How To Tell if a Website is Truly Secure - What You Need to Know About HTTPS
Important Take Away – HTTPS is not a good measure of whether a certain website is good or bad. Only when the browser shows the name of the organization that owns the website, not just its address, has the site been through the most rigorous vetting available, and only then can you trust it to the greatest degree.
In days gone by, the advice from IT security pros for judging the validity of a web link was to check for HTTPS. Most of us know that the ‘S’ in HTTPS stands for ‘Secure’. For a website to carry that ‘S’ in its web address, the owner needs to obtain an SSL (Secure Sockets Layer) certificate from a trusted authority (called a Certificate Authority, or CA). When we see that ‘S’ in a web link, and the corresponding lock symbol in our browser, we feel confident that this is a good website. Right?
Not so fast…
It is important to note just what exactly that ‘S’ does. It does 2 things:
- It tells you that all data between your computer and the website is encrypted, or scrambled, and protected against tampering. This is good because even if the traffic were intercepted with malicious intent, the information would be gibberish, and any alteration in transit would be detected.
- It provides a level of authentication that the website is who it says it is: more precisely, that the server you reached holds a certificate for the domain name shown in the address bar.
What it does NOT do is tell you whether the site is good or bad. Let’s look at an example. A client forwarded this email to me to confirm if it was a fake… it was. It looked like this:
Yup… pretty much the same email I get almost daily and then quickly delete (or save for use in training). Those who are savvy enough will hover over the hyperlinks to see if they are valid. If you did that, when you hovered over the ‘verify your account’ link you would see:
Hmmm… it does look a little weird but… it has HTTPS! Surely, it’s valid. We’ve been told for years… check if it’s HTTPS and if it is you’re good to go. Please… delete that rule from your mind.
In this case, the SSL certificate does what it is supposed to do. It encrypts the data as it crosses the Internet… and it provides a level of authentication. However, the only authentication we can be sure of is that whoever set up the site proved to the CA that they control that domain name. Yes, we are definitely dealing with the website called: vmglhjjt.tk. What do they do? Is it a known good site? Are the owners of the website in any way validated? We don’t know!
Of note is how easy it is to get an SSL certificate these days. In fact, cost is not even a barrier anymore, as several organizations, including Let’s Encrypt (https://letsencrypt.org/), give them out for free (the website from the phishing email above got its certificate from there). Their intentions are good, as they are on a mission to make the Internet safer with more encrypted traffic. Nothing wrong with that.
Whether or not offering the SSL certificates for free lowers the bar and makes it easier for cyber-criminals to scam people is a debate for another day.
So, is SSL any good for determining whether to really trust a website? It can be… but it depends on what kind of certificate the website owner has obtained. There are 3 types of SSL certificates available, and 2 of them DO provide a cozy feeling of trust when you see them. One of them, the most common one, does not. All provide the same level of encryption, but where they differ is in the amount of vetting and verification required to get them.
Let’s look at each one starting with the highest level form of SSL.
Extended Validation (EV) certificates
In order to issue an EV SSL certificate the Certificate Authority must check that the organization has the right to use a specific domain AND conduct a rigorous validation of the company itself: its legal existence, its physical address and the authority of the person requesting the certificate. It generally takes several days or even weeks before one is issued, since there are several checks and measures in place to make sure they are who they say they are. They are more expensive (about $300 and up/year). You can tell if a website is using an Extended Validation certificate because the name of the company will appear to the left of the URL, as in the Duck Duck Go example below. It will also note the country of origin. (Newer browser versions have since moved this indicator out of the address bar; there you have to click the padlock and open the certificate details to see the organization name and jurisdiction.) This type of website has the highest level of trust.
Organization Validated (OV SSL) and Domain Validated (DV SSL)
The next level down is the Organization Validated (OV) certificate. In this case the Certificate Authority will conduct SOME vetting of the organization. It still carries a high level of trust since there has been some validation but not as warm and fuzzy as seeing the full company name as with the EV type.
The lowest level of SSL, and the most common, is the Domain Validated or DV SSL. In this case the Certificate Authority will simply confirm you control the domain and the certificate is yours. They are cheap (less than $100/year) or as noted above, even free.
How can you tell these two types of certificate apart? Sadly, it is not intuitive and can be very difficult. In both cases you will see the generic padlock and perhaps the word ‘Secure’ by the address bar. Without digging deeper there is no way to tell them apart: you have to click the padlock, open the certificate details and look at the Subject field, where an OV certificate lists the organization’s name (O=) and location while a DV certificate shows only the domain name (CN=). In Chrome, an OV and a DV certificate look the same as in this example:
Since you can’t easily tell them apart it is fair to say that for the average user there are really only 2 kinds of certificate. The warm and fuzzy one where we see the name of the organization in the address bar of the browser, and the other one which provides only basic verification and therefore no validation as to whether the site is good or bad.
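That digging can be automated. The following Python script, added here as an example and not code from the original article, uses only the standard library: it connects to a server, pulls the certificate the browser would see, and classifies it two ways. The authoritative way is the certificatePolicies extension, because the CA/Browser Forum reserves the OIDs 2.23.140.1.2.1 (DV), 2.23.140.1.2.2 (OV), 2.23.140.1.2.3 (IV, individual-validated) and 2.23.140.1.1 (EV), and a publicly trusted certificate carries the one matching its validation level. The fallback is the Subject heuristic from the text: an organizationName means at least OV, and jurisdiction or businessCategory attributes mean EV. The certificate bytes embedded in the script are a constructed DER skeleton (empty issuer, subject and key fields) that exists only to exercise the parser offline; the function names and the hostnames you pass on the command line are this example's own.

```python
"""Classify a TLS server certificate as DV / OV / EV.

Added example (not from the original article). Standard library only; the
DER walker is just enough to reach the certificatePolicies extension and
performs no signature or chain validation (the TLS context does that).
"""
import socket
import ssl
import sys

# Policy OIDs the CA/Browser Forum reserves for each validation level.
CABF_POLICY = {
    "2.23.140.1.1": "EV",
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",   # individual-validated (a person, vetted like OV)
}
EXT_CERT_POLICIES = "2.5.29.32"
# Subject attributes only EV certificates carry (names as ssl.getpeercert()
# reports them, plus the raw OIDs in case the local OpenSSL lacks the names).
EV_SUBJECT_ATTRS = {"jurisdictionCountryName", "1.3.6.1.4.1.311.60.2.1.3",
                    "businessCategory", "2.5.4.15"}

def _tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content octets of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _tlv(content, pos)
        out.append((tag, val))
    return out

def _oid(raw):
    """Decode OID content octets to dotted-decimal form."""
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def policy_oids_from_ext(ext_value):
    """ext_value: a certificatePolicies value, i.e. a SEQUENCE OF PolicyInformation TLV."""
    outer = _children(ext_value)[0][1]
    return [_oid(_children(pi)[0][1]) for _, pi in _children(outer)]

def policy_oids(cert_der):
    """All policyIdentifier OIDs in a DER certificate, or [] if the extension is absent."""
    tbs = _children(_children(cert_der)[0][1])[0][1]   # Certificate -> tbsCertificate
    for tag, val in _children(tbs):
        if tag != 0xA3:                                # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_children(val)[0][1]):
            fields = _children(ext)                    # extnID, [critical], extnValue
            if _oid(fields[0][1]) == EXT_CERT_POLICIES:
                return policy_oids_from_ext(fields[-1][1])
    return []

def classify_by_policy(oids):
    """Highest CA/B Forum validation level asserted by the policy OIDs."""
    levels = {CABF_POLICY.get(o) for o in oids}
    return next((lvl for lvl in ("EV", "OV", "IV", "DV") if lvl in levels), "unknown")

def classify_by_subject(subject):
    """Heuristic on ssl.getpeercert()['subject']: a tuple of RDNs, each a tuple of (name, value)."""
    names = {name for rdn in subject for name, _ in rdn}
    if "organizationName" in names and names & EV_SUBJECT_ATTRS:
        return "EV"
    return "OV" if "organizationName" in names else "DV"

def inspect_server(hostname, port=443):
    """Fetch the leaf certificate the browser would see and classify it both ways."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der, parsed = tls.getpeercert(binary_form=True), tls.getpeercert()
    oids = policy_oids(der)
    return {"host": hostname, "policy_oids": oids, "by_policy": classify_by_policy(oids),
            "by_subject": classify_by_subject(parsed["subject"]), "subject": parsed["subject"]}

# Constructed DER skeleton (empty issuer/subject/key fields) whose only extension is
# certificatePolicies = {2.23.140.1.1}; it exists solely to exercise the parser offline.
SAMPLE_EV_CERT = bytes.fromhex(
    "3031302aa00302010202010130003000300030003000a31630143012"
    "0603551d20040b30093007060567810c01013000030100")

if __name__ == "__main__":
    print("sample:", policy_oids(SAMPLE_EV_CERT), classify_by_policy(policy_oids(SAMPLE_EV_CERT)))
    for host in sys.argv[1:]:          # e.g. python3 certlevel.py example.com
        print(inspect_server(host))
```

Run it with one or more hostnames to see the classification for live sites; with no arguments it only parses the embedded sample. The two classifiers will normally agree; when the policy OID says DV but the subject shows an organization, or vice versa, the certificate is worth a closer manual look, which is exactly the kind of mismatch the padlock alone will never surface.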
Why does this matter? This writer feels it is important to know which websites have been validated and which have not. It adds a huge level of confidence. Hopefully, more companies will want to clearly separate themselves as being legit and pay a few extra bucks for EV certificates on their websites. Until then, remember that HTTPS by itself does nothing to guarantee a good site or a bad site, so be careful clicking those links.
Technical Note: The Secure Sockets Layer (SSL) protocol itself has been obsolete for a long time. Its replacement, and the protocol actually in use today, is Transport Layer Security (TLS), which superseded SSL in 1999; the last version, SSL 3.0, was formally deprecated in 2015 (RFC 7568). However, creatures of habit as we are, everyone still refers to this type of technology as SSL, and we still call the (X.509) certificates that TLS uses SSL certificates.