Security certificates and what they mean
Yesterday I received an email from a student who was in this class last semester, and they had a question regarding a security-certificate warning that popped up as they carried out a mobile retail transaction on their cel-phone. The screenshot of it is below, and they were understandably concerned:
When you visit a website that allows for you to carry out transactions, including getting your personal and/or credit card information, they will have an associated security certificate that is issued by a trusted third party. The most popular of these issuing authorities is VeriSign, now part of Symantec, and the certificate indicates that the website is legitimate, secure, and your data will be safe.
When a site is protected in this way, there will be a logo on the site indicating this, and it can’t be faked. Clicking on it will bring up the certificate and security information as it pertains to the site, so if the image is simply copy and pasted nothing will happen when you click on it and you’ll know it’s faked. As an example, I have included a screenshot of the Norton Secure logo at the bottom of the main site she was trying to access, and the window that appears when clicking on it.
However, there can be problems with these certificates which will result in warnings like these. The problem can be that the server simply isn’t configured correctly, or the certificate has expired and needs to be renewed, or in her case I suspected that the certificate was issued for the main site and not the mobile one she was accessing. Her data would still be secure, but the certificate wasn’t issued for the mobile site specifically.
It doesn’t mean it’s necessarily a huge problem, it could be nothing more than a renewal issue. If the site has been used before and there hasn’t been any problem you’re probably OK. However, and as I advised her, you should always check your accounts just to be sure; you can make a decision to go ahead but with the knowledge that there is a small chance it’s a legit warning.
Here is my reply to her inquiry, included to give you some further info. We’ll talk more about all of this when we discuss security. In the meantime, be vigilant, and if you’re uncertain don’t take any chances.
No, I think you're fine. This can occasionally be caused by someone trying to do something bad, but not often. The most common reason for seeing a warning like this is that the site's security certificate has expired. Not a big deal, they just need to renew it. In your case, however, I notice in your screenshot that you are browsing a mobile site (as indicated by the 'm.' instead of 'www' in the URL) using your mobile phone, and it is prefaced by https://, and that is most likely where the problem lies. You see, the security certificate was probably issued for their full site, not their mobile site, and you are accessing that mobile site securely using https, and that is my guess as to what is causing the browser to give that warning. If you did it with http: instead it probably wouldn't give you that warning. It might, but I suspect it wouldn't. I believe you can also go into settings in your phone, then to security, and there may be an option along the lines of 'Use Secure Credentials.' I don't recall the specifics, but if you keep having that certificate problem then you might want to try that setting. You'll still want to keep an eye on your account, of course, but ultimately I suspect the certificate is being confused by the combination of the mobile browser and site against the https.