Security Technology Explained

What Is a Website Security Certificate? What You Need to Know

Simon Batt Updated 09-03-2020

Ever seen the error, “There is a problem with this website’s security certificate” and wondered what it meant? Security certificates can be a little complicated, but it’s worth learning about what they are and how they help us.

Advertisement

So, what are security certificates, and why should we care about them?

Why Website Security Certificates Matter

When you access a website where you need to log in and manage an account, it’s important to protect communications between you and the service. This service could be your bank, an online store or e-commerce website, PayPal, your email, or your private blog.

When you access these kinds of websites, you’ll notice the URL starts with a lock icon and “https://” instead of just “http://”.

The HTTPS certificate on Google

This extra “S” means you’re using HTTPS (HyperText Transfer Protocol Secure). An HTTPS connection is protected by Secure Socket Layer/Transport Layer Security. Data sent between you and the website is encrypted and keeps the information private.

Much like how you log in to a website to prove you’re the real deal, a website also has to prove to you that it’s real. It does this by showing an internet security certificate to your browser. If the browser accepts the certificate, it indicates to you that the site is legitimate with the lock symbol.

If a secure website is missing the HTTPS protocol or its certificate, you may be looking at a fake. Logging into this website may be sending your data to the wrong people, which would make you a victim of a man-in-the-middle attack.

If you want to check if everything is up to par, you can click on the padlock to see more details on the certificate. This padlock icon will also change to inform you if a problem occurs.

Check Google’s explanations for those used in Chrome, and Mozilla’s Firefox descriptions. At the time of writing, both browsers will show a regular lock if everything is okay. If the lock has or is replaced by an icon of some sort, that’s an indication something went wrong.

How Do Site Owners Get a Certificate?

E-commerce website owners pay a third-party called a Certificate Authority (CA) to verify who the company is and that its transactions are authentic.

Web browsers, like Google Chrome and Firefox, maintain lists of Certificate Authorities they consider trustworthy. When you access a secure website, the site presents its security certificate to your browser. If the website certificate is up-to-date and from a trusted Certificate Authority, you are allowed to log in and complete your transactions.

There are plenty of security certificate websites that help website owners get secured. This includes Norton, GoDaddy, Microsoft, and numerous others. Their job is to perform Domain Verification, where they ensure the person applying for a certificate is also the website’s owner. We went into detail about what happens in our guide to the benefits of verifying your domain on Google and Bing The 5 Main Benefits of Verifying Your Domain on Google and Bing If you have your own website, here's why you should verify your domain on Google and Bing with their webmaster tools. Read More .

This is usually done by sending instructions to the website’s email address to ensure only the site owner reads it. The sender will ask the admin to change the Domain Name Server (DNS) settings or files on the website to prove it’s really them. If the admin did apply for a certificate, they can follow the instructions to verify their identity.

How Security Certificates Can Be Upgraded

There are more stringent types of certificates a CA may offer to verify businesses, such as Extended Validation. This can cost hundreds of dollars, and large companies will sometimes pay thousands.

Extended Validation includes verifying information like the website owner’s legal identity, company name, physical address, registration, and jurisdiction of incorporation. This website security is an important measure of trust if you run a business.

In 2019, you used to see the business’ name in the certificate section of a Chrome or Firefox browser; however, in 2019, both browsers removed this feature. You can still see it if you use Opera, however.

The VeriSign website showing an extended certificate in Opera

Certificate Authorities That Work For Free

There are free Certificate Authorities out there, but they don’t have the same layers of security and branding as the big names. Additionally, they often lack in their ubiquity of browser recognition. That means if someone gets a free security certificate, visitors may see a warning that the certificate is invalid.

You can get a free Domain Verification from StartSSL without identity validation. Mozilla browsers and Chrome will trust your website with this certificate. However, there won’t be a green bar like the Extended Validation packages, which cost around $200.

CACert is a free, community-driven Certificate Authority. Volunteer CACert Assurers meet with site owners to review your ID documents in person. Unfortunately, major browsers don’t trust CACert, and they only come included in a few open-source operating systems.

The CACert website with a free certificate

Using CACert and StartSSL will however offer your site encryption, so if you have simple user interaction on your site (such as a forum or a wiki) these free services may be just what you need.

What To Do If You See A Certificate Warning

Expired website certificate

There’s a chance that you come across a certificate alert while browsing the internet. You can see what they look like over on BadSSL, which has links to bad certificates for you to try.

When you get an alert on a real website, check the certificate’s details by clicking on the padlock. You’ll be able to find out why your browser rejected the certificate and decide for yourself if you want to continue. If the certificate expired, the website owner may have forgotten to renew it on time. You should check your computer clock’s date if you see this alert often.

If the browser revoked the security certificate, it means the site is using the certificate fraudulently and you shouldn’t trust it. If the browser doesn’t like the Certificate Authority, it comes down to you. Should you feel you understand and trust CACert’s model of peer-to-peer verification or StartSSL’s domain verification, you can tell your browser to trust those CAs.

When you see a certificate warning from a site you trust, you can also try checking the website’s Twitter feed—often home to updates about the site, downtime, security, and other issues.

If they don’t have any updates, and if you’re able, it can help to contact the website owner and ask what’s going on. You might be saving the website owner and other users a lot of grief, in the event that they aren’t already aware of the certificate warning.

Browsing the Internet Safely

Website security certificates may sound boring, but they’re essential for identifying a secure website. Now you know how to check a certificate if something looks wrong, as well as how to secure your own website if you like.

Interested in browsing the internet safely? Why not try one of the best security Google Chrome extensions 13 Best Security Google Chrome Extensions You Need to Install Now Staying secure online can be tough. Here are several Chrome security extensions that you should consider adding. Read More ?

Explore more about: Online Security, Online Shopping, Security Certificate.

Whatsapp Pinterest

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Mel
    December 5, 2016 at 10:52 pm

    So is it safe if it pops up on an app?

  2. Anonymous
    May 28, 2016 at 2:03 pm

    Yes, it's very likely that your phone doesn't use SSL (or a direct TCP/IP connection) to place calls, but check with your carrier or phone manufacturer just in case.

  3. Doc
    November 10, 2014 at 6:24 pm

    Some interesting notes: Newer updates to web browsers are turning off SSL v3 in favor of TLS (Transport Layer Security, essentially SSL v4); attackers could cause problems with TLS so that the browser dropped back to SSL v3, which can be hacked.
    SSL Security Certificates using SHA-1 encryption are being deprecated (marked as outdated) in favor of SHA-2 for much the same reason: it's becoming increasingly possible to hack SHA-1.