linux - Why do I have untrusted certificates for Google, Yahoo, Mozilla and others?

06
2014-04
  • jackweirdy

    In the HTTPS/SSL section of chrome://chrome/settings, I see the following: [screenshot: Certificate Manager]. What does this mean, and is there something wrong?

    I have a basic understanding of SSL/TLS - I'm not claiming to be completely familiar, but I'm fairly confident I know my way around it - but I don't understand why I have certificates installed on my machine specifically for these sites.

    From my understanding, I should have the certificates for Certificate Authorities, and any site I visit and use SSL/TLS should have a certificate signed by one of these trusted CAs for me to trust the site.

    My worry is that if someone has maliciously installed a certificate for these sites on my machine, they could perform a DNS spoofing attack (or a number of other attacks) to hijack my connection to my email account without me knowing, and as they've got the private counterpart to the certificate on my machine, decrypt the communication.

    NB: I'm also aware that CA certificates aren't just within Chromium and are used system wide as part of libssl - they're stored in /etc/ssl/certs.

    What I'd like to know is:

    • Is this correct? - The big red boxes make me think no
    • Is this malicious or benign?
    • What can I do to resolve this problem? (If indeed it is a problem)

    Thanks :)

  • Answers
  • Bob

    This is a good thing. Those certificates were revoked, often because someone applied for/acquired a certificate (private key) for an entity they don't own, which can be used for impersonation. The revoked certificate list on your system basically tells your system not to trust these certificates.

    Certificates are often used to identify the website, which relies on the issuer not issuing it to someone else. Those certificates in your screenshot were listed as fraudulent or untrusted because the issuer made a mistake and must tell everyone not to trust the certificate they already signed. Occasionally, the group that created the trusted list (e.g. your OS/browser developers) may manually add certificates to the untrusted list, possibly if the issuer takes too long to do so.

    For more info, see: Public key certificate and Revocation lists.



  • Related Question

    security - Firefox Certificate Error
  • Mikle

    I have this annoying problem - every time I get into a site with a security certificate I always see a warning page that the certificate is invalid. I've grown accustomed to just setting an exception and never seeing this again (for sites I trust of course).

    Today I tried browsing godaddy to buy a domain, and it started acting weird - it only shows me a text version of the site, where most of the images and the style page are missing. A screenshot of the top of the page:

    [screenshot]

    Only at the end of the page does some kind of unstyled plain text dump appear. I can only come to the conclusion that the CSS file is unsigned and that Firefox doesn't show it.

    My questions:

    1. How come Firefox thinks that all the certificates it sees are invalid (including its own, like addons.mozilla.com)?

    2. Why doesn't GoDaddy work right, and how do I fix it?

    Edit: IE7 shows me a page about the certificate not being valid but then shows me the page nicely formatted.

    I should maybe add that I'm a pretty security aware guy, and that I don't believe it's a problem caused by malicious software on my computer. I tried installing a fresh copy of Windows on a virtual machine and Firefox showed me the same error.

    Further details: The exception text is:

    www.godaddy.com uses an invalid security certificate.
    
    The certificate is not trusted because it is self signed.
    The certificate expired on 1/25/2009 7:35 PM.
    
    (Error code: sec_error_expired_issuer_certificate)
    

    I'm pretty sure my computer time is right (21 August 2009, unless I'm insane too, but that's a different question :))


  • Related Answers
  • Konrad

    No No No No. Do not set exceptions, they are meant to be exceptions, not the norm. If you are constantly seeing it then you are likely the victim of a man-in-the-middle (http://en.wikipedia.org/wiki/Man-in-the-middle%5Fattack) attack.

    By allowing exceptions you are completely forfeiting one of the protections afforded by the certificate: trust. Companies (ecommerce, banks etc.) pay a lot of money to people like Verisign to get a certificate that they counter-sign. This allows you to trust that the certificate is:

    a) Valid
    b) Not tampered with
    c) Trustable
    

    The only time you should ever trust an unsigned certificate is a self signed one you have created yourself. ANY other kind should be treated with the greatest suspicion.

    I would strongly suggest you reinstall your operating system, something is not right and if you have been infected with spyware / malware or rootkitted then the only way to reverse it is to start from a clean slate.

  • bethlakshmi

    It would help to know what kind of invalid error is occurring. For example:

    • Is it expired/not yet valid - then your computer may not be set to the correct time
    • Is it not signed properly - then you're being offered a bad certificate -- quite possibly a man in the middle attack
    • Is it from an untrusted CA or self-signed? Then it might be OK to add it to your trusted certificate list, if you recognize and trust the CA signing the certificate. I find self-signed certificates a little dodgy, and don't add them to my cert store, unless I know I'm looking at a known test website.
    • Does the domain of the certificate match the domain presented - if not, don't trust it. If you need to use the site, call the site provider and get their help figuring out what's wrong.

    I'm assuming you don't have any add-ons that do validity checks to OCSP or CRLs... that's a heavy duty security thing that most normal people don't use. If you do have a client for OCSP checking, let me know which one and what its results say.

    When I hit GoDaddy with my own Firefox, I don't get an error, I do get to GoDaddy's certificate, which is signed by their CA (Go Daddy Secure Certification Authority) which my browser trusts.

    If you throw up the SHA1 or MD5 hash of the certificate, I will gladly cross check with what I see here:

    • click "GoDaddy.com, Inc (US)" next to the URL.
    • click "More Information"
    • click "View Certificate"
    • take a picture of the window (On Windows this is alt-print screen) and post somewhere public and reference URL.
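The revocation mechanism Bob's answer describes (a revoked or untrusted entry telling the system not to trust a certificate it would otherwise accept) and the failure categories in bethlakshmi's list (wrong clock, bad or untrusted issuer, self-signed, hostname mismatch), as one added shell example that is not part of any post on this page. It builds its own throwaway CA with OpenSSL in a temp directory, issues a leaf certificate for the made-up hostname mail.example.test, then shows what `openssl verify` reports for each case, ending with the leaf being revoked through a CRL. It assumes only that `openssl` (1.1.0 or newer) is on the PATH; nothing touches the network or the system trust store.

```shell
#!/bin/sh
# Added example; not code from the original page or from any poster.
# Builds a throwaway CA and leaf certificate with OpenSSL in a temp dir,
# then walks `openssl verify` through the cases discussed on this page:
# good chain, wrong clock, hostname mismatch, untrusted issuer, self-signed,
# and finally revoked via a CRL. The CA name and mail.example.test are made up.
set -e

# Print "OK", or the reason from the first "error N at D depth lookup:" line.
verify_reason() {
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1 || true)
    reason=$(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
    if [ -n "$reason" ]; then echo "$reason"; else echo OK; fi
}

# (Re)issue the CA's CRL and rebuild the trust bundle (CA cert + current CRL)
# that `openssl verify -crl_check -CAfile` reads. Runs in the CA directory
# because the paths in ca.cnf are relative.
publish_crl() {
    (cd "$1" && openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null)
    cat "$1/ca.crt" "$1/ca.crl" > "$1/trust.pem"
}

setup_demo_ca() {
    d=$1
    # Self-signed root CA (plays the role of a CA in /etc/ssl/certs).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Leaf key + CSR for the hostname; the CA signs it with a matching SAN.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mail.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    # Minimal `openssl ca` database: just enough to record revocations and sign CRLs.
    : > "$d/index.txt"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo

[ demo ]
database = index.txt
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 30
EOF
    publish_crl "$d"   # first CRL is empty: nothing revoked yet
}

# Mark the leaf revoked in the CA database and publish a fresh CRL.
revoke_leaf() {
    (cd "$1" && openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null)
    publish_crl "$1"
}

DEMO=$(mktemp -d)
setup_demo_ca "$DEMO"
LEAF=$DEMO/leaf.crt
TRUST=$DEMO/trust.pem

R_OK=$(verify_reason "$LEAF" -crl_check -CAfile "$TRUST")
R_CLOCK=$(verify_reason "$LEAF" -CAfile "$TRUST" -attime 946684800)   # verify as if it were 2000-01-01
R_HOST=$(verify_reason "$LEAF" -CAfile "$TRUST" -verify_hostname www.example.test)
R_ISSUER=$(verify_reason "$LEAF")                # demo CA is not in the system store
R_SELF=$(verify_reason "$DEMO/ca.crt")           # the root itself, with nothing vouching for it
revoke_leaf "$DEMO"
R_REVOKED=$(verify_reason "$LEAF" -crl_check -CAfile "$TRUST")

printf '%-20s %s\n' "good chain:" "$R_OK" "clock set to 2000:" "$R_CLOCK" \
    "wrong hostname:" "$R_HOST" "issuer not trusted:" "$R_ISSUER" \
    "self-signed root:" "$R_SELF" "after revocation:" "$R_REVOKED"
rm -rf "$DEMO"
```

Run it with `sh`. The first line reports OK; the `-attime` line reproduces the "wrong system time" cause without touching the real clock; the last line shows the same, still-valid leaf turning into "certificate revoked" purely because the trust bundle now carries a CRL entry for it, which is the role the explicitly untrusted entries in the questioner's Chrome screenshot play. For the store Chromium uses on Linux (the NSS database in ~/.pki/nssdb), `certutil -L -d sql:$HOME/.pki/nssdb` from the NSS tools lists the entries and their trust flags.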
  • William Hilsum

    It would help to know the specific failure of the SSL certificate, however in my experience, the most likely cause is your system time/date, as you said you had the same problem in a VM.

    FYI - The reason about formatting is because if you have a certificate error in IE and accept, it renders the whole page from all sources, whereas in Firefox, as many sites have content from different domains, you need to accept the SSL from those sites as well.

    You can do view source, then look for https://whatever and type that into the address bar and then allow it through - however do not permanently store exceptions unless you really trust the site.

  • 8088

    Is there some sort of proxy you're going through on your network? It sounds like you could be seeing cached data. My first thought was a virus/rootkit as well, but the VM test rules that out (unless the VM was running on the same machine)

    The GoDaddy thing is especially odd, since I can verify that the cert is neither self signed nor expired.
