What does the “Your connection is not private” warning really mean?

By: Eve Zelickson

Chances are that at some point in your travels on the internet, you’ve come across a warning saying something like “Your connection is not private. Attackers might try to steal your information.” The page usually gives you the option to continue to the website anyway. But should you?

Why was I redirected to this page?

Today, we conduct more activities online than ever before: paying bills, buying groceries, and communicating with doctors, to name a few. With more of these websites requesting personal information, we rely on the security practices of our web browser to ensure the security of our data.

Each time you visit an HTTPS website, your web browser (for example, Chrome, Safari, or Firefox) checks the digital certificate the site presents during the Transport Layer Security (TLS) handshake. (TLS replaced the older Secure Sockets Layer, or SSL, protocol, which is why these are still often called SSL certificates.) The certificate must be issued by a certificate authority the browser trusts, must not be expired, and must name the site you typed. A certificate that passes these checks indicates two important things. First, it confirms the identity of the website: the site is who it claims to be, not someone sitting between you and it. Second, it lets the browser set up an encrypted connection to that verified site, so the data you share with it, whether a credit card number or home address, will not be intelligible if intercepted. Note that the encryption itself is provided by TLS, and an attacker can encrypt too; it is the identity check that makes the encryption worth anything.

You can find out whether a website has a valid certificate by clicking on the little padlock to the left of the URL, or by checking that the address starts with “https://” rather than “http://”. HTTPS means the connection to the website is made over TLS; the padlock means the browser was able to validate the certificate the site presented.

In 2014, Google announced that it would use HTTPS as a ranking signal in its search results, placing sites that use it higher. Then, in 2018, the company’s Chrome browser began labeling every plain HTTP page “Not secure” in the address bar, and it shows the full-page “Your connection is not private” warning whenever a site’s certificate fails validation. Other browsers have adopted similar measures.

Therefore, while browsing the web, you may receive variations of this message when trying to visit certain websites.

Will my information really be stolen if I continue on the website anyway?

Maybe. The “Your connection is not private” page can be triggered by a certificate that is misconfigured (for example, issued for a different name than the one you typed), expired, self-signed, or issued by an authority your browser does not trust.

Visiting websites that lack proper encryption can expose you to a number of cyber threats.

Your information could be intercepted as it travels the internet in what security experts call a “man-in-the-middle” attack. Bill Budington, a senior technologist with the Electronic Frontier Foundation (EFF), said it most often happens when someone hijacks your Wi-Fi connection, tricking your device into thinking the attacker’s software is the access point your device should connect to. This gives the attacker access to your internet traffic and any data you provide to a website.

“Whether it’s a nation-state tricking its citizens into believing it’s google.com or a hacker tricking a coffee shop customer into disclosing the domains the customer browses, the result is the same,” Budington said. “That means a compromise of sensitive data that was never entrusted to that untrusted party, and the ability to impersonate the target or retrieve a history of communications in the sites they visited.”

This is especially dangerous when visiting e-commerce websites, where customers routinely enter sensitive information such as their address and credit card number. Once intercepted, this information can facilitate identity theft, which reached an all-time high in 2021. A white hat hacker conducted his own experiment to see how easy it is to intercept unencrypted information online. Although his software did not collect actual user information, it connected to 49 devices in a single afternoon at a mall.

Visiting websites without an authenticated, encrypted connection also makes you more vulnerable to ransomware and other malware. The site itself may be infected, or, because nothing protects the page in transit, an attacker on the network path can modify it so that malicious software is secretly downloaded onto your device. The malware then lets attackers hold your files hostage until you pay a ransom.

Finally, ignoring the warning and continuing to the site exposes you to phishing attacks, where attackers pose as a trusted website to trick users into sharing financial or other sensitive information. In this case, the “Your connection is not private” message appears because the impostor cannot obtain a valid certificate for the real site’s name. If a user types in their bank’s URL correctly and sees this message, something has gone wrong, because the bank’s website will almost certainly have a working certificate.

What should I do when I encounter a warning like this?

As a first step, security expert and Harvard faculty associate Bruce Schneier recommends making sure you’re trying to connect to the correct URL. After that, Schneier says it usually comes down to judgment.

For example, if you click on a link in an email from a sender you don’t know and receive the alert, you should not proceed. But if you type a well-known URL correctly, you can probably proceed, he said, because it’s probably “just a mistake.” According to Schneier, there are many benign reasons that would trigger the alert, such as a recently expired certificate or a mismatch between the entered URL and the name associated with the certificate.

There are ways to determine what triggered the warning. The message is often accompanied by an error code, which you can look up. For example, in Chrome, NET::ERR_CERT_COMMON_NAME_INVALID means that none of the names on the certificate matches the host name you entered (modern browsers compare the host name against the certificate’s Subject Alternative Name list), NET::ERR_CERT_DATE_INVALID means the certificate is expired or not yet valid (or your computer’s clock is wrong), and NET::ERR_CERT_AUTHORITY_INVALID means it was issued by an authority your browser does not trust, which is what a self-signed certificate or an interception proxy on the network produces.
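The name and date checks behind the two error codes above, and behind the benign “expired certificate” and “name mismatch” cases mentioned earlier, are simple enough to reproduce. The following Python script is an added example, not code from The Markup article or from any browser; it takes a certificate in the dictionary form that Python’s `ssl.SSLSocket.getpeercert()` returns, applies the hostname-matching rules browsers use (Subject Alternative Name only, wildcard confined to the leftmost label) and the validity window, and reports the Chrome-style codes. The `SAMPLE_CERT` is constructed for the example and is not a real certificate; the trust-chain check is left to the operating system, which is what the optional `probe_live_site` helper relies on when given a real host.

```python
"""Reproduce the name and validity-period checks behind two of the
browser's certificate error codes.  Certificates are passed in the dict
shape that Python's ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl
import time


def san_dns_names(cert):
    """dNSName entries of the subjectAltName extension.  Chrome has
    ignored the subject commonName since 2017, so only these count."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is
    allowed only as the entire leftmost label, where it matches exactly
    one label ('*.example.com' matches 'api.example.com', but neither
    'example.com' nor 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if (p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:])
            or len(p_labels) < 3):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None):
    """Return the Chrome-style error codes this certificate would trigger
    for `hostname`; an empty list means the name and dates are fine.
    The trust chain (NET::ERR_CERT_AUTHORITY_INVALID) is not checked here:
    that needs the root store, which the browser or OS supplies."""
    now = time.time() if now is None else now
    errors = []
    if not any(name_matches(n, hostname) for n in san_dns_names(cert)):
        errors.append("NET::ERR_CERT_COMMON_NAME_INVALID")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before or now > not_after:
        errors.append("NET::ERR_CERT_DATE_INVALID")
    return errors


def probe_live_site(hostname, port=443, timeout=5):
    """Connect with full verification on, as a browser does (needs network).
    Returns (True, cert_dict) when the certificate validates, or
    (False, reason) with OpenSSL's verify message otherwise.  Turning
    verification off (ssl.CERT_NONE) is the programmatic equivalent of
    clicking 'Proceed anyway' and is deliberately not done here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


# Constructed sample in getpeercert() form (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    mid_2024 = 1720000000          # 2024-07-03, inside the validity window
    for host in ("www.example.com", "api.example.com", "example.com",
                 "a.b.example.com"):
        print(host, check_certificate(SAMPLE_CERT, host, now=mid_2024) or "ok")
    print("after expiry:",
          check_certificate(SAMPLE_CERT, "www.example.com", now=1740000000))
```

Run as a script it walks the sample certificate through the cases a reader is likely to hit: the exact name and a one-level wildcard match are accepted, the bare domain and a two-level subdomain are not, and the same certificate becomes a date error once the clock passes its notAfter, which is also why a wrongly set system clock produces the warning on perfectly good sites.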

Another common reason for the page to appear is that you are on public Wi-Fi, in places like a library or an airport. Many such networks use a captive portal that intercepts your first request in order to show a login page; because the portal cannot present a valid certificate for the site you asked for, the browser warns you. Public Wi-Fi is also more susceptible to man-in-the-middle attacks from people on the same local network. It is therefore especially important to insist on HTTPS, and to take certificate warnings seriously, when you are on public Wi-Fi.

If you want to make sure that the error is not due to a transient problem, check that your computer’s date and time are correct (a wrong clock makes valid certificates look expired or not yet valid), then try restarting your browser, clearing your cache, or switching to a different network, such as your phone’s mobile data, to see whether the error persists.

Perhaps you are still determined to visit the site. In Chrome or Firefox, you can usually select “Advanced” from the error page, then click the link to proceed to the website. Again, be careful when entering personal information, from passwords to addresses: even if the connection is encrypted, you have no assurance about who is on the other end, so that data is not protected.

And Schneier warns that even if a verified certificate confirms that a website is encrypted, it can still be malicious in other ways if the website owners have bad intentions.

This article originally appeared on The Markup and has been republished under Creative Commons Attribution-NonCommercial-NoDerivatives Licence.
