Mikey S

I am running XP, which is fully patched - including root certificates. The
date and time on my PC is correct. And I KEEP getting this error:

"There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a
trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server."

Now, I'm fed up to here with websites saying it's a problem with the page
I'm trying to access - if it's Hotmail, my bank, etc, then it's plainly a
problem with my PC. But what? Everything works fine on my other computer - a
laptop - which is running Vista. Help is very much appreciated, because this
is driving me nuts!

Mike

VanguardLH

"Mikey S" wrote in message news:XL2dnTJzGq-3tq3aRVnyhQA@bt.com...
> I am running XP, which is fully patched - including root
> certificates. The date and time on my PC is correct. And I KEEP
> getting this error:
>
> "There is a problem with this website's security certificate.
>
> The security certificate presented by this website was not issued by
> a
> trusted certificate authority.
>
> Security certificate problems may indicate an attempt to fool you or
> intercept any data you send to the server."
>
> Now, I'm fed up to here with websites saying it's a problem with the
> page I'm trying to access - if it's Hotmail, my bank, etc, then it's
> plainly a problem with my PC. But what? Everything works fine on my
> other computer - a laptop - which is running Vista. Help is very
> much appreciated, because this is driving me nuts!


It means that the publisher (the certificate authority, or CA) for the
certificate is not currently in your list of trusted CAs (run
certmgr.msc to find out). The prompt is asking if YOU want to trust
that CA.

I had a discussion in another group about the trustworthiness of SSL
certs. Turns out that anyone can become a CA and then proliferate
their own self-signed certs. Spoof sites that use SSL to lure the
user into a false sense of security will operate their own CA. So you
get the alert that the CA isn't in your trusted list, you think you
are visiting the real site, trying to get any real info regarding a CA
to determine whether you want to to trust them or not can be futile,
and so the user says to trust the CA. SSL is based on 3rd party
trusted CAs. Unfortunately, the user has little info to determine if
they want to trust a newly discovered CA, and there is no
international foundation that regulates who can be a [public or root]
CA. Some paranoid types will erase the trusted CA list (i.e., get rid
of all their certs) and then choose on a per-cert basis if they want
to trust the CA that published that cert. Not only do they not want a
list that was pre-existing and foisted upon them by Microsoft which
included them in the Windows install, they might have bosses,
malcontents, or malware that wandered into to their computer to
install a surreptitious cert (which means the user won't get the
untrusted alert when they get a cert from that CA). Sure, if the cert
were signed by Verisign then you've very probably have heard of
Verisign and will choose to trust that CA (assuming that "Verisign" in
the publisher name in the cert was actually Verisign). But how are
you going to verify the trustworthiness of an unknown CA? If you got
a cert where the CA was "C&W HK", "SIA", "Secure-A", or some other
entity that you have never heard of before, just what do you use to
investigate these CAs to warrant your new trust with them?

You, as the user seeing this prompt, have to choose if you want to
trust the CA and add them to your trusted CA list. If not, you will
get that prompt everytime you receive a cert issued by that CA.

Alternatively, you could reduce security settings for certs by going
into Internet Options -> Advanced, Security group, but I forget which
option it is (probably one of the "revocation" options). However,
that means you won't ever see this alert when you are proffered a cert
published by a non-trusted CA.

Mikey S

Errrm... thank you, but unfortunately it's not really much help. Every time
I go to a secure site, Explorer helpfully informs me that it has blocked
that website from displaying content with security certificate errors. Like
Hotmail. Or my bank. I *know* these sites are trustworthy, and it works on
my laptop, so I *know* the fault's with my PC. I don't get the option as to
whether I trust a website or not. Reducing security settings doesn't seem to
have done much good either. Like I say, my PC is completely up to date,
right time and date, everything. For what it's worth, I've got Kaspersky
anti-virus installed and Google desktop - and they're pretty much the only
vaguely out of the ordinary things I do have installed on a pretty simple
setup. What on earth's wrong?

