I Surf Secure Websites, Do You??

Rachiyta Jain (Cyber Forensics, Cyber Security)

Why does a website need a security certificate?

Attackers often set up malicious sites to harvest your information, so be cautious before entering anything on a website you do not know. The first thing to check is whether the connection is encrypted, so that the data you submit cannot be read or altered while it travels between your browser and the site. Two elements that indicate a site uses encryption are:

  • a closed padlock, shown in the address bar next to the URL in current browsers (older browsers placed it in the status bar at the bottom of the window)
  • a URL that begins with “https:” rather than “http:”

A security certificate indicates that a certificate authority has taken steps to verify that whoever requested the certificate actually controls the domain name in the URL. If something is wrong, your browser will show an alert telling you there is an error with the site's certificate. Such alerts should always be taken seriously; if you have any doubt, do not enter your personal details on the website. Even when the connection is encrypted, read the organization's privacy policy first so that you know what will be done with the information you submit.

Can you trust a certificate?

Whether a site has a certificate at all matters less than whether that certificate can be trusted. When you open an https URL your browser checks the following:

  1. the web site address matches the name on the certificate
  2. the certificate is signed by a certificate authority that the browser recognizes as a “trusted” authority
  3. the current date falls within the certificate's validity period

If the address matches, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site is genuine. You can only be certain, however, when you verify the certificate's unique fingerprint out of band, for example by calling the organization directly and comparing the value they give you with the one your browser displays. The question that arises before that is how trustworthy the issuing authority is: by default, your browser ships with a list of more than 100 certificate authorities it trusts, and a valid certificate from any one of them is accepted without further question.


How do you check a certificate?

You can view a website's certificate by clicking the padlock icon in the address bar (in older browsers, through File > Properties or the Security tab of the Page Info dialog). The following details are included:

  • who issued the certificate – Make sure the issuer is a legitimate, trusted certificate authority (you may see names such as VeriSign, thawte, or Entrust). Some organizations also run their own certificate authority to issue certificates for internal sites such as intranets; such a certificate is only trusted by browsers that have been configured with that internal authority.
  • who the certificate is issued to – The certificate should be issued to the organization that owns the web site. Do not trust the certificate if the name on it does not match the name of the organization or person you expect.
  • expiration date – Most certificates are issued for one or two years (publicly trusted web certificates issued since September 2020 are limited to 398 days, and browsers reject longer ones). One exception is the certificate of the certificate authority itself, which may be valid for ten years or more because of the effort needed to distribute a new one to everyone who relies on it. Be wary of organizations with certificates that are valid for longer than two years or that have already expired.
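The three checks listed under “Can you trust a certificate?” and the fields listed above can both be reproduced with the openssl command-line tool. The script below is an added example and is not part of the original article: it builds its own constructed test material (a made-up trusted CA, a made-up unknown CA, and a site certificate for the hypothetical hostname www.example.test issued by each), then runs the date, issuer and hostname checks a browser performs and prints the issuer, subject, validity period and fingerprint of the certificate. It assumes the openssl binary (1.1.1 or later) is installed; nothing is fetched from the network.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the checks a
# browser performs on a site certificate, and print the fields the article
# says to inspect, using openssl on constructed test certificates. All names
# (Example Trusted Root, www.example.test, ...) are made up for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <basename> <common-name>: a self-signed CA. A real trust store holds
# the CA's certificate but never its private key.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -days 2 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <ca-basename> <hostname> <basename>: a site certificate whose
# subjectAltName (the field browsers match against the URL) carries <hostname>.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -days 1 -in "$WORK/$3.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$3.ext" -out "$WORK/$3.pem" 2>/dev/null
}

# Constructed fixtures: one CA the "browser" trusts, one it has never heard of,
# and a site certificate issued by each for the same hostname.
make_ca trusted-ca "Example Trusted Root"
make_ca unknown-ca "Unknown Root"
issue_leaf trusted-ca www.example.test good-site
issue_leaf unknown-ca www.example.test rogue-site

# check_site_cert <cert.pem> <hostname> <trust-store.pem>
# The browser's checks: validity dates, chain to a trusted CA, hostname match.
# Returns 0 when all pass, 1 otherwise, and prints the reason.
check_site_cert() {
  cert="$1"; host="$2"; store="$3"
  # -checkend 0 fails if notAfter is already in the past (openssl verify below
  # also enforces notBefore and notAfter; this step only names the reason).
  if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate has expired"
    return 1
  fi
  if ! openssl verify -CAfile "$store" "$cert" >/dev/null 2>&1; then
    echo "FAIL: not signed by a CA in the trust store"
    return 1
  fi
  if ! openssl verify -CAfile "$store" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate is not issued for $host"
    return 1
  fi
  echo "OK: valid, trusted, and issued for $host"
}

# show_cert_details <cert.pem>: issuer, subject, validity period and SHA-256
# fingerprint, the fields the article says to read (and to compare out of band).
show_cert_details() {
  openssl x509 -noout -in "$1" -issuer -subject -dates -fingerprint -sha256
}

check_site_cert "$WORK/good-site.pem"  www.example.test "$WORK/trusted-ca.pem"
check_site_cert "$WORK/good-site.pem"  www.other.test   "$WORK/trusted-ca.pem" || true
check_site_cert "$WORK/rogue-site.pem" www.example.test "$WORK/trusted-ca.pem" || true
show_cert_details "$WORK/good-site.pem"
```

The second and third calls fail on purpose: the same certificate is rejected when the requested hostname does not match its subjectAltName, and a certificate for the right hostname is rejected when its issuer is not in the trust store. Replacing the trust store argument with your system CA bundle and the certificate with one saved from a real site (for example via openssl s_client) turns the function into the check your browser performs.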

References:
https://www.us-cert.gov/ncas/tips/ST05-010