aa.net.uk Broadband - Broadband you can work with


Browser warnings

If you access our web mail you may find that you get a warning on your browser that you are going to a secure site. You may also get a warning that the browser does not recognise the certificate authority.

How does it work?

A secure web site has a certificate which says who operates the site. But anyone could make up a certificate saying anything, so the certificate is digitally signed by a certificate authority (CA).

There are lots of certificate authorities, and your browser may have hundreds of CA certificates (root certificates) loaded into it automatically. This means your browser can check the signature on the certificate it gets from a secure web site.

We use a certificate authority called CAcert to sign our site certificate. However, this is not in most browsers by default. Hence the warning that the browser does not recognise it.

Why make life difficult?

It is really a matter of principle. People trust their browser supplier to include root certificate authorities for them. People do not actually check any of the companies for which they have CA certificates in their browser. We believe there is nothing to suggest CAcert are any better or worse than any other CA. The fact CAcert automate the whole process and only verify that someone controlling the domain has the certificate (by email to the same domain) means there is very little chance for error.

CAcert do not charge, whereas most CAs charge a lot, every year, especially for a wildcard certificate such as the one we use. Obviously we could pay, not a problem, but what are we paying for? All we want is for our site to be secure. They often have onerous terms and conditions on the use of the certificate. Yet all they are doing is acting as a notary - signing that we control a web site.

So is our site secure?

The main thing is that our site is secure. Communications between your computer and our site are encrypted. This includes credit card information or bank details. The risk you take by ignoring warnings, or by trusting what you may think is an untrustworthy root CA, is that someone could be intercepting traffic and pretending to be our site in order to get your details.

You take this risk when dealing with any on-line ordering site. You have not personally checked the CA, or the supplier. How can you trust us? The certificate authority does not vouch for the reputation of the supplier - just that they are who they say they are and can afford the certificate. It is easier for a fraudster to set up a web site which has security certificates that do not give errors, and collect details on bogus ordering pages, than it is to start intercepting access to our web site.

On top of all of this, we normally deal by Direct Debit and not card for most purchases. To get Direct Debit facilities you do have to convince a bank to trust you - which is a lot harder than getting a web security certificate. The fact that we do Direct Debit should say a lot about us as an organisation - much more than which root CA we use. Direct Debit on-line is very safe as you can always claw back the payments. So if someone did intercept our web site traffic and get your details you would not lose out.

Surely a proper certificate is better

It is a common view that the whole CA process that now exists is no better than extortion - a new type of protection racket. We do have a "proper" key for our accounts system and control pages, and confirmed that this can be obtained with no more than an email to postmaster at our domain as the only actual check - the same check that CAcert do - so a "proper" certificate offers you no extra security over one that is not in your browser, like CAcert's. If you think it does you have perhaps misunderstood the whole issue.

What to do about the warning?

So, if you get a warning, what can you do?

  • One way is simply to ignore the warning. This is not ideal as you will get it each time. If something did change (such as someone intercepting our web traffic somehow) you would get much the same warning and ignore it.
  • On many browsers you can set the browser to accept our site certificate permanently. This means that you get no more warnings. However, when we renew our certificate (approximately once a year) you will get the warning again. You can check the certificate is signed by CAcert, if you like, before accepting it.
  • You could load the CAcert root certificate into your browser. See here for details on how to install it. If you do this then our site will no longer get a warning, and neither will any others that use CAcert. This is obviously what we would recommend. If you are not sure, then maybe look at the list of root certificates you already have loaded, and try to work out whether you should have installed each of them. Basically you have no real way to know whether to trust us, CAcert, or any of the root certificates you already have loaded, do you?
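As an added example (not code from aa.net.uk or CAcert), the Go program below reproduces the signature check described under "How does it work?" and the effect of the third option above: a constructed test root CA issues a wildcard server certificate, and verification fails with an "unknown authority" error until that root is added to the trust store. All names are made up, and the hostname check is included because a certificate for the wrong name fails for a different reason than an unrecognised CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds constructed test data (not CAcert's real root, not the page's own certificate):
// parent == nil gives a self-signed root CA, otherwise a server cert for host signed by parent.
func newCert(cn, host string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
	}
	signer, issuer := key, tmpl // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{host}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyAgainst does what a browser does: checks that site chains to one of the trusted roots and is
// valid for host. With no matching root the error is x509.UnknownAuthorityError: the page's warning.
func VerifyAgainst(site *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool trusts nothing; nil would mean the system's root store
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := site.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

func main() {
	root, rootKey := newCert("Test Root CA", "", nil, nil)
	site, _ := newCert("*.example.test", "*.example.test", root, rootKey) // wildcard cert, as on the page
	fmt.Println(VerifyAgainst(site, "webmail.example.test"), "|", VerifyAgainst(site, "webmail.example.test", root))
}
```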

You still don't like it!

OK, if you really don't like it, feel free to call our sales or support departments on the phone instead of using the on-line pages. We operate 9am to 5pm, Monday to Friday. A phone call could be intercepted without your knowing, and there is no encryption to stop it being monitored. However, people have been trusting the telephone network with card and bank details for many years.

Your own secure site

If you want to run your own secure web site, see CAcert for details of getting your own certificate. You need a domain name of your own (which we provide with our broadband service) and a secure web server (such as with our virtual hosting). CAcert is free.

But your accounts pages have a "proper" cert?

Unfortunately the accounts pages are used by several companies for which we run the system, and they have asked for a "proper" certificate. Getting a "proper" certificate involved no more security checking than that done by CAcert, so you are no better protected. What is ironic is that the customers of the other companies we run accounts for are now happy as they do not get a warning, whereas before they were unhappy - yet the cert is for a different company (us) than the one they are dealing with. Nobody checks this. So now they have a certificate they supposedly trust that states clearly they are not dealing with the company they thought they were - but we have paid our protection money and so they no longer get a warning. It just highlights how this is more about protection money than about security.
