You are at risk any time you enter secure information or credentials online without the use of SSL.
When using SSL, you are at risk during the initial check in which your browser verifies the site's information; this is the critical step. If your browser receives any information that does not match what it expects, you get a pop-up explaining that there was a problem and attempting to tell you what the problem was. These problems fall into one of three categories:
- The server name that I am talking to does not match what its certificate says it is supposed to be:
This can mean that you entered a shortened URL such as https://uwmail rather than entering the full name of the site, https://uwmail.uwyo.edu, which is what was used to get the original certificate.
This can also mean that you entered an alias for the site name, which may be used to make the name easier to remember. For example, https://exchange.uwyo.edu is an alias for the actual site name, https://uwmail.uwyo.edu.
- The certificate that it sent has expired:
This indicates that the company did not renew the certificate for the site. Certificates are issued in various blocks of time and must be renewed periodically.
- The browser does not consider the Certificate Authority that issued the certificate to the site a "trusted" authority:
This indicates that the browser does not recognize the Certificate Authority (CA), and so it tells the user about the problem. The difficulty is that issuing certificates is something literally anyone can do. Thus, you must put considerable thought and research into whether or not you should allow your browser to trust the specific CA. There are many large commercial Certificate Authorities that back up their certificates in various ways to show that they are reputable and honest companies and can be trusted. These CAs are typically included in browsers' built-in trust lists by the browser vendors, so their certificates are trusted automatically. This is why entities usually choose to purchase certificates when they have public sites that need SSL; otherwise, when you hit an SSL page on their site you would get this error message and it would be up to you to determine whether the company is reputable and honest.
IMPORTANT: This particular error may also have a more sinister cause. In some cases, it is possible for a less-than-scrupulous individual who is connected to the same network as you to load software that acts as a middle-man between you and your gateway to the Internet. This is very hard to detect and, if you as the user are not careful and security conscious, an easy way for that person to capture the accounts and passwords you enter into online sites, even those secured with SSL (if you choose to trust their CA and enter the site). The Certificate Authority signature cannot be faked, so if someone is intercepting your network traffic, you will get a warning such as this one when they attempt to fake the certificate.
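The three warning categories above, worked through as an added example (not code from the original page): the checker takes a certificate in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns and reports the same name-mismatch, expired and untrusted-CA conditions a browser would. The sample certificates, the CA name "Example Trusted CA" and the trust list are constructed for illustration, and the trust check is simplified to an issuer-name lookup.

```python
import ssl
import time

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). They are not real uwyo.edu certificates.
GOOD_CERT = {
    "subject": ((("commonName", "uwmail.uwyo.edu"),),),
    "subjectAltName": (("DNS", "uwmail.uwyo.edu"),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}
# Self-signed and long past its notAfter date: two warnings at once.
BAD_CERT = {
    "subject": ((("commonName", "uwmail.uwyo.edu"),),),
    "subjectAltName": (("DNS", "uwmail.uwyo.edu"),),
    "issuer": ((("organizationName", "Self-Signed"),),),
    "notAfter": "Jan 01 00:00:00 2020 GMT",
}
# Hypothetical stand-in for the browser's built-in trust store.
TRUSTED_CA_NAMES = {"Example Trusted CA"}

def _attrs(name_seq, key):
    """Collect every value of `key` from a getpeercert() subject/issuer tuple."""
    return [v for rdn in name_seq for k, v in rdn if k == key]

def name_matches(pattern, hostname):
    """Exact match, or one left-most wildcard label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == hostname

def classify_warnings(cert, hostname, trusted_cas=TRUSTED_CA_NAMES, now=None):
    """Return the browser-style warning categories that apply to this cert."""
    now = time.time() if now is None else now
    # The URL host is matched against the DNS SANs; fall back to the CN only
    # when the certificate carries no SAN at all.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or _attrs(cert.get("subject", ()), "commonName")
    warnings = []
    if not any(name_matches(n, hostname) for n in names):
        warnings.append("name mismatch")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        warnings.append("expired")
    # Simplified trust check: issuer name in the trust list. A real client
    # also verifies the CA's signature over the certificate and its chain.
    if not set(_attrs(cert.get("issuer", ()), "organizationName")) & trusted_cas:
        warnings.append("untrusted CA")
    return warnings
```

Typing the shortened URL https://uwmail or the alias https://exchange.uwyo.edu yields "name mismatch" against the same certificate that passes cleanly for uwmail.uwyo.edu.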
These errors can have a lot of meanings and implications. It is imperative that you as the user are very conscious of your actions online and do not disregard warning messages. The bottom line is that if you get any error messages when accessing an SSL site or page, it is best to cancel that session and not enter any confidential information. Call the company and verify that their pages are up and running, and talk to them about the error before utilizing their online services. Also, any time you are prompted for credentials, you should always ensure that the page is using SSL by looking for the tell-tale padlock. Sometimes companies write SSL Web pages that are embedded within other non-SSL pages and you do not see the padlock. In these instances, it is best to call the company and verify that the pages are using SSL prior to entering anything confidential. It is always better to be safe than sorry.