If an incorrect hostname is specified in the SSL certificate, it is similar to having an incorrect name on your identity card. It is no longer possible for the checking authority (in this case, the browser) to recognise that there is a secure connection.
Because one data value is incorrect, the entire certificate becomes worthless. Since the encryption is based on the data contained in the certificate, it can no longer be performed as desired.
As a result, the visitor to a website receives a warning saying something is wrong with the SSL certificate. Most browsers will also show that the hostname is incorrect. The visitor can then decide whether they want to connect to the website under these circumstances or not.
Of course, many users will decide against it. Such an error should arouse the distrust of every user and accordingly lead to many customers not visiting the website anymore. This is even more true because a wrong hostname can also be a sign that unauthorised third parties have tried to manipulate the secure connection between the user and the website. So for many users, an incorrect hostname is even more serious than not using SSL encryption.
Common reasons that lead to a naming error include incorrect domain names when applying for an SSL certificate, as can easily happen with typos, for example.
Another source of error is that a multi-domain SSL certificate is not filled out correctly and not all desired fully-qualified-domain-names (FQDNS) are included in the certificate request form. A third reason is self-signed certificates, which are often generated automatically and then do not contain the correct domain name.
The solution is easy: webmasters should rely on trusted certificate authorities when issuing certificates and carefully check their application for typos or missing domain names.
When a website’s security certificate expires, every visitor receives a warning message through their browser. An expired SSL certificate is a very common reason for security warnings, as certificates usually need to be updated annually.
It’s a bit like your website trying to identify itself with an expired ID card: It’s not trustworthy. On the other hand, an expired certificate doesn’t necessarily equate to an insecure website either, but many visitors are put off by this warning message. This is especially annoying because it’s easy to keep your SSL certificates up to date.
You can even renew an expired SSL certificate in a matter of minutes. To do so, you can simply renew it at the same certificate authority where you requested your old certificate. Alternatively, you can request a new certificate from a new certification authority. In this case, however, it will be a little more effort when applying for a new certificate, because you will have to pay close attention to typing errors and careless mistakes are more likely.
Afterwards the procedure is similar: You get a new certificate file and should delete your old one. Now you can upload the new certificate file to your server and check directly with a tool to see if it works.
To prevent your certificates from expiring, you should note the expiration date in your calendar or use the reminder function of your certification authority.
The easiest way to check if your SSL certificate is about to expire is to visit your website. Most browsers have an integrated option to take a close look at the certificate. You are only two clicks away from the information you need.
Click on the lock icon next to the URL. Now a dropdown menu opens where you can get more information about your certificate. Most browsers hide the validity information under “Certificate” or “Show certificate”. If you click on it, you will find out from when to when the certificate is valid.
If this is too complicated for you, there are also many tools that can help you to find out this information, for example the SISTRIX Optimizer (which may have led you to this article in the first place) or the many free “SSL check” tools you’ll find in Google search. You simply enter your URL and get the information about the validity. There are also various suites, some of which you have to pay for, that monitor the security status of your website and inform you of any problems.
A third way is the interface of your certification authority: Here you can usually view all the certificates you use and also sort them by their expiration date. This overview is worth its weight in gold if you use multiple certificates.
SSL uses outdated protocols, however, far fewer webmasters use SSL than most would suspect. This is because SSL has been considered technically obsolete since as early as 2015. The current gold standard is TLS 1.3, which was released in 2018.
The technology of Secure Socket Layer has thus been superseded by Transport Layer Security. In everyday language, however, TLS is often equated with SSL encryption. Even vendors still use SSL as a synonym for TLS for marketing reasons, so this blurring will persist longer.
Further developments became necessary because the encryption algorithm of SSL could already be decrypted by attacks. TLS offers much better protection. In addition, TLS encrypts messages in a pseudo-random manner, thus protecting them better from attacks. Overall, the current version TLS 1.3 is clearly superior to the last published and twenty years older SSL version 3.0.
A missing HTTPS encryption can refer not only to the whole website, but to the mixed content problem. This is when some content is delivered unencrypted while the rest is encrypted. Often the unencrypted content is old links and directories whose path still starts with http:// instead of https://.
Images, in particular, are often affected by this. Websites like Why No Padlock? scan your online presence for exactly these files and directories and list them. Alternatively, you can find them in the Web Console of Firefox and Chrome.
All you need to do then is to move the affected files to https:// and change the links accordingly.
If your website even does without encryption altogether, you should integrate it as soon as possible. SSL certificates only cost a few euros a year, and setting them up is very easy, even for non-professionals. In many cases, it’s enough to apply for a file and upload it to the server. If you work with WordPress, for example, there are some powerful add-ons that you can use to implement encryption. Alternatively, encryption is also included in security suites, or you can request it directly from the hoster.
Data sent through forms on unencrypted pages in principle can be intercepted by unauthorised third parties. This means that it is not safe for your customers (or even yourself) to enter data into such forms.
With encryption, the data is transmitted unrecognisably. The server and domain communicate in a kind of secret code that can only be decrypted by the recipient. If a hacker succeeds in accessing the transmitted data, he will only receive a cryptographically encrypted string of characters, which is therefore useless to him. Authorised recipients, on the other hand, have the key to the code and can thus decrypt the sent data. Encryption, therefore, does not protect against interception as such, but it does protect against the use of the intercepted data.
Whenever a website collects personal data, it must also protect it during transmission. This has already been a legal requirement since 2018. So forms on unencrypted pages can lead to a fine. Browsers protect the security of their users. They point out that a website is insecure and the user should refrain from transmitting sensitive data.
