

Event 1033 - Secure Sockets Layer (SSL)

  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
    • Workarounds for End Users
    • Workarounds for Network Administrators
    • Workarounds for Website Developers
  • Related topics

Logged Message

Secure Hypertext Transfer Protocol (HTTPS) uses either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols to secure Internet traffic and protect your computer from snooping or tampering by others on your network. In order to improve security, Windows Internet Explorer 8 and Windows Internet Explorer 7 automatically block navigation to any HTTPS site with invalid or erroneous security certificates.

What Is It?

New protocol defaults reduce the likelihood of someone taking advantage of configuration or protocol weaknesses to intercept or to modify Web traffic transferred using the HTTPS protocol. New error pages provide a simplified user experience, which also helps to mitigate social engineering and phishing attacks.

As an end user, network administrator, or website developer using Windows Internet Explorer, you might experience the compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: An error page appears when viewing a site configured to use only the Secure Sockets Layer (SSL) 2.0 protocol.
    Cause: Internet Explorer 8 automatically disables the Secure Sockets Layer (SSL) 2.0 protocol. Due to known security issues with the Secure Sockets Layer (SSL) 2.0 protocol, it has been replaced by the Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 protocols.
  • Symptom: An error page appears when viewing an HTTPS site configured to use weaker ciphers (such as 40-bit and 56-bit encryption) on Windows Vista.
    Cause: Windows Vista disabled the weaker encryption ciphers, only allowing the stronger ciphers to function properly.
  • Symptom: An error page appears when navigating to a Secure Sockets Layer (SSL) 2.0 site with an erroneous security certificate.
    Cause: Internet Explorer 8 automatically blocks navigation to any Secure Sockets Layer (SSL) 2.0 site with invalid or erroneous security certificates.
  • Symptom: An Information bar appears when viewing a page that mixes HTTPS and HTTP content.
    Cause: Internet Explorer 8 automatically blocks HTTP content from appearing in HTTPS pages.
  • Symptom: An error appears when navigating to an HTTPS site with a revoked security certificate on Windows Vista.
    Cause: Windows Vista automatically performs a check for revoked security certificates on HTTPS sites.

When Is This Event Logged?

This event is logged when Internet Explorer encounters invalid or erroneous security certificates.

Example

Perform the following steps to see this event logged in the compatibility tool:

Note  These steps require the use of Microsoft Internet Information Services (IIS) 7.

 

  1. Launch Control Panel > Administrative Tools > Internet Information Services (IIS) Manager as Administrator.

  2. You need to create a test certificate. To do this, select the server node in the tree view and double-click the Server Certificates feature in the list view.

  3. Click Create Self-Signed Certificate... in the Actions pane.

  4. Enter a friendly name for the new certificate and click OK. Now you have a self-signed certificate. The certificate is marked for "Server Authentication" use; that is, use as a server-side certificate for HTTP SSL encryption and for authenticating the identity of the server.

  5. You now need to create an SSL Binding. Select your Default WebSite in the left tree view pane and click Bindings in the right Actions pane.

  6. In the Site Bindings dialog box, click Add.

  7. In the Add Site Binding dialog box, select https in the Type drop-down. Select the self-signed certificate you created earlier from the SSL Certificate drop-down. When finished, the Site Bindings dialog box lists the new https binding.

  8. In IIS Manager, look in the right pane under Browse Website.

  9. Select Browse *:443 (https).

Internet Explorer is launched and attempts to browse to the site you set up under HTTPS. You will see a certificate error message.

At the same time Internet Explorer displays this message, it also logs the Secure Sockets Layer event.

Remediation

The following sections describe possible workarounds for some of the most common Internet Explorer issues, as faced by end users, Network Administrators, and website developers.

  • Workarounds for End Users
  • Workarounds for Network Administrators
  • Workarounds for Website Developers

Workarounds for End Users

As an end user of Internet Explorer, you can work around the compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: An error page appears when viewing an HTTPS site configured to use weaker ciphers (such as 40-bit and 56-bit encryption) on Windows Vista.
    Workaround: There is no workaround for this issue. Please contact the website owner and request stronger encryption options.
  • Symptom: An error page appears when navigating to an HTTPS site with an erroneous security certificate.
    Workaround: The workaround depends on what is wrong with the certificate:
      • Expired certificates. There is no workaround for an expired certificate. You must contact the website owner and request that they update the certificate.
      • Non-matching addresses. If the address in the security certificate does not match the website's address, you can clear the Warn about certificate address mismatch check box, located in the Advanced tab of the Internet Options dialog box, and successfully navigate to the website.

        Security Warning:  Changing this setting is not recommended.

      • Unsigned certificate. If a trusted certification authority did not sign the security certificate, you can manually add the authority.

        Security Warning:  Trusting a malicious certification authority puts your computer at risk.

        To manually add an authority

        1. Click the Certificate Error button in the Internet Explorer address bar of the Certificate Error warning page.
        2. Click View Details.
        3. Select the root certificate in the Certification Path tab, and then click View Certificate.
        4. Click Install Certificate in the General tab.

Workarounds for Network Administrators

As a Network Administrator of computers running Internet Explorer 8, you can work around the compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: An error page appears when viewing an HTTPS site configured to use weaker ciphers (such as 40-bit and 56-bit encryption) on Windows Vista.
    Workaround: You must configure your Web server software to offer stronger encryption options. If the Web server is not in your control, contact the server operator.
  • Symptom: An HTTPS error page appears, enabling users to continue on to a website that presented the erroneous certificate.
    Workaround: Enable the Prevent ignoring certificate errors setting from your Group Policy. Enabling this option removes the ability to continue to a website from an HTTPS error page.

To enable the setting using Group Policy

  1. Start the Group Policy tool (GPEdit.msc).
  2. Expand the policy structure using the following path: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel.
  3. Double-click the Prevent ignoring certificate errors setting.
  4. Click Enabled, and then click OK.

 

Workarounds for Website Developers

As a website developer for sites viewed with Internet Explorer 8, you can work around the compatibility impact of HTTPS Security Improvements in the following ways:

  • Symptom: An error page appears when viewing a site configured to use only the Secure Sockets Layer (SSL) 2.0 protocol.
    Workaround: Enable Secure Sockets Layer (SSL) 3.0 or later in your Web server software.
  • Symptom: An error page appears when viewing an HTTPS site configured to use weaker ciphers (such as 40-bit and 56-bit encryption) on Windows Vista.
    Workaround: Enable strong ciphers (128-bit or higher) in your Web server software.
  • Symptom: An error page appears when navigating to an HTTPS site with an erroneous security certificate.
    Workaround: The workaround depends on what is wrong with the certificate:
      • Expired certificates. Ensure that you are using valid, non-expired security certificates issued by a trusted root certification authority.
      • Non-matching addresses. Ensure that the address in the certificate matches the address of your website. This is particularly important for servers that are addressable by multiple hostnames. For example, a certificate issued to email.fabrikam.com is not valid for use on mailbox.fabrikam.com. You must either purchase a certificate that lists both hostnames, or purchase a wildcard (*) certificate for *.fabrikam.com.
  • Symptom: An Information bar appears when viewing a page that mixes HTTPS and HTTP content.
    Workaround: Ensure that your HTTPS webpages do not contain embedded references to resources addressed by the HTTP protocol.

Note  If you have a webpage that is viewable from either HTTP or HTTPS, make sure you use protocol-relative hyperlinks to address resources.

For example, if you have an image on www.fabrikam.com/account.htm that is addressable using either http:// or https://, you must use <img src="//www.fabrikam.com/pic.jpg"> instead of <img src="www.fabrikam.com/pic.jpg">.

This way, if the user views the site using HTTPS the image is downloaded through HTTPS, but if the user views the website using HTTP, the image is downloaded through HTTP.
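The mixed-content rule described above can be checked before a page ships. The following Python scanner is an added example, not code from the original page: it resolves each embedded reference against the page URL and reports the ones an HTTPS page would load over HTTP. The tag list, function names, and sample HTML are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that makes the browser fetch an embedded resource for each tag.
# <a href> is a navigation, not embedded content, so it is not listed.
FETCH_ATTR = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src",
              "object": "data", "link": "href"}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, reference as written, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(FETCH_ATTR.get(tag, ""))
        if not ref:
            return
        # Only stylesheet links are fetched into the page; skip rel=canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Resolve the way the browser does: "//host/path" inherits the page scheme.
        resolved = urljoin(self.page_url, ref.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, ref, resolved))

def find_mixed_content(page_url, html):
    """Return embedded resources that an HTTPS page would load over HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # on an HTTP page nothing is "mixed"
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, using the page's fabrikam.com host name.
SAMPLE_HTML = """
<img src="//www.fabrikam.com/pic.jpg">
<img src="http://www.fabrikam.com/banner.jpg">
<script src="http://www.fabrikam.com/site.js"></script>
<link rel="stylesheet" href="/style.css">
<a href="http://www.fabrikam.com/help.htm">Help</a>
"""

if __name__ == "__main__":
    for url in ("https://www.fabrikam.com/account.htm", "http://www.fabrikam.com/account.htm"):
        print(url, find_mixed_content(url, SAMPLE_HTML))
```

The protocol-relative image and the plain hyperlink are not reported; only the two references with a hard-coded http:// scheme are.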
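The expired and non-matching address cases from the certificate workarounds above, as an added Python example that is not part of the original page. It goes beyond the email.fabrikam.com case to the general rule that a wildcard covers exactly one label, and it also flags the self-signed kind of certificate created in the Example section; the certificate dictionaries, the issuer name "Example Test CA", and the host name iis-test are constructed.

```python
import ssl
import time

def name_matches(pattern, host):
    """Match a certificate DNS name against a host name, label by label.
    A leading '*' stands for exactly one label, so '*.fabrikam.com' covers
    mailbox.fabrikam.com but not fabrikam.com or a.b.fabrikam.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS names from subjectAltName, else the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]

def diagnose(cert, host, now=None):
    """List the certificate problems the page names, for one cert and host."""
    now = time.time() if now is None else now
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(name_matches(n, host) for n in cert_names(cert)):
        problems.append("address mismatch")
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")  # issuer equals subject: no CA signed it
    return problems

def make_cert(cn, dns_names, issuer_cn):
    """Constructed certificate, in the dict layout Python's ssl module uses."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": tuple(("DNS", n) for n in dns_names),
            "notBefore": "Jan  1 00:00:00 2009 GMT",
            "notAfter": "Jan  1 00:00:00 2010 GMT"}

# Constructed samples; "Example Test CA" is a made-up issuer name.
SINGLE = make_cert("email.fabrikam.com", ["email.fabrikam.com"], "Example Test CA")
WILDCARD = make_cert("*.fabrikam.com", ["*.fabrikam.com"], "Example Test CA")
SELF_SIGNED = make_cert("iis-test", ["iis-test"], "iis-test")
MID_2009 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2009 GMT")

if __name__ == "__main__":
    for cert in (SINGLE, WILDCARD, SELF_SIGNED):
        print(diagnose(cert, "mailbox.fabrikam.com", MID_2009))
```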

 

Related topics

  • Internet Explorer Application Compatibility
  • Events 1030 through 1037