Amazon certificates

I’ve noticed strange behavior on my Mac (iMac late 2013 , macosx 10.14.6) in Safari; I regularly visit Amazon – I’ll visit it several times a day without incidence; but every so often, I will try to visit and get the Safari warning that the site may not be authentic; when I check the Certificate id has changed from the legitimate Amazon to some funky derivative that’s suspicious even to a novice security-minded person. If I reboot my system and go to Amazon the site loads securely and displays the proper certification. What can cause a URL to point to a legitimate site one moment, but then to load a false one the next?

Do you have some 3rd party plug-in of questionable origin in Safari? Maybe a shopping plugin for Amazon or something?

Edit: Or are you using a dodgy DNS service or VPN?

1 Like

I’m not running any sort of plugins; I only have a couple of Extension, all reputable (1Password, Instapaper). I do run a VPN, but it’s Private Internet Access, reputable and has been quite dependable…

What’s the funky derivative? Might give a clue. Post a screenshot of the certificate if you can.

I’ve never had a problem like this with PIA. Haven’t used them in a few years though.

Assuming this isn’t a malicious attack, I have seen well-meaning network analysis systems do stuff like this. If your laptop was attached to a network trying to do this sort of analysis but the CA for their analysis system was never installed, you could end up in such a situation.

Does 1Password offer the password for Amazon, when the site is using the bad certificate?

It could just be that one of their servers is misconfigured, but if 1Password doesn’t recognize the site to offer your username and password, the the site isn’t legitimate.

Are you typing in, opening a bookmark or clicking on a link from somewhere else?

This is once I’m already logged in; by way of example - I visited earlier today and everything was fine; I left a product window open to review at a later point; this afternoon I went to review the page and noticed that one of the pictures on the item page didn’t load, so I hit refresh on the page and then got the error - image attached…Screen Shot 2021-03-15 at 4.30.41 PM

Issued by AVG. Do you use an AVG product?

1 Like

Ah-ha… you may have hit on it; yes, AVG Anti-virus; funny, b/c never would I have any reason to think it would have anything to do with site certificate stuff; what’s it doing superseding the site info like that?

I presume it wants to “inspect” inside secure (HTTPS) traffic, in an attempt to block anything malicious that might arrive that way. This is a version of what corporate firewalls do where the corporate PCs have a root certificate added to their trusted certificate store so that they can impersonate any site and thus be able to inspect all traffic. It’s consider hard to do this securely on a stand-alone PC because the certificate key (aka password) for the root certificate needs to be on the same PC, potentially exposing it to bad actors.

The issues certificate is from AVG, as @PHolder says, but it is issued for the video conferencing site of 3CX in Denmark. It looks like the AVG software is getting mixed up and has used the wrong certificate for the site you are visiting.

I’d report the issue to AVG.

Thanks to both of you – since I only vaguely understand certificate security issues it’s great to get this insight; at the very least to know what’s happening even if I can’t yet stop the behavior, though I like the suggestion to report the issue to AVG…

Have you checked Google? Seem like a lot results for a search of AVG trusted certificates.