To see if a web site is secure, we have been trained to look for the padlock in the browser. Sadly, not all padlocks are the same…
Take a look at the following two web sites in Internet Explorer; both have padlocks…
On Google Chrome…
Why is one highlighted green, but the other one not?
Both are using HTTPS. Both are using TLS. Both have padlocks on display.
The answer lies in the type of certificate used by the underlying TLS protocol.
The first certificate is Domain Validated (Cyber Matters), whereas the green one has Extended Validation (Symantec).
Domain Validation
A Domain Validated certificate simply says the web site owner has demonstrated they own the associated DNS; i.e. in the example above, whoever is running the web site https://cybermatters.info has demonstrated they have control of the DNS for cybermatters.info.
Given we know the frailties of DNS, is this sufficient to conclude this site is trustworthy? No, and it is not intended to. The intent is only to say that the communication between your browser and the site is secured; that’s all.
There is a second type that also displays just the plain padlock, called Organisation Validated, in which the certificate provider has undertaken some checking that the requesting company has rights to use the domain name. I’d argue this does not add a great deal of additional security.
(I’ve not seen browsers treat Organisation Verified any differently to Domain Verified certificates. Have you?)
Extended Validation
Extended Validation certificates are different. The organisation has been through a thorough vetting process, defined by the CA/Browser Forum. The vetting is undertaken by the Certificate Authority operator, using a process that is audited at least annually. Only by agreeing to this audit will a Certificate Authority be recognised by your web browser, which then displays the padlock in green.
The Google and Microsoft browsers choose to show slightly different information in their respective address bars: Google shows the verified company name, whereas Microsoft shows who verified the information.
All in all, it’s a much more trustworthy process, which means you can have greater confidence in the security the site provides. In fact, if you know your way around a certificate, you can find out exactly what assurance is provided (more on this in a future blog).
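As an added example (not code from the original post), the following script tells DV, OV and EV apart from the certificate itself, using the CA/Browser Forum policy OIDs and the Subject fields the EV Guidelines require; it reads the text that OpenSSL prints for the subject and the certificatePolicies extension, the sample certificate data is constructed, and the exact OpenSSL output format (including the jurisdictionC short name) is an assumption.

```python
# Added example: classify a certificate as DV / OV / EV from its Subject and its
# certificatePolicies extension, using the text OpenSSL prints (format assumed) for
#   openssl x509 -in cert.pem -noout -subject -nameopt RFC2253
#   openssl x509 -in cert.pem -noout -ext certificatePolicies
import re
# CA/Browser Forum policy OIDs that declare the validation level.
EV_OIDS = {"2.23.140.1.1"}  # add legacy CA-specific EV OIDs here if you need them
OV_OIDS = {"2.23.140.1.2.2", "2.23.140.1.2.3"}  # organisation- and individual-validated
DV_OID = "2.23.140.1.2.1"
# Subject attributes the EV Guidelines require (OpenSSL short names; jurisdictionC
# as the name OpenSSL prints for the jurisdiction OID is an assumption).
EV_REQUIRED = {"O", "C", "businessCategory", "serialNumber", "jurisdictionC"}

def parse_subject(line):
    """Turn 'subject=CN=a,O=b,...' into a dict, honouring backslash-escaped commas."""
    if line.startswith("subject="):
        line = line.split("=", 1)[1]
    attrs = {}
    for part in re.split(r"(?<!\\),", line):
        key, _, value = part.strip().partition("=")
        attrs[key.strip()] = value.replace("\\,", ",")
    return attrs

def parse_policy_oids(text):
    """Collect every 'Policy: <oid>' entry from the certificatePolicies output."""
    return set(re.findall(r"Policy:\s*([\d.]+)", text))

def classify(subject_line, policies_text):
    """Return 'EV', 'OV', 'DV', or 'MALFORMED-EV: ...' when an EV OID lacks EV fields."""
    subject = parse_subject(subject_line)
    oids = parse_policy_oids(policies_text)
    if oids & EV_OIDS:
        missing = EV_REQUIRED - set(subject)
        if missing:  # an EV policy claim without the identity fields is not EV
            return "MALFORMED-EV: missing " + ", ".join(sorted(missing))
        return "EV"
    if oids & OV_OIDS or "O" in subject:
        return "OV"
    return "DV"  # DV OID present, or no organisational identity at all

# Constructed sample data: a DV certificate of the Cyber Matters kind, and an EV one.
DV_SUBJECT = "subject=CN=www.example.net"
DV_POLICIES = "certificatePolicies:\n    Policy: " + DV_OID + "\n"
EV_SUBJECT = ("subject=CN=www.example.com,O=Example Ltd,businessCategory=Private Organization,"
              "serialNumber=01234567,jurisdictionC=GB,L=London,ST=Greater London,C=GB")
EV_POLICIES = "certificatePolicies:\n    Policy: 2.23.140.1.1\n      CPS: https://ca.example/cps\n"
if __name__ == "__main__":
    print("DV sample:", classify(DV_SUBJECT, DV_POLICIES))  # DV
    print("EV sample:", classify(EV_SUBJECT, EV_POLICIES))  # EV
```

Since 2019 Chrome and Firefox no longer present EV certificates any differently in the address bar, so today the validation level is only visible by inspecting the certificate like this.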
Conclusion
This is a serious point. Since Google changed their search policy to give sites that use HTTPS by default a higher ranking, there has been a rush to get certificates on websites. In many cases, they are domain validated certificates, provided for free (as in the Cyber Matters case).
Over the years we’ve come to accept free internet applications and accepted the loss of privacy as a trade-off. Are we now accepting free security, and thus risking a false sense of security?
The moral is, don’t just look for the padlock, look for the entire address bar going “green” if you are to trust a site with your personal data.
“Green highlight means safe and secure, but what about purple? #ColorConfusion”
“Who even notices those green highlights? I’ve never bothered to check. 🤷‍♂️”
“Who even pays attention to those green highlight thingies on websites?”
I used to think the same way until I realized those “green highlight thingies” are actually useful for navigating through content quickly. Maybe you should give it a try instead of dismissing it. You might find it more helpful than you expect.
“Who knew a green highlight could make all the difference? #WebSecurityMysteries”
I think the different colored highlights on websites confuse me more than anything. 🤔
I totally get what you’re saying! The overuse of different colored highlights can definitely be overwhelming and make it harder to focus on the content. Maybe web designers should stick to more subtle and cohesive color schemes to avoid confusing readers like us.
“I don’t get why some sites have green highlights, others don’t. Can anyone explain?”