This tip is part of Westfield's occasional series on general security definitions.
You just got a popup on your computer saying "there is an error with XYZ's certificate" and asking whether you would like to accept the certificate permanently, accept it for this visit only, or reject it. (See the example below.) What exactly is a web site certificate, and should you accept it or not?
Certificates are small signed data files (not program code) that organizations use to show that they are who they say they are online. Certificates are generally purchased from third parties called "certificate authorities", trusted companies that give the online equivalent of a Good Housekeeping seal of approval on the connection. Note: certificate authorities do not evaluate the company, the web site or its products. A certificate does not mean that the site is free of viruses or other malicious content. Certificate authorities merely verify that the web address actually belongs to the organization buying the certificate. When you type a URL or follow a link to a secure web site, your browser checks that the web site address matches the name on the certificate, that the certificate is signed by a certificate authority the browser recognizes as "trusted", and that the certificate is within its validity dates. If any of those checks fails, you get the popup described above.
If the organization wants to set up a secure web site (that is, one whose address starts with https instead of just http and that shows a padlock icon; older browsers put the yellow padlock at the bottom right of the window, current ones show it in the address bar), it needs a site or host certificate to set up the encryption. By making sure that the web site encrypts your information and has a valid certificate, you reduce your online risk.
The problem is that almost anyone can generate something that looks like a certificate. Many legitimate companies want to set up secure connections but do not want to pay a certificate authority for verification, so they generate their own ("self-signed") certificate. Hackers can generate certificates too, and use them to mimic a legitimate secure site more closely. Your browser cannot tell the two apart: neither is signed by an authority it trusts, so both produce the same warning.
If the certificate is not from a trusted authority that your browser recognizes (there are roughly a hundred or more trusted authorities loaded into your browser by default), or it has some error or inconsistency, you have to decide whether or not to trust the web address and allow the connection.
To verify a certificate, look for the certificate feature in the browser's menus. In Internet Explorer, you can find it under File/Properties when you are on the secured site; in current browsers, clicking the padlock in the address bar opens the same details. When you click on the certificate button, it should show:
- who issued the certificate: make sure that the issuer is a legitimate, trusted certificate authority and not the site itself (a self-signed certificate lists the same name as both issuer and subject).
- who the certificate is issued to: this should match the owner of the web site, and the name on it should match the address you typed.
- expiration date: most certificates are issued for one or two years, and publicly trusted authorities now issue them for at most about 13 months. Be cautious of certificates that are valid for much longer than that or that have expired.
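The same three checks, plus the address match described earlier, can be run from a command line with the openssl tool instead of a browser. The script below is an added example, not part of the original tip: it builds a throwaway "trusted authority" and two certificates for a made-up site (the names Example Trusted Root CA and www.example.com are invented for the demo) so that it runs offline, with the file ca.crt standing in for the list of trusted authorities shipped in a browser. One certificate is properly issued by the authority; the other is self-generated for the same name, exactly the situation the popup warns about.

```shell
#!/bin/sh
# Added example (not from the original article). Requires the openssl CLI.
# Builds a demo CA, a legitimate certificate and an impostor certificate, then
# runs the browser's checks (trusted issuer, name match, validity period).
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
CA_FILE="$WORK/ca.crt"          # stands in for the browser's trusted-authority list
LEAF="$WORK/leaf.crt"           # properly issued certificate for www.example.com
IMPOSTOR="$WORK/impostor.crt"   # self-generated certificate for the same name
FUTURE=$(( $(date +%s) + 400 * 86400 ))   # 400 days from now, past the leaf's 365-day life

# 1. A root authority (hypothetical name) with the extensions a CA certificate needs.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Trusted Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config ca.cnf -keyout ca.key -out "$CA_FILE" 2>/dev/null

# 2. A legitimate site certificate: the site makes a request, the authority signs it.
cat > leaf.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = www.example.com
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
openssl req -new -newkey rsa:2048 -nodes -config leaf.cnf \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA "$CA_FILE" -CAkey ca.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out "$LEAF" 2>/dev/null

# 3. The impostor: anyone can make this in a second, and its issuer is itself.
cat > impostor.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = leaf_ext
[dn]
CN = www.example.com
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config impostor.cnf -keyout impostor.key -out "$IMPOSTOR" 2>/dev/null

# check_cert HOSTNAME CERTFILE [EPOCH_SECONDS]
# Succeeds (exit 0) only if CERTFILE chains to an authority in ca.crt, carries
# HOSTNAME, and is inside its validity period at "now" (or at EPOCH_SECONDS).
check_cert() {
    host=$1; cert=$2; when=${3:-}
    if [ -n "$when" ]; then
        openssl verify -CAfile "$CA_FILE" -verify_hostname "$host" -attime "$when" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$CA_FILE" -verify_hostname "$host" "$cert" >/dev/null 2>&1
    fi
}

# The three fields the tip says to read, as openssl prints them for each certificate.
echo "--- legitimate certificate ---"; openssl x509 -noout -issuer -subject -dates -in "$LEAF"
echo "--- impostor certificate ---";   openssl x509 -noout -issuer -subject -dates -in "$IMPOSTOR"

# Each line corresponds to one browser warning (or its absence).
check_cert www.example.com "$LEAF"            && echo "legitimate cert for www.example.com: OK"
check_cert www.example.com "$IMPOSTOR"        || echo "impostor: issuer is not a trusted authority"
check_cert mail.example.com "$LEAF"           || echo "used on mail.example.com: name does not match"
check_cert www.example.com "$LEAF" "$FUTURE"  || echo "checked 400 days from now: expired"
```

Note that the impostor's issuer and subject lines print the same name, which is the tell-tale sign of a self-generated certificate mentioned in the first check above; and that the name check uses the subjectAltName entry, which is what browsers compare against the address you typed.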
If you want to see all of the certificates currently on your machine, try Tools/Internet Options/Content and look for the certificate button.
If you have the time and need, you can verify every aspect of the certificate by contacting the company or the certificate authority. For most sites you don't need to bother. But if it is a connection you use for highly confidential information (such as your bank's web site), or if you have reason to be suspicious of the site (perhaps a phishing site), take the time to verify the certificate. A bank or other site handling confidential information has no good reason to present a certificate your browser does not trust, so treat that warning as a reason to stop rather than to click through. You will only have to verify once; your computer remembers your decision thereafter.