No Surveillance State Month, Part 9: Don’t Trust Bad Certificates

Have you ever been browsing the Internet and seen a screen like this:

Bad Cert

…or this:

Bad Cert

This is your browser telling you that it can’t be sure of who’s on the other end of your data transaction. SSL (the encryption technology used whenever you type in a URL that starts with https://) ensures that your data is transmitted securely between two endpoints. But what if the endpoint that you think is, say, Facebook, is really just someone pretending to be Facebook? We call this a “man-in-the-middle attack,” and it’s the most significant threat to the security of your data in transit across the Internet.

Certificates are what make sure that the endpoint is who you think it is. A certificate is a key set that is assigned to (e.g.) a Web server by a certificate authority (CA) — a company that is trusted to assign certificates only to the authorized owner of a domain name. Your computer comes pre-programmed (by your OS vendor or Web browser vendor) with a list of valid CAs, and using digital signatures, your computer can verify that the certificate a Web server presents to you was signed by a valid CA.

If all this is confusing, no worries. The tl;dr version: if you see a screen like the one above, your computer wasn’t able to confirm that the endpoint is valid because it didn’t present a valid certificate. You should understand that if you tell your computer to proceed anyway, your information may be going to a hacker (whether or not that hacker has a badge). If the site you’re trying to access is a bank, your e-mail account, or pretty much anywhere else that asks for a password, financial information, or anything else you might want private, don’t proceed, and contact the owner of the Web site.
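The same check your browser runs before showing that warning, as an added Python example (not code from the original post): it connects with certificate and hostname verification switched on and, instead of offering a "proceed anyway" button, reports why verification failed. The function names and the grouping of OpenSSL verification codes are choices made for this example.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes, grouped by what went wrong with the certificate.
REASONS = {
    9: "not yet valid",
    10: "expired",
    18: "not trusted (self-signed certificate)",
    19: "not trusted (self-signed CA in chain)",
    20: "not trusted (issuer not in the local CA list)",
    21: "not trusted (cannot verify the signature)",
    23: "revoked",  # only reported when CRL checking is enabled
    62: "incorrect name",  # hostname mismatch
    64: "incorrect name",  # IP address mismatch
}


def classify(verify_code):
    """Turn an OpenSSL verification code into a human-readable reason."""
    return REASONS.get(verify_code, f"other verification failure ({verify_code})")


def strict_context():
    """TLS context that trusts only the system CA list and checks the name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # already the default, stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED  # never fall back to CERT_NONE
    return ctx


def check_site(host, port=443, timeout=5.0):
    """Return (ok, detail); a failed verification aborts before any data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                return True, f"valid certificate, {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return False, classify(exc.verify_code)


if __name__ == "__main__":
    for name in sys.argv[1:]:
        ok, detail = check_site(name)
        print(f"{name}: {'OK' if ok else 'DO NOT PROCEED'} - {detail}")
```

Run it with one or more hostnames as arguments. Python does not check revocation by default, so a revoked certificate is only reported if CRLs are loaded and the context's verify flags enable CRL checking.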


This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

7 thoughts on “No Surveillance State Month, Part 9: Don’t Trust Bad Certificates”


  1. A decent example of an exception is the browser applet version of Minecraft. Since its release as a stand-alone game, the security certificates related to the applet have not been updated and have expired. This means you get these warnings if you try to play Minecraft in your web browser (it will go bonkers) and not in its normal launcher (which is not encrypted at all, by the way.)

    That said, Minecraft/Mojang normal website security certificates have been kept up to date, so your account information (the stuff related to purchase payments) is relatively safe. Despite the game’s notorious reputation for not being secure with your in-game activities and the myriads of trolls and griefers wanting to make your simulated heaven into a simulated hell by means other than the legitimate nether portals, Mojang has never been affected by a breach that compromised sensitive account details, unlike some major companies (especially Twitter and Yahoo.) This does mean that if you get security warnings from minecraft.net without trying to play the game in your browser, it is almost certainly a real man-in-the-middle attack. It’s better to download the stand-alone launcher to avoid the warnings that don’t indicate a real attack, so that if you do get warnings, you know they are real.

    In general, do not download any applications (stuff that ends with .exe, .com, .dll, .jnlp, .jar are examples, and these extensions inside compressed folder files like .zip, .tgz, .rar, .tar, etc.) if the site doesn’t have an HTTPS version, or the HTTPS version generates warnings. If you’re HTTPS to the download link without any warnings, you can be pretty sure you’re not downloading from a pretender dressed up as the website you’re visiting.

    1. There are four reasons why a certificate may be reported as invalid: expired, revoked, not trusted, and incorrect name. Of the four, expired is the least concerning, and that’s what you’re getting with Minecraft. But, a game is far different from the sensitivity of your bank account or your e-mail account (which can be used to get access to your other accounts).

      1. Certainly true, which is why the website certificates are more important than the applet certificates.

        The third paragraph of my unusually large comment is to protect against someone getting in the middle of a software download that you want and replacing it with malware. Once malware is running on your system, your computer is an open book, and keyloggers, webcams and microphones could be used as well. In that way, a “game” could easily get everything else. An ounce of prevention is worth a metric crap-tonne of cure when it comes to malware (trust me on that one!)

  2. Interestingly, the government’s own websites OFTEN have this problem. AKO (Army’s email service) always has this problem. I used to work for the State of Utah, and had to click through these warnings to get to where I had to go to do my work.

  3. Thanks for this advice — McAfee recently popped up with a warning for an article about Obama’s surveillance state on the website of an organization I generally trust. The warning didn’t come up for any other pages on the site. In the past I would have clicked on it because I trust the organization, but because of your post here I decided I didn’t need to read the article. It’s an organization that, among other things, supports writers and journalists who are persecuted by their governments for their writing, and elsewhere on their site are a couple blurbs about how they have been actively opposing FISA for some time. The McAfee warning seems telling, given the site’s content and political stance.
