If a website's SSL certificate is invalid or not available, users may see an error message when they attempt to load it.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
Users may occasionally find themselves blocked from reaching a website by a "Your connection is not private" message. This error means that the connection between the client (the user's device, such as a laptop or tablet) and the server (the website host) is not encrypted, even though the client device expected it to be encrypted.
As a result, attackers will be able to see what the user does on the website – messages between the client and the server are sent in plaintext, instead of being scrambled via encryption. In addition, the client is unable to verify that it is connected to the correct server.
This is why the browser will say "Your connection is not private" or "Your connection is not secure": it can't verify the web server, and it can't encrypt messages to stop attackers from reading them.
This error is caused by an issue with the website's SSL certificate – it's missing, or it's expired, or it wasn't issued by a legitimate certificate authority, or the client can't access it for some other reason. SSL certificates are necessary for serving websites over secure HTTPS connections.
An invalid or missing SSL certificate is almost the cryptographic equivalent of a cashier at a corner store asking a man for identification in order to prove he's old enough to purchase alcohol, and instead of producing a government-issued ID card, he pulls out a piece of paper on which someone has written, "This man is named Jeff, and he is 22 years old." This, of course, is not legitimate identification. The man may not in fact be 22 years old, and for that matter the man might not even be named Jeff. The cashier is right to respond with suspicion and terminate the transaction altogether.
Much like Jeff, a website without an SSL certificate cannot prove its identity. On top of that, a website without an SSL certificate can't encrypt communications – imagine if Jeff's lack of an ID card meant that anyone around the world could suddenly hear the conversation between Jeff and the cashier.
Often users can still continue on to the page in spite of this message, although this is not recommended. Without HTTPS, a variety of cyber attacks are possible.
An SSL certificate verifies ownership of a website and makes opening a secure, encrypted connection possible. It's a text file installed on a web server with information like:
An SSL certificate is necessary for encrypting communications to and from a website using SSL, or TLS, encryption. This is also known as HTTPS.
If data is encrypted with TLS/SSL, when someone intercepts the data going back and forth between client and server, it just looks like random nonsense to them. If data is not encrypted, someone can intercept the data and easily read it. Encryption is like an envelope protecting the contents of a personal letter as it goes through the mail.
A number of issues with the SSL certificate can cause the "Your connection is not private" error:
The website's SSL certificate isn't valid or is missing. This could be the case for a number of reasons. It can mean that the SSL certificate presented lists the wrong website, that the SSL certificate has expired, or that there's no SSL certificate at all when one was expected – for instance, if a user types https://www.example.com into a browser, but example.com doesn't have HTTPS.
The SSL certificate doesn't list variations on the domain name. For example, the SSL certificate may list www.example.com, but not example.com (without the "www"). This happens when the Subject Alternative Name (SAN) section of an SSL certificate is not filled out properly. As a result, the website has a working SSL certificate, but there's a mismatch between the URL the user typed in and what's listed on the certificate. The browser therefore considers the certificate invalid.
The web server presented an SSL certificate for the wrong website. This can happen when multiple websites are hosted at one IP address. If each of those websites has its own SSL certificate, the server may not know which SSL certificate to show when a client device tries to securely connect to one of the websites – much like when a package is mailed to an apartment complex but the apartment number is not included in the address. An extension to the TLS protocol called SNI helps prevent this error.
Other possible causes include:
In Chrome, this message appears when clicking on the "Not Secure" in the browser bar when on an HTTP site. It means that the website does not have an SSL certificate and does not use SSL/TLS for encrypting traffic to and from the site. Browsers won't typically block websites that don't have HTTPS, but users should avoid entering personal data, like login credentials, credit card data, or government-issued ID numbers, on non-HTTPS websites.
Cloudflare offers free SSL/TLS encryption for any website. Websites with Cloudflare TLS encryption should not encounter most of these errors, although improperly configured client devices could still cause them to pop up from time to time. Learn more about free SSL certificates from Cloudflare.