What is a security certificate?
I'll bet one time or another you've surfed the web and suddenly
found a pop-up window in front of you, demanding your approval
for a security certificate. I occasionally see these on shopping
sites, usually the smaller, less-well-funded companies.
The first time I saw one of these windows I had no idea what to
do. What the heck is a security certificate? And whatever it is,
why is the browser asking me about it? I mean, I had enough
questions about ActiveX controls, now I was being asked about
security certificates?
Let's look at security certificates from the perspective of
dating. Let's say you are a woman looking for a date. How do you
know you can trust a person?
Well, you can just decide for yourself or you can ask a trusted
friend about the potential date. So you call up "Sally" and ask
"can I trust Bill on a date?" Sally will tell you yes or no, and
since you trust her if she says "no" the poor guy will not be
going out with you.
That's the way a security certificate works. The certificate is
an electronic document which is highly secure (encrypted) and
stamped with an identifier. That identifier says the web site
with the certificate is whom it claims to be.
The way it works is straightforward. Let's say I want to sell
something on my web site. I might purchase a security
certificate from Verisign (or any number of other companies) to
prove to people visiting my web site that I am who I say I am.
Before it grants the certificate, I will need to provide
Verisign with proof that I am indeed the person (or company)
that I claim to be. Verisign will ask me for documents,
notarized, such as a birth certificate (for a personal
certificate) or other documents from businesses. Several
documents must be presented in order for Verisign to grant the
certificate.
Okay, now you also have to understand that your browser
automatically comes with a number of security certificates,
including one from Verisign. Thus, when you visit my secure site
my certificate is retrieved. The browser sees that my
certificate was granted by Verisign, and checks it's own
certificates and finds Verisign. The browser then grants access
to the secure web page, since it has "proof" that I am who I say
I am. This means that a secure channel is now set up so the
browser can talk to the web site (and vice versa) without fear
of someone listening in on the conversation.
So in other words, Verisign is simply a trusted organization
which verifies that people (and companies) are who they say they
are.
Remember the purpose of security certificates is merely to
provide a means whereby you can trust entities (companies and
people) on the internet. A security certificate does not in any
way imply a web site is "good", will protect your privacy or
will deliver your products.
Let me stress that again - security certificates so not imply
anything about a web site except that it is what it says it is.
They DO NOT mean the site is trustworthy or valuable.