So, you’ve added an SSL certificate to your website to make it ‘secure’, but what exactly does that mean and who is it secure for?
One purpose of a Secure Sockets Layer (SSL) certificate is to encrypt data between the user’s computer and the web server; all types of SSL certificate do this. The other purpose is trust, and this is where there is a big difference.
Let’s look at the three types of SSL certificate and what is required to have each one installed on a website:
DV - Domain Verified
All that is required to get a DV certificate installed is that the website owner has access to the server the site is hosted on. If you view the certificate and there are no company details, then the certificate is a DV.
OV - Organisation Verified
Before issuing an OV certificate, the issuing authority will check that the company exists and is a reputable company. If you view the certificate and you can see company details, then the certificate is an OV.
EV - Extended Verified
As with an OV certificate, the issuing authority for an EV certificate will check that the company exists and is reputable, and will also check the operation and physical existence of the company. This is the maximum amount of trust to be given by an SSL certificate. If you see the company name within the address bar, then the certificate is an EV.
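As an added example (not part of the original article), this Python code applies the "company details" check described above to a certificate subject in the form returned by the standard library's ssl.getpeercert(). The sample subjects are constructed, and treating businessCategory plus serialNumber as the EV marker is an assumption of this example.

```python
import socket
import ssl

# Subject fields that EV certificates carry besides organizationName. Using
# them as the EV marker is an assumption of this example.
EV_MARKERS = {"businessCategory", "serialNumber"}


def flatten_subject(subject):
    """Turn getpeercert()'s nested RDN tuples into a {name: value} dict."""
    return {name: value for rdn in subject for name, value in rdn}


def classify_subject(subject):
    """Return (level, organisation); level is 'DV', 'OV' or 'EV'."""
    fields = flatten_subject(subject)
    org = fields.get("organizationName")
    if not org:
        return "DV", None  # no company details in the certificate
    if EV_MARKERS.issubset(fields):
        return "EV", org  # company details plus registration data
    return "OV", org  # company details only


def fetch_subject(host, port=443, timeout=5):
    """Fetch the verified leaf certificate's subject from a live server."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


# Constructed sample subjects in the shape ssl.getpeercert() returns.
SAMPLE_DV = ((("commonName", "cheap-phones.example"),),)
SAMPLE_OV = (
    (("countryName", "GB"),),
    (("organizationName", "Example Widgets Ltd"),),
    (("commonName", "www.example.org"),),
)
SAMPLE_EV = (
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "00000000"),),
    (("organizationName", "Example Bank plc"),),
    (("commonName", "www.example.com"),),
)

if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(classify_subject(sample))
```

To check a live site, pass the result of fetch_subject("hostname") to classify_subject() and compare the organisation name it returns with the company you expect to be dealing with.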
As anyone who can make a website is able to put a DV certificate on it, purely seeing a green padlock and the word ‘Secure’ at the top of the screen does not mean it is safe to enter bank details or a username and password.
Users still need to be vigilant to ensure they know exactly who they’re dealing with, and cautious about what kind of information is transmitted. A couple of negative scenarios that could occur with SSL certificates are:
Scenario 1 - Stealing online payments
A fraudster sets up a website selling cheap phones and installs a DV certificate. A user visits the site and sees that it is ‘secure’ as it has an SSL certificate, so they enter their bank details and purchase a great deal on a phone. No phone is ever dispatched and the hacker has cash in their bank.
Scenario 2 - Stealing usernames, Emails and passwords
Again, a fraudster sets up a website, this time promising super discount vouchers for top high street stores if you subscribe, and again he installs a DV certificate - easy and cheap. The user sees the chance of getting these discounts and quickly signs up with their username, email address and password. The fraudster now has their username, email address and password all stored in plain text. Now imagine that user is one of the many users who have the same username and password for multiple accounts: the hacker can now access their PayPal account, Google account, Amazon account etc.
If you’re a site owner, the recommendation is to instill the highest level of trust that you can - and as the ‘stakes’ rise, so should your level of authentication.
As a site visitor - even if the site has an SSL certificate, don’t take it as a given that you’re dealing with who you think you are. If you’re handing over personal details, use extreme caution. And always use a different password for every site - if you think this is impossible, use a trusted password safe such as LastPass. Stay safe out there!