locked
Certificate error for Linksys Router using HTTPS RRS feed

  • Question

  • When I tighten up security on my Linksys WRT320N router by only allowing configuration using HTTPS, I can get to the router, but I always get a certificate error and have to select connect anyway & the red Certificate error shows in the title bar. Is there a way to get IE8 to accept the certificate? I read one guy's post that said to uncheck 802.x authentication but he was accessing his linksys router wirelessly. For security I turned wireless router configuration off. I also turned UPnP off. Will that affect the certificate problem? I also went through the screens to add the linksys certificate to my computer, but it didn't change the error. I can access the router through a direct ethernet connection, but I just keep getting the certificate error. Can I fix this, or do I just have to live with it? I haven't tried using other browsers, so see what they do, but I assume they would give similar results. Do I need to make sure I check ur uncheck use of TLS1.0 or any of those 3 similar settings?

    If I get Steve, I'd like to say thanks for your excellent help on issues in the past. I'm using Win 7 Ultimate 64-bit on my desktop system, and Win 7 Ultimate 32-bit & UBUNTU 1.04LTS concurrently on my laptop.

    Billy Cloud

    Monday, August 16, 2010 10:41 PM

All replies

  • I'm not sure it will make much difference to an answer, but it would be helpful to know what exactly it is complaining is erroneous about the certificate.  If it's that it cannot find a trusted certificate chain for the router's cert, there may be something that can be done about it.  (Basically, find the required certificates, ensure that they can be trusted, and load them into the correct certificate store.  More details once you have established that this is the problem, as it get complicated.) 
    Answering policy: see profile.
    Thursday, September 2, 2010 4:31 PM
  • I am having almost word for word the same problem..............HELP PLEASE

     

    Monday, February 28, 2011 5:51 AM
  • This is the message that comes up.......

     

     

    "There is a problem with this website's security certificate.

     
     

    The security certificate presented by this website was not issued by a trusted certificate authority.
    The security certificate presented by this website has expired or is not yet valid.
    The security certificate presented by this website was issued for a different website's address.
    <noscript id="securityCert1"></noscript>
    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

     

    We recommend that you close this webpage and do not continue to this website. "

     

     

     

    Then it gives me the option of continuing (not recomended) or closing out the browser.  When I continue, I pull up the properties and it says that Linskys has issued the certificate in 2004 for like a month, and then it expired. 

    My main concern is......Is there a securtiy risk involved??  Or is this a 'glitch' that is solved by erasing the expired cert.  As Bob explained above, I had recently switched to 'https' from 'http' and that's when the problems came up.  Is 'https' really more secure than 'http'???  Is there much of a difference?

    Thanks.

    Jonathan

    Monday, February 28, 2011 6:12 AM
  • [I had nearly finished a fairly long reply to this; I lost it with a careless click ... now I have to do it all again ... ]

    The short answer is 'maybe'.  Https is more secure and does make a difference.

    The long answer: 

    When you provide a password or other sensitive information to a website via HTTP, you send it unencrypted over the network to a web server you actually have no assurance is the one you intend to send it to.

    HTTPS is a protocol intended to address these issues: data in transit is protected by encrypting it using an agreed session key, and the server certificate is intended to provide a means to ensure that the web server is actually the one you intended to send it to.  (Client certificates, less often used, can provide a similar assurance to the web server about the user of the web browser.)  When all is set up correctly (in particular, the certificate), these goals are met,  and the browser rewards you with a locked padlock indicating all is well (as far as it can tell).

    When something is wrong with the certificate, you get these kinds of messages.  It can mean that the website is compromised or someone is attempting a 'man-in-the-middle' attack, in which case you should abandon communication with that website immediately; or it can mean simply that someone has been less diligent than they should be in setting up the website or its certificate, and - maybe - you can cautiously continue the communication at your own risk.

    The rules which determine whether a website is set up correctly are somewhat complex, so I won't describe them here; suffice it to say that they are intended to provide assurance to users of web-commerce sites, and so assume that the owners of the website can afford to maintain the site properly, including ensuring that its certificates are current, which requires expertise and payments to Certification Authorities every year or two.

    Something like a router built for the consumer market doesn't really fit that assumption; the security provided by HTTPS is important because malicious misconfiguration of the router can be very serious -especially if it also acts as a firewall - but the cost model doesn't fit and many consumers lack the expertise needed to understand what the issues are.

    It wouldn't surprise me to find that in order to 'support' https on the router  configuration, short cuts had been taken with the certificate in order to make it affordable.  A typical short cut is to configure a self-signed certificate (which means that there is no way of verifying the identity of the server, because anyone can offer a self-signed cert).

    The security certificate presented by this website was not issued by a trusted certificate authority.

    This is very serious for a commercial website; for a consumer router, it may be significant, or it may mean nothing.  Is the certificate the one originally installed in the router?  If so, this is not a reason to mistrust it.  If it is NOT the original certificate, then there may be a security compromise. 

    The security certificate presented by this website has expired or is not yet valid.

    Even commercial websites allow this to happen occasionally, either deliberately or by accident (although the owner needs to be aware he/she may lose business because of it). 

    The main problem is that it might indicate the presence of a substitute (and suspicious) server which has somehow got hold of an old version of the priovate key and certificate.  Unless you intend to update the router cert somehow, you will have to live with this warning.

    The security certificate presented by this website was issued for a different website's address.

    You should never see this in a commercial website, and it indicates a substitution or man-in-the-middle attack.  For a consumer router, it's almost inevitable you will see it, since it's highly unlikely that you are accessing the router using any name embedded in the certificate which would enable it to pass this test.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

    See above; substitution and man-in-the-middle attacks are examples of attempts to fool you.

    We recommend that you close this webpage and do not continue to this website. "

    Which is good advice for a commercial website.  Whether it's good advice for your router's website is another question. Unless the origin of the certificate is in doubt (i.e. the first warning), it would be reasonable to ignore the advice.

    Then it gives me the option of continuing (not recomended) or closing out the browser.  When I continue, I pull up the properties and it says that Linskys has issued the certificate in 2004 for like a month, and then it expired. 

    A 'short-cut' certificate.

    My main concern is......Is there a securtiy risk involved??

    There's always some security risk involved, it cannot be avoided, only minimised by various means.  The question is, are you willing to bear that risk?

    Or is this a 'glitch' that is solved by erasing the expired cert.

    Definitely NOT.  Do not erase the expiring cert, it won't help anything.  It will force you to use HTTP, thus losing any possible benefit of HTTPS.

    As Bob explained above, I had recently switched to 'https' from 'http' and that's when the problems came up.  Is 'https' really more secure than 'http'???

    That figures.  These warnings arise directly from the use of https.

    Yes, HTTPS is more secure than HTTP, provided it is set up correctly.  Even when it is not set up correctly, it cannot be less secure than HTTP.  The main downside is that using it may give you a stronger sense of security than is actually warranted.

    Is there much of a difference?

    Yes.  The encryption of login credentials alone makes it worth using.


    Answering policy: see profile.
    Saturday, March 5, 2011 10:32 PM
  • The issue I am having is the same.  The certificate from the router is dated as expired in 1970.  Why would this ever be the case since certificate authorities would never issue a cert for this invalid date.   It is very frustrating to have an option that reads "Continue to website anyway" and the feature itself has a bug and won't let you bypass the issue.

    Monday, June 25, 2012 5:14 AM