How to Verify a Website's Security Certificate (SSL)

What is an SSL Certificate?

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. It's the technology behind the "S" in https:// and the padlock icon you see in your browser's address bar.

When a website has a valid SSL certificate, it ensures two things:

  1. Encryption: All data passed between your browser and the website's server is encrypted, making it unreadable to anyone who might try to intercept it. This is essential for protecting passwords, credit card numbers, and other sensitive information.
  2. Authentication: The certificate verifies that you are connected to the legitimate server for the domain you are visiting, and not an imposter site set up by a scammer.

Why is Just a Padlock Not Enough?

While the padlock icon is a crucial first sign of security, it's important to understand that anybody can get a basic SSL certificate, including scammers. A basic Domain Validated (DV) certificate simply confirms that the person who requested the certificate controls the domain name. It does not verify the identity of the person or organization behind the website.

For example, a scammer can register the domain paypa1.com, get a DV certificate for it, and the site will show a padlock. This gives a false sense of security. To be truly sure, you need to look closer at the certificate details.

How to Check an SSL Certificate

The process is slightly different for each browser, but the general steps are the same.

In Google Chrome:

  1. Click the Padlock Icon: In the address bar, click the padlock icon to the left of the URL.
  2. Check the Connection: A small window will pop up. It should say "Connection is secure." Click this to expand the details.
  3. View Certificate Details: Click on "Certificate is valid." This will open the certificate viewer.

In Firefox:

  1. Click the Padlock Icon: Click the padlock in the address bar.
  2. Expand Details: Click the arrow next to "Connection secure."
  3. More Information: Click "More information" at the bottom of the popup. This will open a new window with the certificate details under the "Security" tab.

What to Look For in the Certificate

Once you have the certificate details open, here's what to check:

1. "Issued To" Information

This is the most important part.

  • Common Name (CN): This should match the exact domain name of the website you are on. If there's a mismatch, it's a major red flag.
  • Organization (O): For high-assurance certificates (OV and EV certificates), this field will list the legally verified name of the organization that owns the website. For example, if you are on paypal.com, you should see "PayPal, Inc." listed as the organization. A basic DV certificate will not have this information.
  • Locality (L) and Country (C): These fields show the city and country where the organization is registered.

If you are on a major banking or e-commerce site and the certificate has no organization information, you should be extremely suspicious.

2. "Issued By" Information

This tells you which Certificate Authority (CA) issued the certificate. Reputable CAs include Let's Encrypt, DigiCert, GlobalSign, and Sectigo. While scammers can get certificates from these authorities, seeing a familiar name is a good sign.

3. Validity Period

Check the "Valid from" and "Valid to" dates. Ensure the certificate is current and not expired. An expired certificate is a security risk, even on a legitimate site.
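The three checks above can also be scripted. The following is an added example, not part of the original article: it uses only Python's standard library, reads the certificate in the form returned by `ssl.SSLSocket.getpeercert()`, and compares the host against the Subject Alternative Name entries, which is where TLS clients look for the site name. The two sample certificates, the `.example` domains, and "Constructed CA" are constructed for illustration.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=5):
    """Handshake with chain and hostname validation on, then return the parsed cert."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def flatten(name):
    # getpeercert() encodes a name as a tuple of RDNs, each a tuple of (field, value)
    return {field: value for rdn in name for field, value in rdn}

def name_matches(host, pattern):
    # Exact match, or a wildcard that covers exactly the left-most label
    h, p = host.lower().split("."), pattern.lower().split(".")
    return len(h) == len(p) and p[0] in ("*", h[0]) and h[1:] == p[1:]

def review_cert(cert, host, now=None):
    """Summarise the fields to inspect; no O field suggests DV, an O field OV or EV."""
    now = time.time() if now is None else now
    subject, issuer = flatten(cert.get("subject", ())), flatten(cert.get("issuer", ()))
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "name_ok": any(name_matches(host, s) for s in sans),
        "in_validity": ssl.cert_time_to_seconds(cert["notBefore"]) <= now
                       <= ssl.cert_time_to_seconds(cert["notAfter"]),
        "organization": subject.get("organizationName"),
        "location": (subject.get("localityName"), subject.get("countryName")),
        "issued_by": issuer.get("organizationName"),
        "identity_vetted": "organizationName" in subject,
    }

# Constructed sample certificates in getpeercert() form (not real sites or issuers)
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 01 00:00:00 2025 GMT")
SAMPLE_DV = {
    "subject": ((("commonName", "sh0p.example"),),),
    "issuer": ((("organizationName", "Constructed CA"),),),
    "subjectAltName": (("DNS", "sh0p.example"),),
    "notBefore": "May 01 00:00:00 2025 GMT", "notAfter": "Jul 30 00:00:00 2025 GMT",
}
SAMPLE_OV = {
    "subject": ((("countryName", "US"),), (("localityName", "Springfield"),),
                (("organizationName", "Example Shop, Inc."),), (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Constructed CA"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
    "notBefore": "Jan 15 00:00:00 2025 GMT", "notAfter": "Jan 15 00:00:00 2026 GMT",
}
```

The lookalike sample passes the name and date checks and fails only on `identity_vetted`, which is the article's point about the padlock. For a live site, pass the result of `fetch_cert(host)` to `review_cert` with the same host.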

Types of SSL Certificates (and What They Mean)

  • Domain Validation (DV): The most basic level. The CA only verifies that the applicant controls the domain name. These are fast and cheap to get, and are often used by scammers. They provide encryption but minimal identity assurance.
  • Organization Validation (OV): A step up. The CA verifies the organization's identity, including its name and physical address. These provide a higher level of trust.
  • Extended Validation (EV): The highest level of assurance. The CA conducts a thorough vetting of the organization. In the past, browsers would display the company's name directly in the address bar for EV certificates, though this practice is less common now. Major banks and financial institutions almost always use EV certificates.

Conclusion

The padlock icon is your first checkpoint for online security, but it's not the final word. By taking a few extra seconds to inspect a site's SSL certificate, you can verify its true identity and better protect yourself from sophisticated phishing attacks. For any site where you plan to enter sensitive information, especially financial details, checking for an OV or EV certificate is a smart and simple security habit.