
Https is a fundamental security technology used on the internet. I'll look at how it's used to confirm you're connecting to the site you think you are.

In Internet Explorer, when I open or log in to some websites, like PayPal, the Address Bar color changes to green with certificate information. If I click it, a digital certificate appears in a new dialog box. Can I trust each and every website that shows a digital certificate in this manner? Are there any chances that I may get fooled by these types of websites?

Of course, there are no absolutes, but the chances of getting fooled are actually pretty small, particularly when it comes to the so-called "green bar" site validation.

I'll review what those mean and what to look for to make sure that the site that you visit is the site that you think it is.

Https

Using an https connection does two things: it validates that the site that your browser connects to is the site that it claims to be, and it encrypts the data sent and received between your computer and that site.

The encryption part gets a lot of press, because it's an important component of staying safe when you do things like online banking from home, or just about anything remotely personal from an open WiFi hotspot.

But encrypting the data is kinda pointless if the site isn't the site that you think it is.

That's the "other half" of an https connection: validation.

Https in the Browser Address Bar

Visit https://encrypted.google.com, the https version of the Google search engine, and you'll see an indication that you're visiting a site that has been validated to indeed be the real https://encrypted.google.com:

https indicator for encrypted.google.com in Firefox 4

https indicator for encrypted.google.com in Internet Explorer 9

If you click on the indicator, you'll get additional information (using IE as the example here):

Additional security information about an https site

I have similar validation for my site https://secure.pugetsoundsoftware.com (this time using Firefox 4 to show the information):

https information for secure.pugetsoundsoftware.com

Great, but what does it mean and how does it validate anything?

Https Validation Steps

As a website owner, I had to apply to a certificate authority for a secure certificate to be used on my website. You can see that I happened to use GoDaddy, which operates a certificate authority, while Google got theirs from a different authority: GeoTrust. In fact, there are many trusted authorities world-wide charged with handing out certificates.

The process of getting a basic certificate is actually pretty simple: you pay some money (of course) and submit a specially formatted request that includes the domain name ("secure.pugetsoundsoftware.com", in this example) and some additional information about the domain's owner. In my case, GoDaddy then checked the "whois" information for the domain and sent a confirmation email to the owner listed in that public record to confirm authority to request a certificate. Once that's been confirmed, the assumption is made that the person requesting the certificate is operating with the blessing of the domain's owner and the certificate is issued.

Once a certificate is issued, it is placed on the server holding the website. When an https connection is made, that certificate is then used to validate that yes, the connecting machine is indeed talking to the site to which that certificate was issued.

If another server were to attempt to impersonate the secure site https://secure.pugetsoundsoftware.com, it would fail because it does not have a certificate that matches, or perhaps any certificate at all, and your web browser would alert you on the connection attempt.
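An added example (not code from the original article): the name and date checks a browser applies to the certificate a server presents, written in Python against a constructed certificate in the dictionary shape returned by `ssl.SSLSocket.getpeercert()`. The function names, sample dates and field values are assumptions, and the check of the certificate authority's signature is not shown.

```python
import ssl

def name_matches(pattern, host):
    """Compare one DNS name from a certificate with the requested hostname.
    '*' is honoured only as the entire left-most label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) >= 3:      # refuse over-broad names like '*.com'
        return p[1:] == h[1:]
    return p == h

def check_certificate(cert, host, now):
    """Return a list of problems; an empty list means the certificate fits."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:                        # older certificates carry only commonName
        names = [v for rdn in cert.get("subject", ())
                 for key, v in rdn if key == "commonName"]
    problems = []
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch: issued to " + ", ".join(names))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the dates and field values are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "secure.pugetsoundsoftware.com"),),),
    "subjectAltName": (("DNS", "secure.pugetsoundsoftware.com"),),
    "notBefore": "Mar 10 00:00:00 2011 GMT",
    "notAfter": "Mar 10 00:00:00 2012 GMT",
}
NOW = ssl.cert_time_to_seconds("Apr 16 12:00:00 2011 GMT")

if __name__ == "__main__":
    for host in ("secure.pugetsoundsoftware.com", "www.paypal.com"):
        print(host, check_certificate(SAMPLE_CERT, host, NOW) or "OK")
```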

Extended Validation

As you might have noted, the steps to validate that someone requesting a certificate is indeed authorized to act on behalf of a domain are pretty simple. While basically secure, they essentially only require the requester to respond to an email - something that could potentially be intercepted.

That's what "extended validation" or EV certificates are all about.

Extended validation certificate for PayPal in Internet Explorer 9

Extended validation certificate for PayPal in Firefox 4

Extended validation means just that: the steps to actually get the certificate are more extensive, take more time and are, naturally, more costly. Typically, it involves additional written or telephone communication and documentation that the individual requesting the certificate is indeed an authorized representative of the organization for which the certificate is to be applied.

Or put more bluntly: there are several more hoops to jump through to get an EV certificate.

EV certificates are recognized by current browsers and displayed slightly differently. As you can see, Firefox 4 turns the owning company name green in the address bar, while Internet Explorer turns the entire address bar green.

It's important to note that EV certificates use the same encryption technologies as normal certificates do - the only difference is that more extensive verification is performed when issuing the certificate.

Certificate Authority Security

Https security relies on certificate authorities themselves being secure. That's a fairly reasonable assumption, although with well over 200 certificate authorities worldwide, it's not something that can be stated with absolute certainty.

In fact, earlier this year, one certificate authority was found to have issued certificates to individuals that it should not have.

Even then, the system worked.

Certificates are also subject to something called a "revocation certificate". That means that when a certificate is being verified for authenticity by your browser, it should also check for its revocation. In short, a special certificate is issued that, in essence, says "If you run across this specific certificate, it's no longer valid." Revocation certificates for the improperly issued certificates were issued as soon as the problem was discovered.

The scarier scenarios actually revolve around certificate authorities that could be compelled by their government to issue certificates spoofing other domains so as to enable interception of otherwise private communications. Even then, this can be detected, but only by carefully examining the details of the certificates each time an https connection is made. (I do believe that there are browser extensions available that can be used if you feel you're at risk for this type of issue.)
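An added example (not from the original article, and not the code of any particular browser extension): one way to notice that a site's certificate has changed between visits, by remembering a fingerprint and issuer per host. In real use the inputs would come from `getpeercert(binary_form=True)` and `getpeercert()`; here the byte strings, CA names, dates and the 60-day renewal window are constructed assumptions.

```python
import hashlib
import ssl

RENEWAL_WINDOW = 60 * 24 * 3600   # assumption: a swap within 60 days of expiry is routine

def observe(store, host, der, cert, now):
    """Compare the certificate presented for host with the one recorded earlier.
    der: raw certificate bytes; cert: decoded dict; store: host -> last record."""
    entry = {
        "fingerprint": hashlib.sha256(der).hexdigest(),
        "issuer": tuple(v for rdn in cert["issuer"]
                        for key, v in rdn if key == "organizationName"),
        "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
    }
    seen = store.get(host)
    if seen is None:
        store[host] = entry
        return "first-seen"
    if seen["fingerprint"] == entry["fingerprint"]:
        return "unchanged"
    if seen["issuer"] != entry["issuer"]:
        return "alert: different issuer"       # old record is kept for comparison
    if seen["not_after"] - now > RENEWAL_WINDOW:
        return "warn: replaced long before expiry"
    store[host] = entry
    return "renewed"

def sample(issuer, not_after):
    """Constructed stand-in for a decoded certificate (illustrative values only)."""
    return {"issuer": ((("organizationName", issuer),),), "notAfter": not_after}

def demo():
    host, store = "secure.pugetsoundsoftware.com", {}
    old = (b"constructed-cert-1", sample("Example CA One", "Mar 10 00:00:00 2012 GMT"))
    new = (b"constructed-cert-2", sample("Example CA One", "Mar 10 00:00:00 2013 GMT"))
    odd = (b"constructed-cert-3", sample("Example CA Two", "Mar 10 00:00:00 2013 GMT"))
    spring_2011 = ssl.cert_time_to_seconds("Apr 16 12:00:00 2011 GMT")
    feb_2012 = ssl.cert_time_to_seconds("Feb 20 12:00:00 2012 GMT")
    return [
        observe(store, host, *old, spring_2011),   # first visit
        observe(store, host, *old, spring_2011),   # same certificate again
        observe(store, host, *odd, spring_2011),   # another CA's certificate appears
        observe(store, host, *new, spring_2011),   # same CA, but a year before expiry
        observe(store, host, *new, feb_2012),      # same CA, weeks before expiry
    ]

if __name__ == "__main__":
    print(demo())
```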

By and large, the https infrastructure, while not absolutely positively bullet-proof, is extremely secure and resilient. It's extremely unlikely that you'll ever be fooled by a bogus certificate that slips past your browser's ability to detect it as a fraud.

Article C4794 - April 16, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


1 Comment
Al Kack
April 22, 2011 6:36 PM

An interesting article. However, my IE(8) does not turn green when I sign into PayPal. Is there a setting I have turned off?

Make sure you're going to httpS://www.paypal.com. Here's an IE8 example:
IE8
Leo
23-Apr-2011
