The Toolbox Blog

Is this site really who it says?

If you’ve used a web browser, you’ve almost certainly seen sites that display a lock icon in the address bar. It indicates the site has an SSL Server Certificate installed, making it more secure than sites without one, but what does the icon actually mean?

[Figure: Example of a site with an SSL Server Certificate installed. But who owns the site?]

A website with an SSL Server Certificate installed creates an encrypted connection between the website’s server and the user’s browser. It prevents a third party from intercepting the traffic and reading what is sent between the server and the user (technically the traffic can still be captured, but because it is encrypted it is unreadable).

Anytime you are providing confidential information on a website form (login credentials, credit card information, personal information, etc.), the page you are on should show the lock icon. If it does not, your information could be exposed.

But is your information secure just because the browser shows a lock icon? While no one should be able to intercept your communications, how do you know who owns the website with which you are securely communicating?

Setting up a website is a pretty simple process, and there is little preventing someone else from creating a website that “spoofs” another website, meaning it mimics the appearance of the target site. The fake site owner can even purchase an SSL Server Certificate so visiting users will see a lock icon in their browser.

There are several options available when a site owner adds an SSL Server Certificate. All provide encryption. Certificates with Organization Validation (OV) provide arguably the most important feature of SSL Server Certificates. In order to issue one, the Certificate Authority (CA) has to verify that the organization requesting the certificate is actually who it claims to represent and that it owns the domain for which the certificate is being issued. The certificate issued and installed on the server includes an embedded key from the CA, which vouches for the authenticity of the site. Your browser is set up to recognize and trust hundreds of these CAs, and if the browser validates that the site and server keys match the certificate, the lock icon will be displayed.

As a website user, you can view the site’s certificate details which, if it has OV, would include the owner of the site. Some SSL Server Certificates have an option that displays (in most browsers) the name of the site owner within the address bar, often highlighted with a green background or text color.

[Figure: More detail is provided directly in the address bar when the installed certificate has the ‘green bar’ feature.]

Unfortunately, browsers don’t always make it easy to view the certificate details. Below are basic instructions to see more information about a site’s SSL Server Certificate. Note that there can be major differences in these instructions depending on the browser version you’re using. So, if these instructions don’t work, search the internet for ‘view ssl certificate in ____’ with the name of the browser you are using.

1. Go to the Three Dots Menu -> More Tools -> Developer Tools.
2. Click on the Security tab.
3. This gives you a Security Overview with a View Certificate button.

1. Click the padlock icon in the address bar.
2. From the panel that displays, select the first item, which should show a secure connection.
3. That displays the ownership information for the certificate and site.

1. Click on the padlock icon in the address bar.
2. A panel should appear with a message that your connection is encrypted and, just above it, if the certificate is OV or better, the name and address of the owner.

1. Click on the padlock icon in the address bar.
2. A panel should appear showing that an encrypted connection is being used, including, if the certificate is OV or better, the name and address of the owner.

While you will be warned if the site’s SSL Server Certificate is not valid, there currently is not a way to display more information about a site’s certificate within Safari on these devices. Hopefully that will change in the future.
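The padlock panels above all read the same fields from the server’s certificate: the subject (who owns it), the subject alternative names (which hostnames it covers), and the expiry date. The following Python script is an added example, not part of the original post, that performs the same check programmatically using only the standard library. The two certificate dictionaries are constructed samples in the shape returned by Python’s `ssl.SSLSocket.getpeercert()`; the hostnames `blog.example.net` and `www.example.net`, the owner names and the CA names are placeholders, not real sites or issuers. `fetch_cert()` is the live equivalent of clicking the padlock and is not exercised by the sample data.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed samples mirroring ssl.SSLSocket.getpeercert() output (not real certificates).
# A DV-style certificate names only the domain in its subject ...
DV_CERT = {
    "subject": ((("commonName", "blog.example.net"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
    "subjectAltName": (("DNS", "blog.example.net"), ("DNS", "www.blog.example.net")),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}
# ... while an OV/EV certificate also carries the verified organization and its location.
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Illinois"),),
        (("localityName", "Chicago"),),
        (("organizationName", "Example Toolbox Inc"),),
        (("commonName", "www.example.net"),),
    ),
    "issuer": ((("organizationName", "Example OV CA"),),),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "example.net")),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}


def flatten_name(rdn_seq):
    """getpeercert() encodes a name as a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def hostname_matches(hostname, cert):
    """True if hostname is covered by a DNS SAN, exactly or by a single-label wildcard."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # "*.example.net" covers "www.example.net" but not "a.b.example.net".
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def describe_cert(cert, hostname):
    """Summarise what the browser's padlock panel shows: owner, validation level, hostname and expiry."""
    subject = flatten_name(cert["subject"])
    issuer = flatten_name(cert["issuer"])
    owner = subject.get("organizationName")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    location = [subject.get(k) for k in ("localityName", "stateOrProvinceName", "countryName")]
    return {
        "hostname_ok": hostname_matches(hostname, cert),
        "expired": expires <= datetime.now(timezone.utc),
        # The subject alone cannot separate OV from EV; that needs the policy OIDs,
        # which getpeercert() does not expose, so both are reported together.
        "validation": "OV/EV (organization named)" if owner else "DV (domain only)",
        "owner": owner,
        "location": ", ".join(v for v in location if v) or None,
        "issuer": issuer.get("organizationName"),
    }


def fetch_cert(hostname, port=443, timeout=5.0):
    """Live equivalent of clicking the padlock: the default context verifies the chain
    against the trusted CAs and checks the hostname before the certificate is returned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host, cert in (("blog.example.net", DV_CERT), ("www.example.net", OV_CERT)):
        print(host, describe_cert(cert, host))
```

Run against the samples, the DV certificate reports no owner and the OV certificate reports the organization and its location, which is exactly the difference the padlock panels expose. A real check should also confirm that the hostname you typed is among the SANs (`hostname_ok`); a valid certificate for the wrong name is the situation a spoofed site relies on.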

To test some of the differences in certificates, our blog site and our primary site use two different types of SSL Server Certificates. The blog site has a basic DV style certificate, while our main site has an EV certificate (an upgraded version of an OV certificate with extended validation). When you view the information on both sites, you should discover that the main site provides more information about the owner of the site than the blog.

So to be sure the website you are visiting is secure, view its certificate information to verify it’s really owned and operated by who you think it should be.