While browsing the internet, you’ve probably noticed that your browser tells you whether a website is completely secure. If there’s an HTTPS connection, it's ok to insert passwords and credit card information since the connection is private. On the other hand, if there’s only an HTTP connection, the browser will warn against providing sensitive information cyber criminals could steal. How do browsers do this? Through SSL certificates.
What Is an SSL Certificate?
An SSL certificate is a digital computer file that has information about the authenticity of the website being visited. It also binds a public key to the website, enabling encryption. In other words, it works like the site's passport and ensures that data exchanged with the site cannot be intercepted and read by any third party.
How Are SSL Certificates Verified?
When browsers verify an SSL certificate, the process is called SSL handshaking. Simply put, when you visit a website the browser downloads the site's SSL certificate. It then checks to see if the digital signature of the authority that issued the SSL certificate can be trusted. If it can, the browser then makes sure the website you're accessing is the one listed on the certificate. When the site is verified, the browser and the site's server create a connection that allows encrypted information exchange.
How to Know If a Website Has an SSL Certificate
It's crucial to verify that you are visiting secure websites, especially when planning to provide sensitive information like your credit card number. Usually, modern browsers will tell you when you are on a site that has an HTTPS connection and therefore has a verified SSL certificate.
The easiest way to verify you’re accessing a secure website is by looking for the padlock icon near the address bar. Typically, modern browsers display that little lock on the left side, but others – like Internet Explorer – have it on the right. If you can't find the lock, there’s also the option to check the URL in the address bar. If it starts with ‘https' instead of ‘http', the website has a verified SSL certificate. However, consider that even secure sites sometimes may not display ‘https’ in their URL.
Why Is SSL Encryption Not Enough?
SSL is in fact a secure encryption method that ensures that only you and the website are participating in the conversation. However, this alone is not enough.
For one thing, some websites haven’t correctly implemented SSL. In other words, there may be parts of the site that aren’t secure. The browser may however still show the lock symbol and indicate that the URL is safe.
Even if the website's owner has done everything right, there are ways to exploit HTTPS connections through DNS leaks and DNS spoofs. On top of that, since getting them is so easy (and cheap), phishing websites typically have SSL certificates and will appear to be safe. In this case, it's crucial to ensure you’re accessing the site you actually want before providing any sensitive information.
Note that SSL safeguards only the connection between your browser and the website: a hacker can still exploit your device while you’re using public Wi-Fi. In a nutshell, it's always best to use a VPN to be 100% secure. The best-known VPN services offer military-grade encryption and protect everything on your computer, making sure your information is entirely safe.