Akamai and SSL

Posted Wed, 12 Aug 2009

SSL stands for "Secure Sockets Layer" and refers to a protocol for using the web in a secure, encrypted manner. Every time you connect to a website whose address begins with https:// instead of just http://, you're connecting over SSL. Almost all banks and e-commerce sites, for example, use SSL for logging in and for transactions.

SSL helps provide security for users in at least two ways. First, it keeps communication encrypted in such a way that only you and the site you are communicating with can read it. The Internet is designed in a way that makes messages susceptible to eavesdropping; SSL helps prevent this. But sending coded messages only offers protection if you trust that the party you are communicating in code with really is who they say they are. For example, if I'm banking, I want to make sure the website I'm using really is my bank's and not some phisher trying to get my account information. The fact that we're talking in a secret code will protect me from eavesdroppers but won't help me if I can't trust the person I'm talking in code with.

To address this, web browsers come with a list of trusted organizations that verify or vouch for websites. When one of these trusted organizations vouches that a website really is who it says it is, it issues what is called a "certificate" that attests to this fact. A certificate names the website it was issued for, and when a browser connects over SSL it compares that name with the hostname in the address the user typed. A certificate for revealingerrors.com would help users verify that they really are viewing Revealing Errors, and not some intermediary, impostor, or stand-in. If someone were to redirect traffic meant for Revealing Errors to an intermediary, users connecting using SSL would get an error message warning them that the certificate offered is invalid, or was issued for a different name, and that something might be awry.

That bit of background provides the first part of this explanation for this error message.

[Image: whitehouse.gov error message claiming the host is a248.e.akamai.net]

In this image, a user attempted to connect to the Whitehouse.gov website over SSL --- visible from the https in the URL bar. Instead of a secure version of the White House website, however, the user saw an error explaining that the certificate presented was not issued for whitehouse.gov at all, but for some other hostname: a248.e.akamai.net.

This is a revealing error, of course. The SSL system, normally represented by little more than a lock icon in the status bar of a browser, is thrust awkwardly into view. But this particularly revealing error has more to tell. Who is a248.e.akamai.net? Why is their certificate being offered to someone trying to connect to the White House website?

a248.e.akamai.net is the name of a server that belongs to a company called Akamai. Akamai, while unfamiliar to most Internet users, serves between 10 and 20 percent of all web traffic. The company operates a vast network of servers around the world and rents space on these servers to customers who want their websites to work faster. Rather than serving content from their own computers in centralized data centers, Akamai's customers can distribute content from locations close to every user. When a user goes to, say, Whitehouse.gov, the site's DNS records silently direct their computer to one of Akamai's servers, which holds a copy of the Whitehouse website. Often, the user will receive the web page much more quickly than if they had connected directly to the Whitehouse servers. And although Akamai's network delivers more than 650 gigabits of data per second around the world, it is almost entirely invisible to the vast majority of its users. Nearly anyone reading this uses Akamai repeatedly throughout the day and never realizes it. Except when Akamai doesn't work.

Akamai is an invisible Internet intermediary on a massive scale. But because SSL is designed to detect and highlight hidden intermediaries, Akamai has struggled to make SSL work with their service. Although Akamai offers a service designed to let their customers use Akamai's service with SSL, many customers do not take advantage of this. When such a customer's whole site is served through Akamai, an https request for it still arrives at an Akamai server, which has no certificate for the customer's hostname and presents its own generic certificate for a248.e.akamai.net instead; the browser sees a name that does not match the address bar and warns the user. The result is that SSL remains one place where, through error messages like the one shown above, Akamai's normally hidden network is thrust into view. An attempt to connect to a popular website over SSL will often reveal Akamai. The White House is hardly the only victim; Microsoft's Bing search engine launched with an identical SSL error revealing Akamai's behind-the-scenes role.
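As an added example (not code from the original post, and not Akamai's or any browser's own code), here is the check described above: the comparison a browser makes between the hostname in the address bar and the names a certificate was issued for, applied to the whitehouse.gov case. The certificate data is constructed to mimic the dictionary shape Python's `ssl` module returns from `getpeercert()`; no real certificates are involved. `edge_certificate` is a deliberately simplified, hypothetical model of the behaviour this post describes (a generic a248.e.akamai.net certificate for customers who have not set up secure delivery), not Akamai's actual logic, and `www.cathaypacific.com` appears only because the comments below use it as an example of a site on the secure-delivery service. The optional `live_peer_names` helper does the same check against a real server and is the only part that needs network access.

```python
"""Browser-style certificate hostname check, RFC 6125 rules, with a toy model
of a CDN edge that only has certificates for some of its customers.

Added example: not from the original post and not Akamai's code.
"""
import ssl
import socket


def _names_from_cert(cert):
    """Collect the DNS names a certificate claims: subjectAltName entries,
    falling back to the subject commonName only when no SAN is present."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _label_match(pattern, hostname):
    """Match one certificate name against one hostname.
    Exact, case-insensitive label comparison; a wildcard is accepted only as
    the entire left-most label and never spans a dot (so *.example.com matches
    www.example.com but not a.b.example.com, and *.com is rejected)."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert, hostname):
    """Return (ok, presented_names): ok is True only if some name matches."""
    names = _names_from_cert(cert)
    return any(_label_match(n, hostname) for n in names), names


# Constructed sample certificates in the dict shape of ssl.getpeercert().
GENERIC_EDGE_CERT = {
    "subject": ((("commonName", "a248.e.akamai.net"),),),
    "subjectAltName": (("DNS", "a248.e.akamai.net"),),
}
CUSTOMER_CERT = {
    "subject": ((("commonName", "www.cathaypacific.com"),),),
    "subjectAltName": (("DNS", "www.cathaypacific.com"), ("DNS", "cathaypacific.com")),
}
SECURE_DELIVERY = {"www.cathaypacific.com": CUSTOMER_CERT}  # hypothetical table


def edge_certificate(requested_host, secure_delivery_hosts):
    """Hypothetical model of the behaviour the post describes: the edge holds a
    certificate only for customers on secure delivery and otherwise answers
    with its generic certificate, whatever hostname the client asked for."""
    return secure_delivery_hosts.get(requested_host, GENERIC_EDGE_CERT)


def live_peer_names(host, port=443, timeout=5):
    """Optional network check: connect as a browser would, but skip the name
    check so the presented certificate can be inspected instead of rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # report the mismatch rather than abort on it
    ctx.verify_mode = ssl.CERT_REQUIRED  # still require a chain to a trusted root
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return check_hostname(tls.getpeercert(), host)


if __name__ == "__main__":
    for host in ("www.whitehouse.gov", "www.cathaypacific.com"):
        ok, names = check_hostname(edge_certificate(host, SECURE_DELIVERY), host)
        print(f"{host}: {'OK' if ok else 'MISMATCH'} (certificate names: {names})")
```

Run as a script it prints a MISMATCH line for the whitehouse.gov model and an OK line for the customer on secure delivery; `live_peer_names("www.example.org")` performs the same check against a real server and returns the names it actually presented, which is the quickest way to see whether a given site sits behind a CDN that lacks a certificate for it.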

Akamai plays an important role as an intermediary for a large chunk of all activity online. Not unlike Google, Akamai has an enormous power to monitor users' Internet usage and to control or even alter the messages that users send and receive. But while Google is repeatedly --- if not often enough --- held to the fire by privacy and civil liberties advocates, Akamai is mostly ignored.

We appreciate the power that Google has because they are visible --- right there in our URL bar --- every time we connect to Google Search, GMail, Google Calendar, or any of Google's growing stable of services. On the other hand, Akamai's very existence is hidden and their power is obscured. But Akamai's role as an intermediary is no less important due to its invisibility. Errors provide one opportunity to highlight Akamai's role and the power they retain.

Responses to This Post

I'd like to correct a few points of misunderstanding in this post:

- You make the statement "Except when Akamai doesn't work."  However, in the example you give, the system is working exactly as designed.  For customers that choose to deliver their whole site (www.example.com) over Akamai, but choose not to leverage our SSL delivery service, requests for https://www.example.com will cause our servers to return the generic certificate that is used by customers serving only objects securely through Akamai.  (As noted, the certificate is for a248.e.akamai.net.)
- For customers that are leveraging Akamai's services to serve their whole site securely through Akamai, a request for https://www.customer.com/ will, in fact, return a certificate for that hostname.  (As an example, do a DIG on www.cathaypacific.com, and look at the certificate returned from https://www.cathaypacific.com/.  You will see that the site is served by Akamai, and that the proper certificate is returned.)
- You note that Akamai has recently begun to offer an SSL delivery service.  This statement is inaccurate, as we have offered a Secure Content Delivery service, supporting dedicated customer hostname certificates delivered by a global server deployment, since the 2001/2 timeframe.
Thanks for the clarifications David.

I'm pretty comfortable with the statement that a big warning certificate from a site the user didn't think they were connecting to is "not working." I'm sure it's a known, even intentional effect, but what constitutes an error or not working can often be subjective. I'm comfortable arguing that the behavior you describe is not what users, or Akamai customers, either want or would expect, and am happy calling that an error.

In regards to your second point, I'm sure that the SSL service works well when clients choose to take advantage of it. I don't think my post claims otherwise.

Regarding your third point, this definitely is a mistake on my part. I'll update the text to reflect this. Sorry about that!
Surprisingly even Akamai doesn't use the SSL delivery service for their Website. https://www.akamai.com/ brings up the same security warning.
I agree with Mako, the Akamai warning message will make no sense to the end user.

(By the way, I just found Revealing Errors through IT'S BROKEN (http://itsbroken.2wtx.com), another interesting blog about things that are broken in life, so I thought I'd leave their link in my comment.)

Off to read your archives!
Thanks, Mako.  The relevance of Akamai to privacy, regardless of how well they have SSL working, is an important issue I had overlooked.  That's a nice observation you have there.

-t
@Klaus

That will happen with any site you try to request securely, but isn't set up to be secure.  Why would Akamai use SSL on their public facing website?
@Robert Then why not limit traffic to HTTP only for those domains (which would be fairly easy to do, just have two sets of IP addresses, one with services on 80 and 443 and one with only 80).
I am not understanding whether I am supposed to "proceed anyway" when I get this error message? The last thing I need is a virus - so I am a little leery.

I receive this message using Google Chrome as my browser, Windows XP as my operating system, and I am only trying to get onto Facebook.  I am in social media marketing so it is imperative that I understand this.

Any help or advice I would be grateful for.
Just a note:

SSL hasn't really been used or supported since 01/1999.  It's called TLS (Transport Layer Security) now, since the publication of RFC 2246.  The prior specification, SSL 3.0, was never actually a full specification, just a collection of "if we do this, things generally don't break" ideas.

Most places still have SSL fallback turned on, and until Windows Vista, Microsoft made IE not use TLS by default.  I don't know why, since SSL 3.0 relies on the security of MD5 while TLS relies on the higher of security between MD5 and SHA1.  (There are newer versions of TLS which will support even more MAC hash algorithms.)

Other than that, though, I feel you're right on the money.  That's one of the worst possible error pages to show -- and the worst thing is, it's part of the user's browser.  It's not anything that the site can control, other than adhering precisely to the demands of the browser.
wtf is going on someone please tell me did I install malware on my computer that wants to steal my login information this is really irritating me as I just want to log in to netflix, facebook, my BANK I don't want akkkslomi to have my bank login information someone please what is going on how do I take this virus off my computer and how do I make assholami doesn't have my bank information!!!!!!!! THIS IS SERIOUSLY PISSING ME THE FUCK OFF
It's really interesting that Akamai is a legitimate business, and most internet users utilize it every day, but I think a lot of us are more interested in hearing a solution to the problem we keep having, and so far it seems like no one can supply that.  When Akamai isn't working, or I guess you could say "working visibly", and is stopping users from accessing the internet resources they would like to be accessing, how can the user continue to access these sites? Is there a solution? If not I would say someone (Akamai?) has a serious problem they need to address.
Great, so now how about giving some information about how we should deal with the problem when it occurs..

How can we fix it and or get around it?
A solution, for anyone who's having an Akamai or Invalid URL message on facebook: repair your router, either switch it off or repair it (by clicking the repair button) and your issues will be resolved! Spent an hour researching until I found the answer that resolved my problem.

Hope this helps

cheers

- Ash
I think the Facebook issue (and whitehouse.gov issue, presumably) is a server-side issue for most people, and there's a couple of reasons why it is a massive job to fix:
1) It is region-specific, so the developers located in California won't see the issues in Italy, South Africa or Australia.
2) It involves their partner site Akamai.
3) It is a site wide issue, which involves possibly altering DNS settings etc., so it probably can't be resolved without serious amounts of paperwork and organisational double-checking.

Having said that, in the affected areas (I have heard Italy, India, South Africa, and Australia) the Facebook API authentication is completely broken short of users clicking the 'proceed despite the risks' button in their browser, which is discouraging. I hope they fix it soon.

Matt
If I hit 'proceed', will I have an unsecured or unsafe connection? Problem occurs in all browsers when attempting to connect with facebook.
None of this covers why Akamai feels the need to persistently portscan anything and everything that connects to a site hosted on one of their servers, and their own website fails to explain the need for this assault.
Mako, I have only one question! I have a bunch of applications with SSL enabled within. So should I go with Akamai, and does it really work well with SSL?
Hi Ashwani!

I have no idea about the specific details of this. You should talk to Akamai about this. They should be able to tell you the limitations of their systems.
This problem happened to me when trying to sign on to Facebook using Chrome on a Windows XP machine. It is true that the error message gives you the strong impression that your system has been hijacked. I did virus and spyware scans and double-checked the traffic through my firewall with no errors. Following a tip from one of the posts here, I repowered my cable modem and router and that seemed to take care of it.

I feel a lot better now.
Not happy about this Akamai shit.  Have spent ages looking into DNS redirecting and am convinced there is a connection here with Akamaitechnologies.  What do we do, stop purchasing stuff online because that is the only way to be secure?  Very worrying indeed.  The Internet is rapidly becoming an unworkable pool of shit.  God only knows what it will be like in ten years time???  When I have found a way to block Akamai, I will and if that means I can't access sites as a result then so be it!
Christopher, Linger in the Darkness, or Join Us....Join Us...Join Us.....
How to fix this a248.e.akamai.net:

1) Follow the instructions above by Hybrid24. This works, as attested by GK Mandigo.

On a side note, I did not specifically power cycle, restart or refresh my router since it is quite far from our room. What I did was:
Access your router set up(192.168.x.x) and disconnect & reconnect your internet connection on the internet connection status subpage.

My router is Cisco v3.0.0.02
Our internet connection type is PPPoE.

1. Open your router set-up. For Cisco Linksys, this could be accessed through 192.168.1.1 or through Network Magic (I don't know how though).
2. Go to STATUS PAGE.
3. On the Internet connection details portion, there is a "Login Status" indicating that you are connected and on the side, there is a "disconnect" button. Press the button and when the numbers are set to "0", Press the "Connect" button.
4. Try facebook again. This should fix your problem without the added hassle of moving around.
^__^

I hope this helps anyone.
Oh dear god. You idiots.

Look, no one's hacking anything. Akamai are a major part of Internet infrastructure that a lot of people rely on.

If you go to a site via https and get an error explaining that blah.akamai.com isn't a valid host, it's because the site you're trying to go to doesn't intend for you to access their site via https.

So stop ranting and trying to block the internet.
problem in SSL
that address belongs to a girl using google webmaster tools to ride akamai technology with a reinvented name using their meta tags she has been bragging to her friends on google webmaster that she has taken over facebook putting access denial codes into your application modules...she is operating out of LA somewhere, no techs working with akamai technology have addresses on the web wake up fools
17th Jan 2012 .14:16.

..... and now they tell us just as we are in 'banking scary season' again and we have this to worry about is it any wonder we are all being bombarded by some Oik from one bank or another trying to tie us all up for 2 years in an e-bond, they get the 18% whilst they can and we end up with the falling brick.And why do I mention it because of the eTrade email scam thats going about and not knowing how they are getting the addresses and the amounts so right,so of course lets nick the info on file and we will merge it with a non cert remailer who will in the end get nothing but free publicity from this connection.
Not pertinent you say! Look at the amount of people who spent good money last year on an external CD player because they could not get rid of the redirect script in the temp file for the driver add on that if you knew how you could do it yourself and could clear the error in an instant otherwise just when you need sound on your device someone comes up with a site that has no cert that automatically kicks in the script which appears to be trying to protect me and you online yet doing the exact opposite.
J Clarkson is right again.....in front of their families..
