A user recently reported that IE11 wasn’t showing the “Continue” link on the certificate error page shown when visiting their 2009-era router’s configuration UI. They were curious why that link wasn’t shown in this instance.
The error page’s Continue link is hidden:
- If the certificate is revoked
- If the certificate is deemed insecure (e.g. contains a 512-bit RSA key)
- If the page is in a “pinned site” instance
- If group policy is set to Prevent Ignoring Certificate Errors
In this case, #2 is the most likely.
Had the user provided a screenshot of the blocking page and the URL of the page (shown in right-click Properties, NOT the address bar) it would simplify troubleshooting of the issue. Similarly, providing the make/model of the router will allow contacting the vendor to request a firmware update.
Here’s what you see if the server sends a certificate with a 512-bit RSA key:
Old IE versions (prior to IE10) omitted the line “The security certificate presented by this website is not secure” and included the “Continue” link although clicking it was non-functional. IE10 fixed those shortcomings. At the time that this page was designed, complaining about RSA key length specifically in the error page was deemed unlikely to help users, since they’re rarely able to change the certificate a site uses.
Having said that, as a geek, I do like the page that Chrome shows:
Firefox 26 doesn’t care or warn about the weak certificate. In contrast, if a certificate with a strong key is signed with a weak hash (e.g. MD5), IE doesn’t complain, but both Firefox and Chrome will block access to the site.
Testing Weak Keys
You may be wondering how you can easily see how your software behaves with weak keys. Doing so is very easy with Fiddler and its plugin Certificate Generator. After installing the add-on and enabling HTTPS decryption in Fiddler, type prefs set fiddler.certmaker.bc.KeyLength 512 in the black QuickExec box underneath the Web Sessions list. Hit Enter, and restart Fiddler. Subsequently, Fiddler will generate server certificates that use a 512 bit key. To later revert this configuration, either type about:config in the QuickExec box and remove the preference using the UI, or type prefs remove fiddler.certmaker.bc.KeyLength hit Enter, and restart Fiddler.