How can I recognize a valid SSL certificate?

Every modern web browser shows the use of encrypted HTTPS connections in the address bar and indicates if the website’s SSL certificate is not valid.

Pay attention to the address bar of your web browser

The following screenshot shows Internet Explorer accessing two different banking websites:

HTTP vs. HTTPS in the Internet Explorer address bar
  • Requesting the first domain, santander.co.uk, the user arrives at the URL http://www.santander.co.uk/uk/index – an unencrypted connection.
  • Requesting the second domain, db.com, the user arrives at the URL https://www.db.com/index_e.htm – an encrypted connection.

Example of invalid SSL certificates in the Chrome web browser

For both of the domains in the following screenshot, the SSL certificate is not valid, and the Chrome web browser indicates this as follows:

Two invalid SSL certificates

Why are both SSL certificates invalid, and why do they therefore create an unencrypted connection?

  • Marked in red: a self-signed SSL certificate whose identity cannot be confirmed.
  • Marked in yellow: an SSL certificate issued by a CA (Certification Authority) whose identity is confirmed. However, not all resources are loaded over the encrypted connection, which means that a potential security risk exists, so the web browser does not validate the certificate.

Attention: Why a valid SSL certificate is important

By using an SSL certificate you are able to establish encrypted HTTPS connections. This is only secure if the SSL certificate in use validates 100% of the website. Without encryption, all data sent and received by your website can be accessed in full on its way through the Internet, and third parties are even able to change the data in transit.

Additionally, while not as important as the above, HTTPS is a ranking factor for Google. In case of an invalid certificate, you will not receive a ranking-boost for your website.

With the free certificate check from globalsign.ssllabs.com, you are able to gain additional insights into a domain’s SSL certificate.

Example of a trustworthy certificate:

Trustworthy SSL Certificate

Example of an untrustworthy certificate:

Untrustworthy SSL Certificate

The pitfalls of SSL certificates – why they may not validate

The following circumstances may cause a web browser to not validate an SSL certificate and consider it to be untrustworthy:

  • Self-signed certificate
  • No known root certificate (unrecognised Certification Authority (CA))
  • The certificate is expired
  • The accessed domain does not match the valid range of the domain registered in the certificate
  • The website contains unencrypted resources, which are, for example, loaded by third party websites without HTTPS support
  • Support for Server Name Indication (SNI) is missing in the certificate
  • Old protocol version due to the use of an old version of OpenSSL. Always use the newest TLS library!
    • SSL v2 is unsafe and should not be used
    • SSL v3 and TLS v1.0 are wide-spread, although their security is being challenged
    • TLS v1.1 and v1.2 are the newest, safest standards
  • The key length is less than 2048 bit
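
Five items from the list above (self-signed, expired, domain mismatch, old protocol version, short key) can be checked mechanically. The following Python code is an added example, not part of the original article: it assumes certificate records in the dictionary shape returned by ssl.SSLSocket.getpeercert(), a protocol name as returned by ssl.SSLSocket.version(), and a key length supplied by the caller. The audit function, the sample records and the shop.example / intranet.example names are constructed for illustration.

```python
import ssl

# Protocol names as returned by ssl.SSLSocket.version(); per the list above,
# SSL v2 is unsafe and SSL v3 / TLS v1.0 are being challenged.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
MIN_KEY_BITS = 2048  # threshold from the list above

def _names(cert):
    """DNS names the certificate covers (subjectAltName first, CN as fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def _matches(pattern, host):
    """Exact match, or a left-most '*' label standing in for exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def audit(cert, host, protocol, key_bits, now):
    """Return the pitfalls that apply; an empty list means none were found."""
    findings = []
    # Heuristic (assumption): issuer equal to subject is treated as self-signed.
    if "issuer" in cert and cert["issuer"] == cert.get("subject"):
        findings.append("self-signed")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if not any(_matches(n, host) for n in _names(cert)):
        findings.append("domain mismatch")
    if protocol in WEAK_PROTOCOLS:
        findings.append("old protocol version")
    if key_bits < MIN_KEY_BITS:
        findings.append("key shorter than 2048 bit")
    return findings

# Constructed sample records, not real certificates.
CA = ((("commonName", "Example Test CA"),),)
GOOD = {"subject": ((("commonName", "shop.example"),),), "issuer": CA,
        "notAfter": "Jan  1 00:00:00 2030 GMT",
        "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example"))}
BAD = {"subject": ((("commonName", "intranet.example"),),),
       "issuer": ((("commonName", "intranet.example"),),),
       "notAfter": "Jan  1 00:00:00 2015 GMT"}
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")  # fixed clock for the demo
```

The remaining items in the list (unknown root certificate, unencrypted page resources, SNI) depend on the trust store, the page content or the server setup and are not covered by this check.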

Video explanation: What is SSL?

This video explains the basics of SSL, which are good to know, and how encryption works.

Additional information on the subject

  • SSL/TLS Deployment Best Practices: PDF