Protect: shield against untrusted certificates

Many sites use certificates that are issued by authoritative, trusted organizations to protect against phishing. A certificate contains a public key used to encrypt data that the user sends to the site over an HTTPS connection. The trusted certificate authority confirms that the public key used during encryption really does belong to the site owner.

The Protect integrated security system is used in Yandex.Browser to check website certificates. If there is any doubt about a certificate’s authenticity, the browser will warn you.

If the certificate author is unknown

In this case, it's not clear whether the certificate was installed by the site administrator or by hackers, and you will see a warning.

You can either choose not to visit the site, or add the certificate to the trusted list by clicking the Details button in the dialog and then the Make an exception for this site button. The certificate will be in the trusted list for 30 days, and then you will have to make an exception for it again.

Attention. Click the Make an exception for this site button only if you’re sure the certificate is trustworthy. Otherwise hackers can get access to your personal information!

If you aren't sure of the certificate's trustworthiness, but you want to visit the site, take the following security measures:

  • For home computers. Update your antivirus and scan your computer for malware. If your antivirus discovers and deletes a certificate that was installed by hackers, you will no longer see a warning in your browser. If your antivirus didn’t delete a suspicious certificate, then it can be deleted using Windows. Be careful; if the certificate was installed by a legitimate program (rather than malware), then deleting it may adversely affect your system.
  • For work computers. Contact your system administrator to delete a suspicious certificate. They will delete any certificates they didn’t install. If the certificate was installed by your administrator for security reasons, you can click Trust this certificate. But remember that after this, the administrator will be able to view your personal information and electronic payments.

If the certificate was installed using special software

Antivirus software, ad-blockers, network monitoring programs and similar special programs can replace website certificates with their own. In order to decrypt traffic, they generate their own root certificate and install it in the operating system, marking it as trustworthy.

However, a certificate installed by a special program cannot be considered trustworthy, because it does not belong to a trusted certificate authority. The following are potential dangers:

  • Your data may become available to unknown persons, i.e., special program developers.
  • The certificate may have been installed by malware pretending to be a special program. Browsers today do not know how to verify the authenticity of certificates installed by special programs.
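
The mechanism described above, reproduced locally as an added example (it is not part of the original page or of any product named on it). It assumes the openssl command-line tool is installed; the roots, keys and the labels "public" and "inspect" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every key, certificate and name is constructed locally;
# "inspect" and "public" are hypothetical labels, not real products or CAs.
work=$(mktemp -d)

# Step 1: a filtering program generates its own self-signed root certificate.
make_root() {  # $1 = file prefix, $2 = subject common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# Step 2: for a site it filters, it issues a replacement certificate
# signed by that root instead of passing on the site's real one.
issue_leaf() {  # $1 = prefix of the signing root, $2 = site name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$work/san.cnf"
  openssl x509 -req -in "$work/leaf.csr" -days 7 -extfile "$work/san.cnf" \
    -CA "$work/$1.pem" -CAkey "$work/$1.key" -CAcreateserial \
    -out "$work/leaf.pem" 2>/dev/null
}

# Step 3: the client's decision, given a root it trusts and the name it asked for.
verdict() {  # $1 = prefix of the trusted root, $2 = requested host name
  if openssl verify -CAfile "$work/$1.pem" -verify_hostname "$2" \
       "$work/leaf.pem" >/dev/null 2>&1
  then echo accepted
  else echo rejected
  fi
}

make_root public  "Constructed Public Root"
make_root inspect "Constructed Inspection Root"
issue_leaf inspect example.com

echo "only the public root is trusted:   $(verdict public example.com)"
echo "inspection root marked as trusted: $(verdict inspect example.com)"
echo "same root, but asked for another:  $(verdict inspect example1.com)"
```

The second result is why trusting such a root is a decision about the program's developer: whoever holds the root's private key can issue a certificate that the client accepts for any site name.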

Yandex.Browser warns you about these problems.

To visit a site:

  1. Find out what program replaced the certificate. This information can be found by clicking the corresponding link on the warning page.
  2. Decide if you are prepared to trust the certificate's creator with your personal information:
    • If you are ready, click Trust this certificate.
    • If you aren’t ready, disable HTTPS-connection checking in the program. You can use the program instructions:
      • Kaspersky Lab antivirus
      • ESET NOD32
      • AdGuard (in addition to the AdGuard program, there is an extension of the same name that doesn’t create its own certificates, so you don’t need to disable anything for it)
      Attention. If you disable HTTPS checks, it doesn't mean you're unprotected. Yandex.Browser runs its own security checks on the files you download, blocks malicious pages and banners, and uses advanced protection for bank and payment-system pages.

      If the browser continues to warn you about a suspicious certificate even after disabling HTTPS checks, and you don't need the program that installed the certificate, try temporarily closing that program.

Other problems with certificates

If secure encryption cannot be ensured because of problems with a site certificate, Yandex.Browser will warn you about this, and an icon will appear in the right half of the SmartBox. We do not recommend visiting these sites, much less entering personal information or making electronic payments in them.

Problem: The certificate has expired

  • Browser message: Unable to confirm that this is the example.com server. Its security certificate expired <...> days ago. This server could be incorrectly configured or someone is trying to intercept your data. Be aware of what’s installed on the computer <current time>. If it’s incorrect, change it and update the page.
  • Description of the problem: The site certificate has expired.
  • Type of danger: Transferred data will not be encrypted and hackers could intercept it.

Problem: Incorrect site address

  • Browser message: Unable to confirm that this is the example.com server. The security certificate applies to example1.com. This server could be incorrectly configured or someone is trying to intercept your data.
  • Description of the problem: There is no way to be sure the browser is connected to the right website.
  • Type of danger: If it’s a phishing site, hackers can intercept your data.

Problem: Self-signed certificate

  • Browser message: Unable to confirm that this is the example.com server. The computer’s operating system doesn’t trust its security certificate. This server could be incorrectly configured or someone is trying to intercept your data.
  • Description of the problem: The site certificate is issued by the site itself, rather than by a certification authority. To find out more, see Self-signed certificate.
  • Type of danger: Malware or hackers can intercept your data.

Problem: Untrusted root certificate

  • Browser message: Unable to confirm that this is the example.com server. The computer’s operating system doesn’t trust its security certificate. This server could be incorrectly configured or someone is trying to intercept your data.
  • Description of the problem: The authority that signed the certificate is not trusted.
  • Type of danger: Malware or hackers can intercept your data.

Problem: The certificate key does not match the pinned key

  • Browser message: example.com normally uses encryption to protect your data. However, this time it sent a suspicious response to the browser’s query. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex.Browser broke the connection just in case before any data was passed. Cannot go to example.com, because its certificate has been revoked. This could have been caused by a network error or an attack on the site. It will probably be up again after a while.
  • Description of the problem: The certificate key does not match the pinned site key. This is caused either by incorrect server settings or by hackers trying to tamper with the root certificate. To find out more, see Root certificate for root certificates and HTTP Public Key Pinning for key pinning (linking).
  • Type of danger: The site may have been replaced by malware. Hackers can intercept your data.

Problem: Unable to enable encryption when connecting HSTS

  • Browser message: example.com normally uses encryption to protect your data. However, this time it sent a suspicious response to the browser’s query. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex.Browser broke the connection just in case before any data was passed. Cannot go to example.com, because it uses the HSTS protocol. This could have been caused by a network error or an attack on the site. It will probably be up again after a while.
  • Description of the problem: The browser could not enable encryption and broke the connection. The server where the site is located normally uses encryption, since the HSTS protocol is enabled on it. Lack of encryption may be a sign of a hacker attack. Access to the site through HTTP may be unsafe in this case.
  • Type of danger: The site may be under attack. Hackers or malware could intercept your data.

Problem: Certificate has been revoked

  • Browser message: example.com normally uses encryption to protect your data. However, this time it sent a suspicious response to the browser’s query. Another site may be trying to pass as example.com, or the Wi-Fi connection has been lost. Your data is still secure: Yandex.Browser broke the connection just in case before any data was passed. Cannot go to example.com, because its certificate has been revoked. This could have been caused by a network error or an attack on the site. It will probably be up again after a while.
  • Description of the problem: The site certificate was compromised and has been revoked.
  • Type of danger: Transferred data will not be encrypted and hackers could intercept it.

Problem: Outdated encryption

  • Browser message: You’re trying to address the server in the example.com, but its certificate has been signed with an untrustworthy algorithm (SHA-1 and so on). This means that the security credentials and the server itself may be bogus. You could be dealing with hackers.
  • Description of the problem: The server uses an outdated, untrustworthy encryption algorithm.
  • Type of danger: Hackers can intercept your data.

Problem: Ciphers are not supported

  • Browser message: The example.com site sent an incorrect response.
  • Description of the problem: Unable to establish an HTTPS connection because the browser doesn’t support the cipher suite used by the site.
  • Type of danger: Transferred data will not be encrypted and hackers could intercept it.