I Surf Secure Websites, Do You??
Why does a website need a security certificate?
Attackers often set up malicious sites to harvest your information, so be cautious whenever you enter personal details on any website. One basic check is whether the connection to the site is encrypted: data in transit then cannot be read or altered by someone on the network between you and the server (this says nothing about what the site itself does with the data once it arrives). Two elements that indicate a site uses encryption are:
- a closed padlock in the address bar, next to the URL (older browsers showed it in the status bar at the bottom of the window or between the address and search fields)
- a URL that begins with “https:” rather than “http:”
A security certificate indicates that a certificate authority (CA) has verified that whoever requested the certificate controls the domain name in the URL; some certificate types additionally verify the legal identity of the organization behind it. Encryption and a valid certificate say nothing about the intentions of the site's operator: a phishing site can have a perfectly valid certificate for its own domain, so the name in the URL still has to be the one you expect. If the certificate does not check out, your browser shows a warning that there is an error in the site's certificate. Take such warnings seriously, and if you have any doubt, do not enter personal details on the site. Even when the connection is encrypted, read the organization's privacy policy first so that you know what is done with the information you submit.
Can you trust a certificate?
Whether a site has a certificate at all is only part of the picture; what matters is whether the certificate validates. When you open a URL, your browser checks the following:
- The website address matches a name on the certificate: the host name in the URL must appear in the certificate's Subject Alternative Name list.
- The certificate is signed by a certificate authority that the browser recognizes as "trusted", either directly or through a chain of intermediate certificates that ends at a trusted root.
- The current date lies within the certificate's validity period.
If the web address matches a name on the certificate, a trusted certificate authority signed it, and the date is valid, you can be reasonably confident that you are talking to a server operated by whoever controls that domain name. You can be more certain still by verifying the certificate's unique fingerprint out of band, for example by comparing it with a fingerprint the organization publishes or reads to you when you call them directly; a fingerprint cannot be forged without breaking the hash function. The remaining question is how trustworthy the signing authority is. By default, your browser or operating system ships with a list of more than 100 trusted certificate authorities, and a certificate issued by any one of them is accepted without further checks.
How do you check a certificate?
You can view a website's certificate by clicking the padlock in the address bar and choosing the certificate or connection details option (older browsers put this under the page's properties or the security tab of page information). The following details should be there:
- Who issued the certificate? Make sure that the issuer is a legitimate, trusted certificate authority; you may see names such as DigiCert, Entrust or Let's Encrypt. (Older guidance mentions VeriSign and Thawte; those CA brands have since been acquired by DigiCert.) Some organizations also run their own certificate authorities to issue certificates for internal sites such as intranets; those certificates are trusted only on devices where the organization's root certificate has been installed.
- Who received the certificate? The certificate is issued to the organization that operates the website, and the names it carries must cover the domain you typed. Do not trust the certificate if the name on it does not match the organization or domain you expect.
- Expiration date. Publicly trusted website certificates issued since September 2020 have a maximum lifetime of 398 days (about 13 months), and many are issued for only 90 days; modern browsers reject publicly trusted certificates issued for longer than that. The exception is the certificate of the certificate authority itself, which may be valid for ten years or more, because replacing a root certificate means redistributing it to every browser and operating system that trusts it. Be wary of website certificates that are valid for longer than 398 days or that have expired.
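The three checks a browser performs (host name, trusted issuer, validity dates) and the details a certificate viewer shows (issuer, subject, expiry, fingerprint) can be exercised offline with Go's standard-library crypto/x509 package. The program below is an added example, not code from the original page or from US-CERT: it issues its own throwaway root and website certificate so that it needs no network, and the CA name "Example Trusted Root CA" and the host "bank.example" are constructed values. It also applies the 398-day lifetime check from the last point above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair for tmpl and has parentKey sign the certificate;
// a nil parentKey means self-signed. Failures here are entropy or encoding bugs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA builds a self-signed root standing in for one shipped in a browser's trust store.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour), // decade-long root lifetimes are normal
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, nil)
}

// IssueLeaf has the CA sign a website certificate for host. Browsers match the
// URL's host against the Subject Alternative Names, so host goes into DNSNames.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{ // the leaf's private key would live on the web server
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// CheckCert runs the three checks a browser performs: the chain ends at a trusted
// root, the host name matches, and now lies inside the validity period. nil means pass.
func CheckCert(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Fingerprint is the SHA-256 of the DER encoding: the value a certificate viewer
// shows and the one to compare out of band with the site's operator.
func Fingerprint(cert *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(cert.Raw))
}

// LongLived flags a lifetime above the 398-day cap public CAs have applied to
// website certificates since September 2020; roots are expected to exceed it.
func LongLived(cert *x509.Certificate) bool {
	return cert.NotAfter.Sub(cert.NotBefore) > 398*24*time.Hour
}

func main() {
	ca, caKey := NewCA("Example Trusted Root CA") // constructed CA name
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	now := time.Now()
	leaf := IssueLeaf(ca, caKey, "bank.example", now.Add(-time.Hour), now.Add(90*24*time.Hour)) // constructed host
	fmt.Printf("issued to %q by %q, long-lived: %t\n", leaf.Subject.CommonName, leaf.Issuer.CommonName, LongLived(leaf))
	fmt.Println("fingerprint:", Fingerprint(leaf))
	fmt.Println("correct host:", CheckCert(leaf, roots, "bank.example", now))
	fmt.Println("wrong host:  ", CheckCert(leaf, roots, "bank.example.evil", now))
	fmt.Println("unknown CA:  ", CheckCert(leaf, x509.NewCertPool(), "bank.example", now))
	fmt.Println("expired:     ", CheckCert(leaf, roots, "bank.example", now.Add(91*24*time.Hour)))
}
```

Only the first CheckCert call returns nil; the other three fail for exactly the reasons the browser would warn about: a host name that is not on the certificate, an issuer that is not in the trust store, and a date outside the validity period. Passing an empty CertPool as Roots is deliberate: a nil Roots would make Go fall back to the operating system's trust store, which is the browser-like behaviour but not what the "unknown CA" case is meant to show.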
References:
https://www.us-cert.gov/ncas/tips/ST05-010