M

"VanguardLH" <VanguardLH@mail.invalid> wrote in message
news:OC$2b%23KIIHA.4296@TK2MSFTNGP04.phx.gbl...
> "Mikey S" wrote in message news:XL2dnTJzGq-3tq3aRVnyhQA@bt.com...
>> I am running XP, which is fully patched - including root certificates.
>> The date and time on my PC is correct. And I KEEP getting this error:
>>
>> "There is a problem with this website's security certificate.
>>
>> The security certificate presented by this website was not issued by a
>> trusted certificate authority.
>>
>> Security certificate problems may indicate an attempt to fool you or
>> intercept any data you send to the server."
>>
>> Now, I'm fed up to here with websites saying it's a problem with the page
>> I'm trying to access - if it's Hotmail, my bank, etc, then it's plainly a
>> problem with my PC. But what? Everything works fine on my other
>> computer - a laptop - which is running Vista. Help is very much
>> appreciated, because this is driving me nuts!
>
>
> It means that the publisher (the certificate authority, or CA) for the
> certificate is not currently in your list of trusted CAs (run certmgr.msc
> to find out). The prompt is asking if YOU want to trust that CA.
>
> I had a discussion in another group about the trustworthiness of SSL
> certs. Turns out that anyone can become a CA and then proliferate their
> own self-signed certs. Spoof sites that use SSL to lure the user into a
> false sense of security will operate their own CA. So you get the alert
> that the CA isn't in your trusted list, you think you are visiting the
> real site, trying to get any real info regarding a CA to determine whether
> you want to to trust them or not can be futile, and so the user says to
> trust the CA. SSL is based on 3rd party trusted CAs. Unfortunately, the
> user has little info to determine if they want to trust a newly discovered
> CA, and there is no international foundation that regulates who can be a
> [public or root] CA. Some paranoid types will erase the trusted CA list
> (i.e., get rid of all their certs) and then choose on a per-cert basis if
> they want to trust the CA that published that cert. Not only do they not
> want a list that was pre-existing and foisted upon them by Microsoft which
> included them in the Windows install, they might have bosses, malcontents,
> or malware that wandered into to their computer to install a surreptitious
> cert (which means the user won't get the untrusted alert when they get a
> cert from that CA). Sure, if the cert were signed by Verisign then you've
> very probably have heard of Verisign and will choose to trust that CA
> (assuming that "Verisign" in the publisher name in the cert was actually
> Verisign). But how are you going to verify the trustworthiness of an
> unknown CA? If you got a cert where the CA was "C&W HK", "SIA",
> "Secure-A", or some other entity that you have never heard of before, just
> what do you use to investigate these CAs to warrant your new trust with
> them?
>
> You, as the user seeing this prompt, have to choose if you want to trust
> the CA and add them to your trusted CA list. If not, you will get that
> prompt everytime you receive a cert issued by that CA.
>
> Alternatively, you could reduce security settings for certs by going into
> Internet Options -> Advanced, Security group, but I forget which option it
> is (probably one of the "revocation" options). However, that means you
> won't ever see this alert when you are proffered a cert published by a
> non-trusted CA.
>

