To see if a web site is secure, we have been trained to look for the padlock in the browser. Sadly, not all padlocks are the same…
Take a look at the following two web sites in Internet Explorer; both have padlocks…
On Google Chrome…
Why is one highlighted green, but the other one not?
Both are using HTTPS. Both are using TLS. Both have padlocks on display.
The answer lies in the type of certificate used by the underlying TLS protocol.
The first certificate has been Domain Validated (Cyber Matters), whereas the green one has Extended Validation (Symantec).
A Domain Validated certificate simply says the web site owner has demonstrated they own the associated DNS; i.e. in the example above, whoever is running the web site http://cybermatters.info has demonstrated they have control of the DNS for cybermatters.info.
Given we know the frailties of DNS, is this sufficient to conclude this site is trustworthy? No, and it isn’t intended to be. The intent is to say that the communication between your browser and the site is secured, that’s all.
There is a second type that also simply displays a padlock, called Organisation Validated, in which the certificate provider has undertaken some checking that the requesting company has some rights to use the domain name. I’d argue this does not add a great deal of additional security.
(I’ve not seen browsers treat Organisation Verified any differently to Domain Verified certificates. Have you?)
Extended Validated certificates are different. The organisation has been through a thorough vetting process, defined by the CA/Browser Forum. The vetting is undertaken by the Certificate Authority operator, using a process that is audited at least annually. It’s only by agreeing to this audit that your web browser will recognise the Certificate Authority and display the padlock in green.
The Google and Microsoft browsers choose to show slightly different information in their respective address bars: Google shows the verified company name, whereas Microsoft shows who verified the information.
All in all, it’s a much more trustworthy process, which means you can have greater confidence in the security the site provides. In fact, if you know your way around a certificate, you can find out exactly what assurance is provided (more on this in a future blog).
This is a serious point. Since Google changed its search policy to rank sites that use HTTPS by default higher, there has been a rush to get certificates onto websites. In many cases, they are domain validated certificates, provided for free (as in the Cyber Matters case).
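The assurance level is readable from the certificate itself. The following is an added example, not code from the original post: it classifies a certificate as DV, OV or EV from the CA/Browser Forum policy OIDs in its Certificate Policies extension (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV), falling back to the Subject attributes that the EV Guidelines require (organisation name plus registration number, business category and jurisdiction). The sample certificates are constructed, and the CA-specific OIDs under the 2.999 example arc are documentation placeholders, not any real CA's OIDs.

```python
import socket
import ssl

# CA/Browser Forum reserved certificate-policy OIDs. Publicly trusted
# certificates issued under the Baseline Requirements / EV Guidelines carry
# one of these in their Certificate Policies extension.
CABF_POLICY_OIDS = {
    "2.23.140.1.1":   "EV",  # Extended Validation
    "2.23.140.1.2.1": "DV",  # Domain Validated
    "2.23.140.1.2.2": "OV",  # Organisation Validated
    "2.23.140.1.2.3": "IV",  # Individual Validated (ranked with OV below)
}
LEVEL_RANK = {"DV": 1, "IV": 2, "OV": 2, "EV": 3}

# Subject attributes the EV Guidelines require on top of organizationName and
# countryName. Names are the long names that ssl.getpeercert() returns;
# jurisdictionCountryName is the attribute with OID 1.3.6.1.4.1.311.60.2.1.3.
EV_SUBJECT_ATTRS = {"serialNumber", "businessCategory", "jurisdictionCountryName"}


def classify_from_policies(policy_oids):
    """Return the level asserted by a CA/B Forum policy OID, or None if absent."""
    levels = {CABF_POLICY_OIDS[o] for o in policy_oids if o in CABF_POLICY_OIDS}
    if not levels:
        return None
    # A certificate asserting two different levels is malformed; keep the weakest claim.
    return min(levels, key=LEVEL_RANK.__getitem__)


def classify_from_subject(subject):
    """Infer the level from the Subject alone: DV certificates carry no organisation
    identity, OV adds organizationName, EV additionally records the legal entity."""
    if not subject.get("organizationName"):
        return "DV"
    if EV_SUBJECT_ATTRS.issubset(subject):
        return "EV"
    return "OV"


def classify(policy_oids, subject):
    """Combine both signals and return (level, basis). The policy OID is the CA's
    explicit claim; the Subject heuristic is the fallback for older certificates."""
    level = classify_from_policies(policy_oids)
    if level is None:
        return (classify_from_subject(subject), "subject heuristic")
    if level == "EV" and classify_from_subject(subject) != "EV":
        # EV OID without the mandatory legal-entity attributes: do not credit it as EV.
        return ("OV", "policy OID claims EV but Subject lacks EV attributes")
    return (level, "policy OID")


def subject_from_getpeercert(cert):
    """Flatten the nested tuples ssl.SSLSocket.getpeercert() returns for 'subject'
    into a plain dict (last value wins if an attribute repeats)."""
    return {k: v for rdn in cert.get("subject", ()) for (k, v) in rdn}


def live_subject(host, port=443):
    """Fetch the Subject of a live server's leaf certificate with the standard
    library only. getpeercert() does not expose the Certificate Policies
    extension, so from here only the Subject heuristic is available."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)),
                         server_hostname=host) as s:
        return subject_from_getpeercert(s.getpeercert())


# Constructed sample certificates (not real certificates); 2.999.* are placeholder OIDs.
SAMPLE_DV = {"policies": ["2.23.140.1.2.1", "2.999.1.1"],
             "subject": {"commonName": "cybermatters.info"}}
SAMPLE_OV = {"policies": ["2.23.140.1.2.2", "2.999.1.2"],
             "subject": {"countryName": "GB", "organizationName": "Example Ltd",
                         "commonName": "www.example.com"}}
SAMPLE_EV = {"policies": ["2.23.140.1.1", "2.999.1.3"],
             "subject": {"countryName": "GB", "organizationName": "Example Ltd",
                         "commonName": "www.example.com", "serialNumber": "01234567",
                         "businessCategory": "Private Organization",
                         "jurisdictionCountryName": "GB"}}
# Older certificate predating the CA/B Forum OIDs: only the heuristic applies.
SAMPLE_LEGACY = {"policies": ["2.999.1.4"],
                 "subject": {"organizationName": "Example Ltd",
                             "commonName": "www.example.com"}}

if __name__ == "__main__":
    for name, c in [("DV", SAMPLE_DV), ("OV", SAMPLE_OV),
                    ("EV", SAMPLE_EV), ("legacy", SAMPLE_LEGACY)]:
        print(name, classify(c["policies"], c["subject"]))
```

One caveat on reading the result: the EV policy OID is necessary but not sufficient for the green bar. Browsers only treat a certificate as EV when its chain ends at a root the browser has enrolled for EV with that CA's specific EV OID, so a certificate that merely asserts 2.23.140.1.1 from an unenrolled root still shows a plain padlock.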
Over the years we’ve come to accept free internet applications and accepted the loss of privacy as a trade-off. Are we now accepting free security, and thus risking a false sense of security?
The moral is, don’t just look for the padlock, look for the entire address bar going “green” if you are to trust a site with your personal data.