Protect: protection from untrusted certificates

With the Protect system, Yandex.Browser checks website certificates. The browser will warn you if the website cannot provide secure encryption of your data due to problems with the certificate.

  1. Why you need a site certificate
  2. Why an untrusted certificate is dangerous
  3. Block websites with untrusted certificates
  4. Possible reasons for blocking sites
  5. If the certificate author is unknown
  6. If the certificate is installed by the program

Why you need a site certificate

Your personal or payment data should be protected when you send it to a website. Websites use the HTTPS protocol for a secure connection. The protocol activates an asymmetric encryption algorithm, where data is encrypted with a public key and decrypted with a private key. For each session, the browser regenerates the private key and transmits it to the website with precautionary measures to prevent theft.

However, if you end up on a phishing website, it might get the private key and then decrypt your data. To protect against phishing, websites use digital certificates issued by special certification authorities. The certificate guarantees that the encryption keys actually belong to the website owner.

Why an untrusted certificate is dangerous

You may end up on a phishing website, or your data will not be protected well on the original website (for example, if the website's certificate has expired). As a result, hackers can:

  • Intercept or replace your personal data and read your correspondence.
  • Get your payment data (card number, holder's name, expiry date and CVV2) and use it to steal money from your account.

Block websites with untrusted certificates

If safe encryption can't be guaranteed due to problems with the site's certificate, an icon appears on the right side of the SmartBox along with a warning that a safe connection could not be made. In this case you can decide either not to visit the site or to add the certificate to your list of trusted ones.

Attention. Only do this if you are completely sure that the certificate is legitimate. Otherwise, hackers can get access to your personal data and electronic payments!

Possible reasons for blocking sites

Yandex Browser blocks websites that have the following problems with certificates:

The certificate author is unknown

You will get the message: “Unable to establish a secure connection. Hackers may try to steal your data (for example, passwords, messages or your bank card)”.

For more information see the If the certificate author is unknown section.

The certificate was installed by a special program

You will get the message: “You tried to go to example.com, but their certificate is not trusted. The certificate was issued by a certificate center that Yandex is not familiar with; however, your OS considers it to be trustworthy...”.

For more information, see If the certificate was installed by the program.

Incorrect site address

You will get the message: “This server could not prove that it is example.com. The security certificate applies to example1.com. This may be caused by a misconfiguration or an attacker intercepting your connection”.

This means that the security certificate saved on the server is not for the site that you opened. It's likely that you ended up on a phishing site. If that's the case, hackers can intercept your data.

Self-signed certificate

You will get the message: “This server could not prove that it is example.com. Its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection”.

This means that the site gave itself a certificate. In this case, malicious software or hackers can intercept your data. To find out more, see Self-signed certificate.

Untrusted root certificate

You will get the message: “This server could not prove that it is example.com. Its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection”.

This means that the center that signed the certificate is not trustworthy and can't guarantee that the site is authentic. Malware or hackers can intercept your data. For more on root certificates, see the article Root Certificate.

The certificate has expired

You will get the message: “This server could not prove that it is example.com. Its security certificate expired <...> days ago. This may be caused by a misconfiguration or an attacker intercepting your connection. Your computer's clock is currently set to <current time>. Does that look right? If not, you should correct your system's clock and then refresh this page”.

If the certificate has expired, your data will not be encrypted, so attackers can intercept it.

Certificate has been revoked

You will get the message: “Example.com normally uses encryption to protect your information. However, when Yandex Browser tried to connect, the website sent back a suspicious response. It is possible that another site is pretending to be example.com or that the Wi-Fi connection was interrupted. Your information is still secure, since Yandex Browser stopped the connection before any data exchange took place. You cannot visit example.com right now because this certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later. It will probably be up again after a while”.

This means that the site's certificate was compromised and revoked. In this case, the data that is sent will not be encrypted, so attackers can intercept it.

Outdated encryption

You will get the message: “You attempted to reach example.com, but the server presented a certificate signed using a weak signature algorithm (SHA-1, etc.). This means that the security credentials the server presented could have been forged. You could be dealing with hackers”.

If the server uses an outdated and unreliable encryption algorithm, hackers can intercept your data. Additionally, there is a significant chance that you ended up on a phishing site.

Ciphers are not supported

You will see a message that “The website example.com sent an incorrect response”.

This means that the browser can't establish an HTTPS connection because the website uses ciphers not supported by the browser. In this case, the data that is sent will not be encrypted, so attackers can intercept it.

The certificate key does not match the pinned key

You will get the message: “Example.com normally uses encryption to protect your information. However, when Yandex Browser tried to connect, the website sent back a suspicious response. It is possible that another site is pretending to be example.com or that the Wi-Fi connection was interrupted. Your information is still secure, since Yandex Browser stopped the connection before any data exchange took place. Cannot go to example.com, because its certificate has been revoked. Network errors and attacks are usually temporary, so this page will probably work later. It will probably be up again after a while”.

This means that the root certificate key doesn't match the website key. Hackers may try to replace the root certificate. Then they can intercept your data. To find out more about pinning (linking) a key, see HTTP Public Key Pinning.

Unable to encrypt data when using HSTS

You will get the message: “Example.com normally uses encryption to protect your information. However, when Yandex Browser tried to connect, the website sent back a suspicious response. It is possible that another site is pretending to be example.com or that the Wi-Fi connection was interrupted. Your information is still secure, since Yandex Browser stopped the connection before any data exchange took place. You cannot visit example.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later. It will probably be up again after a while”.

This means that the browser could not encrypt your data and broke off the connection. The server where the website is located normally uses encryption, since the HSTS protocol is enabled on it. If the server isn't encrypting data, it may be a sign of a hacker attack. In that case, hackers or malware can intercept your data.
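
As an added illustration (not Yandex Browser's code), the Python below inspects a certificate in the dict layout returned by Python's ssl.SSLSocket.getpeercert() and reports three of the problems listed above: incorrect site address, self-signed certificate, and expiry. The helper names, sample certificates and the date are constructed for the example, and comparing issuer to subject is a simplified stand-in for full chain validation.

```python
import ssl
from datetime import datetime, timezone

def _dns_match(pattern: str, host: str) -> bool:
    """Match one SAN dNSName; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):          # a wildcard never spans more than one label
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse over-broad names like *.com
    return p == h

def diagnose(cert: dict, host: str, now: datetime) -> list:
    """Return the problems found, named after the headings used on this page."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_dns_match(n, host) for n in names):
        problems.append("Incorrect site address")
    if cert.get("issuer") == cert.get("subject"):   # assumption: heuristic only
        problems.append("Self-signed certificate")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                    timezone.utc)
    if now > expiry:
        problems.append(f"The certificate has expired ({(now - expiry).days} days ago)")
    return problems

def sample_cert(subject_cn, issuer_cn, not_after, *dns_names):
    """Build a constructed certificate dict in getpeercert() layout."""
    return {"subject": ((("commonName", subject_cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notAfter": not_after,
            "subjectAltName": tuple(("DNS", n) for n in dns_names)}

# Constructed sample data, not taken from any real site.
NOW = datetime(2024, 3, 20, 12, 0, 0, tzinfo=timezone.utc)
MISMATCHED_EXPIRED = sample_cert("example1.com", "Constructed Test CA",
                                 "Mar 10 12:00:00 2024 GMT", "example1.com")
SELF_SIGNED = sample_cert("example.com", "example.com",
                          "Mar 10 12:00:00 2030 GMT", "example.com")
WILDCARD_OK = sample_cert("example.com", "Constructed Test CA",
                          "Mar 10 12:00:00 2030 GMT", "*.example.com")

if __name__ == "__main__":
    for label, cert, host in [("mismatched+expired", MISMATCHED_EXPIRED, "example.com"),
                              ("self-signed", SELF_SIGNED, "example.com"),
                              ("wildcard", WILDCARD_OK, "www.example.com")]:
        print(label, "->", diagnose(cert, host, NOW) or "no problems found")
```
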

If the certificate author is unknown

In this case, the certificate might have been installed by the network administrator or a random person. You will see a warning.

You can either choose not to visit the website, or add the certificate to the list of those you trust by clicking Details in the dialog box, and then Make an exception for this site. The certificate will be in the trusted list for 30 days, and then you will have to make an exception for it again.

Attention. Click the Make an exception for this site button only if you’re sure the certificate is trustworthy. Otherwise hackers can get access to your personal information!

If you aren't sure of the certificate's trustworthiness, but you want to visit the site, take the following security measures:

  • For home computers. Update your antivirus and scan your computer for malware. If your antivirus discovers and deletes a certificate that was installed by hackers, you will no longer see a warning in your browser. If your antivirus doesn't delete a suspicious certificate, you can delete it yourself using your operating system.
    Attention. Be careful; if the certificate was installed by a legitimate program (rather than malware), then deleting it may have an adverse effect on your system.
  • For work computers. Contact your system administrator to delete a suspicious certificate. They will delete any certificates they didn't install. If the certificate was installed by your administrator, you can click Trust this certificate. But remember that after this, the administrator will be able to view your personal information and electronic payments.

If the certificate is installed by the program

Antiviruses, ad blockers, site-monitoring programs, and others can substitute their own certificates for those of the website. In order to decode traffic, they generate their own root certificate and install it in the operating system, marking it as trustworthy.

However, a certificate installed by a special program cannot be considered trustworthy, because it does not belong to a trusted certification center. The following are potential dangers:

  • Your data may become available to unknown persons, i.e., special program developers.
  • The certificate may have been installed by malware pretending to be a special program. Browsers today do not know how to verify the authenticity of certificates installed by special programs.

Yandex.Browser warns you about these problems.

To visit a site:

  1. Find out what program replaced the certificate. This information can be found by clicking the corresponding link on the warning page.
  2. Decide if you are prepared to trust whoever issued the certificate with your personal information:
    • If you are ready, click Trust this certificate.
    • If you aren't ready, disable the option to check HTTPS connections in the software you use. Use the instructions for your software:
      Attention. If you disable HTTPS checks, it doesn't mean you're unprotected. Yandex.Browser runs its own security checks on files you download, blocks malicious pages and banners, and uses advanced protection for bank and payment-system pages.

      If the browser continues to warn you about a suspicious certificate even after you disable the option to check HTTPS connections, and you don't need the program that installed the certificate, try temporarily closing that program.