Is there necessarily certificate hijacking when SSL certificates are not trusted?

Not necessarily, there are many reasons why SSL certificates are not trusted, not necessarily "certificate hijacking".

Common browser prompts that SSL certificates are not trusted for several reasons:

Cause 1: The SSL certificate expires

SSL certificates have an effective date, and the maximum validity period of an SSL certificate is 2 years, so be sure to pay attention to the expiration time of the SSL certificate.

Reason 2: The SSL certificate comes from an untrusted CA organization

The CA is the issuing authority for the certificate. Certificates can be issued by anyone, we can issue certificates to our own **, and we can also give our own certificates to others to install. This kind of certificate does not cost at all, you only need to have a certain understanding of the certificate, but this kind of certificate is not trusted by other clients by default, usually the client will prompt "the certificate is from an untrusted CA organization".

Cause.

3. The client does not support the SNI protocol

This usually happens in Windows XP systems, and Android versions and below, most of the reasons are because these systems are so old that the number of people who use them is very small, and it is not recommended for everyone. Most of these older systems do not support the SNI (Server Name Indication) protocol, but the current mainstream operating systems support this protocol, so you don't have to worry too much.

Cause 4: The SSL certificate installation is incomplete

The application and installation of SSL certificate are generally error-prone for first-time operators, and you can seek professional help.

This is also the case when we encounter individuals using homemade certificates. If you're particularly familiar with this, you won't worry, and even if this kind of prompt appears, you'll be browsing. If you encounter a large-scale public trading platform such as online banking, ** payment or some corporate nature, this situation occurs, then you must be vigilant.

There is a special case here that is 12306, but we should treat it on a special basis.

If you encounter certificate distrust, you should terminate the browsing in time to avoid being deceived because the certificate is hijacked. Because once there is abnormal behavior on the network, the certificate will not be trusted, and the browser will also make appropriate reminders. As an individual user, once you can't tell what is wrong, you must stop visiting this page in time.

Moreover, under normal circumstances, we will not often encounter the situation of personal **self-made certificates, and even if there is, we must be vigilant.

No. The main reasons why SSL certificates are not trusted by browsers are as follows:

The SSL certificate expires.

The SSL certificate for the specified domain name is not installed.

The time of the computer is incorrect, and it needs to be changed to Beijing time.

An untrusted SSL certificate is used.

The SSL certificate root certificate is incomplete and requires a technician to reinstall it.

The wrong SSL certificate is installed.

A self-signed SSL certificate is used.

Solution: Reinstall the SSL certificate after approval according to the above situation, or let GWORG reissue the certificate.

When visiting some pages that contain https classes, it will always prompt "This connection is not trusted".

Reason: 1: It may be due to the cache, and all caches are cleared (not very likely);

3: Advanced under the browser options - encryption, tick SSL and TLS (there is a possibility);

The SSL certificate issued by the CA organization is trusted by the browser, and it is necessary to choose the CA organization with global certification, which supports many browsers, such as the SSL certificate of WoSign CA basically supports all browsers. There is also a free SSL certificate application.

Here you are using a self-built SSL certificate, this kind of certificate is generally called a self-signed SSL certificate, which is completely free, but if you install this kind of SSL certificate, it will always show that the certificate is not trusted, and the prompt of insecure connection will always be displayed. In fact, self-signed SSL certificates have many drawbacks, and it is generally not recommended to install and use them

1. Self-signed SSL certificates come with security risks.

At present, almost all self-signed certificates are 1024-bit keys, and self-signed root certificates are also 1024-bit. The 1024-bit RSA asymmetric cipher spike key pair is no longer secure. Like Microsoft, Brada has required that all 1024-bit root certificates be removed from the list of Windows Trusted Root Certification Authorities; Google Chrome issues security warnings about self-signed SSL certificates, which can affect traffic.

2. Self-signed documents are most vulnerable to the attack of SSL intermediaries.

The self-signed certificate is a certificate that will not be trusted by the browser, and when the user accesses the self-signed certificate, the browser will warn the user that the certificate is not trusted, and you need to manually confirm whether the certificate is trusted. All the ** that use the self-signed certificate clearly tells the user that this is the case, and the user must click on the trust and continue browsing! This creates an opportunity for man-in-the-middle attacks.

3. Self-signed SSL certificates are easy to be counterfeited and forged.

The so-called self-signed SSL certificate is created by yourself, and in the same way, others can create an identical ** with you, which will steal your **information, and in serious cases, the browser will directly block you**.

4. Super long validity period, super easy to crack.

Self-signed SSL certificates are valid for as long as a few years or as long as decades, and you can issue them for as many years as you want. An SSL certificate issued by a trusted CA will not be valid for more than 2 years, because the longer it is, the more likely it is to be cracked by hackers. So the extra long validity period is one of its drawbacks.

Finally, it can be seen that there are still many disadvantages of self-signed SSL certificates, so it is better to choose a paid SSL certificate for better protection. If it is an important online banking system, e-commerce system, etc., it is best to use a paid enterprise-level ov SSL certificate or an enhanced EV SSL certificate, and do not use an insecure self-signed SSL certificate for the sake of cheapness.

The SSL certificate issued by GWORG is trusted by the browser.

SSL certificate is issued by a trusted CA, at present, there are only about 5 institutions in the world that have reached 99% of the failure rate, these CA institutions are determined because of early historical reasons, and they have been entered into the trusted directory of the operation system at the earliest, even if the CA is established now, it can not avoid historical problems, so the credible SSL certificate must have a pre-trusted SSL certificate CA issuing body.

