What Is a Website Security Certificate and Why Should You Care?



Ever seen the error, “There is a problem with this website’s security certificate” and wondered what it meant? I’ll explain what a security certificate is, and how it works – so you can get back to your browsing – without the worry.

Internet security is quite complex, so this article gives only a simple overview of the topic for non-technical readers, and tips for what to do when you encounter security errors.

Why Security Certificates Matter

When you access a website where you need to log in and manage an account, it’s important that your account details stay between you and your service provider, so your money, identity, and personal information stay safe. Your online service provider could be your bank, an online store or e-commerce website, PayPal, your email, or your private blog.

When you access these kinds of websites, you’ll notice the URL starts with a lock icon and “https://” instead of just “http://”.


HTTPS (HyperText Transfer Protocol Secure) indicates that the website is protected by Secure Sockets Layer/Transport Layer Security. Data sent between you and the website is encrypted so the information is private, and the website is identified to be who it claims to be. Just as you verify your identity (by means of a username and password, and other information the site may ask for, such as in two-factor authentication), the website needs to verify its identity as well. The website proves it is operated by its true owners by showing a security certificate to your Internet browser, which then indicates to you that the site is legitimate with the lock symbol.

If you don’t see those things when you should be on a secure site, or if you see a warning, it means that the website could be a fake. On a site like that, you may be sending your data to the wrong people, which would make you a victim of a man-in-the-middle attack. If the lock symbol doesn’t appear in green, or if it has a yellow warning mark on it, you can click on it for more details.


Security symbols differ: check Google’s explanations for those used in Chrome, while Internet Explorer users should consult Microsoft’s key. Safari browser’s security buttons appear at the end of the URL, as explained by Apple.

Site Owners, Browsers, And Certificate Authorities

E-commerce website owners pay a third-party called a Certificate Authority (CA) to verify who the company is and that its transactions are authentic.

Web browsers, like Google Chrome, Firefox, and Internet Explorer maintain lists of Certificate Authorities they consider trustworthy. When you access what should be a secure website, the site presents its security certificate to your browser. If the certificate is up-to-date and from a trusted Certificate Authority, you are allowed to log in and complete your transactions, warning-free.

If you’re starting a secure website, there are lots of different CAs to choose from. They may include Norton, GoDaddy, Microsoft, and numerous others. Their job is to verify that you own the site they are issuing a certificate for, also known as Domain Verification. This may be done by sending an email to the address associated with the website domain, with instructions for updating your website’s Domain Name System (DNS) settings or files on your web server. The idea is that only the person who received that email would have the exact instructions for updating the website, and be able to do so.

Greater Security

There are other, more stringent types of certificates a CA may offer (which cost more) to verify who you and your business are, such as Extended Validation, which can cost hundreds of dollars (large companies will sometimes pay thousands). Extended Validation includes verifying information like the website owner’s legal identity, company name, physical address, registration, and jurisdiction of incorporation. This website security is an important measure of trust if you run a business.


When you visit a site that has undergone Extended Validation, modern browsers include the company name in green in the URL bar, to let you know you are dealing with the correct company.

Free Certificate Authorities

There are free Certificate Authorities out there, but because the service is free they don’t have the same layers of security and branding as the big names. They are also often not as widely recognized by browsers. That means if you get a free security certificate, your website’s readers may tell you that their browser warns them that your site’s Certificate Authority is untrusted. You can get free Domain Verification from StartSSL (without identity validation), and that will clear your site to be trusted by Mozilla browsers, Safari, and Internet Explorer. You won’t, however, get the green bar that comes with the Extended Validation packages, which cost around $200. The company is based in Israel, however, and is required to hold onto your verification documents for several years.

CAcert is a free, community-driven Certificate Authority. Volunteer CAcert Assurers meet with site owners to review their ID documents in person. Unfortunately, CAcert’s certificates aren’t trusted in major browsers, and they only come included in a few open-source operating systems.



Using CAcert and StartSSL will, however, offer your site encryption, so if you have simple user interaction on your site (such as a forum or a wiki) these free services may be just what you need.

What To Do If You See A Certificate Warning


The important thing to do when you get that browser warning is to check for details. You’ll be able to find out why the certificate was rejected, and decide for yourself if you want to continue and use the site anyway. If the certificate is expired, the website owner may have just forgotten to renew it on time. If you see this error a lot, you should check your computer clock’s date and make sure that is accurate.

However, if the security certificate was revoked, it means the site is using the certificate fraudulently, and you shouldn’t trust it. You could also get the warning that the Certificate Authority is not trusted. If you feel you understand and trust CAcert’s model of peer-to-peer verification or StartSSL’s domain verification, you can tell your browser to trust those CAs. There are other kinds of warnings and errors, so keep your eyes peeled and read up on the details.
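
The warning reasons described above can be written out as a short check. This is an added example, not code from the original article or from any browser: the certificate is a constructed sample in the layout Python's ssl module returns, and the trusted-CA list and revocation list are made-up stand-ins for what a browser actually consults.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
# Host name, issuer, serial number and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
TRUSTED_CAS = {"Example Trusted CA"}   # stand-in for the browser's CA list
REVOKED_SERIALS = {"DEADBEEF"}         # stand-in for the CA's revocation data


def issuer_name(cert):
    """Pull the issuing organisation out of the nested issuer tuples."""
    return dict(rdn[0] for rdn in cert["issuer"]).get("organizationName", "")


def warning_reasons(cert, now, trusted=TRUSTED_CAS, revoked=REVOKED_SERIALS):
    """Return the reasons a browser would warn about cert; empty means none."""
    reasons = []
    clock = now.timestamp()
    if clock > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append("expired: owner may not have renewed in time")
    elif clock < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append("not yet valid: check the computer clock")
    if cert["serialNumber"] in revoked:
        reasons.append("revoked: do not trust the site")
    if issuer_name(cert) not in trusted:
        reasons.append("untrusted certificate authority")
    return reasons


if __name__ == "__main__":
    utc = timezone.utc
    for label, when in [("in date", datetime(2024, 6, 1, tzinfo=utc)),
                        ("after expiry", datetime(2025, 3, 1, tzinfo=utc)),
                        ("clock reset", datetime(2001, 1, 1, tzinfo=utc))]:
        print(label, "->", warning_reasons(SAMPLE_CERT, when) or "no warning")
```

The same certificate passes, fails as expired, or fails as not yet valid depending only on the clock value passed in, which is why a wrong computer date produces warnings on many sites at once.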

When you see a certificate warning from a site you trust, you can also try checking the website’s Twitter feed – often home to updates about the site, downtime, security, and other issues.


If they don’t have any updates, and if you’re able, it can help to contact the website owner and ask what’s going on. You might be saving the website owner and other users a lot of grief, in the event that they aren’t already aware of the certificate warning.

In short, be vigilant (because phishing scams are out there), but also be curious. Go forth and find out why you see security warnings.

Have you ever encountered a security certificate warning? Do you take the time to find out why you’re seeing it? Which ones worry you the most, and do you have any tips for what to do about them?


  1. Mel
    December 5, 2016 at 10:52 pm

    So is it safe if it pops up on an app?

  2. Anonymous
    May 28, 2016 at 2:03 pm

    Yes, it's very likely that your phone doesn't use SSL (or a direct TCP/IP connection) to place calls, but check with your carrier or phone manufacturer just in case.

  3. Doc
    November 10, 2014 at 6:24 pm

    Some interesting notes: Newer updates to web browsers are turning off SSL v3 in favor of TLS (Transport Layer Security, essentially SSL v4); attackers could cause problems with TLS so that the browser dropped back to SSL v3, which can be hacked.
    SSL Security Certificates using SHA-1 encryption are being deprecated (marked as outdated) in favor of SHA-2 for much the same reason: it's becoming increasingly possible to hack SHA-1.