Protect: protection from untrusted certificates

With the Protect system, Yandex Browser checks website certificates. The browser will warn you if the website cannot provide secure encryption of your data due to problems with the certificate.

  1. Why websites need a certificate
  2. What makes an untrusted certificate dangerous
  3. Block websites with untrusted certificates
  4. Possible reasons for blocking sites
  5. If the certificate author is unknown
  6. If the certificate is installed by the program

Why websites need a certificate

Your personal data and payment information should be protected when you send them to a website. Websites use the HTTPS protocol for a secure connection. The protocol activates an asymmetric encryption algorithm, where data is encrypted with a public key and decrypted with a private key. For each session, the browser regenerates the private key and transmits it to the website, taking precautionary measures to prevent theft.

However, if you end up on a phishing website, it might get the private key and then decrypt your data. To protect against phishing, websites use digital certificates issued by special certification authorities. The certificate guarantees that the encryption keys actually belong to the website owner.

What makes an untrusted certificate dangerous

You may end up on a phishing website, or your data will not get the necessary protection on the original website (for example, if the website's certificate has expired). As a result, hackers can:

  • Intercept or replace your personal data and read your correspondence.
  • Get your payment data (card number, holder's name, expiry date and CVV2) and use it to steal money from your account.

Block websites with untrusted certificates

If the site can't guarantee safe encryption due to problems with its certificate, you'll see an icon on the right side of the SmartBox along with a warning that a safe connection could not be made. In this case you can decide either not to visit the site or to add the certificate to your list of trusted ones.

Attention. Only do this if you are completely sure that the certificate is legitimate. Otherwise, hackers can get access to your personal data and electronic payments!

Possible reasons for blocking sites

Yandex Browser blocks websites that have the following problems with certificates:

The certificate authority is unknown

You will see a message that Yandex was «Unable to establish a secure connection. Hackers may try to steal your data (such as passwords, messages or your bank card number)».

For more information, see the section If the certificate authority is unknown.

The certificate was installed by a special program

You will see a message that «You tried to go to example.com, but their certificate is not trusted. The certificate was issued by a certificate center that Yandex is not familiar with; however, your OS considers it to be trustworthy...».

For more information, see If the certificate was installed by a program.

Incorrect site address

You will see a message «Could not confirm that the server is example.com. The security certificate applies to example1.com. This server could be incorrectly configured or someone is trying to intercept your data».

This means that the security certificate saved on the server is not for the site that you opened. It's likely that you ended up on a phishing site. If this is the case, hackers can intercept your data.

Self-signed certificate

You will see a message «Could not confirm that the server is example.com. The computer’s operating system doesn’t trust its security certificate. This server could be incorrectly configured or someone is trying to intercept your data».

This means that the site gave itself a certificate. In this case, malicious software or hackers can intercept your data. To find out more, see Self-signed certificate.

Untrusted root certificate

You will see a message «Could not confirm that the server is example.com. The computer’s operating system doesn’t trust its security certificate. This server could be incorrectly configured or someone is trying to intercept your data».

This means that the center that signed the certificate is not trustworthy and can't guarantee that the site is authentic. Malware or hackers can intercept your data. For more on root certificates, see the article Root Certificate.

The certificate has expired

You will see a message «Could not confirm that the server is example.com. Its security certificate expired <...> days ago. This server could be incorrectly configured or someone is trying to intercept your data. Please make sure that <current time> is set on your computer. If it’s incorrect, change it and update the page».

If the certificate is expired, the data that is sent will not be encrypted, so attackers can intercept it.

Certificate has been revoked

You will see a message that «Usually site example.com encrypts your data. However, this time it sent a suspicious response to the browser’s query. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex Browser broke the connection just in case before any data was passed. Cannot go to example.com, because its certificate has been revoked. This could have been caused by a network error or an attack on the site. It will probably be up again after a while».

This means that the site's certificate was compromised and revoked. In this case, the data that is sent will not be encrypted, so attackers can intercept it.

Outdated encryption

You will see a message that «You are trying to contact the server for example.com, but its certificate was signed using an unreliable algorithm (SHA-1, etc.). This means that the security credentials and the server itself may be fake. You could be dealing with hackers».

If the server uses an outdated and unreliable encryption algorithm, hackers can intercept your data. Additionally, there is a significant chance that you ended up on a phishing site.

Ciphers are not supported

You will see a message that «The website example.com sent an incorrect response».

This means that the browser can't establish an HTTPS connection because the website uses ciphers not supported by the browser. In this case, the data that is sent will not be encrypted, so attackers can intercept it.

The certificate key does not match the pinned key

You will see a message that «Usually site example.com encrypts your data. However, this time it sent a suspicious response to the browser’s query. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex Browser broke the connection just in case before any data was passed. Cannot go to example.com, because its certificate has been revoked. This could have been caused by a network error or an attack on the site. It will probably be up again after a while».

This means that the root certificate key doesn't match the website key. Hackers may try to replace the root certificate. Then they can intercept your data. To find out more about pinning (linking) a key, see HTTP Public Key Pinning.

Data cannot be encrypted over HSTS

You will see a message that «Usually site example.com encrypts your data. However, this time it sent a suspicious response to the browser’s query. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex Browser broke the connection just in case before any data was passed. Cannot go to example.com, because it uses the HSTS protocol. This could have been caused by a network error or an attack on the site. It will probably be up again after a while».

This means that the browser could not enable encryption and broke off the connection. The server where the website is located normally uses encryption, since the HSTS protocol is enabled on it. Lack of encryption may be a sign of a hacker attack. In this case, hackers or malware can intercept your data.
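Three of the reasons listed above (incorrect site address, self-signed certificate, expired certificate) can be checked on a parsed certificate. The following is an added example, not Yandex Browser code: the function names and the two sample certificates are constructed for illustration, using the dictionary shape returned by Python's ssl.SSLSocket.getpeercert().

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificates in the dict shape of ssl.SSLSocket.getpeercert().
WRONG_SITE_EXPIRED = {
    "subject": ((("commonName", "example1.com"),),),
    "issuer": ((("commonName", "Constructed Test CA"),),),
    "subjectAltName": (("DNS", "example1.com"),),
    "notAfter": "Jun 15 12:00:00 2020 GMT",
}
SELF_SIGNED = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}

def name_matches(pattern, host):
    """Exact match, or a left-most '*' label that covers exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False  # '*.example.com' does not cover 'example.com'
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def certificate_problems(cert, host, now=None):
    """Return the blocking reasons from this page that apply to the certificate."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # Incorrect site address: no DNS name in the certificate covers the host.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("Incorrect site address")
    # Self-signed: issuer equals subject (name comparison only; the signature
    # itself is not verified in this example).
    if cert.get("issuer") == cert.get("subject"):
        problems.append("Self-signed certificate")
    # Expired: the notAfter date is in the past.
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("The certificate has expired")
    return problems

if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(certificate_problems(WRONG_SITE_EXPIRED, "example.com", fixed_now))
    print(certificate_problems(SELF_SIGNED, "www.example.com", fixed_now))
```
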

If the certificate author is unknown

In this case, the certificate might have been installed by the network administrator or a random person. You will see the following warning:

You can either choose not to visit the website, or add the certificate to the trusted list by clicking Details in the window, and then Make an exception for this site. The certificate will be on the trusted list for 30 days, and then you will have to make an exception for it again.

Attention. Click Make an exception for this website only if you’re sure the certificate is trustworthy. Otherwise hackers can get access to your personal data.

If you aren't sure of the certificate's trustworthiness, but you want to visit the site, take the following security measures:

  • For home computers. Update your antivirus and scan your computer for malware. If your antivirus discovers and deletes a certificate that was installed by hackers, you will no longer see a warning in your browser. If your antivirus doesn't delete a suspicious certificate, you can delete it yourself using your operating system.
    Attention. Be careful: if the certificate was installed by a legitimate program (rather than malware), then deleting it may adversely affect your system.
  • For work computers. Contact your system administrator to delete a suspicious certificate. They will delete any certificates they didn't install. If the certificate was installed by your administrator, you can click Trust this certificate. But remember that after this, the administrator will be able to view your personal information and electronic payments.

If the certificate is installed by the program

Antiviruses, ad blockers, site-monitoring programs, and others can substitute their own certificates for those of the website. In order to decode traffic, they generate their own root certificate and install it in the operating system, marking it as trustworthy.

However, a certificate installed by a special program cannot be considered trustworthy, because it does not belong to a trusted certification center. The following are potential dangers:

  • Your data may become available to unknown persons, i.e., special program developers.
  • The certificate may have been installed by malware pretending to be a special program. Modern browsers are not able to verify the authenticity of certificates installed by special programs.

Yandex Browser warns you about these problems:

To visit a site:

  1. Find out what program replaced the certificate. This information can be found by clicking the corresponding link on the warning page.
  2. Decide if you are prepared to trust the certificate issuer with your personal information:
    • If you are sure, click Trust this certificate.
    • If you aren't sure, disable HTTPS connection verification in the program. You can use the instructions for the following programs:
      Attention. If you disable HTTPS checks, it doesn't mean you're unprotected. Yandex Browser runs its own security checks on the files you download, blocks malicious pages and banners, and uses advanced protection for bank and payment system pages.

      If the browser continues to warn you about a suspicious certificate even after disabling HTTPS checks, and you don't need the program that installed the certificate, try temporarily closing that program.