
Ever seen the error, “There is a problem with this website’s security certificate” and wondered what it meant? I’ll explain what a security certificate is, and how it works – so you can get back to your browsing – without the worry.

Internet security is quite complex, so this article gives only a simple overview of the topic for non-technical readers, and tips for what to do when you encounter security errors.

Why Security Certificates Matter

When you access a website where you need to log in and manage an account, it’s important that your account details stay between you and your service provider, so your money, identity, and personal information stay safe. Your online service provider could be your bank, an online store or e-commerce website, PayPal, your email, or your private blog.

When you access these kinds of websites, you’ll notice the URL starts with a lock icon and “https://” instead of just “http://”.


HTTPS (HyperText Transfer Protocol Secure) indicates that the website is protected by Secure Sockets Layer/Transport Layer Security. Data sent between you and the website is encrypted so the information is private, and the website is identified to be who it claims to be. Just like how you verify your identity (by means of username and password, and other information they may ask for such as in two-factor authentication), the website needs to as well. The website proves it is operated by its true owners by showing a security certificate to your Internet browser, which then indicates to you that the site is legitimate with the lock symbol.


If you don’t see those things when you should be on a secure site, or if you see a warning, it means that the website could be a fake. On a site like that, you may be sending your data to the wrong people, which would make you a victim of a man-in-the-middle attack. You can click on the lock symbol for more details if it doesn’t appear in green, or if it has a yellow warning mark on it.


Security symbols differ: check Google’s explanations for those used in Chrome, while Internet Explorer users should consult Microsoft’s key. Safari browser’s security buttons appear at the end of the URL, as explained by Apple.

Site Owners, Browsers, And Certificate Authorities

E-commerce website owners pay a third party called a Certificate Authority (CA) to verify who the company is and that its transactions are authentic.

Web browsers, like Google Chrome, Firefox, and Internet Explorer, maintain lists of Certificate Authorities they consider trustworthy. When you access what should be a secure website, the site presents its security certificate to your browser. If the certificate is up-to-date and from a trusted Certificate Authority, you are allowed to log in and complete your transactions, warning-free.

If you’re starting a secure website, there are lots of different CAs to choose from. They may include Norton, GoDaddy, Microsoft, and numerous others. Their job is to verify that you own the site they are issuing a certificate for, also known as Domain Verification. This may be done by sending an email with instructions for updating your website’s Domain Name Server (DNS) settings, or files on your webserver, to the email address associated with the website domain. The idea is, only the person who received that email would have the exact instructions for updating the website, and be able to do so.

Greater Security

There are other, more stringent types of certificates a CA may offer (which cost more) to verify who you and your business are, such as Extended Validation, which can cost hundreds of dollars (large companies will sometimes pay thousands). Extended Validation includes verifying information like the website owner’s legal identity, company name, physical address, registration, and jurisdiction of incorporation. These are important measures of trust if you run a business.


When you visit a site that has undergone Extended Validation, modern browsers include the company name in green in the URL bar, to let you know you are dealing with the correct company.

Free Certificate Authorities

There are free Certificate Authorities out there, but because the service is free they don’t have the same layers of security and branding as the big names. Additionally, they are often not as widely recognized by browsers. That means if you get a free security certificate, you may hear from your website readers that their browser presents a warning when they visit your site that your site’s Certificate Authority is untrusted. You can get free Domain Verification from StartSSL (without identity validation), and that will clear your site to be trusted by Mozilla browsers, Safari, and Internet Explorer. You won’t, however, get the green bar for the Extended Validation packages, which cost around $200. The company is based in Israel, however, and is required to hold onto your verification documents for several years.

CAcert is a free, community-driven Certificate Authority. Volunteer CAcert Assurers meet with site owners to review their ID documents in person. Unfortunately, CAcert’s certificates aren’t trusted in major browsers, and they only come included in a few open-source operating systems.


Using CAcert and StartSSL will, however, offer your site encryption, so if you have simple user interaction on your site (such as a forum or a wiki) these free services may be just what you need.

What To Do If You See A Certificate Warning


The important thing to do when you get that browser warning is to check for details. You’ll be able to find out why the certificate was rejected, and decide for yourself if you want to continue and use the site anyway. If the certificate is expired, the website owner may have just forgotten to renew it on time. If you see this error a lot, you should check your computer clock’s date and make sure that is accurate.

However, if the security certificate was revoked, it means the site is using the certificate fraudulently, and you shouldn’t trust it. You could also get the warning that the Certificate Authority is not trusted. If you feel you understand and trust CAcert’s model of peer-to-peer verification or StartSSL’s domain verification, you can tell your browser to trust those CAs. There are other kinds of warnings and errors, so keep your eyes peeled and read up on the details.
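The causes described above (expired, wrong clock, revoked, untrusted Certificate Authority) correspond to the error codes a TLS library reports when verification fails. As an added example, not part of the original article, this Python script uses the standard ssl module to connect the way a browser would and name the cause; the function names and the sample certificate dates are made up for illustration.

```python
import socket
import ssl
import time

# OpenSSL verification codes mapped to the warning causes the article describes.
CAUSES = {
    9: "not yet valid: check your computer clock",
    10: "expired: the owner may not have renewed it, or your clock is wrong",
    18: "self-signed: no Certificate Authority vouches for this site",
    19: "untrusted CA: the chain ends in a root your system does not trust",
    20: "untrusted CA: the issuer is not in your trusted list",
    23: "revoked: do not trust this certificate",  # only reported when CRL checking is enabled
    62: "name mismatch: the certificate was issued for a different site",
}

def explain(verify_code):
    """Turn a verification error code into a plain-language cause."""
    return CAUSES.get(verify_code, f"other verification failure (code {verify_code})")

def validity(cert, now=None):
    """Classify a getpeercert()-style dict against the local clock."""
    now = time.time() if now is None else now
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < start:
        return "not yet valid"
    if now > end:
        return "expired"
    return f"valid, {int((end - now) // 86400)} days left"

def check(host, port=443, timeout=5):
    """Connect with the system's trusted CA list and report the outcome."""
    ctx = ssl.create_default_context()  # trusted CAs loaded, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return validity(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return explain(err.verify_code)

# Constructed sample in the format getpeercert() returns (not a real site's certificate).
SAMPLE = {"notBefore": "Jan  1 00:00:00 2024 GMT",
          "notAfter": "Jan  1 00:00:00 2025 GMT"}
```

Calling `check("example.com")` needs network access; `validity(SAMPLE, now=...)` shows how the same certificate reads as expired or not yet valid depending only on the clock value passed in.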

When you see a certificate warning from a site you trust, you can also try checking the website’s Twitter feed – often home to updates about the site, downtime, security, and other issues.


If they don’t have any updates, and if you’re able, it can help to contact the website owner and ask what’s going on. You might be saving the website owner and other users a lot of grief, in the event that they aren’t already aware of the certificate warning.

In short, be vigilant (because phishing scams are out there), but also be curious. Go forth and find out why you see security warnings.

Have you ever encountered a security certificate warning? Do you take the time to find out why you’re seeing it? Which ones worry you the most, and do you have any tips for what to do about them?

  1. Howard Blair
    May 28, 2016 at 2:03 pm

    Yes, it's very likely that your phone doesn't use SSL (or a direct TCP/IP connection) to place calls, but check with your carrier or phone manufacturer just in case.

  2. Doc
    November 10, 2014 at 6:24 pm

    Some interesting notes: Newer updates to web browsers are turning off SSL v3 in favor of TLS (Transport Layer Security, essentially SSL v4); attackers could cause problems with TLS so that the browser dropped back to SSL v3, which can be hacked.
    SSL Security Certificates using SHA-1 encryption are being deprecated (marked as outdated) in favor of SHA-2 for much the same reason: it's becoming increasingly possible to hack SHA-1.
