What consumers need to know about SSL Certificates
By Jeff Barto
In 1994, the first online purchase crossed the Web: a large pepperoni pizza with mushrooms and extra cheese from Pizza Hut. Over the ensuing 20 years, e-commerce has exploded, exceeding $1.2 trillion in sales in 2013.
This growth in online shopping rests on a foundation of trust. People trust that the websites they use to track finances and shop online are safe and legitimate, largely because of Secure Sockets Layer (SSL) certificates: the little padlock in your browser’s address bar.
SSL certificates verify that the site operator is who they claim to be, and they also indicate an encrypted connection between a personal device and the company’s website. Understanding SSL certificates helps prevent falling victim to scammers, because at the end of the day not all sites, and not all SSL certificates, are the same.
The different types of certificates
Website owners purchase SSL certificates through Certificate Authorities (CAs). There are three different types of SSL certificates, each providing a different level of assurance. The problem is that, even though all of these certificates produce the security lock in a browser’s URL bar, along with the HTTPS (the “S” stands for “secure”) in the address, the levels of verification behind the types of certificates differ greatly. This is why it is important to understand what type of SSL certificate a site has before carrying out financial transactions or any other operation that involves the user’s personal data.
• Domain Validation (DV): This certificate is issued after verifying that the requester has the right to use a particular domain name. It is a simple process in which the Certificate Authority sends an email to the domain’s registered contact address to confirm that the requester controls it. Information about the organization or person that controls the site is not required. Cybercriminals often use DV certificates because they are easy to obtain and can make a website appear more secure than it really is. For example, scammers can use DV certificates to lure consumers to phishing websites that appear authentic, or to cloned websites that look legitimate but are designed to steal sensitive information.
• Organization Validation (OV): To issue an OV certificate, a Certificate Authority must validate certain information, including the organization’s identity, its physical location, and ownership of its website’s domain name. This process usually takes a couple of days.
• Extended Validation (EV): This certificate provides the highest level of identity assurance. It is issued only after the requesting organization has passed a strict authentication procedure, a much more rigorous verification than those described above. It seeks to identify the legal entity that controls the website and to assure the user that the site is controlled by an entity legally authorized to operate, identified in the certificate by name, address, jurisdiction and registration number.
What can people do to stay safe?
Knowing now what an SSL certificate is, what the three types are, and that DV sites can pose a scam risk, how can users reduce the risk of shopping or carrying out other sensitive transactions online?
1. Be aware! Just because a website has a lock or “https” next to a URL doesn’t mean it’s completely safe for financial transactions. Users have learned to look for those two things before making a transaction, which is exactly why cybercriminals go to the trouble of obtaining DV-type SSL certificates: to mimic legitimate sites.
2. Know how to find the type of SSL certificate a page has. As a first step, look for visual cues that indicate security, such as the lock symbol. At a glance, browsers do not distinguish a DV certificate from an OV or EV certificate. To tell them apart, click on the padlock in the URL bar, then click where it says the connection is secure, and then click where it says the certificate is valid. If it is an OV or EV certificate, the name of the organization that owns the website is shown there.
3. Only transact and provide sensitive data on sites that have OV or EV certificates. There is a time and a place for DV certificates, but that doesn’t include their use for e-commerce sites. If a site has a DV certificate, rethink doing any type of transaction through it. If a site has an OV or EV certificate, you know that the commercial identity of whoever operates it has been confirmed.
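The same check the padlock walk-through above does by hand can be done programmatically. The following Python script is an added example and not part of this article; it uses only the standard library’s ssl module to read a certificate’s subject fields and classify it as DV, OV or EV by whether an organization name, registration number and jurisdiction are present (the fields the EV section describes). The sample subjects are constructed, not taken from real certificates, and fetch_subject is an assumed helper for a live lookup.

```python
"""Classify a server certificate as DV, OV or EV from its subject fields.

Heuristic: OV and EV certificates carry the organization's name in the
subject; EV certificates additionally carry businessCategory, a registration
serialNumber and jurisdiction* fields. The decisive EV signal is a policy
OID that ssl.getpeercert() does not expose, so this is a best-effort check.
"""
import socket
import ssl


def subject_to_dict(subject):
    """Flatten the nested tuple form returned by ssl.getpeercert()['subject']."""
    return {key: value for rdn in subject for key, value in rdn}


def classify(subject):
    """Return 'DV', 'OV' or 'EV' based on which identity fields are present."""
    fields = subject_to_dict(subject)
    if "organizationName" not in fields:
        return "DV"  # only control of the domain name was validated
    ev_markers = {"businessCategory", "serialNumber"}
    has_jurisdiction = any(k.startswith("jurisdiction") for k in fields)
    if ev_markers.issubset(fields) and has_jurisdiction:
        return "EV"  # legal entity, registration number and jurisdiction present
    return "OV"  # organization identified, but no EV registration details


def fetch_subject(host, port=443, timeout=5):
    """Open a verified TLS connection and return the peer certificate's subject."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


# Constructed sample subjects in getpeercert() format (not real certificates).
SAMPLE_DV = ((("commonName", "shop.example"),),)
SAMPLE_OV = ((("countryName", "US"),), (("organizationName", "Example Retail Inc"),),
             (("commonName", "shop.example"),))
SAMPLE_EV = ((("jurisdictionC", "US"),), (("businessCategory", "Private Organization"),),
             (("serialNumber", "1234567"),), (("countryName", "US"),),
             (("organizationName", "Example Retail Inc"),), (("commonName", "shop.example"),))

if __name__ == "__main__":
    for label, subj in (("dv", SAMPLE_DV), ("ov", SAMPLE_OV), ("ev", SAMPLE_EV)):
        print(label, "->", classify(subj))
```

For a live site, `classify(fetch_subject("shop.example"))` performs the same check against the certificate the server actually presents.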
Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the different types of certificates, people will have to shoulder some of the burden in combating cyber risks. By knowing the risks ahead of time, consumers are less likely to be fooled by phishing websites.