Understanding what this validation and encryption tool does is the first step to protecting your website and customers alike
In a way, a website security certificate is like a driver’s license.
In both cases, you use it to assert identity so you can conduct your business. A website security certificate is useful for not only helping clients (your users’ web browsers) recognize your website (web server), but also for helping the users themselves identify that the website is actually your page and not the fake site of an imposter. It’s just like making an Amazon purchase — you’d want to make sure you’re on Amazon’s official site first, right? Identity is essential.
But why is identity such a big concern? It probably has something to do with the fact that cybercrime is occurring at record levels and cost businesses and consumers worldwide at least $1.5 trillion in 2018 alone. Identity theft is also soaring at unprecedented levels. Oh, and criminals like to set up fake websites that look like legitimate businesses to lull users into a false sense of security…
Do we really need to list more reasons? Well, another benefit is that a website security certificate also helps you to facilitate a secure, encrypted connection between clients and the server. Combined with the authentication benefit, this means that users can feel confident and comfortable engaging in transactions because they know that their information is protected and being shared with a verified source.
It is for these reasons that a website security certificate is essential for every business or organization regardless of whether you collect or handle personal information. (Although they’re especially important for businesses that do.) But what is a website security certificate and why is it so important?
Let’s hash it out.
What Are Website Security Certificates?
Essentially, a website security certificate is a digital stamp of approval from an industry-trusted third party known as a certificate authority (CA). More specifically, it’s a digital file, signed by the CA, that binds a public key to a domain name (and, at the higher validation levels, to a verified organization). A browser uses that signed binding to confirm it is talking to the genuine server and to set up an encrypted connection with it; the certificate itself doesn’t encrypt anything, but without it the browser has no way to know whose key it is encrypting to.
A website security certificate is also known as an SSL certificate (or, more accurately, a TLS certificate), an HTTPS certificate, and an SSL server certificate. It’s the thing that allows you to display that nifty padlock in the web address bar. So, regardless of what you prefer to call them, the objective of SSL certs is important — to secure websites, assert identity, and bring happiness and joy to people throughout the world.
Okay, the last part is a bit of a stretch. But, in a way, it’s also kind of true. If people use authentic, secure websites to conduct their business or make purchases, and they can rest assured that you’ve taken the necessary measures to keep their information safe, they’ll be more likely to return to do business again in the future. This makes for happy customers and a happy chief financial officer for your organization. Everybody wins.
Why Website Security Certificates Are Important:
With a website security certificate, users can be confident that:
- They’re connected to the correct, official server for the website they’re trying to visit (not a hacker-run fake), and
- Nobody who intercepts the data they exchange with the website can read it, or tamper with it without being detected.
But how does all of this work?
How Does an HTTPS Certificate Work?
In a nutshell, you use this type of certificate to assert your organization’s identity and to authenticate your web server to clients so the two can establish a secure, encrypted connection through a process known as a TLS handshake. (The handshake can also authenticate clients to the server, but that requires client certificates and is rare on public websites; by default only the server proves who it is.) In layman’s terms, it’s like those “secret” handshakes you’d do with your friends as a kid — only you guys know the specific combination of finger snaps, hand clasps, high fives, and other motions that would identify you’re part of that specific social circle.
From a technical standpoint, it’s the groundwork for all the cryptographic functions needed to let clients connect to your website over the secure HTTPS protocol. This involves:
- Negotiating the protocol version and cipher suite (the client lists what it supports and the server picks from that list),
- Authenticating one or both parties in the exchange (the server presents its certificate and proves it holds the matching private key; the client checks that the certificate chains to a CA it trusts and that the name in it matches the site it asked for), and
- Exchanging keys (in modern TLS, via an ephemeral Diffie-Hellman exchange) and deriving the symmetric session keys that encrypt the rest of the conversation.
Once the handshake is complete, users can transmit their information to your site over this connection without man-in-the-middle (MitM) attackers and other schmucks being able to decrypt, or silently alter, any data they intercept.
It’s a pretty cool process — and one that many countries, industries, and institutions agree is necessary to protect data integrity and privacy. But what happens when the wrong people get their hands on a certificate?
The Other Side of Website Security Certificates: Why Secure Doesn’t Always Equal Safe
Wait, didn’t we literally just get through saying that an SSL certificate makes your website more secure? Yes, and it does. However, just because a website is secure doesn’t mean that it’s also safe. What we mean by this is that a website can use a basic SSL certificate but still be a malicious site. That’s because the bad guys also use encryption.
In fact, the Anti-Phishing Working Group (APWG) reports that more than half of the world’s phishing websites now use the HTTPS protocol. Yeah, phishing isn’t just an email concern. Cybercriminals use phishing websites to trick users into providing their information. They do this using domain validated (DV) SSL certificates, the most basic type available: a DV certificate proves only that whoever requested it controlled the domain at the time of issuance, and a phisher who has just registered a look-alike domain passes that check trivially.
Now, as you may or may not know, you don’t have to pay for some DV SSL certs. This is because some certificate authorities (CAs) hand out certificates for free… like bead necklaces at Mardi Gras — only you don’t have to take anything off to get an SSL cert.
Now, we’re not bringing up the free guys just to throw mud in their eyes — there is a point here, and it boils down to understanding how to fight against the tide of this growing trend.
This is where identity comes into play.
Authentication & Trust: Website Security Certificates Help People Know That You’re You
When it comes to verifying an organization’s identity, commercial CAs offer higher validation tiers than their free counterparts. A DV certificate is validated the same way whether it’s free or paid (the CA checks control of the domain and nothing else), and commercial CAs sell DV certificates too, but they also provide organization validation (OV) and extended validation (EV) SSL certs. Both of these offer forms of business validation: OV is the intermediate level of verification and EV, much like the name describes, requires the most extensive verification.
With EV SSL certificates, for example, the CA typically has to spend several days looking into your organization, reviewing records, and verifying that your organization is legitimate and isn’t just some shady character setting up a phishing site. While this may sound like a ginormous pain in the butt for you as the website owner, it’s really not. But it does mean that you have to be able to prove, using legitimate documentation and channels, that your website is authentic and that you’re a real, established organization.
We argue that making it as easy as possible to identify whether a website is legitimate is important. And using a website security certificate is one of the most effective ways to help do that.
How to Use a Website Security Certificate to Check an Organization’s Information
We’ve been talking all about asserting organizational identity on websites. But if someone wants to check the information on an SSL cert, how do they do it?
On the website you wish to verify, check the web address bar and ensure that there’s a padlock. The padlock means the browser negotiated an encrypted TLS connection with a server whose certificate chains to a trusted CA and matches the hostname; by itself it says nothing about who operates the site. Next, to view the identifying information of the website security certificate itself, you’ll want to:
- Click on the padlock. In Google Chrome, this opens a panel showing the connection status with a Certificate entry; in Mozilla Firefox, it shows a Connection secure entry with an arrow beside it.
- In Chrome, click on Certificate to view additional information. This pops up a three-tab window. Under the General tab, which displays by default, it will show that the certificate was issued to “www.thesslstore.com.”
- In Firefox, simply click on the arrow next to the Connection secure text to display the website’s verified organization information.
- In Google Chrome, under the Details tab, select the Subject field and you will be able to view specific, verified information about the organization that validates its identity. In the case of our extended validation certificate, you can see information about The SSL Store, which is a property of Rapid Web Services, LLC and is based in St. Petersburg, Florida. If the Subject field holds only a CN (the domain name) and no O, L, or ST entries, you are looking at a DV certificate, and the CA verified nothing about the operator.
Note that current versions of Chrome and Firefox no longer show the organization name in the address bar itself for EV certificates, so the certificate viewer is the reliable place to look.
That’s it. As you can see, it’s a pretty simple process. But verifying the identity of an organization before handing over any personal or financial information could save users a lot of headaches if they took just a few seconds to do so.
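The handshake from the “How Does an HTTPS Certificate Work?” section and the certificate check just described, as an added Go example that is not code from the original article or from The SSL Store: it mints two self-signed certificates with the standard library (a stand-in for a real CA; the hostnames www.example.com and www.examp1e.com, the organization name, and all function names are assumptions for the demo), serves each from a TLS listener on the loopback interface, and has a client connect four times. The first two handshakes succeed and the client reads the Subject the way the browser’s certificate viewer does: the OV/EV-style cert carries an Organization, the DV-style look-alike carries none, yet both would earn a padlock. The last two are refused by the client, once for a hostname mismatch and once because the issuer is missing from its trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HandshakeResult is what the client learns from the handshake, or why it aborted it.
type HandshakeResult struct {
	Version, CipherSuite uint16   // negotiated protocol version and cipher suite
	Subject              string   // CN of the server's leaf certificate
	Organization         []string // Subject O=; empty for a DV-style certificate
	Err                  error    // non-nil if the client refused the server
}

// selfSignedCert mints a self-signed cert for host. Assumption: this toy issuer stands in for a
// real CA, so the cert is flagged as a CA and doubles as the root the client trusts. org fills
// Subject O=, which a CA populates only for OV/EV certificates after vetting the business.
func selfSignedCert(host string, org []string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host, Organization: org},
		DNSNames:              []string{host}, // clients match the hostname against SANs, not CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// handshake serves serverCert on loopback and connects a client that trusts only roots and expects
// serverName. The client does the three phases from the article: negotiate, authenticate, exchange keys.
func handshake(serverCert tls.Certificate, serverName string, roots ...*x509.Certificate) HandshakeResult {
	pool := x509.NewCertPool() // the client's trust store in miniature (a browser ships hundreds of roots)
	for _, r := range roots {
		pool.AddCert(r)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return HandshakeResult{Err: err}
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // a client that rejects the cert aborts this with an alert
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12,
	})
	if err != nil {
		return HandshakeResult{Err: err} // chain or hostname check failed: no padlock
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return HandshakeResult{Version: st.Version, CipherSuite: st.CipherSuite,
		Subject: st.PeerCertificates[0].Subject.CommonName, Organization: st.PeerCertificates[0].Subject.Organization}
}

func report(label string, r HandshakeResult) {
	if r.Err != nil {
		fmt.Printf("%-36s refused: %v\n", label, r.Err)
		return
	}
	fmt.Printf("%-36s TLS 0x%04x %s CN=%s O=%v\n", label, r.Version, tls.CipherSuiteName(r.CipherSuite), r.Subject, r.Organization)
}

func main() {
	// Constructed scenario: genuine site with an OV/EV-style cert, imposter with a DV-style cert.
	realCert, realRoot, _ := selfSignedCert("www.example.com", []string{"Example Org, LLC"})
	fakeCert, fakeRoot, _ := selfSignedCert("www.examp1e.com", nil)
	report("genuine site", handshake(realCert, "www.example.com", realRoot, fakeRoot))
	report("look-alike site (padlock, no O=)", handshake(fakeCert, "www.examp1e.com", realRoot, fakeRoot))
	report("look-alike cert, genuine hostname", handshake(fakeCert, "www.example.com", realRoot, fakeRoot))
	report("genuine cert, issuer not trusted", handshake(realCert, "www.example.com"))
}
```

Run it with `go run`; it needs no network beyond the loopback interface. The point of the second case is the one the article makes: the look-alike site completes the handshake and would show a padlock, but its Subject carries nothing beyond the domain name, which is exactly what you see in the browser’s certificate viewer for a DV certificate. The third case shows why an attacker can’t simply reuse a look-alike certificate for the genuine hostname, and the fourth shows the trust-store check that a certificate from an unknown issuer fails.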