You may have heard the term “SSL certificate” in a discussion about online security or related issues and wondered what all the fuss was about. This short guide will hopefully clear up most of the major questions about it.
SSL Basics
Let’s get the simple explanation out of the way first, before continuing more in-depth. SSL is an acronym for Secure Socket Layer. It was created for the purpose of making sure that there is a secure link between a website and the person viewing it.
When SSL is used, all of the information transmitted back and forth – between website and visitor – passes through it and is encrypted in order to prevent it from falling in to the wrong hands. You will see it most often on commercial websites that handle credit card transactions, and services that send or receive other sensitive information.
What Does The Certificate Do?
An SSL certificate can be compared, loosely, to a passport or other form of official identification. It is basically a sign that tells visitors of a website that they are in the right place, and have not accidentally visited a fake and malicious version of the website. For
For example: a common online scam is to setup a fake version of PayPal, or a bank website, in order to steal personal information from users. These fake websites will not have the correct SSL certificate, and can be avoided by checking first before logging in or entering other private information.
How Will You Know A Website Has SSL?
If you are suspicious of a website, or just want to be extra cautious before entering your login and/or payment information, check for a valid SSL certificate. The method for doing this varies depending on the type of device, and the browser, that you are using. It also depends on the validation level of the website. In almost all cases, you will see some type of indication in the address bar of your browser.
What to look for:
Make sure the website address starts with “https” (secure), instead of “http” (not secure). If you see neither of these, check for the other indications below or via this handy guide.
Look for a padlock symbol. Common colors for the symbol are green, gold, or black/gray, which means SSL is working. A red padlock symbol, a crossed out lock, or an open lock, means it is not secure. The address bar being highlighted in green also means it is secure.
You may see all or only some of the indications listed above, and you may see something else entirely, depending on the browser you’re using. In general, the “real world” rules on colors and symbols still apply here: green is good, and a closed lock is secure.
If there are no different colors present, and no padlock symbol, it is most likely not secure. That does not automatically make it a bad website – it just means you should be vary cautious of entering any sensitive information on that particular page. If you are only there to read an article or blog post, for example, then you don’t need to worry about SSL.
You can click on the padlock symbol to view more information on the certificate. These details are generally not that useful for the average viewer though. You can base your decision purely on the factors above without clicking.
Some online stores only introduce SSL protection during the checkout stage, so don’t be turned off right away if the main site doesn’t appear to be secured. Instead, add a test item to your cart – proceed to the checkout / payment page – then look for the SSL indications mentioned above. If it looks good, then you can go back and browse the store as you normally would.
Different Validation Levels of SSL Certificates
There are two main validation levels of SSL certificates. Both are just as secure as each other, so if you do not operate any websites yourself then you do not need to worry about this. For website owners, and application developers, the differences may be of interest.
Standard Validation: This is the most common type of SSL certificate in use today. It is cheaper, as well as being easier to get without a lot of waiting time. It is less visible to the viewer of a website on most common browsers.
Extended Validation: As the name suggests, an EV certificate requires more of a background check before it is issued by a Certificate Authority. It is also a lot more expensive than standard. Any organization applying for an EV certificate must go through extra steps in order to prove their identity, physical location, and control of the domain in question. This type of certificate is more visible to the viewer of a website in the address bar of most common browsers.
EV certificates are most often used by high-end online stores, banks, and other common targets for the “fake website” scam mentioned earlier in this article. It gives users an extra sense of security – usually with more visibility and brand name recognition in the address bar – but on a purely technical level it is just as secure as a standard certificate.
The bottom line is that SSL certificates have been around for a long time and have stood the test of time. They work very well, and seem to be here to stay. It is perhaps the most common form of security used online today, and it’s definitely the most visible one. If you are running a website that handles sensitive information you really should have a certificate – especially when they’re so easy to purchase, and if you’re shopping online you need to remember what to look out for.
Sir, how does a client, such as myself going to my bank for the first time, get to decrypt the message if the private password is not …somehow… sent. What “formula” does it use.