VanguardLH

"Mikey S" wrote in message news:6MednYiRKKe6Y63aRVnyiQA@bt.com...
>
> "VanguardLH" wrote ...
>>
>> "Mikey S" wrote in message news:XL2dnTJzGq-3tq3aRVnyhQA@bt.com...
>>>
>>> I am running XP, which is fully patched - including root
>>> certificates. The date and time on my PC is correct. And I KEEP
>>> getting this error:
>>>
>>> "There is a problem with this website's security certificate.
>>>
>>> The security certificate presented by this website was not issued
>>> by a
>>> trusted certificate authority.
>>
>> It means that the publisher (the certificate authority, or CA) for
>> the certificate is not currently in your list of trusted CAs (run
>> certmgr.msc to find out). The prompt is asking if YOU want to
>> trust that CA.
>>
>> You, as the user seeing this prompt, have to choose if you want to
>> trust the CA and add them to your trusted CA list. If not, you
>> will get that prompt everytime you receive a cert issued by that
>> CA.
>>
>> Alternatively, you could reduce security settings for certs by
>> going into Internet Options -> Advanced, Security group, but I
>> forget which option it is (probably one of the "revocation"
>> options). However, that means you won't ever see this alert when
>> you are proffered a cert published by a non-trusted CA.
>
> Errrm... thank you, but unfortunately it's not really much help.
> Every time I go to a secure site, Explorer helpfully informs me that
> it has blocked that website from displaying content with security
> certificate errors. Like Hotmail. Or my bank. I *know* these sites
> are trustworthy, and it works on my laptop, so I *know* the fault's
> with my PC. I don't get the option as to whether I trust a website
> or not. Reducing security settings doesn't seem to have done much
> good either. Like I say, my PC is completely up to date, right time
> and date, everything. For what it's worth, I've got Kaspersky
> anti-virus installed and Google desktop - and they're pretty much
> the only vaguely out of the ordinary things I do have installed on a
> pretty simple setup. What on earth's wrong?
>

First you said the error was:

The security certificate presented by this website was not issued by a
trusted certificate authority.

Now you are saying the [paraphrased] error is:

blocked website from displaying content with security certificate
errors

Have you tried disabling your software firewall or configuring it to
allow all connections? I wouldn't touch Google Desktop with your
10-foot pole so I have no experience in how it can screw over a host.

Have you tried rebooting into Windows' Safe Mode (with networking) and
testing HTTPS under that operating mode?

Have you tried enabling the "allow mixed content" option in the
Internet security zone? This decides if web pages can display content
from both secure and non-secure servers (there can be mixed content
within the same page).

What URL are you actually using to connect to the sites? While "www"
is optional for non-secure sites (because they should be defaulting to
a host named "www" when connecting with the HTTP protocol although
some sites don't do this automatic fallover), it is NOT optional for
HTTPS sites. The cert was issued to a specified host on a domain.
www.somesite.com would work because the SSL cert has that listed in it
for the validated host on that domain, but somesite.com won't work.

You could use Microsoft's application compatibility toolkit
(http://msdn2.microsoft.com/en-us/library/Bb250493.aspx) to find out
why it blocked content. It logs into the Event Viewer. I haven't use
it so cannot guide you in how to analyze what it logs.

You never mentioned WHICH version of Internet Explorer is having the
SSL cert problem. If IE7, you could try using Microsoft's User Agent
String Utility
(http://www.microsoft.com/downloads/d...DisplayLang=en)
which will report IE7 as version IE6 to the web site. Some sites
don't properly check for browser versions and there have been some
differences noted in how sites render under IE6 versus how they render
under IE7. See if you can lie to them that you are using IE6 rather
than IE7.

You could try putting the site into the Trusted Sites security zone.
For Hotmail, as an example, try putting *.microsoft.com,
*.passport.com, and *.hotmail.com in the trusted sites list.

In Internet Options -> Content, Certificates, delete any expired
certificates. You'd think they would automatically disappear (get
deleted) but that doesn't happen. For example, when I look under the
Trusted Root Certification Authorities list, I found 2 from Verisign
that expired back in 1999 and 2004.

Is the "Cryptographic Services" NT service configured for automatic
start and is already started? Is the "HTTP SSL" NT service configured
for manual start (by an application wanting to use it) rather than
being disabled? Is the "Protected Storage" NT service configured for
automatic start and is currently started?

Mikey S

Let's take these one by one...

