What is a certificate?
A certificate is a digital document that a website or other Internet service uses to prove its identity to users. If you see a lock icon in your Web browser’s address bar, that means the website you’re viewing has presented a valid certificate. And this generally means that anyone who might be spying on your Internet connection (like someone else on your Wi-Fi network) wouldn’t be able to see or modify the content you’re seeing on that website.
What does a certificate look like?
If you’re viewing a website that has a valid certificate, you can look at the certificate by clicking the lock icon in your browser’s address bar (see your browser’s help center for specific instructions). You’ll see a variety of information such as how long the certificate is valid, what domain names the certificate covers, and the name of the company that issued the certificate.
Who issues certificates?
Certificates for websites are issued by companies called certificate authorities, or CAs for short. Popular CAs are DigiCert, GlobalSign, and Let’s Encrypt. Some CAs’ sole business is to issue certificates, while others are more general cybersecurity businesses. CAs are trusted by browsers to operate as an authority of which websites are safe.
Some major tech companies, including Google and Amazon, operate their own CAs to issue certificates for their own websites. For example, if you go to any Google-owned site, you’ll see a certificate from Google’s CA, “Google Trust Services LLC.”
How does a certificate prove a website’s identity?
Certificates use a technology called “digital signatures” to prove the identity of a website. The website operator has a piece of secret information called a “private key.” They can use it to create a digital signature, which proves that they have possession of the private key without actually revealing the key. A site’s certificate contains enough information about the private key for anyone to verify that a digital signature made with that key is valid.
Before a CA issues a certificate for a website, it verifies that whoever is requesting the certificate actually controls the website. There are several ways to do that, such as by telling the website owner to add a webpage to the site with specific randomly-generated content, and then verifying this page appears on the site.
When you visit a site in your browser, the site will send its certificate, along with a digital signature. Your browser verifies the digital signature, and verifies that the domain name in the URL matches a domain name in the certificate. If those checks pass (along with several others, like ensuring that the certificate hasn’t expired), the browser will show you the site’s content.
It’s important to note that it’s easy to get a certificate for any website, so even a site with a valid certificate might be unsafe. The site may not protect the privacy of personal information you submit. It could also be a deceptive site intended to steal your password for another site (a practice called phishing).
What if I encounter a certificate warning on a website?
Your browser may sometimes show warnings about invalid certificates. Depending on the specific warning, this could mean that the site’s administrators have misconfigured something, or that your connection is being intercepted.
- If a certificate is expired, that’s likely to be a mistake on the website’s part.
- If the address on a certificate doesn’t match the address in the browser’s address bar, that could still be a mistake, but it’s significantly more likely to indicate an intercepted connection.
Whatever the warning is, it’s important to consider the source. If you see a certificate warning when you go to Google, it’s virtually certain that your connection is being intercepted; a sophisticated tech company like Google would not misconfigure their certificates. If you see a warning when you go to your local restaurant’s site, that’s more likely to be a mistake.
Browsers will give you the option to proceed after you see a certificate warning, but it’s best practice to not do so. Even if you avoid downloading files or entering personal information (like a username or password), the site may still be dangerous.
Ready for a better Internet?
Brave’s easy-to-use browser blocks ads by default, making the Web cleaner, faster, and safer for people all over the world.Download Brave