Every modern web browser shows the use of encrypted HTTPS connections in the address bar and indicates if the website’s SSL certificate is not valid.
Pay attention to the address bar of your web browser
The following screenshot shows Internet Explorer while accessing two different banking websites:
- Requesting the first domain, santander.co.uk, the user arrives at the URL http://www.santander.co.uk/uk/index – an unencrypted connection.
- Requesting the second domain, db.com, the user arrives at the URL https://www.db.com/index_e.htm – an encrypted connection.
Example of invalid SSL certificates in the Chrome web browser
For both domains in the following screenshot the SSL certificate is not valid, and the Chrome web browser indicates this as follows:
Why are both SSL certificates invalid, and why does this result in an unencrypted connection?
- Marked in red: a self-signed SSL certificate whose identity cannot be confirmed.
- Marked in yellow: an SSL certificate issued by a CA (Certification Authority) whose identity is confirmed. However, not all resources are loaded over the encrypted connection, which means that a potential security risk exists and the web browser does not validate the certificate.
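The yellow case above is a page whose own certificate is fine but which pulls some of what it embeds over plain HTTP. The following Go program is an added example, not code from the original article; it scans a constructed HTML page for sub-resources (scripts, images, frames, stylesheets) requested over http:// and leaves alone plain links, metadata links such as canonical, and relative or scheme-relative URLs, which inherit the page's https: scheme. Every hostname in the sample page (cdn.example, analytics.example and so on) is made up for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SamplePage is a constructed HTTPS page: its own certificate is fine, but some
// of the things it embeds are requested over plain http://.
const SamplePage = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="http://analytics.example/tag.js"></script>
<script src='//cdn.example/app.js'></script>
</head><body>
<img src="HTTP://img.example/banner.png" alt="banner">
<img src="/static/logo.png" alt="logo">
<a href="http://partner.example/">partner link</a>
<iframe src="http://widget.example/frame"></iframe>
</body></html>`

// Elements whose src/href/data attribute makes the browser fetch a sub-resource
// while rendering. A plain <a href> is navigation, not mixed content, so it is absent.
var resourceTag = regexp.MustCompile(`(?is)<(script|img|link|iframe|video|audio|source|object|embed)\b[^>]*>`)

// Quoted or bare attribute values; only one of the three capture groups is set per match.
var urlAttr = regexp.MustCompile(`(?is)\s(src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)
var relAttr = regexp.MustCompile(`(?is)\srel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`)

// fetchedLink reports whether a <link> element actually loads something (stylesheet,
// icon, preload ...) rather than just naming a related URL (canonical, alternate ...).
func fetchedLink(tag string) bool {
	m := relAttr.FindStringSubmatch(tag)
	if m == nil {
		return false
	}
	for _, rel := range strings.Fields(strings.ToLower(m[1] + m[2] + m[3])) {
		switch rel {
		case "stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest":
			return true
		}
	}
	return false
}

// MixedContent returns, in document order, every sub-resource URL using the http:
// scheme. Relative and scheme-relative (//host/...) URLs inherit https: from the page.
func MixedContent(html string) []string {
	var found []string
	for _, m := range resourceTag.FindAllStringSubmatch(html, -1) {
		tag, name := m[0], strings.ToLower(m[1])
		if name == "link" && !fetchedLink(tag) {
			continue
		}
		for _, a := range urlAttr.FindAllStringSubmatch(tag, -1) {
			url := strings.TrimSpace(a[2] + a[3] + a[4])
			if strings.HasPrefix(strings.ToLower(url), "http://") {
				found = append(found, url)
			}
		}
	}
	return found
}

func main() {
	for _, u := range MixedContent(SamplePage) {
		fmt.Println("mixed content:", u)
	}
}
```

Run against the sample page it reports the analytics script, the banner image and the iframe; the canonical link, the partner link and the scheme-relative script are correctly left out. A regular-expression scanner like this is enough for a quick audit of static HTML, but scripts that inject http:// resources at run time are only caught by checking the live page, for example through the browser's developer console.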
Attention: Why a valid SSL certificate is important
By using an SSL certificate you are able to establish encrypted HTTPS connections. This is only secure if the SSL certificate in use validates for the whole website. Without encryption, all data sent and received by your website can be read in full on its way through the Internet, and third parties are even able to change the data in transit.
Additionally, although less important than the above, HTTPS is a ranking factor for Google. With an invalid certificate, your website will not receive the ranking boost.
With the free certificate check from globalsign.ssllabs.com, you are able to gain additional insights into a domain’s SSL certificate.
Example of a trustworthy certificate:
Example of an untrustworthy certificate:
The pitfalls of SSL certificates – why they may not validate
The following circumstances may cause a web browser to refuse to validate an SSL certificate and to consider it untrustworthy:
- Self-signed certificate
- No known root certificate (the Certification Authority (CA) is not recognised)
- The certificate has expired
- The accessed domain does not match the domain (or range of domains) registered in the certificate
- The website contains unencrypted resources, for example resources loaded from third-party websites without HTTPS support
- Support for Server Name Indication (SNI) is missing in the certificate
- Old protocol version due to the use of an old version of OpenSSL. Always use the newest TLS library!
  - SSL v2 is unsafe and should not be used
  - SSL v3 and TLS v1.0 are widespread, although their security is being challenged
  - TLS v1.1 and v1.2 are the newest, safest standards
- The key length is less than 2048 bits
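To show how these checks behave in practice, here is an added Go example (not code from the article) that uses the standard crypto/x509 package to build a private test CA and several leaf certificates in memory and then asks the verifier the same questions a browser does: is the chain anchored in a known root, is the certificate within its validity period, does the requested host name match, and is the RSA key at least 2048 bits. The names Example Test CA, shop.example and login.example are constructed for this demo. The protocol-version items in the list (SSL/TLS versions, the OpenSSL build) concern the TLS handshake rather than the certificate itself and are not covered here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a minimal certificate: CAs get CertSign, leaves get a DNS name and serverAuth.
func template(name string, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs tmpl with the signer's key; passing tmpl itself as parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// Reason runs the checks from the pitfalls list (key size first, then Verify, which
// chains to a trusted root, checks the validity dates and matches the host name)
// and names the first one that fails.
func Reason(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		return "key shorter than 2048 bits"
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "self-signed or unknown CA"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

// Scenarios builds a private root CA plus four leaf certificates; all names are constructed.
func Scenarios() map[string]string {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	weakKey, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately below the 2048-bit floor
	check(err)
	caTmpl := template("Example Test CA", true, now.Add(-time.Hour), now.Add(365*24*time.Hour))
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool() // stands in for the browser's trust store
	roots.AddCert(ca)
	from, until := now.Add(-time.Hour), now.Add(24*time.Hour)
	good := issue(template("shop.example", false, from, until), ca, &leafKey.PublicKey, caKey)
	expired := issue(template("shop.example", false, now.Add(-48*time.Hour), now.Add(-24*time.Hour)), ca, &leafKey.PublicKey, caKey)
	selfTmpl := template("shop.example", false, from, until)
	selfSigned := issue(selfTmpl, selfTmpl, &leafKey.PublicKey, leafKey) // no CA involved at all
	weak := issue(template("shop.example", false, from, until), ca, &weakKey.PublicKey, caKey)
	return map[string]string{
		"valid chain, matching host": Reason(good, roots, "shop.example", now),
		"valid chain, wrong host":    Reason(good, roots, "login.example", now),
		"expired leaf":               Reason(expired, roots, "shop.example", now),
		"self-signed leaf":           Reason(selfSigned, roots, "shop.example", now),
		"1024-bit RSA key":           Reason(weak, roots, "shop.example", now),
	}
}

func main() { fmt.Println(Scenarios()) }
```

Only the first scenario comes back as trusted; the others map one-to-one onto the list above. Note that the key-length check is done separately before Verify: the certificate chain verifier is concerned with signatures, dates and names, while a minimum key size is a policy that the browser (or your own tooling) has to enforce on top of it.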
Video explanation: What is SSL?
This video explains the basics of SSL, which are good to know, and how encryption works.
Additional information on the subject
- SSL/TLS Deployment Best Practices: PDF
- SSL server check with the SSL-Labs test from Qualys