Error “This site cannot provide a secure connection” in Chrome, Opera and Yandex Browser

For some reason, some HTTPS sites (not all!) stopped opening for me. When you try to open such a site in your browser, a window with the error “This site cannot provide a secure connection” appears. Websites are not displayed in Google Chrome, Opera, Yandex Browser and Microsoft Edge. Without HTTPS, some sites open, but not all, only those whose pages are accessible via both the HTTPS and HTTP protocols. In Google Chrome, the error when opening an HTTPS site looks like this:

This site may not provide a secure connection. Sitename.ru sent an invalid response. ERR_SSL_PROTOCOL_ERROR.

Or like this:

This site may not provide a secure connection. The site sitename.ru uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH.

The client and server support different versions of the SSL protocol and cipher suite. Most likely, the server uses the RC4 cipher, which is considered insecure.

Or in Mozilla Firefox:

Secure Connection Failed

In Opera and Yandex Browser the error looks approximately the same.

How can I open such sites?

Answer

As you have probably gathered, the error is caused by a failure in SSL communication between your computer and the HTTPS site. The causes can vary widely. In this article, I have tried to collect all the methods for fixing the “This site can't provide a secure connection, ERR_SSL_PROTOCOL_ERROR” error in various browsers.

Note that although Google Chrome, Opera, Yandex Browser and Edge are produced by different companies, all of these browsers are based on the same engine, WebKit (Chromium), so errors when opening HTTPS sites are solved in the same way in each of them.

First of all, you need to make sure that the problem is not on the side of the HTTPS site itself. Try opening it from other devices (phone, tablet, home/work computer, etc.). Also check if it opens in other browsers, such as IE/Edge or Mozilla Firefox. In Firefox, a similar error was discussed in the article Error when establishing a secure connection in Mozilla Firefox.

Clear the browser cache and cookies, reset the SSL cache

Browser cache and cookies are a common cause of errors with SSL certificates. We recommend clearing your browser's cache and cookies first. In Chrome, press Ctrl + Shift + Delete, select the time range (All Time) and click the data clearing button (Data).

To clear the SSL cache on Windows:

  1. Go to Control Panel -> Internet Options;
  2. Open the Content tab;
  3. Click the Clear SSL State button;
  4. The message “SSL cache cleared successfully” should appear;
  5. Restart the browser and check whether the ERR_SSL_PROTOCOL_ERROR error remains.

Disable third-party browser extensions

We recommend disabling (or uninstalling) third-party browser extensions, especially anonymizers, proxies, VPNs, antivirus extensions and similar add-ons that can interfere with traffic to the target site. You can view the list of enabled extensions in Chrome by going to Settings -> Additional tools -> Extensions, or by opening chrome://extensions/. Disable all suspicious extensions.

If you don’t want to go into settings, but you trust the site

In some cases, you may be able to allow a connection without encryption, for example, if you are blocked from a site that you know for sure is safe, or if you are not going to enter personal or payment information and just want to read.

  • On the page with the error “Could not establish a secure connection” in the Yandex browser, click on the “Continue without encryption” button.
  • Wait for the site to load.

You may see a “Details” button instead of “Continue without encryption.” In this case:

  • Click on “Details”.
  • Click on “Make an exception for this site”.

After that, you can use the site as usual.

Check your antivirus and firewall settings

If you have an antivirus program or firewall installed on your computer (the firewall is often built into the antivirus), it may be blocking access to the site. To find out whether the antivirus or firewall is restricting access, try pausing it for a while. Many modern antiviruses include a module that checks SSL/TLS website certificates by default. If the antivirus detects that a site uses an insufficiently secure (or self-signed) certificate or an outdated protocol version (such as SSL 3.0 or TLS 1.0), user access to that site may be restricted. Try disabling scanning of HTTP/HTTPS traffic and SSL certificates. This option has different names in different antiviruses. For example:

  • In Dr.Web, the built-in firewall (SpIDer Gate) can block access to sites;
  • In ESET NOD32, you need to disable the “Enable SSL/TLS protocol filtering” option;
  • In Avast, the option is called “Enable HTTPS scanning” (located in Settings -> Active Protection -> Web Screen -> Settings -> General Settings);
  • In Kaspersky Internet Security, you need to go to Settings -> Advanced -> Network and either add the site to exceptions or select the option Don't check secure connections.

What else do you need to consider?

Please note that the last method can only be used in cases where the user is firmly confident in the complete security of the resource to which they are attempting to log in.

Note: in some situations, you may have to add the requested site to the exclusion list of your standard antivirus. You should also pay attention to the settings of the Windows firewall, in which the default web browser will have to be added to a similar list by creating a new rule.

Check date and time settings

An incorrect date and time (and time zone) on your computer can also cause errors when establishing a secure connection to HTTPS sites. During authentication, the system checks the validity period (issue and expiration dates) of the site's certificate and of the higher-level certification authority's certificate.

Check that your time and time zone are set correctly. If the clock keeps resetting, see the article “The time on the computer gets lost when turned off: what to do?”
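
The check described above can be reproduced by hand to tell a wrong PC clock from a genuinely expired certificate. This is an added example, not code from the original article; the certificate dates are constructed, and reference_now (a time you trust more than the PC clock) is an assumption of the example.

```python
import calendar
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
}

def utc(year, month, day):
    """Epoch seconds for midnight UTC on the given date."""
    return calendar.timegm((year, month, day, 0, 0, 0))

def date_error_cause(cert, local_now, reference_now):
    """Decide whether a certificate date error comes from the PC clock or the site.

    reference_now is an assumption of this example: epoch seconds from a
    source you trust more than the PC clock (a phone, an NTP query).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])

    def in_window(t):
        return not_before <= t <= not_after

    if in_window(local_now):
        return "ok"
    if in_window(reference_now):
        # The certificate is valid at the real time, so the local clock is wrong.
        days = round((local_now - reference_now) / 86400)
        return f"local clock off by {days:+d} days: fix date/time"
    if reference_now > not_after:
        return "certificate expired: site-side problem"
    return "certificate not yet valid: site-side problem"
```

If the result points at the site rather than the clock, changing local settings will not help and the certificate warning should be taken at face value.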

Update Windows Root Certificates

If your computer is in an isolated segment, has not been updated in a long time, or has the automatic update service completely disabled, your computer may not have new trusted root certificates (TrustedRootCA). We recommend updating your system to install the latest security updates and time zone updates.

Manual updating of root certificates is described in the article: How to manually update root certificates in Windows (we also recommend checking the certificate store for untrusted certificates; this will prevent interception of your HTTPS traffic and a number of other problems).

What does a secure connection protect against?

To understand the principle of such protection, two important factors must be taken into account:

  • When you do something on the Internet (communicate on social networks, pay for an order, read the news), data is exchanged between the computer and the server. The machine sends requests to the server and receives responses from it.
  • The signal from the computer passes through several nodes. Before it reaches the server, the request will pass through intermediate towers and servers. Their number depends on the provider and the quality of communication.

Because the HTTP information transfer protocol is open, all unprotected information, both the computer's request and the server's response, is exposed along the way. Therefore, at each stage of data transmission, an experienced network criminal can easily intercept any information.

It's not very scary if a hacker gets hold of your private comments on social networks. It is more dangerous when passport data, payment details and banking information fall into the hands of a thief.

To ensure the security of the transmission of personal data online, the secure HTTPS protocol was invented in 1994. It encrypts requests using the SSL/TLS cryptographic protocol, which relies on a special secret key. The letter “S” in the abbreviation HTTPS is taken from the word secure, which means security in English.

Initially, the https:// connection was used only to protect users who entered personal data: login and password, passport number, bank card. Gradually, as people became more security conscious, social networks and search engines joined the idea.

Disable QUIC protocol support

Check whether support for the QUIC (Quick UDP Internet Connections) protocol is enabled in Chrome. QUIC allows a connection to be opened much faster and all TLS (HTTPS) parameters to be negotiated when connecting to a site. However, in some cases it can cause problems with SSL connections. Try disabling QUIC:

  1. Go to: chrome://flags/#enable-quic;
  2. Find the Experimental QUIC protocol option;
  3. Change the Default option to Disabled;
  4. Restart Chrome.

Secure connection

December 13, 2022. Published in sections: ABC of terms.

When sending an item to your friend, you put it in a case, securely close it and take it to the postal employee. The courier delivers the case to the address, but your friend is unable to open it because you did not send the keys. Then the friend takes his lock, hangs it on the case, and sends the package in the opposite direction. When you receive the case, you remove your lock and send it back to your friend. As a result, the friend, completely confident in the safety of the goods, receives the case under his lock and key.

As the Internet becomes more popular every day, the risk grows that important information that needs to be protected will fall into the wrong hands.

To keep personal correspondence, bank details, telephone and passport numbers from being seen by other users, site owners are increasingly using a secure connection, shown as a padlock in the address bar of every fifth resource.

Check the versions of TLS protocols supported by your browser and site

Check which TLS/SSL protocol versions and encryption methods (Cipher Suite) are supported by your browser. To do this, simply open the web page https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

The SSL Labs online service will return a list of protocols and encryption methods that your browser supports. In my example, Chrome supports TLS 1.3 and TLS 1.2. All other protocols (TLS 1.1, TLS 1.0, SSL3 and SSL 2) are disabled.

Below is a list of supported encryption methods.

Cipher Suites (in order of preference)

  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA

A complete list of encryption methods included in Windows can be displayed using PowerShell: Get-TlsCipherSuite | Format-Table -Property CipherSuite, Name

Next, check the list of TLS/SSL protocols that your site supports. To do this, use the online SSL testing service https://www.ssllabs.com/ssltest/analyze.html?d=domain.ru (replace domain.ru with the address of the site you want to check).

Check if all versions of TLS/SSL supported by the site are available in your browser.

In this example, you can see that the site does not support TLS 3.1 and SSL3/2. Compare the Cipher Suite list similarly.

If the encryption method is not supported by your browser, you may need to enable it in Windows.

If the site does not support the SSL protocols that the client requires, then when connecting you will see the error “This site cannot provide a secure connection.”
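
The same client/site comparison can be run locally. This is an added example, not part of the original article: it attempts one handshake per TLS version and compares the result with the versions Chrome reports in the example above. The function names and the example.com host are placeholders chosen for the illustration.

```python
import socket
import ssl
import warnings

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
BROWSER = {"TLS 1.2", "TLS 1.3"}  # what Chrome reports in the article's example

def probe(host, port=443, timeout=5.0):
    """One handshake per TLS version; returns {version: cipher name or None}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with warnings.catch_warnings():
                # Python flags TLS 1.0/1.1 as deprecated; they are probed on purpose.
                warnings.simplefilter("ignore", DeprecationWarning)
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                ctx.check_hostname = False       # only protocol support is probed,
                ctx.verify_mode = ssl.CERT_NONE  # the certificate is not judged here
                ctx.minimum_version = version
                ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0]
        except (ssl.SSLError, OSError, ValueError):
            # Handshake refused, host unreachable, or the local OpenSSL build
            # cannot speak this version itself.
            results[name] = None
    return results

def diagnose(server, browser=BROWSER):
    """Explain a probe() result from the browser's point of view."""
    offered = {v for v, cipher in server.items() if cipher}
    if not offered:
        return "no handshake at all: site down, port filtered, or traffic intercepted"
    shared = sorted(offered & browser)
    if not shared:
        return "version mismatch: site only offers " + ", ".join(sorted(offered))
    return "shared versions: " + ", ".join(shared)

if __name__ == "__main__":
    print(diagnose(probe("example.com")))  # placeholder host
```

A None for TLS 1.0 or TLS 1.1 can also mean that the local OpenSSL policy refuses those versions, so confirm a legacy-only verdict with the SSL Labs report.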

Reasons for the error

There are several reasons for the “unable to establish a secure connection” failure. The error code displayed on the page in the browser usually indicates which one applies. The error means that Yandex Browser is having problems working with the HTTPS/SSL protocols. These are encryption protocols that are responsible for a secure connection to the server, as well as the exchange of data between it and the user.

In this case, information can be intercepted or replaced, which poses a threat to the client’s data. That is, attackers will gain access to some encrypted information, which they can then use for their own benefit.

There are several reasons:

  1. Problems with the site itself. This is easy to check. Open the site from another device, such as a computer or a phone. Use different networks, for example Wi-Fi on one and the operator's mobile data on the other. If the failure is still present, then the site itself has problems. There is nothing you can do here; you will have to wait until the site is fixed.
  2. If the message ERR_CERT_DATE_INVALID is displayed, the time or date is set incorrectly. Check your device and synchronize the time with the Internet. Perhaps there was an automatic switch to winter/summer time, or the date was simply wrong. In this case, the error will disappear immediately after changing the settings.
  3. Sometimes the message ERR_CERT_AUTHORITY_INVALID appears. It usually occurs when connecting through someone else's Wi-Fi or using a VPN. In this case, it may be an attack on the device over the network. Be extremely careful here and do not go to sites that require you to enter logins and passwords or any other data.
  4. Open incognito mode and go to the desired site. If there are no errors, then you will have to deal with the browser settings.
  5. If the failure occurs on only one network, for example Wi-Fi or a mobile operator, the problem is in the settings of the provider itself. If the computer does not open the site over a wired connection or Wi-Fi, but there are no problems when using mobile Internet, then the problem may well be in the settings of the telecom operator. There is nothing the user can do here; all that remains is either to visit the site at your own risk or not to use it.