Protection from untrusted certificates
Yandex Browser for Mobile checks site certificates. The browser warns you if the website can't provide secure data encryption because of problems with the certificate.
Why websites need a certificate
Your personal data and payment information should be protected when you send them to a website. Websites use the HTTPS protocol for a secure connection. This protocol includes an asymmetric encryption algorithm, where data is encrypted with a public key and decrypted with a private key. For each session, the browser regenerates the private key and transmits it to the website with the necessary precautions to prevent theft.
If you end up on a phishing website, it might get the private key and decrypt your data. To protect against phishing, websites use digital certificates issued by certification authorities. The certificate guarantees that encryption keys really belong to the website owner.
What makes an untrusted certificate dangerous
If you open a phishing site or your data is unprotected on the original site (for example, because its certificate has expired), hackers can:
- Intercept or replace your personal data and read your correspondence.
- Get your payment data (card number, cardholder’s name, expiration date, and CVV2) and use it to steal money from your account.
Blocking websites with untrusted certificates
If the website does not provide secure encryption due to certificate issues, you will see the following warnings:
- in the SmartBox, a warning icon;
- instead of the website page, a warning that a secure connection is not possible.
Do not open the site or add its certificate to the trusted list.
Add a website to trusted sites
Alert
Make an exception only if you are completely sure the certificate is secure. Otherwise, hackers could get access to your personal data and online payments.
Tap Details → Make an exception for this site. The certificate will remain on the trusted list for 30 days. After that, you will need to make an exception again.
Reasons for blocking
Yandex Browser blocks websites if:
The certificate author is unknown
The certificate may have been installed by a hacker or a program (antiviruses, ad blockers, and similar applications can replace the site’s certificates with their own). If the certificate has been installed by an application, you will have to find it and disable HTTPS checking in it.
If you trust such a certificate, remember the following:
- Your data may become available to application developers you don’t know.
- The certificate could have been installed by malware pretending to be an application. Browsers currently cannot verify the authenticity of certificates installed by special applications.
Website address is incorrect
The website's security certificate was issued for a different website. The server may simply be misconfigured, but it is also possible that you have ended up on a phishing website. If this is the case, hackers can intercept your data.
Self-signed certificate
The site did not obtain a certificate from a certification authority but issued one to itself. To learn more, see Self-signed certificate. Malware or hackers can intercept your data.
Untrusted root certificate
The certification authority that signed the certificate is not trusted. Malware or hackers can intercept your data. To learn more about root certificates, see Root certificate.
The certificate has expired
Data will not be encrypted, which means that hackers can intercept it.
Certificate has been revoked
The site's certificate was compromised and revoked. Data will not be encrypted, which means that hackers can intercept it.
Encryption is outdated
The server uses an outdated, untrustworthy encryption algorithm. Hackers can intercept your data.
Ciphers are not supported
An HTTPS connection cannot be established because the website uses ciphers not supported by Yandex Browser. Data will not be encrypted, which means that hackers can intercept it.
The certificate key does not match the pinned key
The certificate key does not match the pinned site key. Attackers may be trying to replace the root certificate to intercept your data. To learn more about pinning (linking) a key, see HTTP Public Key Pinning.
Data could not be encrypted over HSTS
The browser could not enable encryption and broke the connection. The server where the website is located normally uses encryption, since the HSTS protocol is enabled on it. Lack of encryption may be a sign of a hacker attack. Hackers or malware can intercept your data.