IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

“Continue” Link Missing from Certificate Error Page?


A user recently reported that IE11 wasn’t showing the “Continue” link on the certificate error page shown when visiting their 2009-era router’s configuration UI. They were curious why that link wasn’t shown in this instance.

The error page’s Continue link is hidden:

  1. If the certificate is revoked
  2. If the certificate is deemed insecure (e.g. contains a 512-bit RSA key)
  3. If the page is in a “pinned site” instance
  4. If group policy is set to Prevent Ignoring Certificate Errors

In this case, #2 is the most likely.

Had the user provided a screenshot of the blocking page and the URL of the page (shown in right-click Properties, NOT the address bar), it would have simplified troubleshooting of the issue. Similarly, providing the make/model of the router would allow contacting the vendor to request a firmware update.

Here's what you see if the server sends a certificate with a 512-bit RSA key:

image[1]

Old IE versions (prior to IE10) omitted the line “The security certificate presented by this website is not secure” and included the “Continue” link, even though clicking it did nothing. IE10 fixed those shortcomings. At the time that this page was designed, complaining about RSA key length specifically in the error page was deemed unlikely to help users, since they’re rarely able to change the certificate a site uses.

Having said that, as a geek, I do like the page that Chrome shows:

image[3]

Firefox 26 doesn’t care or warn about the weak certificate. In contrast, if a certificate with a strong key is signed with a weak hash (e.g. MD5), IE doesn't complain, but both Firefox and Chrome will block access to the site.

Testing Weak Keys

You may be wondering how you can easily see how your software behaves with weak keys. Doing so is very easy with Fiddler and its Certificate Generator plugin. After installing the add-on and enabling HTTPS decryption in Fiddler, type prefs set fiddler.certmaker.bc.KeyLength 512 in the black QuickExec box underneath the Web Sessions list. Hit Enter, and restart Fiddler. Subsequently, Fiddler will generate server certificates that use a 512-bit key. To later revert this configuration, either type about:config in the QuickExec box and remove the preference using the UI, or type prefs remove fiddler.certmaker.bc.KeyLength, hit Enter, and restart Fiddler.

-Eric
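As an added example (not code from the original post or from any browser), the Python below reads the two properties the post contrasts, RSA key length and signature hash, straight from a certificate's DER bytes. The 1024-bit cut-off, the finding labels and the constructed sample certificate are assumptions made for illustration.

```python
OID_RSA = bytes.fromhex("2a864886f70d010101")             # rsaEncryption
SIG_OIDS = {"md5WithRSAEncryption": bytes.fromhex("2a864886f70d010104"),
            "sha1WithRSAEncryption": bytes.fromhex("2a864886f70d010105"),
            "sha256WithRSAEncryption": bytes.fromhex("2a864886f70d01010b")}
MIN_RSA_BITS = 1024  # assumed cut-off; the post only names 512-bit as insecure

def tlv(tag, body):
    """Encode one DER element (single-byte tag, definite length)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def children(buf):
    """Split DER bytes into a list of (tag, body) elements."""
    out, i = [], 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                       # long form: low 7 bits count the length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def sample_cert(bits, sig_name):
    """Constructed, unsigned certificate-shaped DER for the demo (not a real cert)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # placeholder, not a key
    alg = lambda oid: tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))
    rsa = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, alg(OID_RSA) + tlv(0x03, b"\x00" + rsa))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + alg(SIG_OIDS[sig_name]) + tlv(0x30, b"") * 3 + spki)  # empty issuer/validity/subject
    return tlv(0x30, tbs + alg(SIG_OIDS[sig_name]) + tlv(0x03, b"\x00"))

def inspect_cert(cert_der, min_bits=MIN_RSA_BITS):
    """Return RSA modulus size, signature algorithm and weak-crypto findings."""
    tbs, sig_alg, _sig = children(children(cert_der)[0][1])
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    rsa_bitstring = children(fields[5][1])[1][1]       # subjectPublicKeyInfo key bits
    rsa_key = children(rsa_bitstring[1:])[0][1]        # skip the unused-bits byte
    bits = int.from_bytes(children(rsa_key)[0][1], "big").bit_length()
    oid = children(sig_alg[1])[0][1]
    sig = next((name for name, v in SIG_OIDS.items() if v == oid), "unknown")
    checks = {"weak-key": bits < min_bits, "weak-hash": sig.startswith("md5")}
    return {"rsa_bits": bits, "signature": sig, "findings": [k for k, hit in checks.items() if hit]}

if __name__ == "__main__":
    print(inspect_cert(sample_cert(512, "sha256WithRSAEncryption")))
```

To check a real certificate, pass `inspect_cert` the bytes of a DER-encoded (.cer) export; it assumes an RSA key and does no signature or chain validation.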

  • Note, the "not secure" explanation doesn't seem to show if there is a "more obvious" error like an expired certificate. In this case it only shows the warning about the certificate and no other sign that there may be more problems. The problem with this is that the continue link is still missing, but not because of the expired certificate but because of the other (unknown) reason (out of 4).

    [EricLaw] That's not what I see. When a cert is both expired and insecure, I see only the warning about the fact that it's insecure. That's because the check for certificate integrity happens (and fails) first before the browser looks at the date in the certificate.

  • I have the same problem with the current version on IE 11 on Windows 8.1 Pro. The site is inside our firewall and doing a redirect to VMWare. I receive no error message.

    [EricLaw] What precisely does "I receive no error message" mean? What exactly do you see? Which browser are you using?

    A colleague on Windows7 with the same Browser has no issue and gets the Continue option on the webpage.

  • Now that CA Browser forum's baseline requirements deadline for ending issuance of certs with 1024 bit keys has passed, when will certs with 1024 bit keys be blocked in IE?

    [EricLaw] As I no longer work for Microsoft, I have no way to answer that question.

    Having said that, it's important to recognize that 1> Not all CAs are members of the CA Browser Forum (e.g. national government CAs, etc) and 2> Not all HTTPS scenarios rely upon public CAs (e.g. virtually all routers ship with self-signed certificates) and many enterprises have their own private CAs.

  • I am using IE version 11.  The company I deal with sends me to a secure site, but the same company has allowed their certificate to lapse, canceled 1SEP2009, yet the same company insists on working on a secure page to finalize the process.  This is required for everyday activities in my commissioning work. Worked fine with older versions of IE, but with my computer at IE ver 11, I am unable to complete the process. Is there a way to install IE ver 9 on windows 7, to replace my IE ver 11?

    [EricLaw] Hey, John-- The only way to have IE9 instead of IE11 would be to uninstall IE11 and then either install IE9 or you'll have it already (depending on what you had installed before). However, it's not clear that uninstalling IE11 will really solve the problem for you, since nearly all of the reasons you wouldn't see a Continue link are reasons that you wouldn't see such a link in IE9 either. What is the exact text at the top of the Certificate Error page? If you have Firefox or Chrome, what do their error pages say? Is the URL public?

  • Hey, Eric, What the screen says: The provider’s web page of their “secure” site, during a required registration process, sends this message:

    “Content was blocked because it was not signed by a valid security certificate. For more information, see “About Certificate Errors” in Internet Explorer Help.” There was no pop up box, like with older versions of IE that allowed you to “by-pass” the invalid certificate and continue.

    [EricLaw] Did you see this in a yellow notification bar or a full red error page?

    Here the provider’s secure web site would not let me proceed and complete my process.

    (I am not providing the provider’s name here

    [EricLaw] Why not?

    but just say it is a big corporation who is not supporting the product that requires registration, and they are attempting to move users to a more expensive and newer system, and they refuse to provide corrections to this older system, even though they continue to collect revenue from it. They will not validate their certificate nor will they remove the requirement to go to a secure site to finalize the registration. I know the corporation and I must trust this process, it is not like a scammer or thief. )

    [EricLaw] The point is that if the certificate isn't valid, you have no idea whether you're talking to the real "corporation" or someone who is intercepting your traffic.

    I borrowed an older laptop, older version of IE, sorry forgot the version, and used that machine. The old IE version when presented with the failure of an “invalid certificate” (in this case an “expired certificate”) gave me the pop-up box to exit(sp), details or continue, and I clicked on details

    [EricLaw] That sounds like IE6 to me.

    There it explained that their certificate had expired 1SEP2009.  (ed. Trying to back set the clock on the computer didn’t work either, since the certificate was expired.)

    [EricLaw] If the certificate having expired were the only problem with the certificate, then changing your system's clock would have worked just fine.

    Then I clicked on continue and the process went thru as intended.  Which I must be able to do, to get my registration. What I want to do, is avoid having to borrow an older computer with the proper version of IE. It is my objective to be able to do this with my Windows 7 PC.

    With windows 7 and IE11, I can’t find how to remove IE 11, like I could with older windows, nor can I figure out how to make IE8 work with windows 7.

    [EricLaw] When you remove Internet Explorer 11 using the Add/Remove Programs control panel (just like all other IE versions) the older version of IE is restored automatically.

  • @John: You need to go to "View Installed Updates" to find IE11 in the list.

  • I can tell you the company he's talking about is most likely hughesnet. I'm having the exact same problem with their outdated security certificate which expired in 2009. The problem is it's also unsigned since back dating my pc got around the expiration problem.
