Website Certificate Problem (Aeroplan)



davidI
11-03-2013, 06:56 AM
I've been trying to get into my Aeroplan account for the last week through my company network and in both IE and Chrome I get a security certificate error:


The site's security certificate is not trusted!
You attempted to reach www3.aeroplan.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.
You should not proceed, especially if you have never seen this warning before for this site.

Eventually I tried the proceed anyway button but that didn't work either. I'm at a field camp and don't have any other options...anyone have advice on what I can do to fix this or why it's happening?

eblend
11-03-2013, 08:50 AM
This would happen if your computer does not have a "Trusted Root Certificate" for VeriSign (which is the biggest and the most used signing authority). I just double checked the page myself and it is indeed VeriSign.

All OSs in the last little while come with VeriSign and other known certificate authorities root certificates pre-installed. The only time you may have a problem is if the root cert expired, or the root certificate is for whatever reason no longer in your cert store, be it due to a virus, or due to IT removing stuff.

Do you get this problem on any other https sites, like banking for example? When you browse to one of these sites it should show a little lock somewhere next to the URL; you can click on the lock and view certificate information and it will tell you who the issuing authority is. If you can get to other sites signed by VeriSign, then your root certificate is probably fine and the issue is elsewhere.

At any rate, even if you choose to ignore it, the page should load; if it isn't, then there is an issue with your computer (virus maybe?). It is possible you have something redirecting you elsewhere, and wherever it is redirecting you might be down, and that is why it may not work even when the cert warning is ignored.

Many possibilities here. Make sure you have all the latest Windows patches on your computer, as Microsoft released a patch a while ago that addressed the expired root certs problem I mentioned above.

davidI
11-03-2013, 09:10 AM
Thanks for that response. You certainly seem to know your stuff!

Banking and all other sites work for me no problem.

When I click "Proceed Anyways" it goes to a white page saying:


Untrusted SSL Server Certificate (ssl_server_cert_untrusted_issuer)

Your request contacted a host which presented a certificate signed by an untrusted issuer.
This is typically caused by a Web Site presenting an incorrect or invalid certificate, but could be because of a configuration error.

For assistance, contact your network support team.

I'm guessing it's something within our network but sadly our IT guys are useless (I'm in Yemen) so it's not even worth me bothering to try and get them to sort it out.

googe
11-03-2013, 01:10 PM
Actually that warning is likely doing what it's supposed to. Your connection is likely being hijacked by an appliance that rewrites certificates so they can spy on your secure connections. Try from a different network.

eblend
11-03-2013, 03:20 PM
Originally posted by googe
Actually that warning is likely doing what it's supposed to. Your connection is likely being hijacked by an appliance that rewrites certificates so they can spy on your secure connections. Try from a different network.

At this point I would also lean in that direction. Leaving out the part of being in Yemen is pretty crucial :)

benyl
11-03-2013, 03:34 PM
Originally posted by googe
Actually that warning is likely doing what it's supposed to. Your connection is likely being hijacked by an appliance that rewrites certificates so they can spy on your secure connections. Try from a different network.

Bluecoat does that to stop people from surfing porn through HTTPS at work.

googe
11-03-2013, 05:57 PM
Originally posted by benyl
Bluecoat does that to stop people from surfing porn through HTTPS at work.

Yup, they also sell to Syria to hunt down and imprison dissenters coordinating online ;)

Edit: It's not just for censorship though. Any network IDS or IPS is blind to web attacks over SSL. I've done audits on corporate/government sites that successfully blocked certain browser exploits, but as soon as I drop it on an https webserver it goes right through.

It's a hard problem, particularly if you value both privacy and security. Of course the answer is going to be don't do personal shit from company assets, but it's really hard to do that in practice. I'd feel better about it if those devices dropped you to a warning page that gave you the option of proceeding but made it clear that you were being monitored.

Of course that assumes that whoever installed it knew to deploy the fake root cert to the clients, so users don't get errors like davidI is seeing.

davidI
11-03-2013, 09:30 PM
Originally posted by googe
Actually that warning is likely doing what it's supposed to. Your connection is likely being hijacked by an appliance that rewrites certificates so they can spy on your secure connections. Try from a different network.

That doesn't sound good. So do I have to worry about my other secure connections now, or are there other problems I have to worry about besides accessing the Aeroplan site (which I am able to access from a shitty dial-up network)?

googe
11-03-2013, 09:57 PM
Any site that doesn't have https:// and the lock icon in the address bar is likely monitored, and there's no way to know.

Any site that is https:// but gives a warning is probably monitored.

Any site that is https:// and not giving a warning should be ok, unless you're on a company computer that they could have installed their fake certificate on.

If you don't want to take any chances, you can pay for a VPN service that you can use while on untrusted networks abroad.

http://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition-130302/

You can also try the Tor browser bundle, but that's only "safe" over https also. If you connect to beyond with it for example, it's possible to intercept your beyond password. If you're doing random stuff on http over it that is fine, but don't do anything that involves logging in somewhere or entering personal info unless it's over https.

https://www.torproject.org/download/download-easy.html.en
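The thread turns on two checks: eblend's advice to look at who issued the certificate behind the lock icon, and googe's three rules (warning on https means the chain did not reach a root the computer trusts; no warning means it did, unless the company pushed its own root to the machine). The Go program below, an added example that is not from this thread or from any of the products it mentions, reproduces all three outcomes offline. It constructs two root CAs (one standing in for a public CA such as VeriSign, one standing in for an SSL-inspection appliance), issues a certificate for www3.aeroplan.com from each, and runs the same chain validation a browser performs against a stock trust store and against one where the appliance's root has been deployed. All CA names and certificates are constructed for the example; the host name comes from the first post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed CA names: one stands in for a public CA such as VeriSign, the
// other for an SSL-inspection appliance like the one the thread suspects.
const (
	PublicCAName = "Example Public CA (constructed)"
	ProxyCAName  = "Corporate SSL Inspection CA (constructed)"
)

// Verdict is what a browser-style check concludes about the leaf a server sent.
type Verdict struct {
	Issuer           string // issuer CN, the name shown behind the lock icon
	Trusted          bool   // a chain reached a root in the trust store
	UnknownAuthority bool   // the "issued by an entity that is not trusted" case
}

// template builds a root-CA or a server certificate template for cn.
func template(cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a key pair and signs tmpl with parentKey; parent == nil
// means self-signed (a root). Signing only fails on a broken RNG, hence panic.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Check builds a chain from leaf to a root in pool for host, as a browser does.
func Check(leaf *x509.Certificate, host string, pool *x509.CertPool) Verdict {
	v := Verdict{Issuer: leaf.Issuer.CommonName}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	if err != nil {
		var ua x509.UnknownAuthorityError
		v.UnknownAuthority = errors.As(err, &ua) // vs. e.g. a name or expiry error
		return v
	}
	v.Trusted = true
	return v
}

// RunScenario returns the verdicts for: genuine cert on a clean network, the
// appliance's forged cert against a stock OS store, and the same forged cert
// after IT has pushed the appliance root to the client (no warning, still inspected).
func RunScenario(host string) (direct, intercepted, withProxyRoot Verdict) {
	publicCA, publicKey := makeCert(template(PublicCAName, true), nil, nil)
	proxyCA, proxyKey := makeCert(template(ProxyCAName, true), nil, nil)
	genuine, _ := makeCert(template(host, false), publicCA, publicKey)
	forged, _ := makeCert(template(host, false), proxyCA, proxyKey)
	stock := x509.NewCertPool() // what the OS ships with: public roots only
	stock.AddCert(publicCA)
	managed := x509.NewCertPool() // the same store after IT added the proxy root
	managed.AddCert(publicCA)
	managed.AddCert(proxyCA)
	return Check(genuine, host, stock), Check(forged, host, stock), Check(forged, host, managed)
}

func main() {
	direct, intercepted, deployed := RunScenario("www3.aeroplan.com")
	fmt.Printf("clean network: %+v\nintercepted: %+v\nproxy root deployed: %+v\n", direct, intercepted, deployed)
}
```

The middle verdict is davidI's situation: the issuer name is the appliance's, and the error class is "unknown authority", which is exactly what Chrome's "issued by an entity that is not trusted" text means. The third verdict is googe's closing point: once the appliance root sits in the client's store, the same forged certificate validates cleanly, so on a company-managed machine the absence of a warning proves nothing; only checking the issuer behind the lock icon, as eblend suggested, reveals the difference.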