In order to make ** credible, be sure to choose an SSL certificate issued by an authoritative digital certificate authority (CA), such as Geotrust, Comodo, DigiCert, etc. These are internationally authoritative and well-known CA institutions, and the SSL certificates issued by them are not only safe and reliable, but also rich in types, which can meet the security needs of different users. Random concessions.

The steps to resolve this issue are as follows:

1. First open the chrome browser and click the settings option in the upper right corner to enter the page.

2. Then click on the Settings option.

3. In the pop-up page, the HTTPS SSL management certificate is absolutely unacceptable.

4. Then click on the Import option.

5. Click on the file in the installation directory.

6. Select the default storage method as a storage posture to store personally.

7. Finally, the certificate import is successful, so that the problem is solved.

An untrusted SSL certificate can occur in the following cases:

1. The SSL certificate expires.

2. SSL certificate is not a legitimate letter.

Issued by a full-time CA agency.

3. The SSL certificate has been cancelled.

4. The SSL certificate is registered in the CT directory.

5. The trusted SSL certificate is not installed.

6. The SSL certificate of the corresponding domain name is not installed.

7. A private certificate is used.

8. **Suspected of serious credit problems, being blacklisted by CA institutions (less probable) 9. The root certificate of CA institutions is not installed, and the root certificate is expired and invalid, and a new certificate needs to be used.

1. Current computer system.

The time is not right, all https security certificates have a date and expiration date, and the computer system time outside the validity time period of the certificate may cause the browser to prompt **https security certificate has expired or has not yet taken effect.

2. The HTTPS security certificate of ** has indeed expired;

3. The site refers to other external links that have deployed https security certificates, and if the certificate of this external link expires, it will also prompt corresponding errors;

4. Use a self-signed HTTPS certificate;

5. Use an HTTPS certificate with poor versatility;

6. The HTTPS certificate is not deployed correctly;

Reasons why the https certificate is not trusted

1. If the self-signed https certificate is in trouble.

Appear"The HTTPS certificate is not trusted"It may be that a self-signed certificate is used. The self-signed certificate is a self-generated HTTPS certificate, which has not been reviewed and issued by a legitimate third-party CA organization, and can be generated by anyone (including phishing**), which is easy to be counterfeited and forged, and is vulnerable to man-in-the-middle attacks, which has a large security risk"The HTTPS certificate is not trusted"。

2. The compatibility of HTTPS certificates is not good enough.

Not all HTTPS certificates issued by CAs are globally available and support all browsers. If the CA does not pass the international WebTrust certification, then the HTTPS certificate issued by it is not trusted by many browsers, such as Internet Explorer. **When applying to purchase an HTTPS certificate, be sure to choose a CA that has passed the international WebTrust certification.

At present, among the domestic CAs, WoSign CA has obtained international and domestic double certification, and the HTTPS certificate issued by WoSign is globally credible and supports all browsers.

3. The HTTPS certificate is not deployed correctly.

If the https certificate of ** is not deployed correctly, there will be some risk warnings when accessing, such as the call of http resources in the https page, and some versions of the browser will prompt that the page is insecure. In this case, you only need to change these http call resources to https calls.

4. The browser specifies an untrusted https certificate.

Some certificate authorities have been listed by browsers for some reason"Blacklist", publicly announcing that it will no longer trust the HTTPS certificates it issued. So when you access the ** that deploys these certificates, some browsers such as Google and Firefox will prompt you"The HTTPS certificate is not trusted"。

How to Solve the Problem of Untrusted HTTPS Certificates

1. Use a globally trusted HTTPS certificate.

**Purchasing and using a globally trusted HTTPS certificate that supports all browsers will greatly improve the situation, such as the HTTPS certificate issued by WoSign CA, which is globally trusted and used at home and abroad, and supports all browsers. **With WoSign SSL certificate, there will be no browser prompt"The HTTPS certificate is not trusted"Issue.

2. Deploy the HTTPS certificate correctly.

Proper deployment of certificates in accordance with the Certificate Authority's HTTPS Certificate Deployment Guide can greatly avoid various problems, such as ensuring that ** elements (plug-ins, css files, **, etc.) are called HTTPS to avoid browser prompts"This page is not secure"Risk Warning. (Reference: How to Deploy SSL Certificates More Securely).

**https certificates are not trusted, in addition to being self-signed SSL certificates (which are not secure), and for this reason: the certificate authority is not a trusted authority by the browser. If the certificate authority has some qualification requirements, the GDCA is good and can be trusted.

The SSL certificate is not installed, or the certificate is not valid, has expired, is incorrectly configured, or is not compatible with the brand you purchased.

Regardless of whether you have purchased in SSL Shield before, you can contact SSL Shield customer service to help you renew if there is time left before, the remaining time after renewal will be added to the new certificate, you can also re-purchase other CA brand certificates, nine brands are recommended to renew for 2 years at a time, which is more convenient, ** and more favorable.

Reasons why the https certificate is not trusted1. If the self-signed https certificate is in trouble.

2. The compatibility of HTTPS certificates is not good enough.

3. The HTTPS certificate is not deployed correctly.

4. The browser specifies an untrusted https certificate.

Resolve the https certificate untrusted method1. Use a globally trusted HTTPS certificate.

2. Deploy the HTTPS certificate correctly.

Resources.