Identifying SSL certificates and their real meaning
In a previous post we discussed how to tell whether a website is secure, and one of the main requirements was that the website have an SSL certificate and use encryption to transfer information to the visitor. Today we’ll talk about the different types of SSL certificates and what you should look for.
Self-signed: These certificates were signed by the webmaster instead of a certification authority (CA). Most web browsers will display a warning message indicating that the certificate wasn’t signed by a trusted authority. There’s no true validation in a self-signed certificate.
Domain control validated: This is the most common type of certificate today. The signing CA sends an e-mail to the administrative contact of the domain, as listed in the whois database, and thereby validates that the requesting party is actually the owner of the domain name.
Extended validation (EV): The CA asks the requesting party for documents that prove the company actually exists, that it has a valid street address and a valid phone number, and that it’s registered with some kind of government-regulated organization (chamber of commerce, tax authority, etc.). In newer browsers, EV certificates turn the address bar a shade of green.
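As an added example (not from the original post), the following Go program shows how these types can be told apart mechanically from a parsed X.509 certificate: a self-signed certificate verifies under its own public key, while CA-issued certificates carry the CA/Browser Forum policy OIDs for DV (2.23.140.1.2.1) or EV (2.23.140.1.1) in their certificatePolicies extension. The CA, the certificates and the names (shop.example, Example Test CA) are constructed inside the program; the OIDs are the CA/B Forum’s standard values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
// certificatePolicies OIDs the CA/Browser Forum assigns to DV and EV certificates.
var policyNames = map[string]string{"2.23.140.1.2.1": "DV", "2.23.140.1.1": "EV"}
// Classify reports the validation level a certificate claims: a signature that verifies under the
// certificate's own key means self-signed; otherwise the policy OIDs record what the issuing CA
// checked. Neither says anything about the cipher suite, which the TLS handshake negotiates.
func Classify(c *x509.Certificate) string {
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		return "self-signed"
	}
	for _, p := range c.PolicyIdentifiers {
		if name, ok := policyNames[p.String()]; ok {
			return name
		}
	}
	return "CA-signed, no CA/B Forum policy OID"
}
// makeCert builds a constructed test certificate for cn, signed by parent (or by itself when
// parent is nil) and carrying the given policy OID in certificatePolicies when one is given.
func makeCert(cn string, isCA bool, policy asn1.ObjectIdentifier, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: isCA,
	}
	if policy != nil { // certificatePolicies (2.5.29.32) is SEQUENCE OF SEQUENCE { policyIdentifier OID }
		val, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // errors ignored: fixture only
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func main() {
	ca, caKey := makeCert("Example Test CA", true, nil, nil, nil) // a root CA is itself self-signed
	ev, _ := makeCert("shop.example", false, asn1.ObjectIdentifier{2, 23, 140, 1, 1}, ca, caKey)
	fmt.Println(Classify(ca), "|", Classify(ev)) // self-signed | EV
}
```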
Now, the true facts about SSL certificates:
All certificates provide the same encryption strength! Some people think that EV certificates are “stronger”, but the algorithm strength and key length depend on the web server and web browser, not on the SSL certificate. So even a self-signed certificate means that the connection is encrypted using industry standards and your information can’t be easily seen by an eavesdropper.
An EV certificate provides higher assurance only because a third party received and “validated” some paperwork. That doesn’t mean a website bearing an EV certificate can’t scam you, or that the certificate couldn’t have been obtained with false documents.
Now, what’s the deal with those “seals” that some websites bear as if they were medals or trophies?
Actually, they are just links to the CA that take you to a page where you can read that the website you were visiting has a valid certificate, something you already knew since your browser didn’t display any warnings! OK, maybe I’m not being fair; sometimes they also display the company information and some “guarantee”.
So what will a CA do if I’m scammed by a website using a certificate signed by them?
Nothing! Most CAs advertise some “money-back guarantee”, but if you read the fine print, it says that they will pay for damages up to $XX,XXX (the amount varies according to the certificate type and the signing authority) only if you can prove that they messed up during the validation process and that it was their fault! They are not backing the business or website that uses the certificate; they are just backing their own validation methods.
From my personal point of view, a website that uses an EV SSL certificate shows that they’re serious about business, since they are spending some serious cash on that certificate, nothing more, nothing less.
So are SSL certificates really that important? You can say yes, but the most important thing is to know that the connection is being encrypted and therefore your information travels “safely” through the Internet.