How many times have you clicked away browser warnings about expired or incorrect security certificates?
Probably too many for you to even remember, right?
The truth is, most people are totally clueless about how security certificates, “https” websites, and SSL really work to protect their online privacy and data (hint: they’re all the same).
As the staff over at no-track search engine DuckDuckGo tell us, every secure website relies on a two-part process to make sure information is sent securely and received by the correct individuals.
So whether you’re sending credit card information to your favorite online store or uploading your vacation photos to your cloud-based storage drive, security certificates make the internet a safer place—but only when they’re allowed to do their job.
Today we’ll clue you in as to why security certificates matter. We’ll even show you what you can do to make sure your online security isn’t at risk.
What Are Security Certificates Anyway?
Secure Socket Layer (SSL) certificates were created for secure communication between web servers and browsers.
The first part of that process involves encryption, which is when the information being sent is encoded in “ciphertext” that requires a special key to decode and make readable.
The second part involves identity verification. The website needs to know that the user on the other end of the connection is who they claim to be before decrypting the code.
Security certificates aren’t actually rolled up pieces of parchment like you received for participating in that three-legged race in fourth grade. Think of them like really advanced hall passes.
See, when you navigate to certain websites, you’ll exchange security certificates, which are truthfully more like tiny files jam-packed with important information such as:
- Issue date
- Expiration date
- Valid domains
- Issuing Certification Authorities (CA)
- The Hash
Your browser does all of this policing in the background while you click around for cat toys to buy.
When you navigate to your chosen site, your browser will check the credentials of that website’s security certificates before allowing you to proceed.
If your browser detects a shady gap in the security certificate—such as a mismatched domain name or expired activity dates—you’ll see that annoying pop-up to let you know not to move forward. Some settings will even cause your browser to avoid connecting to the site at all if it detects these.
But hang on a second. If you think this is way too much responsibility for your browser to take on alone, you’re totally right.
Thank Certification Authorities for the Assist
If every site needs to show its hall pass to every browser, think of the Certificate or Certification Authorities (CA) as the teachers in charge of the hall pass pad.
In order to get that coveted hall pass, you have to convince your teacher that you need to leave class. Your teacher will ask their own line of questioning before signing off on your happy departure.
While you’re skipping down the hall with pass in hand, all another teacher has to do is scan the note quickly for the exact reason you were approved to leave your classroom. That teacher doesn’t have to ask you a million questions about why you’re where you are, only that another teacher approved of it.
You can think of the CA like that.
According to the US Computer Emergency Readiness Team (CERT):
“By default, your browser contains a list of more than 100 trusted certificate authorities. That means that, by extension, you are trusting all of those certificate authorities to properly verify and validate the information [from each website].”
This group issues root certificates, aptly titled because they’re the base from which more complicated security certificates originate, which helps speed the process up for the browsers.
How Security Certificates Actually Work
Every security certificate has what’s known as a “public key” and a “private key.”
“The private key allows the owner to make a ‘digital signature’ or decrypt information encrypted with the corresponding public key.”
When you visit secure websites, they automatically send you their security certificates, but what they’re really sending out is their encrypted public key.
Your browser will then verify that the certificate came from a trusted CA. If it knows the source, it will use the public key to create an identical key that will be used to encrypt your data back to the server.
The server will use its private key to decrypt the information so your browser is able to read it, creating an encrypted connection and establishing both of your identities.
Can You Spoof and Hack Security Certificates?
Be honest, you probably tried reusing your old hall passes or sneaking a sheet off your teacher’s pad when her back was turned. But can hackers do the same with security certificates?
Sure, they can create their own signatures, but since they won’t be recognized by CAs, the likelihood of making it past the browser roadblocks is very small.
As algorithms work to continually improve the way signatures are created and certificates are issued, the chances for certificate spoofing keep plummeting.
The bigger challenge actually comes from human interference.
When your company, annoying ISP, or meddling relative decides to mess with their security certificates, they open themselves up to malicious phishing attacks by those who can spot the gaps in coverage.
How to Check Your Security Certificates on Your Own
Don’t be a sitting duck—be proactive about your internet protection and learn how to check your security certificates all on your own.
Just look for the little padlock icon on the left side of your browser’s address bar:
Click on that lock and you’ll be able to read the details of the security certificate, such as which CA verified and issued the certificate, the expiration dates, etc.
Unfortunately, if you’re on a phishing website, some hackers have been known to create fake padlocks that bring up phony security dialog windows.
To really know for sure, go deep into your browser’s menu options and look for the security tab where all of your trusted and pending certificates are there for your reading pleasure.
Keep in mind that you won’t be able to see this padlock icon if you’re on an insecure site. PS: Secure websites always start with “https”.
We’re not big fans of sites sans https protection because they do not have to go through these extra verification and encryption measures to guarantee security, leaving your information exposed and vulnerable.
What Happens if a Security Certificate Needs My Attention?
Now that you know why security certificates are so crucial for your online protection, maybe you won’t be so annoyed when an expired one disrupts your binge-watching session to give you a heads-up.
When you see one of these warnings, click on the certificate to see what’s going on. Make sure all of the important details are valid, such as:
- Who issued the certificate:
  - Is the CA recognized and trusted?
- Who the certificate is issued to:
  - The certificate should match the owner of the website or the parent organization
- When the certificate expires:
  - Certificates are usually valid for one or two years and should not be trusted past their expiration as their security measures will not be tested
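The three checks in that list (who issued it, who it was issued to, when it expires), written out as a small Python routine; this is an added example, not code from the original article. It runs over a constructed certificate record in the same dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns, and the names, dates and the “trusted issuer” list are all made up for the example.

```python
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns; all values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Root CA"),),
               (("commonName", "Example Root CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
}
# A moment inside the validity window, fixed so the example is repeatable.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")

def rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of the nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def host_matches(pattern, hostname):
    """Match a certificate name; '*' stands for exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return a list of problems (empty when issuer, name and dates all check out)."""
    now = time.time() if now is None else now
    problems = []
    issuer = rdn_value(cert["issuer"], "commonName")            # who issued it
    if issuer not in trusted_issuers:
        problems.append(f"issuer not trusted: {issuer}")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:                                               # older certs: CN only
        names = [rdn_value(cert["subject"], "commonName")]
    if not any(host_matches(n, hostname) for n in names):     # who it was issued to
        problems.append(f"name mismatch: {hostname} not in {names}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):     # when it is valid
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems
```

To run the same checks against a live site, pass in the dict from `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` instead of the sample.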
You don’t have to accept the certificate forever (unless you want to); you can accept it on a per-visit basis, or not at all if you don’t like what you find.
Can you really authenticate a certificate on your own?
You can research the particular CA that issued the certificate to see how strict they are with encrypting and protecting your data to make yourself more comfortable. You should get in the habit of learning every organization’s specific stance on protecting your privacy and collecting and distributing your data anyway.
The top 3 CAs dominating the majority of the market today are:
- Comodo 40.6% market share
- Symantec 26%
- GoDaddy 12%
Never submit your personal information over a site that’s not secure and protected. Stay away from revoked certificates as those usually signal known fraudulent activity, which you should definitely not trust.
Considering the role that security certificates have to play in our online world, you would think more people would know about how they work and what happens when they stop working.
Then again, it’s just a testament to how efficient the matrix of security seems to be running behind the freshly designed websites we sometimes take for granted.