Security problems on some ii screens?

EthicsGradient · 28 October at 10:42AM

I'm getting security errors (the

Your connection isn't private

Attackers might be trying to steal your information from secure.ii.co.uk (for example, passwords, messages, or credit cards).

net::ERR_CERT_AUTHORITY_INVALID
screen) on certain ii screens, when I'm logged in to the site. It seems to be screens that start "secure.ii.co.uk/" (eg "Free regular investing"), while others (such as "Investments" - "www.ii.co.uk/secure/investments") are OK.

It looks like they've reorganised, and forgotten to change some screens (I had the initial login screen bookmarked as "secure.ii.co.uk/webbroker2", and that gets the security error too, but their home page points to "www.ii.co.uk/login", and that works fine, delivering the same screen, so I just updated my bookmark). But if their internal links are hosed, this is a significant problem.

...
Now working OK, half an hour later. URLs aren't changed, so I suspect they had a security certificate they had let lapse.

fwor · 28 October at 12:01PM

It seems to be a configuration problem, rather than a certificate problem. The odd thing is that secure.ii.co.uk and ii.co.uk are covered by two different certs issued by different authorities (one by Digicert and the other Amazon). There's no sign that a certificate has lapsed, looking at the dates, so they are *probably* in the process of migrating the whole site from one issuing authority to another.

Andrew_Cottrell · 5 December at 4:09PM

This is a configuration problem. The Qualys SSL Server Test confirms that "secure.ii.co.uk" has an incomplete certificate chain. The front-end TLS (SSL) device (e.g. a load balancer) has been configured incorrectly. Every TLS (SSL) device should send a full certificate chain, including intermediate certificates.

The solution is to do a web search for "DigiCert EV RSA CA G2" and find the result on the "knowledge.digicert.com" website. Then download the DER/CRT file for "DigiCert EV RSA CA G2", which has an SHA256 Fingerprint: 95:88:EF:74:19:9E:45:AC:EF:CC:CF:C0:C4:70:10:E9:F2:A3:7A:1D:D4:4C:61:A4:E1:C6:B3:34:DA:5A:F6:14

Next, open your web browser's Certificate Manager and import a custom Intermediate Certificate using the downloaded file.

Once the above steps are completed, your browser will be able to complete the certificate chain for "secure.ii.co.uk" and HTTPS should work properly to verify if the server certificate is valid.

The above solution may not work if "secure.ii.co.uk" switches to a new certificate, but it solves the issue as of 5th December 2025. The above solution is safe and will not cause issues with your browser or any other websites.

I'd like to link directly to the DER/CRT file for "DigiCert EV RSA CA G2", but in my experience my posts are not displayed if they contain links.

The solution detailed above may sound dodgy to those unfamiliar with TLS certificates, so it may be helpful if someone else with relevant technical knowledge can verify the Qualys SSL Server Test results and that my suggest solution is safe and sensible.

fwor · 5 December at 5:29PM

Is it a problem that needs solving? If I look at ii, all I see is that the connection is secure.

Ok, if I'm looking at the ii.co.uk parts of the domain it shows that it's secured by an Amazon-issued cert, and if I look at the secure.ii.co.uk it's secured by a Digicert-issued cert.

As far as my browser is concerned, both are valid.

RacingDriver · 5 December at 6:37PM

I intermittently get a security error with II SSL around few months but usually fixes itself within the hour

DavidT67 · 5 December at 6:53PM

Are you using Mozilla Firefox perchance ? It is far stricter on certificate chains than other browsers, and the Digicert intermediates are usually the cause.

RacingDriver · 5 December at 6:53PM

No, Google Chrome

EthicsGradient · 5 December at 9:52PM

I use Microsoft Edge (which is Chromium-based, like Chrome). I have been able to reset things by deleting all ii cookies. But it has come back again sometimes; I have a vague suspicion that if I let a session time out, then when I come back, the "secure.ii.co.uk" pages don't work, but that if I log out cleanly, it'll work.

Whether that would match with Andrew_Cottrell's technical solution above, I don't know.

After some testing, it's not just a question of timing out or logging out cleanly.

Andrew_Cottrell · 6 December at 3:39PM

The solution I have posted above is only needed if your web browser displays a certificate error or warning on "secure.ii.co.uk" pages; e.g. "Your connection isn't private" or a similar message.

If your web browser is not reporting a certificate error on "secure.ii.co.uk" pages, then your web browser has already seen and remembered the "DigiCert EV RSA CA G2" intermediate certificate (most likely from visiting a correctly configured website that happens to use the same intermediate certificate).

fwor · 7 December at 12:17PM

That doesn't seem to match the OP's symptoms - because it seems he sometimes sees the problem, and sometimes doesn't. In your situation, if he was ever presented with the correct intermediate cert, the problem would go away for good (because it would then be stored locally).

It certainly does seem to be a configuration problem (at ii's end) but exactly what is hard to figure out.

Stoodles · 7 December at 7:00PM

I have contacted ii about this problem, and been advised to delete cookies. Haven't yet tried, as I found that while Chrome blocks access, Firefox is happy to let me in.

Security problems on some ii screens?

Comments

Confirm your email address to Create Threads and Reply

🚀 Getting Started

Categories

Is this how you want to be seen?

Get our FREE Weekly email full of deals & guides - and it’s spam-free