"VanguardLH" <VanguardLH@mail.invalid> wrote in message
news:%23$w40DQIIHA.4880@TK2MSFTNGP03.phx.gbl...
> "Mikey S" wrote in message news:6MednYiRKKe6Y63aRVnyiQA@bt.com...
>>
>> "VanguardLH" wrote ...
>>>
>>> "Mikey S" wrote in message news:XL2dnTJzGq-3tq3aRVnyhQA@bt.com...
>>>>
>>>> I am running XP, which is fully patched - including root certificates.
>>>> The date and time on my PC is correct. And I KEEP getting this error:
>>>>
>>>> "There is a problem with this website's security certificate.
>>>>
>>>> The security certificate presented by this website was not issued by a
>>>> trusted certificate authority.
>>>
>>> It means that the publisher (the certificate authority, or CA) for the
>>> certificate is not currently in your list of trusted CAs (run
>>> certmgr.msc to find out). The prompt is asking if YOU want to trust
>>> that CA.
>>>
>>> You, as the user seeing this prompt, have to choose if you want to trust
>>> the CA and add them to your trusted CA list. If not, you will get that
>>> prompt everytime you receive a cert issued by that CA.
>>>
>>> Alternatively, you could reduce security settings for certs by going
>>> into Internet Options -> Advanced, Security group, but I forget which
>>> option it is (probably one of the "revocation" options). However, that
>>> means you won't ever see this alert when you are proffered a cert
>>> published by a non-trusted CA.
>>
>> Errrm... thank you, but unfortunately it's not really much help. Every
>> time I go to a secure site, Explorer helpfully informs me that it has
>> blocked that website from displaying content with security certificate
>> errors. Like Hotmail. Or my bank. I *know* these sites are trustworthy,
>> and it works on my laptop, so I *know* the fault's with my PC. I don't
>> get the option as to whether I trust a website or not. Reducing security
>> settings doesn't seem to have done much good either. Like I say, my PC is
>> completely up to date, right time and date, everything. For what it's
>> worth, I've got Kaspersky anti-virus installed and Google desktop - and
>> they're pretty much the only vaguely out of the ordinary things I do have
>> installed on a pretty simple setup. What on earth's wrong?
>>
>
> First you said the error was:
>
> The security certificate presented by this website was not issued by a
> trusted certificate authority.
>
> Now you are saying the [paraphrased] error is:
>
> blocked website from displaying content with security certificate errors

I'm getting both.

>
> Have you tried disabling your software firewall or configuring it to allow
> all connections? I wouldn't touch Google Desktop with your 10-foot pole
> so I have no experience in how it can screw over a host.

The only firewall I have is the one that came with Windows XP. Same setup on
Vista - but that's working fine. I turned the firewall off anyway to see
what'd happen - same error. I closed Google desktop. Same error.

>
> Have you tried rebooting into Windows' Safe Mode (with networking) and
> testing HTTPS under that operating mode?

No idea what that means, unfortunately. I can't believe this problem needs
this level of knowledge to rectify.

>
> Have you tried enabling the "allow mixed content" option in the Internet
> security zone? This decides if web pages can display content from both
> secure and non-secure servers (there can be mixed content within the same
> page).

Yes, I have. Doesn't make any difference.

>
> What URL are you actually using to connect to the sites? While "www" is
> optional for non-secure sites (because they should be defaulting to a host
> named "www" when connecting with the HTTP protocol although some sites
> don't do this automatic fallover), it is NOT optional for HTTPS sites.
> The cert was issued to a specified host on a domain. www.somesite.com
> would work because the SSL cert has that listed in it for the validated
> host on that domain, but somesite.com won't work.

I'm using exactly the same URLs as I use on my Laptop, which has IE7 and
Vista installed. No problem on my laptop; the problem persists on my desktop
PC with XP installed.

>
> You could use Microsoft's application compatibility toolkit
> (http://msdn2.microsoft.com/en-us/library/Bb250493.aspx) to find out why
> it blocked content. It logs into the Event Viewer. I haven't use it so
> cannot guide you in how to analyze what it logs.

I have no idea what I should be doing with this programme, unfortunately.
The Internet Explorer Compatibility Tool reports Security Problem 12055 when
I try to log in to Intelligent Finance Online - i.e. a certificate error.
But I already knew that!

>
> You never mentioned WHICH version of Internet Explorer is having the SSL
> cert problem. If IE7, you could try using Microsoft's User Agent String
> Utility
> (http://www.microsoft.com/downloads/d...DisplayLang=en)
> which will report IE7 as version IE6 to the web site. Some sites don't
> properly check for browser versions and there have been some differences
> noted in how sites render under IE6 versus how they render under IE7. See
> if you can lie to them that you are using IE6 rather than IE7.

I'm using IE7. The User Agent String Utility hasn't made any difference.

>
> You could try putting the site into the Trusted Sites security zone. For
> Hotmail, as an example, try putting *.microsoft.com, *.passport.com, and
> *.hotmail.com in the trusted sites list.

Doesn't make any difference. The sites are still blocked with certificate
errors.

>
> In Internet Options -> Content, Certificates, delete any expired
> certificates. You'd think they would automatically disappear (get
> deleted) but that doesn't happen. For example, when I look under the
> Trusted Root Certification Authorities list, I found 2 from Verisign that
> expired back in 1999 and 2004.

I did have some out of date certificates, and I've deleted them all. I still
have the same problem.

>
> Is the "Cryptographic Services" NT service configured for automatic start
> and is already started? Is the "HTTP SSL" NT service configured for
> manual start (by an application wanting to use it) rather than being
> disabled? Is the "Protected Storage" NT service configured for automatic
> start and is currently started?

I have no idea what any of that means! I'm really grateful for your help,
but I'm just stumped frustrated and annoyed at a really crappy piece of
software. What on earth am I supposed to do?!

M

SSL HELP

Please see
http://www.microsoft.com/communities...6a4&sloc=en-us

Need more options to try.

suztbaum

I have been getting a certificate problem with a site that I access through
Vista windows for work. Go Daddy has grabbed onto it an will not let me
access it. I too have been told it is my laptop, the IT department at work,
etc. No help and even after 3 1/2 hours on line with Microsoft for 60.00
dollars they still have not repaired this. Any suggestions on how I get
around this? Job in jeopardy due to inability to access.

"Mikey S" wrote:

> I am running XP, which is fully patched - including root certificates. The
> date and time on my PC is correct. And I KEEP getting this error:
>
> "There is a problem with this website's security certificate.
>
> The security certificate presented by this website was not issued by a
> trusted certificate authority.
>
> Security certificate problems may indicate an attempt to fool you or
> intercept any data you send to the server."
>
> Now, I'm fed up to here with websites saying it's a problem with the page
> I'm trying to access - if it's Hotmail, my bank, etc, then it's plainly a
> problem with my PC. But what? Everything works fine on my other computer - a
> laptop - which is running Vista. Help is very much appreciated, because this
> is driving me nuts!
>
> Mike
>
>
>

PA Bear [MS MVP]

What site? What has the site owner had to say about this?
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

suztbaum wrote:
> I have been getting a certificate problem with a site that I access
> through
> Vista windows for work. Go Daddy has grabbed onto it an will not let me
> access it. I too have been told it is my laptop, the IT department at
> work,
> etc. No help and even after 3 1/2 hours on line with Microsoft for 60.00
> dollars they still have not repaired this. Any suggestions on how I get
> around this? Job in jeopardy due to inability to access.
>
> "Mikey S" wrote:
>
>> I am running XP, which is fully patched - including root certificates.
>> The
>> date and time on my PC is correct. And I KEEP getting this error:
>>
>> "There is a problem with this website's security certificate.
>>
>> The security certificate presented by this website was not issued by a
>> trusted certificate authority.
>>
>> Security certificate problems may indicate an attempt to fool you or
>> intercept any data you send to the server."
>>
>> Now, I'm fed up to here with websites saying it's a problem with the page
>> I'm trying to access - if it's Hotmail, my bank, etc, then it's plainly a
>> problem with my PC. But what? Everything works fine on my other
>> computer -
>> a laptop - which is running Vista. Help is very much appreciated, because
>> this is driving me nuts!
>>
>> Mike