Protection against untrusted certificates
The mobile version of Yandex Browser checks the certificate of every site you open over HTTPS. If the website cannot provide secure encryption of your data because of a problem with its certificate, the browser warns you before any data is sent.
Why a site certificate is needed
When you send personal or payment data to a website, it must be protected in transit. Websites use the HTTPS protocol for a secure connection. HTTPS relies on asymmetric encryption: the website has a pair of keys, a public key that anyone may use to encrypt data and a private key that alone can decrypt it. The private key is generated on the website's server and never leaves it. When the browser connects, it uses the website's public key to agree on fresh session keys for that connection, so the data you send can be read only by whoever holds the private key.
That alone is not enough, however. A phishing website can present a key pair of its own; the browser would then encrypt your data with the phisher's public key, and the phisher can decrypt it. Encryption protects data in transit, but by itself it does not tell you who is at the other end. This is what digital certificates are for. They are issued by certification authorities (CAs), and a certificate confirms that the public key used for the connection really belongs to the owner of the website you asked for.
What makes an untrusted certificate dangerous
You may end up on a phishing website, or your data may not get the required protection even on the genuine website (for example, because the website's certificate has expired and the browser can no longer rely on it). As a result, attackers can:
- Intercept or replace your personal data and read your correspondence.
- Obtain your payment data (card number, cardholder name, expiry date and CVV2) and use it to steal money from your account.
Blocking websites with untrusted certificates
If the certificate check fails, the browser blocks the page and shows the following warning: “Cannot establish a secure connection. Hackers may try to steal your data (for example, passwords, messages or your bank card)”.
Reasons for blocking
Yandex Browser blocks websites that have the following problems with certificates:
Certificate installed by an application
Such a certificate can only have been installed by an attacker or by special software. Ad blockers and similar applications may replace website certificates with their own so that they can inspect your HTTPS traffic. If the certificate was installed by an application, find that application and disable HTTPS checking (interception) in its settings.
You can also decide to trust your data to this certificate, but be aware of two potential dangers:
- Your data may become available to the application's developers, who are unknown to you.
- The certificate may have been installed by malware pretending to be that application. Browsers today cannot verify the authenticity of certificates installed by third-party applications, so they cannot tell the two apart.
Self-signed certificate
The site's certificate was issued by the site itself rather than by a certification authority, so no one vouches for the owner of the key. Malware or hackers can intercept your data. To find out more, see Self-signed certificate.
Certificate key does not match the pinned key
The public key in the certificate does not match the key pinned for this website. Hackers may have replaced the root certificate on your device; they can then issue a certificate for the website that passes the usual checks and intercept your data. Pinning catches this, because it compares the key itself, not the chain of signatures. To find out more about pinning (linking) a key to a website, see HTTP Public Key Pinning.
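The following program is an added example, not code from Yandex Browser or from this help page. It shows, with the Go standard library's X.509 implementation, the checks described above: why a CA signature binds a public key to a site (Why a site certificate is needed), and why a self-signed certificate, an expired certificate, a certificate for a different host name (phishing) and a certificate issued by a root that an application installed on the device (caught only by the key pin) are each rejected. The host names bank.example and bank-example.test, the CA names, the verdict strings and the HPKP-style pin (base64 of the SHA-256 of the SubjectPublicKeyInfo) are constructed for the example; the rogue root added to the trust store models a certificate installed by an application, which the browser cannot distinguish from a legitimate root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newCert issues a certificate for name signed by issuer; with issuer == nil it is self-signed.
func newCert(name string, key *ecdsa.PrivateKey, isCA bool, notAfter time.Time,
	issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notAfter.Add(-400 * 24 * time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // browsers match the host name against the SAN list
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey))
	return must(x509.ParseCertificate(der))
}

// SpkiPin is the HPKP-style pin: it identifies the site's public key no matter who signed the certificate.
func SpkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CheckSite does what the browser does before sending data: build a chain from the site's
// certificate to a trusted root for the requested host, then compare the key with the pin.
func CheckSite(site *x509.Certificate, host string, roots *x509.CertPool, pin string) string {
	_, err := site.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	var unknown x509.UnknownAuthorityError
	switch {
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostErr):
		return "name mismatch"
	case errors.As(err, &unknown):
		return "unknown authority"
	case err != nil:
		return err.Error()
	case pin != "" && SpkiPin(site) != pin:
		return "pinned key mismatch"
	}
	return "ok"
}

// RunScenarios plays through the cases described on the page and returns each verdict.
func RunScenarios() map[string]string {
	year := time.Now().Add(365 * 24 * time.Hour)
	caKey := newKey()
	ca := newCert("Example Trusted CA", caKey, true, year, nil, nil)
	roots := x509.NewCertPool() // stands in for the browser's root store
	roots.AddCert(ca)
	// The genuine site: its private key never leaves the server; the CA signs only the public key.
	siteKey := newKey()
	site := newCert("bank.example", siteKey, false, year, ca, caKey)
	pin := SpkiPin(site)
	// A root installed by an application (or by malware posing as one) is trusted like any other.
	rogueKey := newKey()
	rogue := newCert("Rogue Root (installed by an app)", rogueKey, true, year, nil, nil)
	roots.AddCert(rogue)
	host := "bank.example"
	return map[string]string{
		"genuine":     CheckSite(site, host, roots, pin),
		"self-signed": CheckSite(newCert(host, newKey(), false, year, nil, nil), host, roots, pin),
		"expired":     CheckSite(newCert(host, siteKey, false, time.Now().Add(-24*time.Hour), ca, caKey), host, roots, pin),
		"wrong-host":  CheckSite(newCert("bank-example.test", newKey(), false, year, ca, caKey), host, roots, pin),
		"intercepted": CheckSite(newCert(host, newKey(), false, year, rogue, rogueKey), host, roots, pin),
	}
}
```

The "intercepted" case is the one worth studying: its chain is fully valid, because the rogue root sits in the trust store exactly as an application-installed certificate would, so only the pin comparison reveals that the key is not the website's. The order of checks in CheckSite mirrors what Verify reports first: validity period, then host name, then the chain to a trusted root.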