50 shades of the green padlock - how safe is safe?

by Nicki Watt
May 28, 2024

So you’re visiting a website and, reassuringly, you see it starts with https:// and has the green padlock. This means it’s secure and trustworthy, and no prying eyes can see what you’re doing, right? Well, sort of. Although this assumption often turns out to be the case, in reality not all padlocks (aka TLS encrypted websites) are secured equally. There are varying degrees of “securing” going on behind the scenes, and you should not automatically assume that all websites provide you with the same level of end-to-end encryption and trust.

That said, I want to start off by saying that a site loaded over HTTPS (i.e. with the green padlock) always trumps one loaded over HTTP. For the developers building these sites, with the likes of LetsEncrypt and CloudFlare offering free TLS (formerly known as SSL) certificates and services, there is NO excuse anymore for any publicly accessible website to NOT offer an encrypted TLS connection – period! In fact, with Google’s planned naming and shaming of sites not using TLS as viewed in Chrome due imminently in Jan 2017, I think this issue will naturally begin to cause more pain for those with their unencrypted heads in the sand!

In any case, let’s look at two typical statements or assumptions I often hear made about TLS encrypted websites and see how they hold up to reality:

  • My connection is encrypted, no one can eavesdrop
  • The company behind the website is trustworthy, I can trust them / their content

My connection is encrypted, no one can eavesdrop …

In principle, assuming that only you (or rather your browser) and the website (server) you are talking to have negotiated and established the connection, you do indeed have an encrypted tunnel. It is often at this point that many people assume they are fine and look no further. I would argue, however, that the questions you really want to be asking yourself are:

  • How robust is my connection? (i.e. could someone somehow break it and look inside?)
  • Does my encrypted connection go all the way to the end? (or are there any gaps in the middle, where I would not be protected?)

How robust is my connection?

There are quite a lot of factors that go into determining how robust a website’s certificate is, including things like the protocols supported, cipher strength and the type of key exchange done. Unless you are technical, and specifically know something about security, working this out yourself can be daunting. Luckily, however, there is an easy way to check this for a public site, and that is to simply put it into the Qualys SSL test website. This will give it an overall health grade from A+ to F, and tell you why it got the score it did.
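To make those three factors concrete, here is a rough check of a single negotiated connection, added as an example and not taken from the original post. The function names and thresholds are assumptions for illustration and are far simpler than the SSL test's grading.

```python
import socket
import ssl
import sys

# Assumed thresholds for this example; not the SSL test's grading rules.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "EXP", "MD5")
FORWARD_SECRET_KX = ("ECDHE", "DHE")


def assess(protocol, cipher_name, secret_bits):
    """Return a list of findings for one negotiated connection."""
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"deprecated protocol {protocol}")
    if any(marker in cipher_name for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {cipher_name}")
    if secret_bits < 128:
        findings.append(f"only {secret_bits}-bit symmetric key")
    # TLS 1.3 suites always use (EC)DHE; older suites name the key exchange.
    if protocol != "TLSv1.3" and not cipher_name.startswith(FORWARD_SECRET_KX):
        findings.append("key exchange without forward secrecy")
    return findings


def negotiated_parameters(host, port=443, timeout=5.0):
    """Connect with certificate and hostname validation; report what was agreed."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return tls.version(), name, bits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = [negotiated_parameters(sys.argv[1])]
    else:
        # Constructed sample results so the example also runs offline.
        results = [
            ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256),
            ("TLSv1.2", "AES256-SHA", 256),
            ("TLSv1", "DES-CBC3-SHA", 112),
        ]
    for protocol, cipher_name, bits in results:
        issues = assess(protocol, cipher_name, bits)
        print(protocol, cipher_name, bits, "->", issues or "no findings")
```

A live run only shows what this one client and the server agreed on. It does not enumerate everything the server would accept, which is what the SSL test does.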

Does my encrypted connection go all the way to the end?

A very good question, and unfortunately one where you probably won’t be able to find out the answer. It is incorrect to assume your connection goes all the way to the end website. In reality, the green padlock you see only goes as far as the first termination point along the journey, which could be the actual website, but might not be.

CloudFlare

Addressing saying which goes “I only trust you as far as I can throw you..” “you can trust them as far as you can see them, and no farther”

  • Half SSL
  • Full SSL
  • Strict SSL

The company behind the website is trustworthy, I can trust them / their content

  • DV, OV, EV

… CA’s trying to make money again (EV certs)