Sometimes a website can’t be accessed and the browser shows a “not secure” warning. In fact, this warning is displayed when the website’s certificate isn’t recognized. This could be because it has expired or doesn’t exist, is self-signed, from an unrecognized authority or doesn’t contain the website identity. Below are some explanations for the various situations.
The site doesn’t have a certificate
These days, browsers consider that all websites must be secured with a TLS certificate. There are several free options for obtaining valid TLS certificates, such as Let’s encrypt. It’s best to avoid communicating information on unsecured websites as your data can easily be intercepted.
The certificate is expired or revoked
As a certificate is a digital identity card, it has a validity period and can be revoked for various reasons. If this is the case, browsers block access to the website to protect the user. If the certificate is expired or revoked, the website is no longer secured. It’s possible, but not advisable, to bypass the browser warning.
The certificate is self-signed
Only Certificate Authorities (CA) are authorized to provide certificates. A self-signed certificate is signed by its own creator rather than a CA. This type of certificate must only be used during technical testing or to generate CA certificates. Browsers block websites with self-signed certificates as they are not certified by a trusted authority and there is nothing to prove that the website is secure.
The certificate doesn’t contain the website identity
A website’s identity is (in part) its domain name, or FQDN (Fully Qualified Domain Name). As an example, to access Digitalberry’s website, you need to go to the URL https://www.digitalberry.fr/. Its FQDN is www.digitalberry.fr, the string between // and the first /. Browsers are designed to reject connection to any website with a certificate that doesn’t contain the FQDN used in the address bar. This is because, in other words, Bob is going around with an ID card with the name Alice on it. Do you think you can trust him?
The Authority isn’t recognized
All browsers embed the self-signed certificates of trusted authorities, enabling them to validate or reject a certificate. Of course, a website with a certificate approved by an authority not listed in the browser will not be accepted. As an example, if a tourist from the state of Abkhazia arrives in France with his Abkhazian passport, he will be sent back home as France doesn’t recognize this state. However, authorities can be added to browsers if an organization has its own Certificate Authority.