SSL (Secure Socket Layers) certificates tell your site’s visitors that you are whom you say you are and creates an encrypted connection between your domain (anexampledomain.com) and the visitor. If your domain doesn’t supply a valid certificate, the browser throws up a wall that warns the user that the site isn’t trusted. Many things may happen that tell the browser to issue the warning, but the most common reason is due to an expired SSL certificate.
In this article, we talk about some of the reasons your site might trigger a browser warning, things you can do to prevent warnings, and how to receive notifications quickly when your site generates an SSL related error.
The high cost of SSL certificate browser warnings
If you’re not using HTTPS, you’re losing visitors due to browser privacy warnings and reduced search engine rankings. At the heart of HTTPS connections is the SSL/TLS certificate used to guarantee you’re your site is secure. If your certificate is configured incorrectly or expired, your site triggers browser warnings (like the one below) that bring your site’s traffic grinding to a stop.
We’ve all seen browser security warnings. Something goes wrong with a site’s SSL certificate that triggers the browser to block the site and caution the user. The browser publishers designed the warnings to encourage users not to ignore them. In fact, Google put extensive research into reducing the number of superfluous warnings and producing warning messages in Chrome that people don’t ignore.
Prior to the study, Google observed that only 30 percent of Chrome users heeded security warnings. Therefore, 70 percent of users put themselves at risk by clicking past the browser’s security alert. Google’s study approached the problem from several directions, and, in the end, Google found two primary ways to improve user responsiveness.
- Reduced the number of browser warnings. The study found that half of the security warnings were due to network or client-side configuration problems that had nothing to do with the certificate. Google built in automatic processes in the Chrome browser to evaluate and eliminate many of these warnings. Fewer warnings mean people take them more seriously when they do appear.
- Google also tested and designed warning messages to manipulate user actions in the desired direction and made it more difficult for users to ignore the warning.
The study and changes in Chrome flipped the data. After Google implemented the changes, 68 percent of Chrome users receiving an SSL related warning reversed their course.
What do the changes in Chrome mean for your business?
The changes in Chrome mean that 68 percent of users head straight to the competition when they encounter an SSL related warning. Let’s say your site receives 500,000 users a day. An expired certificate may cost you 350,000 users in a 24-hour period. If your users only saw the error for two hours, you’ve lost over 40 thousand users on average during those two hours. That’s a lot of potential conversions lost.
SSL certificate warnings won’t happen on my site
Sure they will. At some point, a flaw in your planning will allow a certificate to fail; it happens all the time to even the biggest sites. For example, Microsoft Teams’ certificate expired a few months ago. Microsoft notified users on Twitter.
We’ve determined that an authentication certificate has expired causing, users to have issues using the service. We’re developing a fix to apply a new certificate to the service which will remediate impact. Further updates can be found under TM202916 in the admin center.
— Microsoft 365 Status (@MSFT365Status) February 3, 2020
SSL certificate issues cause problems for businesses everywhere. However, you can mitigate SSL certificate related problems with a proactive approach to SSL certificate maintenance. First, let’s review some common SSL certificate errors.
6 causes of SSL certificate related errors
Google’s article, Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors, details the findings of a several month study to find out the common reasons for SSL certificate warnings. The following is an overview of the issues they found. For detailed descriptions, please see the article.
- Expired certificates otherwise known as server date errors. A certificate has an effective date range with a start and end date. If the current date falls outside the date range, the browser issues an invalid certificate warning.
- Server name-mismatch error. If none of the hostnames listed on the certificate match the hostname provided by the client, a certificate error occurs. The mismatches typically occur from subdomain mismatches. For example, if the certificate lists mydomain.com but not www.domain.com, users that use the former receive a warning due to the mismatch error. Also, in the case of wildcard certificates, sub.subdomain.mydomain.com causes a name-mismatch error because the hostname doesn’t match the wildcard *.mydomain.com. Wildcard certificates can only support one level of subdomains. You can often prevent server name-mismatch errors by using Subject Alternate Name (SAN) SSL certificates, where you can list all of the possible hostnames from which your site redirects.
- Invalid certificate authority. The issuing authority vouches that the domain is valid, and the client can trust the connection. The client checks to see if the authority is on the client’s list of trusted sources, and if so, the client accepts the certificate. If the provider isn’t on the trusted authority list, the client issues a warning to the user.
- Server insufficient-intermediates errors. A root authority authorizes intermediate services to guarantee certificates, and the chain of intermediate services need to have certificates leading back to the guaranteeing root authority. If an error occurs in the chain of intermediate certificates to the root, the client doesn’t trust the certificate.
