
What is a Website Security Certificate?

by Cybergal | Last Updated | November 17, 2021
Cyber Dictionary|CyberSecurity - SMB

Cybercrime is happening at record levels and the statistics are getting more alarming every year. 

Cybercrime cost the world over $1 trillion in 2020, according to a report by Atlas VPN. [1] The costs are adding up. Cybersecurity Ventures predicts that cybercrime will cost the world $6 trillion annually by 2021.

Packetlabs also compiled a list of cybersecurity statistics for 2020. Here are some highlights of the report:

What do all these figures have to do with website security certificates? A lot.

What is a website security certificate?

A website security certificate is a digital certificate that asserts the identity of a website. It is a digital file issued by an industry-trusted third party called a certificate authority (CA), which vouches that the website is secured. Specifically, it guarantees an encrypted connection between two parties: the website’s server and the visitor’s browser.

When you see HTTPS or a black padlock icon before the domain name in the address bar, it means that the website is secured by a website security certificate.

How a website security certificate works

When you want to connect to a secured website, here are the steps that take place:   

(Figure: SSL workflow)

Why a website security certificate is important

Whether you’re a general information or business website, a website security certificate will assure your visitors that they are at the genuine website they’re looking for, not a fake one. It also protects site visitors from man-in-the-middle (MITM) attacks, phishing attempts and DNS hijacking.

Google has made HTTPS an important factor in its search algorithm for ranking websites. Having it on your URL will give you a chance to be noticed by Google and potentially earn a higher ranking. 

You’ll want to prove to people that you’re you, especially if you’re a business or organization. A website security certificate will help you do that. Commercial CAs also provide organization validation (OV) and extended validation (EV) SSL certificates to further strengthen your identity. OV is the intermediate level of verification while EV requires the most extensive verification. 

Once you’ve asserted your identity, people will be more willing to trust you. Trust involves the belief that a company protects its customers’ information. Security and privacy are increasingly key concerns for consumers. People will want to make sure that your company has their best interest in mind. Will your company safely store their bank account details? Will your company keep their health records private? If yes is the answer to these and other privacy questions, then people will less likely go elsewhere.

How HTTPS works

HTTPS is short for Hypertext Transfer Protocol Secure. It is the secure version of HTTP. HTTP and HTTPS are communication protocols responsible for transmitting data between a web browser and a website. 

Technically, HTTPS and HTTP work in the same way, except that HTTPS uses an encryption protocol to secure communications. That protocol is Transport Layer Security (TLS), formerly called Secure Sockets Layer (SSL). TLS relies on asymmetric public key cryptography, in which the two parties use a pair of two different keys, as follows:

The private key. This key is controlled and kept private by the owner of the website. It resides on the web server and is used to decrypt data that was encrypted with the public key.

The public key. This key is available to anyone who wants to transmit information securely, meaning that the information must be encrypted before it is sent. Information encrypted with the public key can only be decrypted with the private key.

When information is transmitted over standard HTTP, all communications travel as plain text. Unencrypted data can be read by anyone who has the right skills and tools. It is also vulnerable to interception through on-path attacks while a web browser and server are communicating.

(Figure: HTTP vs HTTPS)

The handshake protocol

HTTPS always begins with a TLS handshake (still commonly called the SSL handshake), an asymmetric cryptography process that establishes a secure communication channel between the server and the client. If everything is in order, the handshake completes instantly and automatically.

A failed handshake results in the termination of the connection, usually followed by a warning message in the client’s browser. 

source: https://www.makeuseof.com/tag/website-security-certificate-care/

What are the types of website security certificates

Website security certificates fall into two main categories: by validation level and by functionality.

By validation levels:

Here are the three types of website security certificates according to the level of validation:

1. Domain validation (DV) certificate

A DV certificate is validated against a domain registry to confirm ownership of the website domain. However, it is not recommended for commercial websites because it carries no organizational information, so website visitors cannot tell whether the website is legitimate. DV certificates can be used where authentication is not needed, such as on protected internal systems.

2. Organization validation (OV) certificate

The certificate authority authenticates an organization against the domain registry and business registry databases hosted by governments. The CA may also look into organizational documents and interview personnel to gather legitimate business information. This is the ideal certificate for commercial and public-facing websites.

3. Extended validation (EV) certificate

An EV certificate offers the highest level of validation because it goes through additional validation steps. It includes details not found in DV and OV certificates. The EV certificate is the global standard for encrypting data because it is extremely difficult to impersonate an EV-enabled website. The world’s leading organizations and businesses have adopted it to protect their brand and ensure user trust. They also use it for sensitive processes, such as area logins and front-facing webpages.

By functionalities

Website security certificates can also be classified according to what they can secure in websites. Following are the four classifications:

1. Single domain SSL certificate

This is the simplest SSL certificate covering only one domain and excluding subdomains and other websites you own.

2. Multi-domain SSL certificate

A multi-domain certificate is also known as a unified communications (UCC) SSL certificate. It allows you to include up to 100 domains, listed as subject alternative names (SANs), so that one certificate secures communication between browsers and all of those servers at the same time.

3. Wildcard SSL certificate

A wildcard certificate allows you to use a single certificate for the domain and an unlimited number of subdomains. For example, a single certificate can be used for: 

It’s a more affordable option than investing in a certificate for each domain and subdomain.

4. Multi-domain wildcard SSL certificate

This type of certificate allows big organizations to secure multiple domain names and subdomains, including subject alternative names, with a single certificate. 


What are the common SSL attacks and vulnerabilities?

The SSL/TLS protocol is widely used, making it a potential breeding ground for attacks. As with all technology, SSL has its own downsides; the most common is improperly configured servers, which can expose data instead of securing it.

Following are typical SSL attacks and vulnerabilities that cybercriminals can exploit:

1. Man-in-the-middle (MITM) attacks 

To launch an MITM attack, cybercriminals impersonate a trusted website so they can gain the trust of the communicating parties and eavesdrop on secure conversations. 

Attackers often exploit unsecured or inadequately protected wireless access points to gain entry. If they can steal a website’s server private key, they can then pose as the server.

Attackers can also steal the root key of a compromised certificate authority (CA) and issue a fake certificate generated by the stolen key. With a fake certificate, attackers can then inject malware to redirect users to fake banking sites and phishing sites, for example.

2. Advanced persistent threat (APT)

With the use of malware, APT attackers steal SSL/TLS keys and certificates for use in communications fraud and data theft. Cybercriminals exploited the Heartbleed bug, resulting in a data breach of more than 4.5 million patient records at Community Health Systems (CHS). The criminals worked around the CHS firewall and took advantage of a vulnerable system behind the firewall.

3. SSL stripping attacks

An SSL stripping attack is a cyberattack in which an attacker downgrades a web connection from the more secure HTTPS to the less secure HTTP. This turns all communications back into unencrypted form and paves the way for a man-in-the-middle intrusion.

At this point, the MITM attacker is in control: the attacker forwards the victim’s requests to the genuine server and relays the replies back to the victim’s browser over HTTP. All communications are now in plain text, allowing the attacker to gather any data they want.

4. Expired SSL/TLS certificates

Expired certificates risk degrading encryption and authentication. This opens your website to attacks and viruses. You may also risk losing users if they see a warning message that says “Your connection is not private”. Your traffic could drop and you could lose business.

5. Self-signed wildcard certificates

Some server administrators resort to quick and easy ways of providing SSL certificates for websites. They create self-signed wildcard certificates using the free OpenSSL toolkit. These certificates are not signed by a publicly trusted certificate authority but with the administrator’s own private key.

This practice erodes trust because the certificate is not validated by a credible certificate authority. Websites with self-signed certificates show warning pages with error messages, such as:

These messages drive visitors away and drastically affect traffic on your website. People hesitate to share their personal information, such as usernames, passwords, bank and credit card details and phone numbers. 

Moreover, websites labeled as “not secure” are easy targets for cybercriminals to launch man-in-the-middle attacks. Once an MITM strike is happening and users bypass the security warnings, they are unwittingly exposing their information to data theft.
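As an added example that is not part of the original article, the following Python script performs the three checks a browser makes before showing the padlock: that the hostname matches a name on the certificate (single-domain, multi-domain and wildcard certificates, described above under "By functionalities", differ only in their list of SANs), that the certificate has not expired (item 4), and that it is not self-signed (item 5). The certificates are constructed sample data in the dictionary format that Python's ssl.getpeercert() returns; example.com and the CA name are placeholders.

```python
# Added example (not from the article): the identity, expiry and self-signed
# checks a browser applies to a server certificate, using the dictionary
# shape returned by ssl.getpeercert(). All certificates are constructed.
import ssl
import time

def hostname_matches(pattern, hostname):
    # RFC 6125 rules: a wildcard may only be the entire leftmost label and
    # matches exactly one label, so *.example.com covers www.example.com
    # but neither example.com nor a.b.example.com.
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_certificate(cert, hostname, now=None):
    """Return the problems a browser would warn about (empty list = OK)."""
    now = time.time() if now is None else now
    problems = []
    # Identity: hostname must match a DNS subject alternative name. Single-,
    # multi-domain (several SANs) and wildcard certs differ only in this list.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    # Validity period: an expired certificate triggers a warning.
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    # Self-signed: issuer equals subject, so no public CA has vouched for it.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")
    return problems

# Constructed sample: a wildcard certificate issued by a fictional CA.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "Sample Public CA"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Jan 10 00:00:00 2031 GMT",
}
# Constructed sample: an expired, self-signed single-domain certificate.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "intranet.example.com"),),),
    "issuer": ((("commonName", "intranet.example.com"),),),
    "subjectAltName": (("DNS", "intranet.example.com"),),
    "notAfter": "Jan 10 00:00:00 2020 GMT",
}
```

Pass a fixed `now` timestamp to `check_certificate` to get repeatable results; with no argument it uses the current time, as a browser would.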

6. Fake certificate authorities

Fake, untrusted and unknown certificate authorities have joined cybercrime networks to fool unsuspecting victims. Internet security firm Netcraft discovered dozens of fake SSL certificates of banks, ecommerce websites, social networks and even Internet Service Providers (ISPs) in 2014.

The fake certificates bear the common names of their target websites. Many of the fake certificates impersonate known brands, such as Facebook, GoDaddy, iTunes and YouTube. But because the certificates are not signed by trusted certificate authorities, they are regarded by mainstream browsers as invalid. For banks, the danger lies in online traffic originating from apps and non-browser software that may fail to check the validity of SSL certificates.

Fake certificates alone are not enough to carry out an attack. The attacker would also need to set up rogue access points to position themselves on some system between the victim and the server. The attacker can then monitor traffic and redirect it to an IP address under their control, where credentials and other financial information can be stolen.

7. Attacker-encrypted communications

Cybercriminals are using encryption to deliver malware undetected, eavesdrop on private conversations, disrupt secure transactions and extract data over encrypted communication channels. An increase in encrypted traffic will mean more attack vectors for criminals.

8. Phishing attacks

Vulnerable SSL certificates allow malicious actors to use social engineering to trick people into visiting fraudulent sites under their control, where they can capture financial and personal information.

Benefits of a Website Security Certificate

Obtaining and implementing a website security certificate has many benefits for your customers and your business.

They Protect Data

The core objective of security certificates is to protect server-client communication. Certificates ensure that all data flowing between the two ends is encrypted. In plain terms, the data is locked and can only be unlocked by the intended participants in the communication link, for example the web browser and the web server. Without the key, the data is simply unintelligible and useless to anyone other than the intended participants.

They Affirm Your Identity

The second most important role of a security certificate is to provide authentication – you are who you claim to be. Verifying identity is one of the most important security controls required to ensure you are communicating with the entity (website, service, etc.) you believe you are. 

Website spoofing is a cybercrime mainstay. Protecting your website with a security certificate ensures that your customers can be confident that it’s the real site and not a fake one created and used by hackers to steal their data.

Improved Search Engine Ranking

Google has effectively made HTTPS mandatory for having a chance of being returned in its top search results. You simply have no chance of having your website or any of its content displayed on the first page of search results if a security certificate is not deployed on your website.

Helps You Satisfy PCI DSS Requirements

If your website supports ecommerce or any form of online payments, you will likely know a thing or two about PCI DSS requirements. To receive online payments, your website must be PCI compliant. Having a website security certificate installed is one of the 12 primary requirements set by the payment card industry (PCI).

Improves Customer Trust

Beyond just encryption and authentication, security certificates are a critical element in developing customer trust in your website and your brand. Easily recognized signs such as the padlock and HTTPS inform users that the data they send will be secured. If you use an OV or EV certificate, users can see your organization’s details. Once they know that you’re a legitimate entity, they’re far more likely to do business with you or even revisit your site.


What should you do if you see a certificate warning?

Chances are you’ll come across a certificate alert while browsing the Internet. If you get an alert on a website you’re trying to access, click on the padlock to check the details. The certificate may have expired or may be being used fraudulently, in which case you shouldn’t trust it.

If you see the certificate alert on a website you trust and have been accessing before, you can check the website’s social media feed where you can see updates on downtime, security and other issues. You may also contact the website owner to find out what’s going on.

How do you choose the right website security certificate?

It’s important to choose the right security certificate for your website so you don’t end up with inadequate security. The first thing you’ll want to do is determine the level of validation, functionality and security your business and users need.

As to functionality, a single domain certificate may be sufficient to secure your small business, but you may need a multi-domain wildcard SSL certificate for your multiple branches and locations.

As to validation, a DV certificate should be able to meet the requirements of your small business. However, if you’re a big commercial website or corporation that deals with high-risk data like health records or bank accounts, you’ll need an EV certificate to provide the highest level of validation and security to your business and customers.

Our final thoughts: Do you want people to find your ecommerce website? Do you want them to feel comfortable and safe doing business with you? Do you want your audience to keep coming back because they feel more secure? If your answer is yes to all these questions, then you need the right security certificate. Protect your website, protect your customers, protect your brand and especially protect your business.

Get a website security certificate!
