Privacy error while making a payment

  • Question
  • Updated 2 years ago
  • Answered
I tried to make a payment using the web self serve portal but my browser stopped me. This occurred after I entered the payment amount (first step, pressed a button that says "Next"). While using an up-to-date version of Chrome, I got a "Your connection is not private" error page with an error of NET::ERR_CERT_AUTHORITY_INVALID.

Here's the advanced message:
This server could not prove that it is pay2.koodomobile.com; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

Nathan Feaver

  • anxious about how Koodo is handling my secure data

Posted 2 years ago

Philip Song, Employee

You need to trust the security certificate of pay2.koodomobile.com first; otherwise your access is not safe and will be blocked. Here is a link to help you fix it:

http://www.toppctech.com/fix-net-err-cert-authority-invalid-error/

Nathan Feaver

This is a really bad idea. See my full reply below.

Nathan Feaver

I believe I've uncovered the whole story now and this fix is reasonable (when you know all the details). See my last post. Manually trusting certificates is generally a bad idea though.

Bernard, Official Rep

@Nathan, per Philip above this is a "browser" error message, not one coming from Koodo. Follow his recco and it should be alright.

Nathan Feaver

"should be alright" eh?

Nathan Feaver

How do I mark this question as "Not Answered"?

Chadwick, Mobile Master

You don't; a forum moderator will do so at their discretion. Just because you don't like an answer doesn't mean it's not answered. Please don't mistake my reply as being rude. Just stating a fact. Best of luck.

Nathan Feaver

"Just trusting the certificate" is a really bad idea. For all I know, the certificate is a self-signed certificate by a third party wanting to steal my credit card information. If you run into this error, please don't follow the suggestion in Philip's reply unless we've got more information.

Nathan Feaver

You're right that SSL certificates are best practice for e-commerce sites. SSL certificates enable us to have https connections. However, we don't have to manually trust each site's certificate. Have you ever gone to Amazon.ca to purchase something and been forced to trust a certificate?

We don't have to trust each individual certificate because there are organizations called certificate authorities that digitally sign certificates. Chrome and other browsers know about these established certificate authorities and accept them. When something is wrong with the certificate (a bad signature or an untrusted certificate authority), then Chrome shows the warning page I've been seeing.

The lesson: Don't trust certificates that Chrome doesn't trust automatically. There's a good reason that Chrome throws that warning page at you. I will look for alternate payment methods if Koodo doesn't get this fixed soon.

Philip Song, Employee

Our SSL certificate is issued by Symantec, a Trusted CA. 

Nathan Feaver

Okay, that's good. Do you know why Chrome is displaying the untrusted CA error then?

David, Mobile Master

The comments in the first link @Philip Song posted offer a long, but likely incomplete, list of clashes with SSL certificates. Possibly those examples might begin to give you some direction for a search.

Nathan Feaver

I'm not sure I follow you @David. Do you mean the list of Chrome errors, starting with net::err_cert_authority_invalid? I understand what the error is and when it would be displayed in general. I'm not understanding why other people don't seem to be seeing the same error and what Koodo is doing to make sure their SSL certificates (and secure connections) are properly set up.

Robert, Mobile Master

There are a lot of different payment methods you can use if you don't want to use the one above: http://help.koodomobile.com/my-bill/billing-and-payment-options/how-can-i-pay-my-bill

But I never had any true problems with Koodo.

EmilX

My Chrome browser is up to date, just made a payment online and never got that error message from Koodo. Otherwise I likely would have questioned it too. Maybe it's something on your end?

Nathan Feaver

This reply was created from a merged topic originally titled Privacy Error While Making a Payment.

My question is marked as "Answered" but it is definitely not answered. Hopefully this one will get another round of attention. The original question: https://community.koodomobile.com/koodo/topics/privacy-error-while-making-a-payment

Ivan, Mobile Master

I think the better question here is to ask Google why Chrome is rejecting the valid certificate. As nobody else has complained of this issue, it doesn't seem to affect most customers.

What about other browsers? Do you get any warnings there? Is the connection identified as secure?

Nathan Feaver

Okay, I asked a guy at work who knows his stuff:

I'm likely seeing a certificate error because there's an intermediate certificate that my computer doesn't have and Koodo is only sending their certificate to the client (or a partial chain of certificates). Source: https://www.ssllabs.com/ssltest/analyze.html?d=pay2.koodomobile.com.

Others who don't see the warning page have browsers that are automatically fetching intermediate certificates or have them cached.

https://en.wikipedia.org/wiki/Intermediate_Certificate_Authority

I'm frustrated that Koodo doesn't have their server configured to automatically provide all of the needed certificates. I'm also disappointed that no Koodo representative provided a reasonable explanation and solution.

For people that are following along: My conclusion is that the certificate is safe to trust (manually, using the method referenced by Philip Song) because the warning is because of a misconfigured server and not because of an insecure certificate (given the SSL Labs' B ranking).
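
Added example (not part of the original thread, and not Koodo's configuration): the missing-intermediate failure described in the post above, reproduced offline with `openssl`. The three certificates and their `demo-*.example.test` names are constructed for the demo; a client that trusts only the root rejects a leaf sent alone, and accepts the same leaf once the intermediate is supplied.

```shell
#!/bin/sh
# Constructed demo PKI (all names are made up): root CA -> intermediate CA -> leaf.
build_demo_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
            -subj "/CN=demo-$name.example.test" -out "$dir/$name.csr" \
            2>/dev/null || return 1
    done
    # Self-signed root, marked as a CA.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -days 30 -out "$dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -extfile "$dir/ca.ext" -days 30 -out "$dir/int.pem" \
        2>/dev/null || return 1
    # Leaf (server) certificate, signed by the intermediate.
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 3 -days 30 -out "$dir/leaf.pem" 2>/dev/null
}

# Client trusts only the root; server sends only its leaf (the misconfiguration).
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client, but the intermediate is supplied as an untrusted helper cert,
# as it would be if the server sent it or the client had it cached.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_demo_pki "$demo_dir" || { echo "openssl setup failed" >&2; exit 1; }

if verify_leaf_only "$demo_dir"; then
    echo "leaf only:           trusted"
else
    echo "leaf only:           rejected (issuer not found)"
fi
if verify_with_intermediate "$demo_dir"; then
    echo "leaf + intermediate: trusted"
else
    echo "leaf + intermediate: rejected"
fi
```

To see which certificates a live server actually sends, `openssl s_client -connect host:443 -showcerts` prints the chain from the handshake; a server-side fix is to configure the server to send the leaf followed by its intermediates.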

Ivan, Mobile Master

Thanks for the update.

Philip Song, Employee

@Nathan, could you please clear your cache and try again? Your problem should disappear now.

Nathan Feaver

You're right. That fixed it. Thanks! This is a much better solution.