Event 1033 - Secure Sockets Layer (SSL)

Applies To: Windows 7, Windows Vista

HTTPS uses encryption to secure your Internet traffic and protect it from snooping or tampering by others on the network. HTTPS uses either the Secure Sockets Layer (SSL) or the Transport Layer Security (TLS) protocol to protect data. To improve security, Windows® Internet Explorer® automatically blocks navigation to any HTTPS site with invalid or erroneous security certificates. This behavior reduces the likelihood of someone taking advantage of configuration or protocol weaknesses to intercept or modify Web traffic that is transferred by using the HTTPS protocol. New error pages provide a simplified user experience, which also helps to reduce social engineering and phishing attacks.

As a user, network administrator, or Web site developer using Internet Explorer, you might experience the compatibility impact of HTTPS security improvements in the following ways:

Symptom: An error page appears when viewing a site configured to use only the SSL 2.0 protocol.
Cause: Windows Internet Explorer 8 automatically disables the SSL 2.0 protocol. Due to known security issues with the SSL 2.0 protocol, it has been replaced by the SSL 3.0 and TLS 1.0 protocols.

Symptom: An error page appears when viewing an HTTPS site configured to use weaker ciphers (such as 40-bit and 56-bit encryption) on the Windows Vista® operating system.
Cause: Windows Vista disabled the weaker encryption ciphers, allowing only the use of stronger ciphers.

Symptom: An error page appears when navigating to an HTTPS site with an erroneous security certificate.
Cause: Internet Explorer 8 automatically blocks navigation to any HTTPS site with invalid or erroneous security certificates.

Symptom: An Information Bar appears when viewing a page that mixes HTTPS and HTTP content.
Cause: Internet Explorer 8 automatically blocks HTTP content from appearing in HTTPS pages.

Symptom: An error appears when navigating to an HTTPS site with a revoked security certificate on Windows Vista.
Cause: Windows Vista automatically performs a check for revoked security certificates on HTTPS sites.

When Is This Event Logged?

This event is logged any time Internet Explorer encounters invalid or erroneous security certificates.

Note

For more information and examples, see the Event 1033-Secure Sockets Layer topic from Internet Explorer Application Compatibility.

Remediation

The following sections describe possible workarounds for some of the most common Internet Explorer issues faced by users, network administrators, and Web site developers.

Workarounds for Users

Users of Internet Explorer can work around the compatibility impact of the HTTPS security improvements in the following ways:

Symptom: An error page appears when viewing an HTTPS site configured to use weaker ciphers (such as 40-bit and 56-bit encryption) on Windows Vista.
Workaround: There is no workaround for this issue. Please contact the Web site owner and request stronger encryption options.

Symptom: An error page appears when navigating to an HTTPS site with an erroneous security certificate.
Workaround: The workaround depends on the type of certificate error:

  • Expired certificates. There is no workaround for an expired certificate. You must contact the Web site owner and request that they update the certificate.

  • Non-matching addresses. If the address in the security certificate does not match the Web site's address, you can clear the Warn about certificate address mismatch check box, located in the Advanced tab of the Internet Options dialog box, and successfully navigate to the Web site.

    Important
    It is not recommended to change this setting.

  • Unsigned certificate. If a trusted certification authority did not sign the security certificate, you can manually add the authority.

    Important
    Trusting a malicious certification authority puts your computer at risk.

To manually add an authority

  1. Click the Certificate Error button in the Internet Explorer address bar of the Certificate Error page.

  2. Click View Details.

  3. Select the root certificate in the Certification Path tab, and then click View Certificate.

  4. Click Install Certificate in the General tab.

Workarounds for Network Administrators

As a Network Administrator of computers running Internet Explorer, you can work around the compatibility impact of the HTTPS security improvements in the following ways:

Symptom: An error page appears when viewing an HTTPS site configured to use weaker ciphers (such as 40-bit and 56-bit encryption) on Windows Vista.
Workaround: You must configure your Web server software to offer stronger encryption options. If the Web server is not in your control, contact the server operator.

Symptom: An HTTPS error page appears, enabling users to continue on to a Web site that presented the erroneous certificate.
Workaround: Enable the Prevent ignoring certificate errors setting from your Group Policy. Enabling this option removes the ability to continue to a Web site from an HTTPS error page.

To enable the setting by using Group Policy

  1. Start the Group Policy tool (GPEdit.msc).

  2. Expand the policy structure to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel.

  3. Double-click the Prevent ignoring certificate errors setting.

  4. Click Enabled, and then click OK.

Workarounds for Web Site Developers

As a Web site developer for sites viewed with Internet Explorer, you can work around the compatibility impact of the HTTPS security improvements in the following ways:

Symptom: An error page appears when viewing a site configured to use only the SSL 2.0 protocol.
Workaround: Enable SSL 3.0 or later in your Web server software.

Symptom: An error page appears when viewing an HTTPS site configured to use weaker ciphers (such as 40-bit and 56-bit encryption) on Windows Vista.
Workaround: Enable stronger ciphers (128-bit or higher) in your Web server software.

Symptom: An error page appears when navigating to an HTTPS site with an erroneous security certificate.
Workaround: The workaround depends on the type of certificate error:

  • Expired certificates. Ensure that you are using valid, non-expired security certificates issued by a trusted root certification authority.

  • Non-matching addresses. Ensure that the address in the certificate matches the address of your Web site. This is particularly important for servers that are addressable by multiple hostnames. For example, a certificate issued to email.fabrikam.com is not valid for use on mailbox.fabrikam.com. You must either purchase a certificate that lists both hostnames, or purchase a wildcard (*) certificate for *.fabrikam.com.
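
The address-matching rule above can be checked before a certificate is deployed. The following is an added example, not code from the original page: it compares the names listed in a certificate with the hostnames a server answers on, and goes slightly beyond the text by applying the common browser rule (RFC 6125) that a wildcard replaces exactly one leftmost label. The function names and sample data are constructed for illustration.

```python
def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, hostname):
    """Return True if one certificate name (pattern) covers hostname.

    Rules follow common browser behaviour (RFC 6125): comparison is
    case-insensitive, and "*" is honoured only as the whole leftmost label,
    where it stands for exactly one label.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h


def certificate_covers(cert_names, hostname):
    """True if any name listed in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def audit(cert_names, served_hostnames):
    """Return the served hostnames that would trigger an address-mismatch error."""
    return [h for h in served_hostnames if not certificate_covers(cert_names, h)]


if __name__ == "__main__":
    # Constructed sample data using the page's fabrikam.com hostnames.
    served = ["email.fabrikam.com", "mailbox.fabrikam.com"]
    for names in (["email.fabrikam.com"],
                  ["email.fabrikam.com", "mailbox.fabrikam.com"],
                  ["*.fabrikam.com"]):
        print(names, "-> mismatches:", audit(names, served))
```

Note that under this rule *.fabrikam.com does not cover fabrikam.com itself or a deeper name such as a.mailbox.fabrikam.com; those hostnames must be listed separately.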

Symptom: An Information Bar appears when viewing a page that mixes HTTPS and HTTP content.
Workaround: Ensure that your HTTPS Web pages do not contain embedded references to resources addressed by the HTTP protocol.

Note
If you have a Web page that is viewable from either HTTP or HTTPS, make sure you use protocol-relative hyperlinks to address resources.

For example, if you have an image on www.fabrikam.com/account.htm that is addressable using either http:// or https://, you must use <img src="//www.fabrikam.com/pic.jpg"> instead of <img src="www.fabrikam.com/pic.jpg">.

This way, if the user views the site using HTTPS, the image is downloaded through HTTPS, but if the user views the Web site using HTTP, the image is downloaded through HTTP.

See Also

Concepts

Known Internet Explorer Security Feature Issues