Safari users hit by Facebook certificate error

A hosting error for Facebook's embedded services resulted in a brief but widespread error for Safari users.

In the past day a number of Safari users noticed a frequent and seemingly widespread error that claimed a certificate is invalid for a connection to the URL "static.ak.facebook.com," cautioning users against trusting the connection and providing options to continue or cancel the connection. The error seemed random in nature since it happened on different Web sites that use Facebook's embedded services such as the "Like" button, but also seemed to revolve around a recent event or change that is affecting only Safari users.

Upon viewing the invalid certificate when this error occurs, you would see the root of problem was from a host name mismatch error in the certificate being used to validate the connection.

Certificate URL mismatches in Safari
When viewed, the certificate's URLs (lower two circles) do not match the URL that Safari has associated with the certificate (top circle). Click for larger view. Screenshot by Topher Kessler/CNET

This type of error happens when the certificate in question is validated for one URL, but is being accessed from your Web browser using a different URL. This situation breaks the trust of the certificate and causes the browser to raise a red flag, but is not always a cause for concern. For example, a common reason to see this error is if a site uses a truncated URL service or removes a component of a URL, such as the "www" section (ie, "facebook.com" instead of "www.facebook.com").

In this situation, the URL "static.ak.facebook.com" is used to load a small 16x16 pixel PNG image for use with Facebook's embedded services on third-party Web sites; however, in some instances this URL is being resolved to a different URL (a248.e.akamai.net) that has a certificate associated with it, which has Safari warning users against trusting the certificate.

While this may raise concern about where the connection is going, the situation does not appear to be malicious in any way and instead has arisen from an apparent hosting configuration change for the image file.

Valid certificate URLs do not present an error
A valid URL for Apple's iCloud.com site shows a match for all URLs (click for larger view). Screenshot by Topher Kessler/CNET

In the case of the hosted PNG file, Facebook's image URL being a widely accessed feature resolves to multiple URLs in the Akamai network (a popular hosting service for many commercial services including those from Apple, Microsoft, Facebook, and Twitter), including "a248.e.akamai.net" -- the URL in question and the one being loaded from Safari.

Such connections for small images like this file usually do not have certificates associated with them, but a change in Akamai's hosting configuration apparently resulted in one being temporarily linked to the URL. As a result, when users were redirected to it from Safari, the browser processed the certificate and invalidated it.

Ultimately this occurrence is not usually a problem and happens from time to time as hosting configurations change; however, this occurrence was more widespread because of the popularity of Facebook's embedded services.

Currently it appears Akamai has fixed the issue and a certificate is no longer associated with the connection, so the image should show up normally when accessed.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

About the author

    Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments