the handshaking process to ensure
    there was no interception between sending tokens and getting a response.
    I don't know what is the timeout but the server expects a response from
    the client within a very short time. If your client (host) time is way
    off then SSL handshakes will fail. You need to get your computer and OS
    clocks within a minute, or two, of the atomic time so make sure you have
    the correct time and are using a time sync utility (the one in Windows
    sucks because the MS NTP servers are overly busy so they may not
    respond, are not necessarily the shortest path regarding delay between
    your host and the NTP server, only work on logon so if you stay logged
    on then there is no sync, and a random interval is used between time
    syncs that could be days or weeks apart). Get a decent time sync
    utility to make sure your time is accurate so SSL will work.

    Make sure your time is accurate. It is required for SSL to work.
    VanguardLH, Jan 23, 2012
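
Added example, not part of VanguardLH's post: a Python triage that sorts a certificate warning into the causes the post lists (clock outside the validity window, certificate used on a different domain, no revocation source) and lists the CRL/OCSP URLs a client would have to reach. The input is a constructed dict in the format returned by `ssl.SSLSocket.getpeercert()`; the host names and URLs are placeholders.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format returned by ssl.SSLSocket.getpeercert();
# the host names and URLs are placeholders, not taken from the thread.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jan  1 00:00:00 2014 GMT",
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.bank.example")),
    "crlDistributionPoints": ("http://crl.ca.example/old-path/ca.crl",),
    "OCSP": (),
}

def _name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def triage(cert, host, now):
    """Return the reasons a client would warn about this certificate."""
    findings = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("clock-before-notBefore")  # local clock is likely wrong
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired-or-clock-ahead")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, host) for n in names):
        findings.append("name-mismatch")  # cert issued for a different domain
    if not cert.get("crlDistributionPoints") and not cert.get("OCSP"):
        findings.append("no-revocation-source")
    return findings

def revocation_urls(cert):
    """URLs the client must reach to check revocation (CRL first, then OCSP)."""
    return list(cert.get("crlDistributionPoints", ())) + list(cert.get("OCSP", ()))

if __name__ == "__main__":
    jan_2012 = datetime(2012, 1, 23, tzinfo=timezone.utc)
    for host in ("www.bank.example", "bank.example.net"):
        print(host, triage(SAMPLE_CERT, host, jan_2012))
    print("fetch for revocation:", revocation_urls(SAMPLE_CERT))
```
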
  7. AB

    Mayayana Guest

    | What other browser would you recommend?
    It's hard to recommend anything wholeheartedly.

    * Opera is good, but it's finicky about page display,
    and when I've used it it's tried to contact a server
    at without asking. The Opera people
    are also intercepting "navigations" on phones running
    Opera, and running them through
    as a proxy server, so I'm not inclined to trust them.

    * Chrome is Google spyware.

    * Safari doesn't seem to get very good reviews. I've
    never actually tried it.

    I've been using the Mozilla browsers, for lack of
    another alternative. By Mozilla browser I mean any
    browser based on the open source Mozilla code.
    Since it's open source, people are free to use the
    basic code and make any changes they like.
    There are 3 Mozilla browsers I've used:

    * Firefox: Good, but they're getting almost all of their
    funding from Google, and it shows. Firefox is becoming
    increasingly bloated and commercial. I'm running the
    latest 3.6 update and probably won't update further.
    (The versioning has become increasingly absurd. They're
    up to 9 or 10 or some such at this point, with new versions
    every few weeks. The Firefox people seem to be steering
    toward a cliff, for no apparent reason that I can see.)

    * Palemoon: My current favorite. It's basically a slightly
    trimmed-down version of Firefox.

    * K-Meleon: The browser I'd like to use, but it doesn't
    get updated often enough. It's a bit too unpolished. But
    it's much cleaner and lighter than Firefox. Very fast.
    No nonsense.

    For me security and privacy are important. I rule out
    IE on security grounds and Chrome on privacy grounds.
    The Mozilla browsers all have reasonably good, simple
    settings, along with very extensive, fine-grained control
    for those who want to go to the trouble. In general, I
    personally think they're the lesser of the evils. Especially
    the non-Firefox Mozilla browsers.

    Unfortunately, no one at this point is just making a
    browser "for the people", to browse the Internet. There
    are grubby hands everywhere trying to get hold of
    people's browsing activities because whoever knows
    what you're doing online can either show you targeted
    ads or sell you to someone who will show you targeted
    Mayayana, Jan 23, 2012
  8. AB

    AB Guest

    Thanks for the suggestions. Guess I'll just start with one and move
    on to another if not satisfied. I did hear of someone (a hard to
    please person) liking Safari, so maybe I'll go with that. I also
    wouldn't touch Chrome, for the reason you stated.

    Thanks again for the help.

    AB, Jan 23, 2012
  9. AB

    AB Guest

    Wow - quite a posting! Appreciate all the information imparted. That
    said, some sites that I'm getting the interference on are Twitter and
    a couple of financial sites that I KNOW are safe. My time & date are
    fine so that's not the cause.

    It's such an annoyance that I just want to eliminate this function
    rather than correcting it. I have good protection on the computer so
    not concerned about 'expired' certificates. Is there a way to
    disable this function?
    AB, Jan 23, 2012
  10. AB

    VanguardLH Guest

    Certificates and SSL are not to protect your computer. They protect the
    data transfer (if SSL is used) or validate that some trusted 3rd party
    authority is telling you that you visited the site that you thought you
    visited (else you can't be sure you got to where you thought). Your
    financial sites wouldn't be safe to visit unless you had them prove they
    were who you thought they were.

    You can disable cert checking in the Advanced options of IE. Just be
    aware that you then can't guarantee (or have a high trust) that the site
    you visit is really your financial institution. DNS poisoning (either
    at the server or in your host's cache) or DNS changers (malware that
    changes the DNS server that your host will use in its TCP/IP config)
    could lead you to some phish site that looks like your bank and you'll
    even see their URL in the address bar of your web browser, but the phish
    site won't have your bank's cert to prove the site is your bank.

    You could try to see if using a different web browser makes a
    difference. The others may support OCSP and provide their own crypt
    libs for Windows XP so OCSP gets supported there. That would eliminate
    the traffic bottleneck at the CRL servers if that's the problem but
    would only help if the CA also implements OCSP. You could ask over in
    the Firefox newsgroup and Chrome forums if those support OCSP not only
    in their web browser but when it is also run on Windows XP.
    VanguardLH, Jan 23, 2012
  11. AB

    Don Varnau Guest


    I could have worded that more clearly, but I have Windows Update under Tools
    in the IE Menu Bar in IE6, 7, 8 & 9.


    Don Varnau, Jan 24, 2012
  12. AB

    SC Tom Guest

    AB may be thinking of the Command Bar (the one with the icons) instead of the Menu Bar. On the Command Bar, Windows
    Update is under the Safety icon.
    SC Tom, Jan 24, 2012
  13. AB

    AB Guest

    Thanks SC Tom. Now I found the Command Bar and the Windows Update

    New problem: when I invoked it and was taken to the MS Windows Update
    page I got a message about needing ActiveX which I believe I have. But
    the page said it couldn't display properly and selections that I wanted
    I couldn't access. I followed the instructions to find ActiveX & load
    but it led to nowhere. Didn't see any option for security
    certificates update so did a search. What I found was from 11/11 and
    only mentioned IE 7 so I didn't download.

    I appreciate all the help from you both, but I give up. Will move to
    a different browser and soon to a Mac. I'm so tired of all this MS
    control, dead end leads and wasting my time.

    AB, Jan 24, 2012