Ever seen the error, “There is a problem with this website’s security certificate” and wondered what it meant? I’ll explain what a security certificate is, and how it works – so you can get back to your browsing – without the worry.
Internet security is quite complex, so this article gives only a simple overview of the topic for non-technical readers, and tips for what to do when you encounter security errors.
Why Security Certificates Matter
When you access a website where you need to log in and manage an account, it’s important that your account details stay between you and your service provider, so your money, identity, and personal information stay safe. Your online service provider could be your bank, an online store or e-commerce website, PayPal, your email, or your private blog.
When you access these kinds of websites, you’ll notice the URL starts with a lock icon and “https://” instead of just “http://”.
HTTPS (HyperText Transfer Protocol Secure) indicates that the website is protected by Secure Socket Layer/Transport Layer Security. Data sent between you and the website is encrypted so the information is private, and that the website is identified to be who it claims to be. Just like how you verify your identity (by means of username and password, and other information they may ask for such as in two-factor authentication), the website needs to as well. The website proves it is operated by its true owners by showing a security certificate to your Internet browser, which then indicates to you that the site is legitimate with the lock symbol.
If you don’t see those things when you should be on a secure site, or if you see a warning, it means that the website could be a fake. On a site like that, you may be sending your data to the wrong people, which would make you a victim of a man-in-the-middle attack. You can click on the lock symbol for more details, if it doesn’t appear in green, or if it has a yellow warning mark on it.
Security symbols differ: check Google’s explanations for those used in Chrome, while Internet Explorer users should consult Microsoft’s key. Safari browser’s security buttons appear at the end of the URL, as explained by Apple.
Site Owners, Browsers, And Certificate Authorities
E-commerce website owners pay a third-party called a Certificate Authority (CA) to verify who the company is and that its transactions are authentic.
Web browsers, like Google Chrome, Firefox, and Internet Explorer maintain lists of Certificate Authorities they consider trustworthy. When you access what should be a secure website, the site presents its security certificate to your browser. If the certificate is up-to-date and from a trusted Certificate Authority, you are allowed to log in and complete your transactions, warning-free.
If you’re starting a secure website, there are lots of different CAs to choose from. They may include Norton, GoDaddy, Microsoft, and numerous others. Their job is to verify that you own the site they are issuing a certificate for, also known as Domain Verification. This may be done by sending an email with instructions for updating your website’s Domain Name Server (DNS) settings, or files on your webserver, to the email address associated with the website domain. The idea is, only the person who received that email would have the exact instructions for updating the website, and be able to do so.
There are other, more stringent types of certificates a CA may offer (which cost more) to verify who you and your business are, such as Extended Validation, which can cost hundreds of dollars (large companies will sometimes pay thousands). Extended Validation includes verifying information like the website owner’s legal identity, company name, physical address, registration, and jurisdiction of incorporation. These are important measures of trust if you run a business.
When you visit a site that has undergone Extended Validation, modern browsers include the company name in green in the URL bar, to let you know you are dealing with the correct company.
Free Certificate Authorities
There are free Certificate Authorities out there, but because the service is free they don’t have the same layers of security and branding as the big names. Additionally, they often lack in their ubiquity of browser recognition. That means if you get a free security certificate, you may hear from your website readers that their browser presents a warning when they visit your site that your site’s Certificate Authority is untrusted. You can get free Domain Verification from StartSSL (without identity validation), and that will clear your site to be trusted by Mozilla browsers, Safari, and Internet Explorer. You won’t, however, get the green bar for the Extended Validation packages, which cost around $200. The company is based in Israel, however, and is required to hold onto your verification documents for several years.
CACert is a free, community-driven Certificate Authority. Volunteer CACert Assurers meet with site owners to review your ID documents in person. Unfortunately, CAcert’s certificates aren’t trusted in major browsers, and they only come included in a few open-source operating systems.
Using CACert and StartSSL will however offer your site encryption, so if you have simple user interaction on your site (such as a forum or a wiki) these free services may be just what you need.
What To Do If You See A Certificate Warning
The important thing to do when you get that browser warning is to check for details. You’ll be able to find out why the certificate was rejected, and decide for yourself if you want to continue and use the site anyway. If the certificate is expired, the website owner may have just forgotten to renew it on time. If you see this error a lot, you should check your computer clock’s date and make sure that is accurate.
However, if the security certificate was revoked, it means the site is using the certificate fraudulently, and you shouldn’t trust it. You could also get the warning that the Certificate Authority is not trusted. If you feel you understand and trust CACert’s model of peer-to-peer verification or StartSSL’s domain verification, you can tell your browser to trust those CAs. There are other kinds of warnings and errors, so keep your eyes peeled and read up on the details.
When you see a certificate warning from a site you trust, you can also try checking the website’s Twitter feed – often home to updates about the site, downtime, security, and other issues.
If they don’t have any updates, and if you’re able, it can help to contact the website owner and ask what’s going on. You might be saving the website owner and other users a lot of grief, in the event that they aren’t already aware of the certificate warning.
In short, be vigilant (because phishing scams are out there), but also be curious. Go forth and find out why you see security warnings.
Have you ever encountered a security certificate warning? Do you take the time to find out why you’re seeing it? Which ones worry you the most, and do you have any tips for what to do about them?