By: Eve Zelickson
Chances are at some point in your internet travels you’ve stumbled on a warning that reads something like “Your connection is not private. Attackers might be trying to steal your information.” The page usually gives you an option to proceed to the website anyway. But should you?
Why did I get rerouted to this page?
Today, we conduct more activities online than ever before: paying bills, buying groceries, and interfacing with doctors, to name a few. With more of these websites requesting personal information, we rely on our web browser’s security practices to ensure that our data stays safe.
Each time you visit a website, your web browser (e.g., Chrome, Safari, or Firefox) first checks for the existence of one of two digital certificates: a Transport Layer Security (TLS) or Secure Sockets Layer (SSL) certificate. These indicate two important things. First, they confirm the identity of the website, affirming that the website is who it says it is. Second, they verify that the information on the website—and any data you share with it—will be secure and encrypted. Encryption ensures that the information you share, whether it’s a credit card number or home address, will not be intelligible if intercepted.
You can tell if a website has a valid certificate by clicking on the small padlock to the left of the URL or by looking for “HTTPS”—not “HTTP”—at the front of the website link. The use of HTTPS indicates that the website uses a secure certificate to move information across the web.
In 2014, Google announced it would use the existence of a certificate as a quality factor in its search results, placing safer sites higher in those results. Then, in 2018, the company announced that its Chrome browser would flag all websites without a properly configured certificate (either TLS or SSL) and display the “Connection Not Private” window to warn users. Other browsers have adopted similar measures.
As a result, when you browse the web, you may receive variations of this message when you try to visit some websites.
Will my information really be stolen if I proceed to the website anyway?
Possibly. The Connection Not Private window could be triggered by a poorly configured certificate, one that’s only recently expired, or one that’s missing entirely.
Visiting websites that don’t have proper encryption can put you at risk for a number of cyberthreats.
Your information could be intercepted as it travels across the internet in what security experts call a “man-in-the-middle” attack. Bill Budington, a senior staff technologist at the Electronic Frontier Foundation (EFF), said this most often occurs when someone hijacks your Wi-Fi connection, tricking your device into thinking that the hacking software is the access point your device should be connecting with. This process gives the attacker access to your internet traffic and any data you provide to a website.
“Whether this means a nation-state tricking its citizens into thinking it is google.com or a hacker tricking a coffee-shop patron into divulging the domains the patron browses, the result is the same,” said Budington. “It means a compromise of sensitive data that was never entrusted to that untrusted party, and the possibility of impersonating the target or retrieving a history of communications in the sites they’ve visited.”
This is especially dangerous when visiting e-commerce websites, where customers routinely enter sensitive information like their address and credit card number. Once intercepted, this information can facilitate identity theft, which hit a record high in 2021. One white hat hacker performed his own experiment to see how easy it is to intercept unencrypted information online. While his software did not collect actual user information, it connected with 49 devices in a single afternoon at the mall.
Visiting websites without encryption also leaves you vulnerable to ransomware attacks, which can occur when a user visits an infected website and malware is secretly downloaded to the person’s device. The malware enables attackers to hold users’ files hostage until they pay a ransom.
Lastly, ignoring the warning and continuing to the site leaves you open to phishing attacks, where attackers pose as a trusted website to lure users into sharing financial or other sensitive information. In this case, the Connection Not Private message is triggered because the certificate of the website isn’t authentic. If a user types in their bank’s URL and sees this message, something has gone awry because the bank’s website would certainly have a working certificate.
What should I do when I encounter a warning like this?
As a first step, security expert and Harvard faculty associate Bruce Schneier recommends making sure you are trying to connect to the correct URL. After that, Schneier says it usually comes down to a judgment call.
For example, if you click on a link in an email from a sender you don’t know and you get the alert, you shouldn’t proceed. But if you correctly type in a well-known URL, you are likely fine to continue, he said, because it’s probably “just an error.” According to Schneier, there are many benign reasons that would trigger the alert, such as the recent expiration of a certificate or a mismatch between the typed URL and the name associated with the certificate.
There are ways to figure out what triggered the warning. The message is often accompanied by an error code, which you can look up. For example, the error NET::ERR_CERT_COMMON_NAME_INVALID usually means that the name on the certificate does not match the URL entered.
Another common reason the window will appear is if you are browsing by public internet in places like the library or an airport. Public Wi-Fi is more susceptible to man-in-the-middle attacks from people on your local network. It is therefore more important to use HTTPS when on public Wi-Fi, as this will help protect against attacks from people in your vicinity.
If you want to make sure the error wasn’t a fluke, you can try restarting your computer, clearing your cache, or moving to a private Wi-Fi connection to see if the error persists.
Perhaps it does, but you’re determined to visit the site anyway. If you’re browsing on Chrome or Firefox, you can usually select “Advanced” in the error window and then click the link to proceed to the website. Again, be careful about entering personal information—from passwords to addresses—as it won’t be protected on these websites.
And Schneier cautions that while a verified certificate confirms that a website is encrypted, it can still be malicious in other ways if the website owners have ill intentions.
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.