Look out for faulty SSL on websites

For the past couple of years, there’s been trouble brewing for certain SSL certificates.

(If you don’t know, SSL certificates are what let a web browser, such as Google Chrome, Mozilla’s Firefox, or Apple’s Safari, confirm which server it is talking to and encrypt the data sent between the two.)

You can easily tell whether a site has a valid SSL certificate by the familiar green padlock in the URL bar.

The point is, SSL certificates are extremely important to online security, which is why you should be aware of Google’s recent findings.

Google started cracking down

In March of 2017, Google announced that it would no longer trust certain SSL certificates.

Why?

Google had problems with the steps some Certificate Authorities (CAs) were taking to issue Extended Validation (EV) certificates. EV certificates are the most trusted type of certificate, as they’re supposed to verify the identity of the certificate holder.

Google found that these certificates were not being properly issued and, in order to protect internet users and website owners, announced that it would eventually distrust all certificates issued by any of the affected brands.

What you should do

Many sites are affected by this crackdown: Google has said that over 30,000 certificates were mis-issued, which is a very sizeable chunk of the sites out there.

With that in mind, there are some steps you should take to check whether you’re visiting a site that has an SSL certificate that Google will no longer trust.

1. Learn which certificates have been mis-issued

This post, written by TrustedSite, explains in greater depth which SSL brands are affected.

2. Learn how to check if a certificate is trusted

Each browser does things differently. In some, you simply have to click on the green padlock to view a certificate.

In others, because SSL certificates are somewhat technical and not everyday items, they’re not always easy to inspect. This blog post provides a good rundown of how to do so in various browsers.

Once you do that, you can see if the site you’re on has a mis-issued SSL certificate.

3. Use a browser that cares about security

So far, the two most vocal browser developers in this fiasco have been Google and Mozilla, with their Chrome and Firefox browsers, respectively.

They’ve both agreed on a timeline to stop recognizing the mis-issued SSL certificates. The other big browser developers—Apple and Microsoft—have thus far been silent.

4. Visit sites built on major platforms

One piece of good news in this situation is that sites that operate on major platforms, like Shopify, Weebly, and Magento, are not affected by the mis-issued certificates.

This is great, because they power many, many big websites out there. Here are some that use Magento, and some that use Shopify.

5. Look for security certification

While it sounds similar to an SSL certificate, security certification is something else entirely.

Many sites display trustmarks that let visitors know that the site they’re visiting has been tested and certified by an authoritative third party. And very, very often, those certifications indicate whether a site has a valid SSL certificate.

6. Make sure the certification is actually a certification

Many sites display SSL trustmarks. These are badges that let you know if a site has an SSL certificate from a certain brand, but nothing else about a site’s security. They are not security certifications.

If a site has an SSL trustmark, make sure it’s not from a brand that mis-issued its certificates. When you’re on a site and you’re not sure it’s legitimate, look for something like the McAfee SECURE trustmark. It lets visitors know that the site they’re on has passed a rigorous security test, and has been certified to be SECURE to use.

Wrapping up

This issue is far from resolved. While it is certain that thousands of mis-issued certificates will have to be replaced, much of the situation is in flux. For now, take the appropriate actions to ensure you’re browsing the internet safely, and we will keep you informed of vital new developments as they occur.

Want to learn more about this issue? Read this post on the TrustedSite blog.