How websites deal with expired certificates
When life gives you lemons, make lemonade.
Unfortunately, the verification process for our SSL certificate (read more here) has been delayed and on Sunday morning our certificate expired. This will be fixed soon, but meanwhile let’s use this teachable moment to see what happens when your web browser encounters a site it thinks might be a security threat.
I tried to log in to ICS mail with several common web browsers. Here’s what I saw:
Safari
Apple’s Safari presents a very simple error message:
The choices are simple: show the certificate to see what the problem is, click “Cancel” to get away from the site, or click “Continue” to proceed to the website. For our purposes, this is easy – click Continue to go to the site (since we know it and know it’s safe). But the message doesn’t really tell you much about what the problem is.
Internet Explorer
Microsoft’s Internet Explorer is very similar to Safari with its simple message:
So, Microsoft recommends you don’t continue, but it gives you the option to proceed. It doesn’t tell you much, although there is a “more information” link to get more details.
Chrome
Google’s Chrome browser is a little prettier, but still with only basic information:
Nice visuals: a red lock with an X, and the red crossed-out https in the URL bar show that there is a problem with the security. The only obvious option is to click “Back to safety” and avoid what might be a dangerous site. You have to click “Advanced” to see more details:
Here you see that the certificate expired. There’s another warning, and a link to proceed that is marked as unsafe.
Firefox
Mozilla’s Firefox has a more thorough warning system. This may be off-putting to you at first, but it really gives you the most information and the clearest instructions about what the problem is. First, you get a general warning:
A warning saying there’s something wrong, with only one button, “Get me out of here!” If you click “Technical Details” (the orange triangle indicates that there is information below the heading, but it’s collapsed), you see this:
The technical details are that the security certificate expired. If you understand what the problem is, you can get more information if you expand “I understand the risks.”
Here, Firefox gives you the chance to “Add Exception” if you know what’s going on. This tells Firefox to trust the site despite the problem. When you click here, you get more information and a chance to allow Firefox to take you into the site:
Again, here it shows you the problem with the security certificate and lets you confirm that you know what you’re doing.
What to do?
So when you see these kinds of error messages, what should you do? You need to follow the saying that I use all the time:
Think before you click!
Don’t just blindly click on buttons. Don’t panic. Think to yourself, “what is this website? Do I know it? Can I trust it? What exactly is the problem? Do I understand what it is?” Read the information the web browser gives you and try to understand it.
The world is not a simple place. When you go to a shop, do you pull your wallet out? Do you give the merchant your credit card? It all depends. Is this a place you can trust or not? What information gives you the idea you can trust it? Have you been there before? Does it look like a legitimate business? What makes it look that way? Do the people there seem trustworthy?
Similarly, the internet is not a simple place. If you proceed blindly, without thinking and paying attention, you may get ripped off.
In the present case, you know the ICS website. You trust the school. You might hesitate because you don’t know why our security certificate has expired. Maybe criminals have taken over the site, trying to get your information. Perhaps you should check it out and ask someone. (If you’ve read this far, I hope you realize that this is a problem we’re aware of and are working on!)
Note: if you add an exception or proceed to this site, it DOES NOT mean that your information is sent in the clear. The site is still using the secure HTTPS protocol to connect, which encrypts your data. The only problem is that the security certificate’s validity period has expired. Consider a driving license: if yours expires, do you stop being able to drive a car? No, but it’s no longer verified. This is a problem for us at ICS, but it is not an indication of compromised security.
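An added example, not part of the original post: the question “What exactly is the problem?” can also be answered from a script, using the same verification a browser performs. The function names and the host `mail.example.org` are placeholders chosen for this illustration.

```python
import socket
import ssl

# OpenSSL verification error codes (X509_V_ERR_*), which Python exposes as
# SSLCertVerificationError.verify_code when the handshake is rejected.
REASONS = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "certificate is self-signed",
    19: "self-signed certificate in the chain",
    20: "issuer is not trusted by this machine",
    62: "certificate does not match the host name",
}


def classify(verify_code):
    """Name the check that failed, in plain words."""
    return REASONS.get(verify_code,
                       "other verification failure (code %d)" % verify_code)


def check_host(host, port=443, timeout=5.0):
    """Connect with normal verification and report what happened.

    OpenSSL stops at the first failed check, so "expired" names the check
    that failed; it does not prove every other check would have passed.
    """
    ctx = ssl.create_default_context()  # verifies chain, dates and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"host": host, "verified": True, "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "verified": False,
                "detail": classify(exc.verify_code)}
    except OSError as exc:  # DNS failure, refused connection, timeout, ...
        return {"host": host, "verified": False,
                "detail": "connection failed: %s" % exc}


if __name__ == "__main__":
    # mail.example.org is a placeholder, not the site from the post.
    print(check_host("mail.example.org"))
```

A result of “certificate has expired” matches the situation described here; “certificate does not match the host name” or an untrusted issuer is a different problem and deserves more suspicion.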
I apologize to everyone for the inconvenience, but I’m almost glad that we’ve had this type of “teachable moment.” I hope that you pay a little attention to the warning messages you get from your computer and web browser and act a little more thoughtfully on the internet.