How can you be sure the website you’re using is safe? This is likely something you’ve thought about before. If you don’t already know, modern browsers have several protection mechanisms in place to stop users from navigating to dangerous websites. One of the ways your browser protects you is to alert you to the presence of HTTPS encryption on a web page, which can serve as one measure of a website’s security. Knowing about this alert system is very important because, as a consumer, it’s your first line of defense against online threats. Continue reading as we go into detail about HTTPS and your browser, as well as how both can help keep you safe on the Internet.

How does your browser keep you safe online?

If you’re using a modern browser, you’ve most likely seen a padlock symbol somewhere on the address bar, or the place where you input the URL you’d like to visit. These padlocks are part of a user interface designed to notify you of a website’s security credentials. Websites with green padlocks are secure, while websites without padlocks are considered insecure. You’ve probably read most of this on our blog before, as our previous HTTPS article also explains this concept. While the information in that post is accurate, it’s not the whole story. To truly understand the nuances of HTTPS, you’ll need a basic understanding of certificate authorities and SSL certificates, which brings us to our next point.

How do websites get HTTPS status?

Despite the importance your browser plays in alerting you to a website’s HTTPS status, it plays absolutely no role in granting that status. That’s because browsers merely report information that can be viewed from the code of the web page. One of the first things you should know is that although anyone can host a website – either through a web host, website builder or on their own server – not every website has HTTPS. In fact, by default, no websites have HTTPS because a webmaster has to purchase something known as an SSL certificate from a certificate authority (CA) before that happens. When a website requests an SSL certificate, a CA is responsible for both verifying the identity of SSL purchasers and digitally signing the SSL certificates that it issued. As such, SSL certificates play two roles. First, they provide HTTPS encryption and second, they’re also a form of identity verification, assuming the CA issuing the SSL certificate is trustworthy.

It’s important to understand that while the presence of HTTPS on a website makes it secure, it doesn’t necessarily mean that the website is trustworthy. For example, any site with SSL (displaying a padlock) will encrypt your activity, so that no outsiders can see or tamper with it, making it secure, but if a CA that issued the SSL certificate did a poor job of vetting the owner of the site that you’re “securely” connecting to, you might be engaging with a scammer. With this in mind, just remember that just because a website has a padlock doesn’t mean it should automatically be trusted. While your browser can let you know if you’re on a secure site, it does not control the legitimacy or trustworthiness of the CA that issued the SSL certificate, which is why HTTPS, while important, is not the be-all and end-all of Internet security. Something else that you should know is that there are different types of SSL certificates, and in some cases, your browser will display them differently. The major difference between certificates is in the degree of verification involved in issuing them.

Here’s a general breakdown of how these certificates differ:

DV SSL certificates: A DV, or Domain Validated, certificate is an SSL certificate that is validated at the domain level. This means the CA issuing the certificate does a WHOIS or website lookup to confirm that the entity requesting the certificate actually owns the website which they’re requesting the SSL for — note that this process is often automated. This is the lowest level of validation that exists, as anybody can simply buy a domain for any purpose and have valid WHOIS credentials. As we’ve stated before, WHOIS lookups are a great way to detect scams, but not by themselves. Other signs like typosquatting (e.g., when Craigslist.com is spelled Criagslist.com) and other types of domain abuse can corroborate your doubts about a suspicious WHOIS entry.

OV SSL certificates: OV, or Organization Validated, certificates have better verification than DV SSL Certificates. That’s because instead of just verifying the identity of the webmaster, the details of the organization that the webmaster is affiliated with are also verified. For example, if NextAdvisor were to get an OV SSL, the CA would have to not only verify NextAdvisor, but also CreditCards.com, our parent company that the domain is registered under. OV SSL certificates detail real-world information about the certificate’s owner, which means getting an OV certificate is a bit more difficult and requires more of an investment, making it less likely that a scammer will have one.

EV SSL certificates: EV, or Extended Validation, certificates provide the highest level of trust possible to users. Not only are there rules regulating how CAs issue these certificates, but also the process for getting one of these certificates is extremely expensive and rigorous, as it verifies every major aspect of the organization and domain’s ownership. Usually, only large companies or companies in specific industries, like finance, will invest in these types of certificates.

How can you tell SSL certificates apart?

Your browser has a built-in notification system that will let you know when each type of certificate is present. Here’s what these notifications look like with five of the most-used browsers:

No SSL/No HTTPS

[Screenshots of the address bar in Internet Explorer, Microsoft Edge, Safari, Firefox and Google Chrome]

DV and OV SSL (HTTPS is present)

It’s important to know that DV and OV SSL look the same in the URL bar.

[Screenshots of the address bar in Internet Explorer, Microsoft Edge, Safari, Firefox and Google Chrome]

If you wish to tell which type of certificate a website has, you can follow the instructions for your specific browser for showing certificate details. Any domains with OV SSL should display an organization’s name and location somewhere in the details tab of the certificate menu.
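The same check the certificate details tab allows, as an added example that is not part of the original article: the Python sketch below reads the subject fields of a certificate and guesses whether it is DV, OV or EV. It assumes the dictionary shape returned by Python's `ssl` module (`getpeercert()`), the sample certificates are constructed, and the rule is a heuristic based on which subject fields are present, not a trust decision.

```python
import socket
import ssl

def subject_fields(cert):
    """Flatten the nested subject tuples of ssl getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Guess DV/OV/EV from the subject fields (heuristic only)."""
    subj = subject_fields(cert)
    if "organizationName" not in subj:
        return "DV"  # only control of the domain was checked
    # EV subjects also carry a business category and a registration number.
    if "businessCategory" in subj and "serialNumber" in subj:
        return "EV"
    return "OV"

def describe(cert):
    """One-line summary: level, site name, organization, location."""
    subj = subject_fields(cert)
    owner = subj.get("organizationName", "(no organization listed)")
    keys = ("localityName", "stateOrProvinceName", "countryName")
    place = ", ".join(subj[k] for k in keys if k in subj) or "(no location)"
    return f"{validation_level(cert)}: {subj.get('commonName', '?')} / {owner} / {place}"

def fetch_cert(host, port=443):
    """Fetch a validated live certificate (needs network; not called below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates in getpeercert() shape (not real sites).
DV_CERT = {"subject": ((("commonName", "blog.example"),),)}
OV_CERT = {"subject": ((("countryName", "US"),), (("stateOrProvinceName", "Texas"),),
                       (("localityName", "Austin"),),
                       (("organizationName", "Example Media LLC"),),
                       (("commonName", "www.example.com"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),), (("countryName", "US"),),
                       (("organizationName", "Example Bank Inc."),),
                       (("commonName", "secure.example.com"),))}

if __name__ == "__main__":
    for sample in (DV_CERT, OV_CERT, EV_CERT):
        print(describe(sample))
```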

EV SSL (HTTPS is present)

It’s important to note that since EV SSL certificates require complete verification of the site’s owner, the address bar also includes the owner’s name.

[Screenshots of the address bar in Internet Explorer, Microsoft Edge, Safari, Firefox and Google Chrome]

What do you need to know when viewing SSL information?

Knowing the types of SSL certificates and how your browser identifies them is only one piece of the puzzle. Here are some quick pointers to keep in mind about HTTPS when you’re browsing the web:

1. The system is not perfect. As noted above, the SSL certificate system is not foolproof — just because you’re connected to a web page with a green padlock, doesn’t mean that you’re safe. That’s why it’s important to not only confirm a web page’s HTTPS status, but also look for other contextual cues to confirm the legitimacy of the site. Pages that instantly redirect from other pages or pages that have a website naming structure that differs from other pages on the site (e.g., if you go from amazon.com to checkout.amazon.co or to amazon.net/checkout) should be immediately suspicious. Things like typosquatting, discussed in detail in our fake websites post, and incomplete sites (e.g., the Contact Us page has no information) are also tell-tale signs that something might be amiss.

2. Not every website needs HTTPS. Although you’ll want to make sure any website you enter personal or account information (e.g., a username and password) into is secure, it’s important to also be aware that not all websites need HTTPS, especially since SSL certificates can be expensive. In fact, if a web page doesn’t have HTTPS, it doesn’t mean it’s a bad site. For example, if you’re looking at a personal blog, checking a local news website or browsing an online store, the site may not have HTTPS because it’s just providing you information or showing you products and doesn’t require you to input any information. That said, the moment any site asks you to enter payment information, input text in forms or log into an account, HTTPS should be active. If the site does not have HTTPS when it’s asking for such information, you should avoid using it, as it means your connection isn’t secure.

3. Websites handling sensitive information should at least have OV SSL (if not EV). If you’re on a web page where you’ll be putting in sensitive information, like financial details or social security numbers, EV or OV SSL should be present. This should be the case for banks, online shopping sites, investment firms and insurance websites. In general, most major banks or companies use EV SSL, but it’s possible that smaller websites may opt for OV SSL since EV SSL can be expensive. OV SSL is also acceptable, but if you want to completely ensure the OV SSL web page you’re on is legitimate, you may want to follow our guide to confirming the legitimacy of a website.

4. Plugins or a VPN can encrypt your traffic. If you want your web traffic encrypted, regardless of whether or not a page has an SSL certificate, you should consider plugins, like HTTPS Everywhere, or a service, like a Virtual Private Network (VPN), that can do exactly that. Keep in mind that the purpose of an SSL certificate isn’t just to provide encryption (HTTPS), but also to serve as a form of verification. This means using HTTPS Everywhere or a VPN does not guarantee that you won’t get hacked. Instead, it just makes your connection to a website hidden from external third parties who might eavesdrop or tamper with it. This is an invaluable tool for stopping man-in-the-middle attacks, when someone gets between you and the secure website, but you’ll still need to exercise caution while surfing the web.
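The contextual check from point 1 (a host name that differs from the site you expect, or a typosquatted spelling) can be automated. The Python sketch below is an added example, not part of the original article: it compares the host in a URL with the domain you expect and flags near misses. It assumes the expected value is a plain registrable domain such as `amazon.com` (no public suffix list is consulted), and the function names and distance threshold are illustrative choices.

```python
from urllib.parse import urlsplit

def edit_distance(a, b):
    """Edits to turn a into b: insert, delete, substitute, swap neighbours."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Two adjacent letters swapped count as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_host(url, expected, max_edits=2):
    """Return 'expected', 'lookalike' or 'unrelated' for the URL's host.

    Assumption: `expected` is the registrable domain you meant to visit.
    max_edits=2 is an illustrative threshold; short brand names need a
    lower value to avoid false positives.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = expected.lower()
    if host == expected or host.endswith("." + expected):
        return "expected"
    brand = expected.split(".")[0]
    # The brand, or a near miss of it, appearing under another domain is suspicious.
    if any(edit_distance(label, brand) <= max_edits for label in host.split(".")):
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # URLs constructed from the examples named in the article.
    for url, want in [("https://www.amazon.com/gp/cart", "amazon.com"),
                      ("https://checkout.amazon.co/cart", "amazon.com"),
                      ("https://amazon.net/checkout", "amazon.com"),
                      ("http://criagslist.com/", "craigslist.com")]:
        print(url, "->", check_host(url, want))
```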

In addition to being your entry to the Internet, your browser also has some tools to help you confirm the legitimacy of the websites you visit. That said, it should be noted that your browser cannot always protect you from scammers or thieves. For more information about how you can protect yourself online, keep reading our technology blog.