Q. I had a bunch of sites throw up a message that a doubleclick.net server needed me to upload a certificate. What was all that about?
A. You weren’t alone in seeing this hiccup at Google’s advertising subsidiary at the start of this week. I found reports of the same problem across Twitter, on Reddit and in Apple’s tech-support forums after I ran into this issue myself.
The symptoms were always the same: You’d be clicking around the Web, minding your own business, when a dialog would pop up asking you to verify your identity by uploading a client certificate. On my Mac, this message would include a dialog with a locally stored file already selected.
That may sound like the behavior of a virus or a privacy-robbing marketing campaign, but DoubleClick says it was only a screwup at its end.
“A small update to our spam protection systems resulted in some users seeing this message in error,” a PR statement read. “The issue has now been resolved.”
Google PR did not answer my follow-up questions about that info-light response to my original query. DoubleClick’s system-status dashboard provided only a little more detail in a Dec. 9 update about “an issue with DoubleClick Campaign Manager” — a set of tools to coordinate ad campaigns — that reported it was resolved later that morning.
So what exactly was DoubleClick asking for with that message? Eric Mill, a Washington-based Web developer and expert on site certificates and security (among other projects, he’s working to make encryption a standard feature at government sites), said this was a rarely-used “client authentication” mode in which a site needs the browser to confirm its identity by providing a digital certificate file.
“This can, for example, be used to log in to a site using a certificate, rather than a username/password,” Mill wrote in an e-mail. Most of the time, it’s the opposite scenario: a site needs to authenticate itself (so you know you’re not logging into a hostile clone of your bank’s site) and presents a digital site certificate that your browser automatically inspects and verifies.
Because Web users normally don’t have to touch a site certificate — even if one relies on weaker security, your browser may not provide any advisory about that — the prompts and dialogs about them rarely cater to everyday users. Instead, you get brusque, jargon-heavy messages like in those DoubleClick alerts.
But the basic lesson here isn’t that complicated: If a Web site makes a weird request for you to upload a file, run an app, type in some personal data or do anything else that isn’t part of your usual Web-reading routine, lift your fingers from the keyboard or the touchscreen for a minute and think.
That kind of unexpected prompt can be legitimate, but in my experience it almost never is. That doesn’t mean it’s outright malicious — although if the message harangues you with an excess of capital letters and exclamation points, somebody’s definitely trying to spook you — but does require proceeding with caution.
At a minimum, click or tap whatever button closes the current dialog (that’s what I did to dispel DoubleClick’s dialog without further interruptions). If that doesn’t work, close the current browser tab or dialog. If that doesn’t work, force-quit the browser (for instance, in OS X you’d hit the Command, Option and Esc keys simultaneously, while in Windows the Shift, Control and Esc keys do that job). If you must, restart your computer or device.
You may have to retrace your latest Web wanderings afterwards, but that beats having a site spoof you into coughing up private information or trick you into letting it stuff unwanted software on your computer.
Read or Share this story: http://usat.ly/1QEtSg7