It’s always disturbing to see a warning that implies something malicious is happening. That’s the case with an alert that can appear when an app or the operating system “Cannot Verify Server Identity” in iOS or iPadOS or “can’t verify the identity of the server” in macOS.
This message’s intent is to ensure that no secure connection made via a web browser, email client, or other software has been subverted by a man-in-the-middle (MitM) attack. In such an attack, an attacker tries to fool you into accepting a digital certificate other than the one associated with the host and domain name of the web server your device wants to reach.
Third parties—called certificate authorities (CAs)—cryptographically sign the digital certificates, identity documents that servers provide when a browser or other software client makes a secure connection. The CAs also have signatures that operating systems and browsers build into their release versions. When an app tries to make a secure connection, it retrieves a server’s digital certificate and validates that the certificate has a legitimate signature from a CA by checking it against its local store. (These CA counter-signatures are tied to powerful cryptographic algorithms and an attacker can’t falsify them without causing an error.)
It has been quite rare in practice to encounter this kind of attack for the last several years, because operating systems and browsers have become quite vocal about warning of a problem and even make it difficult to figure out how to bypass the warning.
With Apple’s warning, you have the option to click Continue and authorize a connection using the wrong certificate. You should never agree to this unless you know precisely why it happened. (The only time it makes sense is for a project hosted on a local network or run by an organization you know that doesn’t obtain a third-party validated certificate. Even then, you would be given a profile to install a “self-signed” certificate before you make a connection that prompted a warning.)
Where you typically see this issue is when connecting to a Wi-Fi hotspot before you’ve authenticated through a portal page. Until you’ve clicked an Accept button, paid for service, or logged in, you can only reach the portal page—the rest of the internet is cut off.
As a result, if any apps on your iPhone, iPad, or Mac attempt to connect to a secure site, the network returns the certificate for its local hotspot portal server. Hence, you get an error, as that certificate isn’t the right one.
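The name check behind this error, as an added example (not from the original article or from Apple's code): it compares the requested hostname with the DNS names in a certificate, using the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`. The hostnames and both certificates are constructed, and the CA signature check described earlier is not modeled here.

```python
# Added example: hostname check against a certificate's subjectAltName entries.
# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert();
# all hostnames and certificates below are constructed for illustration.

def dns_names(cert):
    """Return the lowercase DNS names listed in the certificate's subjectAltName."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, hostname):
    """Match one certificate name against the requested hostname.

    A wildcard is honoured only as the entire left-most label, and it
    covers exactly one label ("*.example.com" matches "mail.example.com"
    but not "example.com" or "a.b.example.com").
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def verify_identity(cert, requested_host):
    """Return (ok, reason) the way a client decides whether to warn."""
    names = dns_names(cert)
    if not names:
        return False, "certificate lists no DNS names"
    if any(name_matches(n, requested_host) for n in names):
        return True, "certificate covers " + requested_host
    return False, "certificate is for %s, not %s" % (", ".join(names), requested_host)

# Constructed sample: the certificate the real mail server would present.
MAIL_CERT = {"subjectAltName": (("DNS", "*.mail.example"), ("DNS", "mail.example"))}
# Constructed sample: the certificate a hotspot portal returns instead.
PORTAL_CERT = {"subjectAltName": (("DNS", "portal.hotspot.example"),)}

if __name__ == "__main__":
    for label, cert in (("direct", MAIL_CERT), ("via portal", PORTAL_CERT)):
        print(label, verify_identity(cert, "imap.mail.example"))
```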
To bypass the problem, tap or click Cancel on any message that appears. Then either log into the hotspot network if that’s an option or disconnect from it. You can use Control Center in iOS, iPadOS, or macOS to temporarily disable Wi-Fi: tap or click the Wi-Fi icon.
Or you can “forget” the Wi-Fi network from your stored settings, which disconnects your device and keeps it from automatically reconnecting to the same network:
- In iOS/iPadOS, go to Settings > Wi-Fi, tap the i info icon to the right of the connected network, tap Forget This Network, and confirm.
- In macOS, open System Preferences > Network, select the Wi-Fi network in the interface list at left, click Advanced, select the network in the Wi-Fi tab, click the – minus button, and confirm by clicking Remove.
This Mac 911 article is in response to a question submitted by Macworld reader David.