When we visit a secure website, it is important to know that the website is trusted and authentic before we browse further or provide any personal information. While there are many trustworthy websites online, there are also sites that host viruses or attempt to steal personal information. Fortunately, there are a number of technologies available to help verify a website’s authenticity including one of the most widely used technologies, website certificates.
What Are Website Certificates?
A website certificate, also known as a public key certificate, is a digitally signed document that is used as proof that a website address actually belongs to the organization that claims it. Website certificates are used whenever an organization wishes to have a secure connection with a user, such as with an email or banking website. For example, when a user types in the web address of his or her bank, a valid certificate tells the user that it is actually the bank’s website that loads in their browser.
Why is this necessary? The answer lies in the clever tactic used by some hackers of creating a dummy website and luring unsuspecting users to the fake site, tricking them into giving up their login or banking information. When a person visits a website and is presented with a notice that the certificate is missing or invalid, they may have ended up on one of these bogus websites. What the user is seeing may not be the actual company’s website, but rather an exact copy created by hackers. If the user were to try to log in to the website as they normally would, he or she would in reality be sending hackers their username and password for their banking account. As a large percentage of Internet users use the same login information for multiple websites, we can see that revealing the password could quickly become a very big problem.
Are Certificates Trustworthy?
Just because a website lacks a certificate does not mean that it has been hacked, and some certificate authorities are more trustworthy than others. By default, your Internet browser probably includes over 100 trusted certificate authorities. That is, if a website has a certificate that is signed by one of these authorities, your browser views the website as “safe” and allows you to proceed normally.
Unfortunately, there is no guarantee that each of these authorities verifies certificates with equal diligence and quality control. Valid certificates may allow you to feel confident that the website you are visiting is secure, but short of calling the organization and asking for details on an individual certificate, it is impossible to know for sure. When we visit a secure website, more often than not we are operating on faith that both the organization and certificate authority have done their jobs. If you have any doubt in your mind of the validity or quality of a certificate, err on the side of caution.
What to Look For
There are two signs that a website you are visiting is secure: a padlock icon in either the address bar or the bottom of the browser window, and a website that begins with “https” rather than “http”. To verify a certificate, you can click the padlock icon to view additional information. Not all browsers show a padlock by default, and some hackers are so thorough that they create a fake padlock, complete with a forged certification dialog box. Instead, try to check certificates by using the menu option at the top of your screen or browser window.
When you view a certificate, there are three things to check:
- The Issuer - The certificate should list a trusted certificate authority as its issuer. While you may not know this information off hand, you can search for the authority and will likely be able to tell if it is valid by search results.
- The Recipient - Be sure to check that the certificate is issued to the organization you expect, i.e. the organization that owns and runs the website in question. If the recipient does not match the organization, you should be cautious.
- The Expiration Date - Certificates are usually issued for one or two years, with few exceptions. As such, you should be wary of any certificate that lists an expiration date more than two years away. Naturally, you should be wary of expired certificates, as well.
While checking a website certificate can be somewhat time-consuming, it pays to be cautious if you have any reason to doubt the authenticity of a secure website you are visiting. In many cases, you will likely find the certificate to be valid and trustworthy, but careful attention is worth it if it prevents accidentally giving personal information to a compromised website.