How to Stop Untrusted Certificates From Being Installed on Your Device
There’s a nasty type of attack that tries to trick your device into trusting a fake security certificate, usually by getting a rogue “root” certificate added to the list of certificate authorities your device trusts. If that succeeds, an attacker who can sit between you and the internet (on a public Wi-Fi network, say) can present their own certificates for your bank, email or social media sites, and your device will accept them without complaint: the padlock still shows, but you’re talking to the bad guys, who can read and alter everything you send.
When your device encounters a security certificate that it doesn’t trust, it shows you a warning. These warnings are there to protect you – don’t click through them! A rogue root certificate is dangerous precisely because it silences those warnings for the attacker’s fake sites.
What is a security certificate?
Think of a security certificate as a digital ID for a website or app. It ties the site’s name (such as www.example.com) to a cryptographic key, and it is signed by a certificate authority (CA) that your device already trusts. Whenever you visit a secure website (you’ll see “https://” in the address) or use an app that connects to online services, your device checks that the certificate matches the name it asked for, hasn’t expired, and chains back to one of its trusted CAs; only then does it set up the encrypted connection. Note that a certificate proves you’re talking to the holder of that name, not that the site is honest: a phishing site can have a perfectly valid certificate for its own address.
How do rogue certificates get installed?
Most often, a rogue certificate gets installed because you were tricked into approving it. A link in a phishing email or text message leads to a page that urges you to install a “security profile”, “VPN certificate” or similar, and a few taps later a certificate you never meant to trust is in your device’s trust store. A website on its own can’t silently add a trusted certificate – modern phones and computers ask for confirmation, and a computer will also ask for an administrator password – so the attack relies on you clicking through. Software you’ve already installed and allowed to run is a different matter: some of it adds certificates legitimately (corporate device-management tools, some antivirus and parental-control products), and some of it does so in order to intercept your traffic (“free VPN” or ad-blocking apps are a common example). Finally, someone with physical access to an unlocked device can install a certificate manually. Signs that something like this may have happened include:
- Unexpected pop-ups asking you to install software, a “profile” or a certificate
- New, unfamiliar apps appearing on your device
- Your device running slower than usual or behaving erratically
- Warnings about untrusted websites appearing more frequently (this can mean something is intercepting your connection even though no rogue certificate has been installed yet)
Regularly check your installed certificates
It’s a good idea to periodically check the certificates installed on your devices, paying particular attention to the trusted root certificates, since those are what every other certificate is checked against. If you find any certificates you don’t recognise or that seem out of place, remove them immediately. The locations below are the operating system’s own trust stores; some browsers (Firefox, for example) keep a separate list, so check the browser’s certificate settings as well.
- On Windows: Search for “Manage computer certificates” in the Start menu, and also “Manage user certificates”, since each user account has its own store. In each, expand Trusted Root Certification Authorities > Certificates.
- On macOS: Go to Finder > Applications > Utilities > Keychain Access. Look under the “System” and “login” keychains in the Certificates category; certificates whose trust settings have been customised (which is how a root you added yourself appears) are marked with a blue badge.
- On Android: Go to Settings > Security > Encryption & credentials > Trusted credentials. The “User” tab lists certificates added after purchase; on a phone that has never been enrolled in a work or school account it should be empty. (Exact wording may vary by device.)
- On iOS: Go to Settings > General > VPN & Device Management (called “Profiles” on older versions). Remove any configuration profile you didn’t intentionally install. Also look for Settings > General > About > Certificate Trust Settings, which only appears once a root certificate has been installed and shows whether full trust is switched on for it.
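As an added example (not code from the original article), the script below lists the root certificates that Python can see in the operating system’s trust store and flags any that don’t belong to an organisation you expect, using only the standard library. The sample store, the organisation names in it and the EXPECTED_ORGS allowlist are constructed for illustration; a real audit would seed the allowlist from a clean device of the same make and model.

```python
"""Audit the operating system's trusted root certificates for entries you did not expect.

Added example, not from the original article. Uses only the standard library:
SSLContext.get_ca_certs() returns the CA certificates Python loaded from the system
trust store as plain dicts, and the constructed sample below uses the same dict
shape so the audit logic can be exercised offline.
"""
import ssl
import time


def rdn_value(name, key):
    """Return the first value for `key` (e.g. "commonName") in a subject/issuer tuple.

    get_ca_certs() represents a name as a tuple of RDNs, each a tuple of (key, value) pairs.
    """
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def is_root(cert):
    """A root certificate is self-signed: subject and issuer are the same name."""
    return cert["subject"] == cert["issuer"]


def audit_trust_store(certs, expected_orgs, now=None):
    """Return (commonName, reason) findings for roots that look out of place.

    Only self-signed roots are examined, since those are what every other certificate
    chains back to. `expected_orgs` is the set of organizationName values you recognise
    (public CAs, plus your employer's CA on a managed device); anything else is reported
    for a human to look at. Expired roots are reported separately: they can no longer be
    used against you, but there is no reason to keep them.
    """
    now = time.time() if now is None else now
    findings = []
    for cert in certs:
        if not is_root(cert):
            continue
        cn = rdn_value(cert["subject"], "commonName") or "<no commonName>"
        org = rdn_value(cert["subject"], "organizationName") or "<no organizationName>"
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            findings.append((cn, "expired root, safe to remove"))
        elif org not in expected_orgs:
            findings.append((cn, f"root from unrecognised organisation: {org}"))
    return findings


def _name(*pairs):
    """Build a subject/issuer tuple in get_ca_certs() format from (key, value) pairs."""
    return tuple(((k, v),) for k, v in pairs)


# Constructed sample store (not real certificates): one entry loosely modelled on a
# public CA root, one on an interception root a "free VPN" app might install, and one
# on a leftover root from an uninstalled security product.
PUBLIC_ROOT = _name(("countryName", "US"), ("organizationName", "DigiCert Inc"),
                    ("commonName", "DigiCert Global Root G2"))
VPN_ROOT = _name(("organizationName", "Free VPN Booster"),
                 ("commonName", "Free VPN Booster Root CA"))
OLD_ROOT = _name(("organizationName", "Old Antivirus Ltd"),
                 ("commonName", "Old Antivirus Web Shield Root"))
SAMPLE_STORE = [
    {"subject": PUBLIC_ROOT, "issuer": PUBLIC_ROOT, "serialNumber": "01",
     "notBefore": "Aug  1 12:00:00 2013 GMT", "notAfter": "Jan 15 12:00:00 2038 GMT"},
    {"subject": VPN_ROOT, "issuer": VPN_ROOT, "serialNumber": "02",
     "notBefore": "Mar  3 09:12:44 2024 GMT", "notAfter": "Mar  1 09:12:44 2034 GMT"},
    {"subject": OLD_ROOT, "issuer": OLD_ROOT, "serialNumber": "03",
     "notBefore": "Jan  1 00:00:00 2016 GMT", "notAfter": "Dec 31 23:59:59 2020 GMT"},
]

# Organisations you expect to see as roots (constructed allowlist). In practice, seed
# this from a clean device of the same make and model or the vendor's published list.
EXPECTED_ORGS = {"DigiCert Inc"}


def live_trust_store():
    """Roots Python can see in this machine's system trust store.

    Caveats: on Windows this reads the ROOT and CA stores; on Linux it reads OpenSSL's
    default CA bundle; some macOS Python builds ship their own bundle instead of reading
    the Keychain; and browsers such as Firefox keep a separate store this cannot see.
    Certificates in a capath directory are only listed once they have been used.
    """
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    print("Sample store:")
    for cn, reason in audit_trust_store(SAMPLE_STORE, EXPECTED_ORGS):
        print(f"  {cn}: {reason}")
    print("\nLive store (extend EXPECTED_ORGS, or most public roots will be listed):")
    for cn, reason in audit_trust_store(live_trust_store(), EXPECTED_ORGS):
        print(f"  {cn}: {reason}")
```

Run it once on a device you trust, add every organisation it reports to EXPECTED_ORGS, and keep that list: the next run then only reports roots that have appeared since, which is exactly the "certificate you don't recognise" the section above tells you to look for.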
Only download apps from official stores
One of the simplest and most effective ways to protect yourself is to only download applications from official and trusted app stores. The Apple App Store, Google Play Store and Microsoft Store check apps for malicious content before listing them, which significantly reduces (though doesn’t eliminate) the risk of installing something harmful. Be especially suspicious of any app, from any source, that asks you to install a certificate or a VPN profile as part of setup.
- Before downloading, check the app’s reviews and ratings.
- Look at the developer’s name – is it the official one?
- Be wary of apps that ask for excessive permissions during installation.
Keep your operating system and browsers updated
Software updates often include critical security patches that fix vulnerabilities. Keeping your operating system (Windows, macOS, Android, iOS) and web browsers (Chrome, Firefox, Edge, Safari) up to date ensures you have the latest protections against known threats. Updates also carry changes to the built-in list of trusted certificate authorities, so an out-of-date device may keep trusting a CA that the vendors have since removed for misbehaving.
- Enable automatic updates for your operating system and apps.
- Regularly restart your devices to ensure updates are fully applied.
- For browsers, check the “About” section (e.g., Chrome: Settings > About Chrome) to confirm it’s up to date.
Key takeaway
Being vigilant about security certificates might sound a bit technical, but it’s a crucial step in keeping your online life safe. By regularly checking your installed certificates, being careful about what you download, and keeping your software updated, you’re building strong defences against sneaky attacks that try to trick your devices into trusting fakes. Stay aware, stay secure!