How to encrypt a connection. Your connection is not secure - how to fix the error

Let’s learn the basics of “anonymity” on the Internet.

The article will help you decide whether you specifically need a VPN and choose a provider, and will also tell you about the pitfalls of this technology and alternatives to it.

This material is simply a story about VPN with an overview of providers, intended for general development and solving minor everyday problems.

It won’t teach you how to achieve complete anonymity on the Internet and 100% traffic privacy.

What is a VPN?

A Virtual Private Network (VPN) is a network of devices that is built on top of another network and within which, thanks to encryption technologies, secure channels are created for data exchange.

The VPN server manages user accounts on this network and serves as an entry point to the Internet for them. Encrypted traffic is transmitted through it.

Below we will talk about providers that give access to VPN servers in different countries. But first, let's figure out why this is needed at all.

Benefits of Using a VPN

1. Change of “address”

In what cases does a law-abiding Russian need a different IP?

2. Protection from petty troublemakers

A VPN provider will not save you from persecution by the authorities, but it will protect you from:

  • An office network administrator who collects incriminating evidence against you or simply likes to read other people’s letters;
  • Schoolchildren who amuse themselves by sniffing the traffic of a public Wi-Fi hotspot.

Disadvantages of Using a VPN

Speed

Internet access speed when using a VPN provider may be lower than without it. First of all, this applies to free VPNs. In addition, it can be unstable: depending on the time of day or location of the selected server.

Technical difficulties

The VPN provider may experience outages, especially if it is small and little known. The most common problem: the VPN disconnects and does not tell anyone anything. You need to make sure that your connection is blocked if problems arise with the server.

Otherwise, it could go like this: you write angry comments on your roommate’s articles, the VPN quietly turns off, your real IP shows up in the admin panel, you miss it, and your neighbour notices and starts planning revenge.

Imaginary anonymity

The licence agreements of many VPN providers openly state that the user does not have the right to violate copyrights, run hacking tools or send spam, and that in case of violation the account is blocked without a refund. Example: the ExpressVPN Terms of Service. It follows that the user's actions on the network are monitored.

And some smart VPN providers, for example Astrill, require SMS confirmation to activate your account (does not work for Russian numbers). Do you want to hide your IP and encrypt traffic? Ok, but leave your number just in case.

And the questionnaires when registering accounts are sometimes annoying with unnecessary questions. For example, why does a VPN provider need a person's zip code? Sending packages for the New Year?

The user's identity can also be established through bank cards (or through the payment-system wallets from which virtual cards are topped up). Some VPN providers lure users by accepting cryptocurrencies as payment. This is a plus for anonymity.

Choosing a VPN service

VPN providers are a dime a dozen. After all, this is a profitable business with a low entry barrier. If you ask such a question on a forum, service owners will come running and bombard you with their advertising.

To help you choose, the website bestvpn.com was created, where ratings and reviews of VPN providers are published.

Let's briefly talk about the best VPN services (according to bestvpn.com) that have an application for iOS.

ExpressVPN

96 cities in 78 countries. 30-day money back guarantee in case of service interruptions. There are applications for OS X, Windows, iOS and Android. You can work with 5 devices simultaneously.

Price: from $9.99 to $12.95 per month (depending on payment period).

Private Internet Access

25 countries. There are applications for OS X and Windows; see the project website.

Price: from $2.50 to $6.95 per month (depending on payment period).

IP Vanish VPN

More than 60 countries. There are VPN clients for iOS, Android, Windows, Mac, Ubuntu, Chromebooks and routers. It is possible to work with several devices at once.

Optimistic paranoids

A very interesting marketing ploy. They propose to run encrypted traffic not through one, but through two or three servers.

My opinion on this matter is this: if a VPN is needed only to hide which country you are from, then it does not make sense. But if there really is something to hide, then what’s the point of transmitting it through three other people’s servers at once?

Alternatives

Own OpenVPN server

Tor

Traffic on the Tor network is transmitted through several independent servers in different parts of the world in encrypted form. This makes it difficult to determine the user's original IP address. But the cautionary tale of Ross Ulbricht (owner of Silk Road) reminds us that American intelligence agencies are capable of many things.

Pros:

  • For free;
  • Access to the onion network (“darknet”). There are a number of sites that are only accessible from the Tor Browser. These are their own search engines (Grams), stores, libraries, cryptocurrency exchanges, contextual advertising systems, and the Onion Wiki encyclopedia. But for a law-abiding Russian there is nothing interesting on this network.

Cons:

  • Slow speed.

What does Roskomnadzor think?

Department employees are extremely dissatisfied with the fact that Russians strive for anonymity on the Internet. Recently, a spokesman for Roskomnadzor called Tor users “social scum,” and the agency itself advocates banning anonymizers. But Russians do not listen to such opinions. Egor Minin (founder of RuTracker) claims that half of the users of his resource know how to bypass blocking.

Conclusions

This article has everything you need to start using VPN providers and have no illusions about them. But how can you achieve complete anonymity on the Internet?

Go to the Seychelles, find several reliable natives with cryptocurrency there, who will buy a dozen servers for you in different third world countries, and deploy OpenVPN on each of them? :-)

I think any paranoid person can come up with a more interesting scheme for themselves :-) In conclusion, an old joke about the elusive Joe:

A town in the steppe of the American West. A saloon. Two cowboys, a local and a visitor, sit at a table drinking whiskey. Suddenly someone races down the street at great speed, firing pistols in all directions. Nobody in the saloon pays any attention. The visitor asks the local:
- Bill?
- Yes, Harry?
- What was that, Bill?
- It was Elusive Joe, Harry.
- Why is he called Elusive Joe, Bill?
- Because no one has caught him yet, Harry.
- Why hasn’t anyone caught him yet, Bill?


SoftEnter VPN Client program.

Given the real threat that the punitive provisions of the Anti-Piracy Law will be expanded and possibly applied to ordinary users, namely the possible introduction of fines for downloading pirated content (films, music, programs and so on), I continue to introduce visitors to my sites to ways of avoiding such fines, that is, to downloading from the Internet ANONYMOUSLY. Earlier I showed how to download anonymously from direct links and from torrents. In this article we will look at one of the ways to encrypt all of your Internet traffic. Encrypting all Internet traffic will allow you to become completely anonymous on the Internet by changing your IP address to a third-party one. After changing your IP address with the application proposed in this article, no outsider will be able to find out which sites you visited or what you downloaded; the traffic of your torrent client will be encrypted as well.

We are talking about an application called SoftEnter VPN Client. It is a client program for connecting to a service called VPN Gate.

The VPN Gate service is an experimental project of the Graduate School of the University of Tsukuba (Japan). The idea of the project is that volunteers organise a public network of VPN tunnels, created with special software and made available free of charge for public use. Anyone can connect to them.

The public VPN Gate networks are provided by ordinary people, not companies, so even the hypothetical possibility of logs (the history of sites you visited and of your downloads) being handed over at the request of the competent authorities is excluded. The VPN Gate service was created to let citizens of countries where certain sites are blocked visit them freely and anonymously, but the service can also be used to download the content you need without fear of unpleasant consequences.

Setting up the SoftEnter VPN Client program is not difficult at all. I'll show you how to do it now.

First, download the archive with the SoftEnter VPN Client installation file from the developer’s website (link).



1. After downloading the archive, unpack the folder with the installation file onto your desktop.

2. Open it and start installing the SoftEnter VPN Client software.

3. After the installation has finished, launch SoftEnter VPN Client.

4. Select one of the VPN servers and connect to it.

5. After connecting to the selected VPN server, all your Internet traffic will be sent through a third-party server, reliably hiding your online activities.

6. You can easily check that you are connected to the VPN server of your choice by visiting one of the IP address checking services. They are not difficult to find: in the search bar of any search engine, for example Yandex, type the phrase “ip check”.

7. Disabling the VPN connection is easy. After installing SoftEnter VPN Client, a special icon appears in the tray. Right-click on it and in the context menu that appears, select the bottom line to disable the program.


As you can see, it’s not at all difficult to encrypt all your Internet traffic using the SoftEnter VPN Client program and the VPN Gate service.
In the near future, we will continue to study the topic of encrypting Internet traffic and consider another way to encrypt traffic using VPN services, directly, without using third-party applications, but only by changing the Internet connection settings.

Secure sites on the Internet can be recognised by the acronym HTTPS (Hypertext Transfer Protocol Secure) and the green security marking on the left side of the browser’s address bar; this indicates that data exchange between the browser and the site, including all of its components, is encrypted. In addition, the server must present a valid certificate before transmitting data. This way, users can be sure that they are opening the “correct” site, and not one planted by attackers.

However, this is an all-or-nothing approach: the server transmits data either completely encrypted via HTTPS or completely unencrypted via HTTP. But there are often cases when only part of the site is encrypted, for example, if it contains advertising that is transmitted over HTTP, or uses scripts that again access HTTP resources. This leads to problems in HTTPS: browsers display warnings, block or display sites incorrectly. In such cases, Opportunistic Encryption (OE) offers a solution.

Opportunistic encryption

Opportunistic encryption (OE) is an important intermediate solution between HTTP and HTTPS. This method, if necessary, allows you to encrypt the transfer of site data via HTTP. A side effect of using OE is that site data can be transferred over HTTP/2 at higher speeds.

Figure: Increasing the share of secure connections. Chrome users are increasingly exchanging data over HTTPS connections, according to regular Google estimates.

HTTP encryption

OE is a method currently being defined by the Internet Engineering Task Force. The essence is this: the cryptographic protocol TLS (Transport Layer Security) is used to transfer data from HTTP sites. It resembles HTTPS only superficially, which is why, with OE, the “HTTPS” mark is not shown in the address bar.

To see the difference, you need to compare how a connection between the browser and the server is established over HTTPS and over OE, and look at how the browser behaves. In the sidebar “Three Methods to Access Websites” below we give a schematic description of how both methods work. HTTPS is designed to be secure from the start: it responds immediately to an explicit browser request to establish an encrypted connection.

If the server cannot establish it, communication ends with an error message before it can actually begin. From a security point of view, this is the right decision, since unencrypted data transfer cannot take place over HTTPS.

OE works differently. The browser requests an insecure HTTP site from the server on port 80. Through the so-called alternative service, a simple additional header, the server responds by telling the browser that it can transmit data from a similar site not only through port 80, but also through port 443 using TLS. If the browser supports OE (currently only Firefox), the following requests can occur over TLS.

As with HTTPS, the browser first verifies the server's certificate, then the encryption key is exchanged, and only then a secure connection is established between the browser and the server. But, unlike HTTPS, if encryption fails, the data transfer is not interrupted - it switches to unencrypted communication, as the browser originally requested from the server.

Technically, the difference between HTTP with TLS and HTTPS, as far as requests are concerned, is not the strength of the encryption but only the letter S in the address bar. The difference lies in how the connection to the site is established and in the fact that browsers treat HTTP and HTTPS connections differently: an encrypted HTTP connection, unlike HTTPS, may carry questionable mixed content, such as links to HTTP resources or advertising that is transmitted only in clear text.

Figure: Speed comparison, accessing the site via HTTP and HTTP/2. Tests show that HTTP/2 is much faster, but its data transfer channels are still protected by HTTPS. HTTP connections over HTTP/2 are only made possible by OE.

More speed, less safety

Opportunistic encryption can be safely seen as a stopgap until all sites switch to HTTPS, a process that will take many years. Meanwhile, OE can be used to increase communication speed. For HTTP/2, the second version of the HTTP protocol, encryption is required. HTTP/2 transfers data from secure sites, and those sites become faster (see the speed comparison figure), but only if they support HTTPS. Since OE works specifically on HTTP sites, data from such sites can also be transmitted over the faster HTTP/2 protocol.

Until all sites switch to HTTPS, opportunistic encryption is a practical workaround

When it comes to security, OE doesn't do all the work. This method can protect against passive eavesdropping, for example, by intelligence agencies that monitor network traffic in general. An active attack only needs to intercept the first header, in which the server offers an alternative service. As soon as this indication is removed, the encryption establishment process is interrupted and it becomes possible to listen to the unprotected channel.
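To make the difference between the two connection models concrete, here is an added example (not code from the article): a small Python model of an origin, a client and a network, in which the OE hint travels in the Alt-Svc header as defined in RFC 7838 (my assumption about which "alternative service" header the article means). It shows that HTTPS fails hard when TLS is unavailable, while OE silently falls back to plaintext, and that an active attacker only has to delete one plaintext header to keep the whole exchange unencrypted.

```python
"""Model of opportunistic encryption (OE) next to HTTPS, showing why OE only
defeats a passive observer.

Added example, not code from the article. The Alt-Svc header syntax is the
one in RFC 7838 (e.g. h2=":443"; ma=3600); the origin, client and network
below are simplified models written for this illustration, not browser code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# protocol-id "=" quoted alt-authority, optionally followed by ;param=value pairs
_ALT_SVC_RE = re.compile(r'([A-Za-z0-9%._-]+)="([^"]*)"((?:\s*;\s*[A-Za-z0-9_-]+=[^;,]*)*)')


@dataclass
class AltService:
    protocol: str  # e.g. "h2"
    host: str      # "" means the same host as the origin
    port: int
    max_age: int   # seconds the browser may remember this alternative


def parse_alt_svc(value: str) -> List[AltService]:
    """Parse an Alt-Svc header value; the special value "clear" drops all alternatives."""
    if value.strip().lower() == "clear":
        return []
    services = []
    for proto, authority, params in _ALT_SVC_RE.findall(value):
        host, _, port = authority.rpartition(":")
        max_age = 86400  # RFC 7838 default when no ma parameter is given
        for name, val in re.findall(r'([A-Za-z0-9_-]+)=([^;,\s]*)', params):
            if name == "ma":
                max_age = int(val.strip('"'))
        services.append(AltService(proto, host, int(port), max_age))
    return services


@dataclass
class Origin:
    """A site that serves plaintext HTTP on port 80 and (maybe) TLS on port 443."""
    tls_works: bool = True
    advertises_oe: bool = True

    def respond(self, port: int) -> Dict:
        if port == 80:
            headers = {"Alt-Svc": 'h2=":443"; ma=3600'} if self.advertises_oe else {}
            return {"headers": headers, "encrypted": False}
        if not self.tls_works:
            raise ConnectionError("TLS handshake failed")
        return {"headers": {}, "encrypted": True}


def network(response: Dict, active_attacker: bool) -> Dict:
    """A passive attacker only watches. An active one can rewrite the plaintext
    reply, and the cheapest rewrite is simply deleting the Alt-Svc header."""
    if active_attacker and not response["encrypted"]:
        headers = {k: v for k, v in response["headers"].items() if k.lower() != "alt-svc"}
        return {**response, "headers": headers}
    return response


def fetch_https(origin: Origin, active_attacker: bool = False) -> List[bool]:
    """HTTPS: the browser starts on 443; if TLS fails, the connection fails (no plaintext fallback)."""
    return [network(origin.respond(443), active_attacker)["encrypted"]]


def fetch_with_oe(origin: Origin, active_attacker: bool = False) -> List[bool]:
    """OE: the first request is always plaintext; later ones use TLS only if the
    Alt-Svc hint survived the network and the handshake succeeds."""
    first = network(origin.respond(80), active_attacker)
    encrypted = [first["encrypted"]]
    alternatives = parse_alt_svc(first["headers"].get("Alt-Svc", "clear"))
    port = next((a.port for a in alternatives if a.protocol == "h2"), 80)
    try:
        second = network(origin.respond(port), active_attacker)
    except ConnectionError:
        second = network(origin.respond(80), active_attacker)  # silent fallback to plaintext
    encrypted.append(second["encrypted"])
    return encrypted
```

Each fetch function returns, per request, whether that request travelled encrypted; compare `fetch_with_oe(Origin(), active_attacker=True)` with `fetch_https(Origin(), active_attacker=True)`.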

OE is not an alternative to HTTPS, and even its proponents do not claim that it is. Skeptics also point out that OE gives site administrators a convenient excuse not to switch to HTTPS. In reality, it does not quite work out that way: it is often the technical reasons listed above that hold back the transition.

Will HTTPS disappear completely?

Even the inventor of the World Wide Web, Tim Berners-Lee, joined the discussion about encryption on the Internet. He advocated moving away from HTTPS altogether - not in the sense of putting an end to encryption, but on the contrary: he proposed using TLS cryptography in real time for all network traffic - then there would be no need to separate HTTP and HTTPS.

Three Methods to Access Websites

The browser and website communicate either over an unencrypted channel using HTTP, or over an encrypted channel using HTTPS, or using the new Opportunistic Encryption method over HTTP.

HTTP

With a standard HTTP request, the browser contacts the server and sends a request over an unencrypted channel, to which the server responds without authentication, also in clear text.

HTTPS

Before sending even a bit of payload, an encrypted connection is established between the browser and the server using the HTTPS protocol. This method also includes authentication.


New: Opportunistic Encryption

Opportunistic encryption starts with an unencrypted request. Encryption is established only when the server sends an alternative header offering to encrypt the channel.

Here's the danger: Using a man-in-the-middle attack, an attacker can hijack the alternate header (see main text)


When Firefox connects to a secure website (the URL begins with "https://"), it must verify that the certificate presented by the website is valid and that the encryption is strong enough to adequately protect your privacy. If it is unable to verify this, Firefox stops connecting to the site and will show you an error page with the message, Your connection is not secure.

Click the Advanced button to view the error code and other information about the error. Common errors are described in this article.

  • If Firefox shows you a Secure Connection Failed or Did Not Connect: Potential Security Issue error page instead, see this article.


What to do if you see these errors?

If you see a Warning: Potential Security Risk Ahead message, you may:

  • Contact the website owner and ask them to correct their certificate.
  • Click Go Back (Recommended), or visit a different website.
  • If you are on a corporate network or using antivirus software, reach out to the support teams for assistance.

After viewing the error code and other information about the error, click the Accept the Risk and Continue button to load the site at your own risk. This will add a security exception for the website certificate.

Warning! Do not proceed to the website unless you understand the reasons for the security warning. Legitimate public sites will not require you to add a security exception for their certificate. An invalid certificate can be an indication of a web page that will defraud you or steal your identity.

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

This error indicates that the website's certificate has not complied with security policies in Mozilla's CA Certificate Program. Most browsers, not just Firefox, do not trust certificates by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign because these certificate authorities failed to follow security practices in the past.

The owners of the website need to work with their certificate authority to correct the policy problem. Mozilla's CA Certificate Program publishes a list of upcoming policy actions affecting certificate authorities which contains details that might be useful to the website owners.

For more information, see the Mozilla Security Blog post, Distrust of Symantec TLS Certificates.

SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE

The certificate will not be valid until date (...)

SEC_ERROR_EXPIRED_CERTIFICATE

The certificate expired on date (...)
This error occurs when a website's identity certification has expired.

The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time (double-click the clock icon on the Windows Taskbar) in order to fix the problem. More details about this are available in the support article How to troubleshoot time related errors on secure websites.

SEC_ERROR_UNKNOWN_ISSUER

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

MOZILLA_PKIX_ERROR_MITM_DETECTED

A special case of SEC_ERROR_UNKNOWN_ISSUER in which a man-in-the-middle attack is detected.

ERROR_SELF_SIGNED_CERT

The certificate is not trusted because it is self-signed.

More details are available in the support article How to troubleshoot security error codes on secure websites.

SSL_ERROR_BAD_CERT_DOMAIN

Firefox does not trust this site because it uses a certificate that is not valid for that particular site. Information sent over this site could be at risk, so the best thing for you to do is contact the website owners to correct the problem.

SEC_ERROR_OCSP_INVALID_SIGNING_CERT

The site is not configured correctly and failed a security check. If you visit this site, attackers could try to steal your private information, like passwords, emails, or credit card details.

The issue is with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.

Corrupted certificate store

You may also see certificate error messages when the file in your profile folder that stores your certificates cert9.db has become corrupted. Try to delete this file while Firefox is closed to regenerate it:

Note: cert9.db will be recreated when you restart Firefox. This is normal.

What to do if you see this error?

If you encounter a "Your connection is not secure" error, you should contact the owners of the website, if possible, and inform them of the error. It is recommended that you wait for the website to be fixed before using it. The safest thing to do is to click Go Back, or to visit a different website. Unless you know and understand the technical reason why the website presented incorrect identification, and are willing to risk communicating over a connection that could be vulnerable to an eavesdropper, you should not proceed to the website.

Technical information

Click on Advanced for more information on why the connection is not secure. Some common errors are described below:

Certificate does not come from a trusted source

The certificate does not come from a trusted source.

Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

The certificate will not be valid until (date)

The certificate will not be valid until date (...)

Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE

The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time (double-click the clock icon on the Windows Taskbar) in order to fix the problem. More details about this are available in the support article How to troubleshoot time related errors on secure websites.

The certificate expired on (date)

The certificate expired on date (...)

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

This error occurs when a website's identity certification has expired.

The error text will also show the current date and time of your system. In case this is incorrect, set your system clock to today's date and time (double-click the clock icon on the Windows Taskbar) in order to fix the problem. More details about this are available in the support article How to troubleshoot time related errors on secure websites.

The certificate is not trusted because the issuer certificate is unknown

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

Error code: MOZILLA_PKIX_ERROR_MITM_DETECTED

MOZILLA_PKIX_ERROR_MITM_DETECTED is a special case of the SEC_ERROR_UNKNOWN_ISSUER error code when a man-in-the-middle attack is detected.

You may have enabled SSL scanning in your security software such as Avast, Bitdefender, ESET or Kaspersky. Try to disable this option. More details are available in the support article How to troubleshoot security error codes on secure websites.

You may also see this error message on major sites like Google, Facebook, YouTube and others on Windows in user accounts protected by Microsoft family settings. To turn these settings off for a particular user, see the Microsoft support article How do I turn off family features? .

The certificate is not trusted because it is self-signed

The certificate is not trusted because it is self-signed.

Error code: ERROR_SELF_SIGNED_CERT

Self-signed certificates make your data safe from eavesdroppers, but say nothing about who the recipient of the data is. This is common for intranet websites that aren't available publicly and you may bypass the warning for such sites. More details are available in the support article How to troubleshoot security error codes on secure websites.

The certificate is only valid for (site name)

example.com uses an invalid security certificate.

The certificate is only valid for the following names: www.example.com, *.example.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

This error is telling you that the identification sent to you by the site is actually for another site. While anything you send would be safe from eavesdroppers, the recipient may not be who you think it is.

A common situation is when the certificate is actually for a different part of the same site. For example, you may have visited https://example.com, but the certificate is for https://www.example.com. In this case, if you access https://www.example.com directly, you should not receive the warning.
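To tie the error codes above together, here is an added example (not Mozilla's code): a simplified Python model of the checks a browser runs before trusting a certificate, returning the Firefox error code of the first check that fails. The certificates, the trust store and the interception-product root are constructed for the demo, and the order of checks is a simplification of what Firefox actually does; it also shows why a wrong system clock produces SEC_ERROR_EXPIRED_CERTIFICATE and why a certificate for www.example.com / *.example.com does not cover the bare example.com.

```python
"""Simplified model of the checks Firefox makes before trusting a site
certificate, mapped to the error codes explained in this article.

Added example, not Mozilla's code. The certificates are plain dicts
constructed here (not real X.509); the trust store and the interception
root are made up for the demo, and real verification also checks
signatures, key usage and revocation.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # the demo's "system clock"
ROOTS = {"Example Trusted Root CA"}                 # constructed trust store
MITM_ROOTS = {"Example Antivirus Scanning Root"}    # constructed: root of an SSL-scanning product


def hostname_matches(pattern, host):
    """'*' is allowed only as the whole leftmost label and matches exactly one
    label: *.example.com covers www.example.com, not example.com or a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[2:]
    labels = host.split(".")
    # the suffix must itself contain a dot, so "*.com" matches nothing
    return "." in suffix and len(labels) >= 2 and ".".join(labels[1:]) == suffix


def check_certificate(leaf, chain, host, now=NOW):
    """Return the Firefox error code of the first failed check, or None when
    `leaf` is acceptable for `host` at time `now`."""
    # 1. Validity window of the site certificate; a wrong system clock fails here too
    if now > leaf["not_after"]:
        return "SEC_ERROR_EXPIRED_CERTIFICATE"
    # 2. Self-signed: issuer == subject and no trusted root vouches for it
    if leaf["issuer"] == leaf["subject"] and leaf["issuer"] not in ROOTS:
        return "ERROR_SELF_SIGNED_CERT"
    # 3. Walk the issuer chain up to a trusted root
    by_subject = {c["subject"]: c for c in chain}
    issuer, seen = leaf["issuer"], set()
    while issuer not in ROOTS:
        if issuer in MITM_ROOTS:   # interception root: special case of an unknown issuer
            return "MOZILLA_PKIX_ERROR_MITM_DETECTED"
        intermediate = by_subject.get(issuer)
        if intermediate is None or issuer in seen:   # no usable intermediate was sent
            return "SEC_ERROR_UNKNOWN_ISSUER"
        if now > intermediate["not_after"]:
            return "SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE"
        seen.add(issuer)
        issuer = intermediate["issuer"]
    # 4. Does the certificate cover the host name the user actually typed?
    if not any(hostname_matches(name, host) for name in leaf["names"]):
        return "SSL_ERROR_BAD_CERT_DOMAIN"
    return None


def make_cert(subject, issuer, names, days_valid=365, start=NOW - timedelta(days=30)):
    """Build a constructed certificate record for the demo."""
    return {"subject": subject, "issuer": issuer, "names": names,
            "not_before": start, "not_after": start + timedelta(days=days_valid)}


INTERMEDIATE = make_cert("Example Intermediate CA", "Example Trusted Root CA", [])
SITE = make_cert("www.example.com", "Example Intermediate CA", ["www.example.com", "*.example.com"])


def demo():
    """One scenario per error code described in the article, plus the happy path."""
    stale_ca = make_cert("Example Intermediate CA", "Example Trusted Root CA", [], days_valid=10)
    intercepted = make_cert("www.example.com", "Example Antivirus Scanning Root", ["www.example.com"])
    self_signed = make_cert("intranet.local", "intranet.local", ["intranet.local"])
    return {
        "ok": check_certificate(SITE, [INTERMEDIATE], "www.example.com"),
        "wildcard_ok": check_certificate(SITE, [INTERMEDIATE], "shop.example.com"),
        "bare_domain": check_certificate(SITE, [INTERMEDIATE], "example.com"),
        "clock_400_days_ahead": check_certificate(SITE, [INTERMEDIATE], "www.example.com", NOW + timedelta(days=400)),
        "missing_intermediate": check_certificate(SITE, [], "www.example.com"),
        "expired_intermediate": check_certificate(SITE, [stale_ca], "www.example.com"),
        "ssl_scanning_proxy": check_certificate(intercepted, [], "www.example.com"),
        "self_signed": check_certificate(self_signed, [], "intranet.local"),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:22} -> {result or 'connection allowed'}")
```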

Corrupted certificate store

You may also see certificate error messages when the file in your profile folder that stores your certificates (cert8.db or cert9.db) has become corrupted. Try to delete this file while Firefox is closed to regenerate it:

Note: You should only perform these steps as a last resort, after all other troubleshooting steps have failed.

Note: cert8.db or cert9.db will be recreated when you restart Firefox. This is normal.

Bypassing the warning

Note: Some security warnings cannot be bypassed.

You should only bypass the warning if you're confident in both the identity of the website and the integrity of your connection - even if you trust the site, someone could be tampering with your connection. Data you enter into a site over a weakly encrypted connection can be vulnerable to eavesdroppers as well.

In order to bypass the warning page, click Advanced :

  • On sites with a weak encryption you will then be shown an option to load the site using outdated security.
  • On sites where the certificate cannot be validated, you might be given the option to add an exception.

Legitimate public sites will not ask you to add an exception for their certificate - in this case an invalid certificate can be an indication of a web page that will defraud you or steal your identity.