- Client errors. Issues on the client may cause a certificate to fail, such as incorrect client clocks and anti-virus software proxy problems.
- Network issues due to captive portals and missing TLS proxy roots can trigger browser warnings.
Avoiding SSL certificate warnings
We’ve included in the six reasons above four server errors you can control and two errors you cannot control (numbers 5 and 6). Although the browser may help mitigate some errors such as name-mismatch (when possible), preventing the other errors require your diligent attention.
Stop untrusted warnings due to expired SSL certificates
Staff changes and responsibilities shift communication channels can breakdown. Therefore, as a certificate’s expiration draws near, renewal emails go out, but to whom? With staff turnover, the reminders may go to an unmonitored account, go to someone that is no longer responsible for them, or you miss the reminders sent to an always full and often neglected department email address such as support@yourdomain.com or webmaster@yourdomain.com.
Uptrends’ SSL Certificate Monitoring sends you alerts about upcoming certificate expiration. You tell Uptrends how many days in advance you would like a warning, and Uptrends lets you know. Use your Alert definitions to set up reminders going to your phone, email, use an integration to apps such as Slack or PagerDuty, or use webhooks.
A word about multi-year expiration dates
You can purchase SSL certificates that have expiration dates two, three, even four years into the future, but don’t do it. Although multi-year expiration dates make your life easier since you renew your certificates less often, browsers may not accept them as valid for much longer. Apple’s Safari browser is the first to enforce a one year limit on expiration dates (learn more). Starting on September 1, 2020, Safari will no longer accept certificates that expire more than 398 days out from the current date. So, your three-year certificate may still have 900 days to go before expiration, but, unless the certificate was issued before 9/1/2020, Safari will display privacy warnings to the user.
You may think you don’t need to worry about Safari, but Google isn’t far behind with the same restriction in Chrome. Google has been pushing for the one-year limitation on certificate expiration for a while (Mozilla too), so you can expect announcements to come from other browsers soon. The certificate authorities have introduced subscription plans that automatically renew your certificate every year for a set period allowing you to save on your certificates. However, you will still want to set up reminders for the certificate subscription expiration, and you will want to make sure they have a current credit card number before each automatic renewal.
Misconfigured certificate settings and hackers
The issuer of a certificate controls what you can and can’t do when setting up your certificate(s) and if you can make changes to your settings after the fact. Either way, once you’ve set up your regular or wildcard SSL certificate, and it is working, there shouldn’t be any reason that it should stop working short of an out of range date error. If the certificate values change, either someone has inadvertently made changes, or a file has become corrupt.
Using Uptrends’ SSL Certificate Monitoring, you can perform content matches on the individual certificate values, and if the values change, your alert settings will let you know about the changes. You can check multiple fields or only one (site administrators commonly monitor fingerprints and serial numbers). Uptrends lets you monitor the following values:
- Common name: the site’s domain name, e.g., mydomain.com or *.mydomain.com for a wildcard certificate
- Organization: e.g., My Organization L.L.C.
- Organizational Unit: e.g., Marketing
- Serial number: The unique identifier assigned to the certificate, e.g., 1E:DB:AF:6D:D5:1E:35:71:02:00:00:00:00:5F:98:BB
- Fingerprint/thumbprint: A unique identifier computed from the certificate (the fingerprint is not part of the certificate but generated from it).
- Issued by common name: e.g., DigiCert SHA2 High Assurance Server CA
- Issued by Organization: e.g., DigiCert Inc
- Issued by organizational unit: e.g., digicert.com
If the values change, you may find a reasonable explanation, but the changes may be due to a spoofed or compromised certificate.
Takeaway
- It’s easy to forget an SSL certificate expiration date, especially when you manage several certificates.
- Expiration reminders from the certificate providers may go to unwatched or dead inboxes due to changes in personnel.
- An expired certificate triggers a browser warning for users.
- Approximately 70 percent of users will not push past a browser security warning.
- Checking certificate values such as the fingerprint can help you identify hacked or spoofed certificates.
- Uptrends’ SSL Certificate Monitoring can store all your certificate information in one centralized location for easy management.
- Uptrends can notify you about upcoming expiration dates to help you avoid expired certificates.
- New browser-imposed rules going into effect later this year that limit certificate expiration dates to one-year maximums.
Uptrends’ SSL Certificate Monitors are fast and easy to set up. All you need is some basic information and an Uptrends account. If you don’t have an Uptrends account, we can set you up with a no-hassle 30-day free trial.