Protect: Protection from untrusted certificates
Within the Protect integrated security system, Yandex Browser checks website certificates. The Yandex Browser beta version warns you if the website can't provide secure data encryption because of problems with the certificate.
Why websites need a certificate
Your personal data and payment information should be protected when you send them to a website. Websites use the HTTPS protocol for a secure connection. It activates an asymmetric encryption algorithm, where data is encrypted with a public key and decrypted with a private key. For each session, Yandex Browser regenerates the private key and transmits it to the website, taking precautionary measures to prevent theft.
However, if you end up on a phishing website, it might get the private key and then decrypt your data. To protect against phishing, websites use digital certificates issued by special certification authorities. The certificate guarantees that the keys belong to the website owner.
What makes an untrusted certificate dangerous
You may end up on a phishing website, or your data will not get the necessary protection on the original website (for example, if the website's certificate has expired). As a result, hackers can:
- Intercept or replace your personal data and read your correspondence.
- Get your payment data (card number, cardholder's name, expiry date and CVV2) and use it to steal money from your account.
Blocked websites with untrusted certificates
If a site can't guarantee safe encryption due to problems with its certificate, the page won't open and you'll see an icon in the SmartBox and a warning that a safe connection could not be established. In this case you can either not visit the site or add the certificate to your list of trusted ones.
Possible reasons for blocking sites
Yandex Browser blocks websites that have the following certificate problems:
You will see a message that Yandex was “Unable to establish a secure connection. Hackers may try to steal your data (such as passwords, messages or your bank card number)”.
For more information, see the section If the certificate author is unknown.
You will see a message that “You tried to go to example.com, but their certificate is not trusted. The certificate was issued by a certificate center that Yandex is not familiar with; however, your OS considers it to be trustworthy...”.
For more information, see If the certificate was installed by a program.
You will see a message “Could not confirm that the server is example.com. The security certificate applies to example1.com. This server could be incorrectly configured or someone is trying to intercept your data”.
This means that the security certificate saved on the server is not for the site that you opened. It's likely that you ended up on a phishing site. If this is the case, hackers can intercept your data.
You will see a message “Could not confirm that the server is example.com. The computer’s operating system doesn’t trust its security certificate. This server could be incorrectly configured or someone is trying to intercept your data”.
This means that the site issued its own certificate. Either this is malware, or hackers can intercept your data. To learn more, see Self-signed certificate.
You will see a message “Could not confirm that the server is example.com. The computer’s operating system doesn’t trust its security certificate. This server could be incorrectly configured or someone is trying to intercept your data”.
This means that the center that signed the certificate is not trustworthy and can't guarantee that the site is authentic. Either this is malware, or hackers can intercept your data. To learn more about root certificates, see Root certificate.
You will see a message “Could not confirm that the server is example.com. Its security certificate expired <...> days ago. This server could be incorrectly configured or someone is trying to intercept your data. Please make sure that <current time> is set on your computer. If it’s incorrect, change it and update the page”.
If the certificate is expired, the data that is sent will not be encrypted, so attackers can intercept it.
You will see a message that “Usually site example.com encrypts your data. However, this time it sent a suspicious response to a query from Yandex Browser. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex Browser broke the connection before any data was exchanged. Cannot go to example.com, because its certificate has been revoked. This could have been caused by a network error or an attack on the site. It will probably be up again after a while”.
This means that the site's certificate was compromised and revoked. In this case, the data that is sent will not be encrypted, so attackers can intercept it.
You will see a message that “You are trying to contact the server for example.com, but its certificate was signed using an unreliable algorithm (SHA-1, etc.). This means that the security credentials and the server itself may be fake. You could be dealing with hackers”.
If the server uses an outdated and unreliable encryption algorithm, hackers can intercept your data. There is a significant chance that you ended up on a phishing site.
You will see a message that “The website example.com sent an incorrect response”.
This means that Yandex Browser can't establish an HTTPS connection because the website uses ciphers not supported by Yandex Browser. In this case, the data that is sent will not be encrypted, so attackers can intercept it.
You will see a message that “Usually site example.com encrypts your data. However, this time it sent a suspicious response to a query from Yandex Browser. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex Browser broke the connection before any data was exchanged. Cannot go to example.com, because its certificate has been revoked. This could have been caused by a network error or an attack on the site. It will probably be up again after a while”.
This means that the root certificate key doesn't match the website key. Hackers may try to replace the root certificate. Then they can intercept your data. To learn more about pinning (linking) a key, see HTTP Public Key Pinning.
You will see a message that “Usually site example.com encrypts your data. However, this time it sent a suspicious response to a query from Yandex Browser. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex Browser broke the connection before any data was exchanged. Cannot go to example.com, because it uses the HSTS protocol. This could have been caused by a network error or an attack on the site. It will probably be up again after a while”.
This means Yandex Browser could not enable encryption and broke off the connection. The server where the website is located normally uses encryption, since the HSTS protocol is enabled on it. Lack of encryption may be a sign of a hacker attack. In this case, hackers or malware can intercept your data.
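An added example, not Yandex Browser's own code: a sketch of three of the checks listed above (certificate issued for a different site, expired certificate, certificate the site issued to itself), run over constructed certificate dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. The function names, category labels and sample certificates are assumptions made for the illustration.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from the certificate against the requested host."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard replaces exactly one leftmost label: *.example.com covers
    # www.example.com, but not example.com or a.b.example.com.
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:] and "." in rest

def classify(cert: dict, host: str, now: datetime) -> list[str]:
    """Return the problem categories (labels are illustrative) that apply."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name-mismatch")        # "applies to example1.com"
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now.timestamp() > not_after:
        days = int((now.timestamp() - not_after) // 86400)
        problems.append(f"expired-{days}-days-ago")
    # Heuristic only: identical issuer and subject means the certificate is
    # self-issued; proving it is self-signed needs a signature check.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")
    return problems

# Constructed sample data (not real certificates).
NOW = datetime(2025, 1, 11, tzinfo=timezone.utc)
GOOD = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
BAD = {
    "subject": ((("commonName", "example1.com"),),),
    "issuer": ((("commonName", "example1.com"),),),
    "subjectAltName": (("DNS", "example1.com"),),
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    print(classify(GOOD, "www.example.com", NOW))
    print(classify(BAD, "example.com", NOW))
```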
If the certificate author is unknown
In this case, the certificate was installed by the network administrator or a random person. You will see a warning:
You can either choose not to visit the website, or add the certificate to the trusted list by clicking Details in the window, and then Make an exception for this site. The certificate will stay on the trusted list for 30 days, and then you will have to make an exception again.
If you aren't sure of the certificate's trustworthiness, but you want to visit the site, take the following security measures:
- For home computers. Update your antivirus and scan your computer for malware. If your antivirus discovers and deletes a certificate that was installed by hackers, you will no longer see a warning in Yandex Browser. If your antivirus didn't delete a suspicious certificate, you can delete it manually. Attention. Be careful: if the certificate was installed by a legitimate program (rather than malware), deleting it may cause the system to malfunction.
- For work computers. Contact your system administrator to delete a suspicious certificate. They will delete any certificates they didn't install. If the certificate was installed by the administrator, you can click Go to website. But remember that after this, the administrator will be able to view your personal information and electronic payments.
If the certificate was installed by a program
Antiviruses, ad blockers, site monitoring tools, and other programs may replace the website's certificate with their own. To decrypt traffic, they generate their own root certificate and install it in the operating system, marking it as trustworthy.
However, a certificate installed by a special program cannot be considered trustworthy, because it does not belong to a trusted certification center. This results in the following threats:
- Your data may become available to unknown persons — special program developers.
- The certificate may have been installed by malware pretending to be a special program. Browsers do not have the ability to verify the authenticity of such certificates.
Yandex Browser warns you about the following problems:
To visit a site:
- Find out what program replaced the certificate. This information can be found by clicking the corresponding link on the warning page.
- Decide if you are prepared to trust the certificate issuer with your personal information:
  - If you are, click Go to website.
  - If you aren't sure, disable HTTPS connection verification in the program. You can use the instructions for the following programs:
    - AdGuard (in addition to the AdGuard program, there's an extension of the same name that doesn't create its own certificates, so you don't need to disable anything for it).
Attention. If you disable HTTPS checks, it doesn't mean you're unprotected. Yandex Browser runs its own security checks on the files you download, blocks malicious pages and banners, and uses advanced protection for bank and payment system pages. If Yandex Browser keeps warning you about a suspicious certificate even after disabling HTTPS checks, and you don't need the program that installed the certificate, try temporarily closing that program.
Report a phishing site
If you encounter a suspicious site, write to us about it using the feedback form.