“Continue” Link Missing from Certificate Error Page?

A user recently reported that IE11 wasn’t showing the “Continue” link on the certificate error page shown when visiting their 2009-era router’s configuration UI. They were curious why that link wasn’t shown in this instance.

The error page’s Continue link is hidden:

  1. If the certificate is revoked
  2. If the certificate is deemed insecure (e.g. contains a 512-bit RSA key)
  3. If the page is in a “pinned site” instance
  4. If group policy is set to Prevent Ignoring Certificate Errors

In this case, #2 is the most likely.

Had the user provided a screenshot of the blocking page and the URL of the page (shown in right-click Properties, NOT the address bar), troubleshooting the issue would have been simpler. Similarly, providing the make/model of the router would allow contacting the vendor to request a firmware update.

Here's what you see if the server sends a certificate with a 512-bit RSA key:

image[1]

Old IE versions (prior to IE10) omitted the line “The security certificate presented by this website is not secure” and included the “Continue” link although clicking it was non-functional. IE10 fixed those shortcomings. At the time that this page was designed, complaining about RSA key length specifically in the error page was deemed unlikely to help users, since they’re rarely able to change the certificate a site uses.

Having said that, as a geek, I do like the page that Chrome shows:

image[3]

Firefox 26 doesn’t care or warn about the weak certificate. In contrast, if a certificate with a strong key is signed with a weak hash (e.g. MD5), IE doesn't complain, but both Firefox and Chrome will block access to the site.
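To confirm whether a given certificate falls into the weak-key or weak-hash case described above, the following added example (not code from the original post) reads the RSA modulus length and the signature algorithm directly from the DER encoding using only the Python standard library. The 1024-bit floor, the function names and the constructed sample certificate are assumptions made for illustration.

```python
# Added example, not from the original post: standard-library DER walk of an X.509 certificate.
RSA_ENCRYPTION, MD5_WITH_RSA = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.4"
def read_tlv(buf, pos=0):                      # -> (tag, content, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                         # split constructed content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def oid(raw):                                  # OBJECT IDENTIFIER content -> dotted string
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_cert(der, min_rsa_bits=1024):      # 1024 is an assumed floor, not from the post
    tbs, sig_alg, _sig = children(read_tlv(der)[1])
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]       # drop optional [0] version
    key_alg, key_bits = children(fields[5][1])                   # subjectPublicKeyInfo
    sig_oid, bits, findings = oid(children(sig_alg[1])[0][1]), None, []
    if oid(children(key_alg[1])[0][1]) == RSA_ENCRYPTION:
        modulus = children(read_tlv(key_bits[1][1:])[1])[0][1]   # [1:] skips unused-bits byte
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < min_rsa_bits:
            findings.append(f"weak RSA key ({bits} bits)")
    if sig_oid == MD5_WITH_RSA:
        findings.append("weak signature hash (MD5)")
    return bits, sig_oid, findings             # bits is None for non-RSA keys

def tlv(tag, body):                            # DER encoder, only used to build the sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (size if n < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(bits, sig_arc):                # constructed, unsigned skeleton; not a real cert
    alg = lambda arc: tlv(0x30, tlv(6, bytes.fromhex("2a864886f70d0101") + bytes([arc])) + b"\x05\x00")
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")   # leading 0x00 keeps it positive
    spki = tlv(0x30, alg(1) + tlv(3, b"\x00" + tlv(0x30, tlv(2, n) + tlv(2, b"\x01\x00\x01"))))
    body = tlv(0xA0, b"\x02\x01\x02") + tlv(2, b"\x01") + alg(sig_arc) + tlv(0x30, b"") * 3 + spki
    return tlv(0x30, tlv(0x30, body) + alg(sig_arc) + tlv(3, b"\x00"))
```

For a real certificate, pass inspect_cert the DER bytes of the exported file; ssl.PEM_cert_to_DER_cert() converts a PEM export to DER.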

Testing Weak Keys

You may be wondering how you can easily see how your software behaves with weak keys. Doing so is very easy with Fiddler and its Certificate Generator plugin. After installing the add-on and enabling HTTPS decryption in Fiddler, type prefs set fiddler.certmaker.bc.KeyLength 512 in the black QuickExec box underneath the Web Sessions list. Hit Enter, and restart Fiddler. Subsequently, Fiddler will generate server certificates that use a 512-bit key. To later revert this configuration, either type about:config in the QuickExec box and remove the preference using the UI, or type prefs remove fiddler.certmaker.bc.KeyLength, hit Enter, and restart Fiddler.

-Eric

Comments

  • Anonymous
    December 12, 2013
    Note, the "not secure" explanation doesn't seem to show if there is a "more obvious" error like an expired certificate. In this case it only shows the warning about the certificate and no other sign that there may be more problems. The problem with this is that the continue link is still missing, but not because of the expired certificate but because of the other (unknown) reason (out of 4).
    [EricLaw] That's not what I see. When a cert is both expired and insecure, I see only the warning about the fact that it's insecure. That's because the check for certificate integrity happens (and fails) first before the browser looks at the date in the certificate.

  • Anonymous
    December 19, 2013
    I have the same problem with the current version on IE 11 on Windows 8.1 Pro. The site is inside our firewall and doing a redirect to VMWare. I receive no error message.
    [EricLaw] What precisely does "I receive no error message" mean? What exactly do you see? Which browser are you using?
    A colleague on Windows 7 with the same browser has no issue and gets the Continue option on the webpage.

  • Anonymous
    January 28, 2014
    I am using IE version 11. The company I deal with sends me to a secure site, but the same company has allowed their certificate to lapse, canceled 1SEP2009, yet the same company insists on working on a secure page to finalize the process. This is required for everyday activities in my commissioning work. Worked fine with older versions of IE, but with my computer at IE ver 11, I am unable to complete the process. Is there a way to install IE ver 9 on Windows 7, to replace my IE ver 11?
    [EricLaw] Hey, John-- The only way to have IE9 instead of IE11 would be to uninstall IE11 and then either install IE9 or you'll have it already (depending on what you had installed before). However, it's not clear that uninstalling IE11 will really solve the problem for you, since nearly all of the reasons you wouldn't see a Continue link are reasons that you wouldn't see such a link in IE9 either. What is the exact text at the top of the Certificate Error page? If you have Firefox or Chrome, what do their error pages say? Is the URL public?

  • Anonymous
    February 02, 2014
    @John: You need to go to "View Installed Updates" to find IE11 in the list.

  • Anonymous
    February 27, 2014
    I can tell you the company he's talking about is most likely hughesnet. I'm having the exact same problem with their outdated security certificate which expired in 2009. The problem is it's also unsigned since back dating my pc got around the expiration problem.

  • Anonymous
    November 19, 2014
    So I just started having this issue for pages that I used to be able to access completely fine. IE11 would notify me that my cert was untrusted (self-signed certs) but would get the option to continue. All of a sudden that stopped working for me. It does not appear my issue is related to key size. For instance I'm trying to hit an internal appliance and all I get from IE is: "The security certificate presented by this website is not secure. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server." When I access it from Chrome, it does not mention anything about a weak key. It simply states "Your connection is not private. NET::ERR_CERT_AUTHORITY_INVALID" The difference is Chrome lets me continue anyway, but for some reason IE stopped allowing me to continue. Any ideas what this is?
    Never mind. It looks like I am running into the 512 bit key issue as this article mentions, but Chrome does not state this as the issue, as alluded to in this same article. Perhaps it's because the cert has multiple "issues" and Chrome just reports the one in the main message, in my case the untrusted CA. <shrug>
    I found a workaround blog.oracle48.nl/internet-explorer-10-continue-to-this-website-option-missing for those who want to continue using IE11 but still insecurely access older sites; it resolves my issue.

  • Anonymous
    October 02, 2017
    I am having this problem with an internal sandbox website I am supposed to be testing. Our company has kept all of our production certificates up to date, but some of our sandbox certificates don't get all the love they need. The website works fine in Chrome, but won't load in Firefox or IE11, and I need to do cross browser testing to make sure it looks good everywhere. Needless to say, our company is large enough that getting the attention of the department in charge of security certificates requires someone at a much higher pay grade than myself.