Domain Names | Dangerous Common Sense

Security Warnings and the Boy Who Cried “Wolf!”

A friend of mine forwarded a link to a winery whose Cabernet we had shared at a party earlier this week. She wanted to let us check out the full selection of wines the company produced. One person on the email list immediately replied that Chrome blocked her from going to the site because the site was dangerous.

When I tried the link, my computer’s security program, BitDefender, declared a security alert and blocked me, too.

Eeek! Danger!!?

I went to the security program’s console and read the details of the alert:

Oh!

BitDefender didn’t really find specific evil on the destination site. Rather, the site’s certificate had a mismatch in the name of the website and the name of the site the certificate was issued for.

Huh?

Well, certificates are issued by third parties and attest to the genuineness of a website. The certificate also allows a secure, encrypted connection between the website and the user at home.

These benefits are important if you ever enter sensitive information on a form on the site. You want to make sure that someone who monitors random internet traffic cannot see your credit card information or eavesdrop on your communication. Moreover, the certificate issuer attests to the realness of the website, and scammers supposedly cannot get certificates for fly-by-night sites that you might accidently encounter if you follow links you see or get sent in phishing emails.

There are all sorts of real benefits that come from knowing that your browsing is secure. — Google has many articles describing the benefits of using a secure connection with a certificate.

However!

Some anti-virus programs and browsers often declare a major security emergency for genuine, phishing-free pages when either:

The site’s security certificate is expired.
You’re supposed to pay a third party every year to say that you’re a real person. If you don’t pay, the certificate expires and Chrome has a fit.
The link you followed for some reason started off https://…. when the site never applied or was issued a security certificate.
The trailing “s” means that the site is secure and has a security certificate. If the site never bothered to get a security certificate, Chrome has a fit.
Just retype the link as http://… Without the “s”, and Chrome should mellow!
The name of the website differs from the name of the site in the certificate. This what happened for today’s link to the winery.
I generally tell the security program to ignore the mismatch and show me the pages. If I was scrolling for sleazy reasons or looking to buy something, I would probably go away from the potential danger. But, if I find the grape leaves and vineyard pictures, I am not going to worry.

Basically, you should check the details of the warning that Firefox, Chrome or whoever is giving.

If it’s for an “expired certificate” I personally ignore the warning and go anyway.
If the warning is for a missing certificate, I just retype the link without the “s”.
If the certificate was issued for another name, I am cautious, but usually proceed. Sometimes a web design company gets a certificate in their name instead of their client’s name, or other innocuous mismatches occur.

I would hesitate to enter my credit card in a site the browser complains about because the browser won’t establish a secure connection to a site it doesn’t like. But, I am usually comfortable checking out a site with a faulty certificate and I am completely okay looking at a site that never applied for a security certificate.

There are real problems on the Internet with real bad guys trying to trick you. But, too often the warnings about certificates remind me a little boy crying, “Wolf!”

Know The Truth About “Domain Name Search Engine Registration”

Sleazy Domain Registration Service Email

There is a special circle of hell reserved for people who send emails like the one reproduced at right. These are the scary-looking “NOTICES” that take advantage of a business person’s unfamiliarity with the technical terms of the Internet. The messages try to get an unsuspecting website owner to buy a horribly overpriced, maybe worthless, service.

This particular email was sent to me on January 17th asking me to reply by January 18th. The sender is creating a false sense of urgency to get me to act before I figured out what I was doing.

The formatted electronic letter says it’s a “Domain Service Notice”. It looks like the senders are trying to trick you into thinking that you need to renew your site’s domain name registration. Domain name registration is a real service. Domain name registration is what records you as the owner of your www.ozdachs.biz and tells everyone on the Internet where to go to see the site. Domain name registration for .com domains currently costs under $20/year from reputable registrars.

This message is not selling domain name registration. They are offering “Domain name search engine registration.” I don’t know what that is.

I suspect that it is a made up product with no commerical value for your website.

You don’t have to register your domain with places like Google or Bing. Those search engines find and read all of the pages of your site and put you in search results for free. You can submit your site to Google, but that really isn’t necessary. Google will find your site through in-coming links from other sites it knows about. (You have to make sure that your site gets pointed to, but that isn’t difficult. Writing a public post on Facebook or in a blog like this is enough!)

At most, you might submit a new website to the major search engines to try to kick-start its visibility. Most experts don’t think you need to do this, but the search engines generally let you tell them about your site. For free.

In any case, I cannot think of a reason why you would need to submit your site more than one time, when it is new. Google and the other search engines regularly revisit the sites they’ve found to process and reindex the new content that’s published.

This come-on letter offers you a one-year “registration” for $75. The senders say their “best value” is a lifetime service for $499. I have no idea what you get for multiple years of the service.

Unfortunately some people will fall for this urgent-sounding pitch. Its wording is carefully legal: it says straight out that it’s not an invoice and you are under no obligation to pay. But, the message is skillfully formatted and it looks so official!

Luckily this sleazy message came directly to me because I am listed on the real, official domain registration for a client. My client didn’t have to panic, and he didn’t waste his money. I know what to do with offers like this: trash them!

If you have any questions about you get in your email or USPS box, talk to me or your webmaster. Don’t pay for a service you don’t understand!