Is This Site Safe? How to Fix a ‘Your Connection Is Not Secure’ Error

Firefox, Chrome, Windows 10 - wherever you're seeing this error, try these tips

If you’ve ever visited a website and been confronted with a message stating “This site is not secure,” or "Your connection is not secure," there are some simple methods for diagnosing the problem, gauging your level of risk, and mitigating any potential security hazards.

What Does 'Connection is Not Secure' Mean?

When your browser flags a website as being not secure or insecure, it has detected a problem with the Secure Sockets Layer (SSL) certificate that certifies the identity of the site. You might hear these certificates referred to as TLS certificates, but for the purposes of this article, we'll refer to this mechanism as an SSL certificate (or simply a certificate).

While SSL certificates use the principles of encryption to perform this identity verification, and SSL is a full-fledged encryption protocol, SSL certificates aren’t technically the encrypted connection itself. Indeed, it's technically possible for your computer to establish an encrypted connection to a malicious site posing as a legitimate site.

Your browser only understands encryption by means of the SSL certificates, so if the site has a valid certificate then it encrypts its connection to that site. However, if the site’s certificate is invalid or missing, it does not establish an encrypted connection. Basically, every site that has an SSL certificate also employs SSL encryption, so they go hand-in-hand.

What Causes 'Your Connection is Not Secure' Error?

There are several reasons why a site might register as not secure. One possibility is that the site you’re visiting has a misconfigured certificate. Setting up SSL certificates is hard, particularly if a site’s administrators have purchased one of the higher-end ones, and not everyone gets it right. Even sites that have had a proper configuration in the past may end up with issues as server software versions get updated and potentially fall out of sync, or as personnel change at the company maintaining the site.

It’s also possible the existing, properly installed certificate expired and the site administrators forgot to renew it. This is a fairly common occurrence as, again, maintaining SSL certificates is no easy task. Certificates might also become invalid if the admins change the site’s hosting providers or internet service providers, resulting in a new URL or IP address which does not match the one listed on the formerly valid certificate. If admins are in a situation where they are forced to change hosting providers, they have enough on their plate already and updating certificates may not be at the top of their to-do list.

Certificate errors are not always the fault of a site’s maintainers, though: browsers are shipped with certificates, and don’t always sync all the latest ones until the whole browser is updated. Therefore, if your browser is not up to date, it could be missing its copy of the certificate the site expects you to have.

Lastly, it could just be that the site you’re trying to go to never had a certificate and doesn’t intend to acquire one. The more reputable and trustworthy certificates cost money, and all certificates require technical knowledge that not every admin has, especially if they maintain a small site with limited resources. Some admins might opt to not go to the trouble of posting a certificate.

Is This Site Safe? How to Identify a Website That's Not Secure

Most modern browsers are consistent and explicit in how they identify "Not secure" sites.

  1. On desktop browsers: When a site meets one or more of the failure conditions cited above, desktop browsers add a "Not Secure" tag to the left end of the navigation bar (where URLs are entered and displayed), usually accompanied by an unlocked padlock icon, an information "i" icon, or some other visual cue deviating from the green locked padlock icon that accompanies secure sites.

    Users can usually select the "Not secure" tag and/or the insecure indicator icon to display more information about the site and why it doesn't meet the desktop browser's security standards.

  2. On mobile browsers: Due to their compact design and focus on screen economy, mobile browsers don't usually nudge the URL over to make room for "Not secure" text, but rely solely on icon differentiation. Like their desktop cousins, mobile browsers denote a secure site with a green closed padlock, and insecure sites with a separate indicator, most commonly the opened non-green padlock or the information "i" icon.

    Also in keeping with the desktop UX philosophy, mobile browsers allow users to tap the icon to reveal a simple site security menu and a brief description of the site's status.

How to Resolve a "Connection is Not Secure" Error

  1. Update browser. The easiest thing you can do is make sure your browser is updated to the most recent version.

  2. Use an SSL checker. You can look up the site by entering its URL on an SSL checking site. The checker will tell you everything about the flagged site, from its IP address to the certificate issuer to the expiration of its certificate. Once the SSL checker returns the results, compare them against the data you get from the menu that appears by selecting the icon on the left side of your browser’s address/navigation bar.

    If there are discrepancies between the two, you definitely have a problem. If it matches, but the match corresponds to an obvious problem area (e.g. the certificate menu and the checker site both show an expired certificate), then the error observed will give you a clue as to the severity of the issue.

  3. Use HTTPS Everywhere. If the above check reveals what is clearly a minor error for a site you’ve been to before that ordinarily has a valid certificate, you really only need to take some precautions before returning to browse as normal.

    For desktop computers running Firefox, Chrome, or Opera, install the HTTPS Everywhere extension to make sure all your connections are encrypted. This way, even if the certificate doesn’t match exactly, you should still have an encrypted connection.

  4. Ignore the error. If you know the site has never used encryption and doesn’t include any functionality where sensitive personal data is passed back and forth, you can ignore the error and proceed like normal.

    Web security culture has started to frown on forgoing certificate and encryption configuration, but the absence of certificates still happens. This is especially true with older sites designed before SSL became the norm. All you can really do, if you absolutely have to visit such a site, is install HTTPS Everywhere and be careful about what you enter into any forms or boxes.

  5. Avoid the website. If you’ve ruled out all of these and there is still an error, it could be a serious problem and you should exercise extreme caution. First, check to make sure the URL is entered into the address bar correctly. If you have a link or bookmark to it, select that to see if you get the same “Not Secure” flag. If the flag reappears, and the site isn't one you strictly need to visit, don’t go there for a while, so you give the admins time to sort out any serious issues.
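
The checks an SSL checker runs in step 2, covering the expired-certificate and address-mismatch causes described earlier, can be reproduced in a few lines. This is an added example, not part of the original article. It reads certificate fields in the format Python's ssl.getpeercert() returns; the certificate for shop.example, the issuer name and the function names are constructed for illustration.

```python
import socket
import ssl
import time

def host_matches(pattern, hostname):
    """Match a certificate DNS name against a hostname; '*' covers the leftmost label only."""
    p, h = pattern.lower().split("."), hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, hostname, now):
    """Return the problems found in a certificate dict (ssl.getpeercert() format)."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    return problems

def check_live(hostname, port=443, timeout=5.0):
    """Handshake using the system trust store; report why validation failed, if it did."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return diagnose(tls.getpeercert(), hostname, time.time())
    except ssl.SSLCertVerificationError as exc:
        return [exc.verify_message]

# Constructed sample certificate for the reserved name shop.example (not a real site).
SAMPLE = {
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
MID_2023 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2023 GMT")
MID_2024 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")

if __name__ == "__main__":
    print(diagnose(SAMPLE, "shop.example", MID_2023))   # within dates, name listed
    print(diagnose(SAMPLE, "shop.example", MID_2024))   # past notAfter
    print(diagnose(SAMPLE, "other.example", MID_2023))  # name not on the certificate
```

check_live needs network access and returns the trust store's own failure message when the handshake is rejected; an empty list means the certificate passed every check.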