Understanding Padlocks on Browsers

Sugandha Sapra
Nov 28, 2019 · 6 min read

Have you ever observed padlock in the address bar of your browser?

Any idea why it’s there?

If not, keep reading 😊

I am sure you might be aware that this is something related to security over the web. Now the question arises on how this security is attained?

Well, the simple answer has to do with encryption and encryption is security.

The communication between the client and server are encrypted using SSL. SSL is used to secure transactions, data transfers and logins and more recently it is becoming the norm when securing browsing of social media sites.

There are two elements that indicate that a site uses encryption

  • A closed padlock
  • A Uniform Resource Locator (URL) that begins with “https:” rather than “http:”

SSL certificates are the way to protect communication between client and server in such a way that the information can only be decoded by a party with a corresponding key using cryptography. We will dig into it but before that let’s first understand SSL.

SSL

SSL(Secure Sockets Layer ) is a protocol, developed by Netscape Communications, that secures the communication between client and server using public key and symmetric key cryptography authentication technology.

SSL Handshake

SSL handshake involves a number of steps that start from validating the identity of the other party and concludes with the generation of a common key — secret key if you may call it. The reason it’s called a handshake is that it’s when two parties — client and server come across each other for the first time.

Fundamentally, the SSL handshake is nothing but a conversation between the client and the server wanting to accomplish the same purpose — securing the communication with the help of symmetric encryption.

There are two types of SSL handshakes:

  • One Way SSL
  • Only the server authenticates to the client
  • Usually done when browsing HTTPs website
  • Mutual SSL
  • Both server and client authenticate to each other.
  • Mostly used in server to server communication where both parties need to communicate & exchange information.

SSL certificates

SSL Certificates are small data files that digitally bind a cryptographic key to an organization’s details. When installed on a web server, it activates the padlock and the https protocol and allows secure connections from a web server to a browser.

SSL Certificates bind together:

  • A domain name, server name or hostname
  • An organizational identity (i.e. company name) and location

How does SSL certificate work on browsers

When you navigate to a website, the website provides the certificate to the browser. The browser then validates that the certificate that has been provided by the website:

  • Is valid for the same domain as the one being accessed.
  • Has been issued by a trusted CA (Certificate Authority).
  • Is valid and not passed its expiration date.

If an SSL certificate is installed on the server, the browser running the website will recognize the organization’s information, which is stored in the SSL certificate, and display the secured URL as “(https://) with Green Pad-Lock”.

Once the user’s browser has verified the validity of the SSL certification, the connection continues as secure. If not, you will get a not secure warning in your browser, or it will deny access to the site. If successful, the browser and website server exchange the necessary details to form a secure connection and the site loads.

Thus the green padlock simply represents that traffic to and from the website is encrypted.

How do you check the certificate

One of the easiest ways to render a certificate from the browser is simply clicking the padlock icon on the address bar of the browser window and then select “View Certificate”. Another way is to check for the certificate in the browser menu options.

All browsers are slightly different but the certificate always contains the same information.

The certificate includes the following information:

  • Who issued the certificate — You should make sure that the issuer is a legitimate, trusted certificate authority (like VeriSign, Thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets. These are termed as self-signed certs.
  • Who the certificate is issued to — The certificate should be issued to the organization that owns the website. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
  • Expiration date — Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations that hold its certificates, maybe ten years.

Now let’s look at the certificate for one of the websites, for eg:

https://www.paypal.com

To view the actual content of the certificate, click the “Details tab”

Click the “Certificate Path” tab to see which Trusted Root Certificate has been used to issue the SSL Certificate:

What you will see here is, a hierarchy of certificates. This is termed as Certificate Chain.

Certificate Chain

A certificate chain is an ordered list of certificates, containing an SSL Certificate and Certificate Authority (CA) Certificates, that enable the receiver to verify that the sender and all CA’s are trustworthy. The chain or path begins with the SSL certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.

Any certificate that sits between the SSL Certificate and the Root Certificate is called a chain or Intermediate Certificate. The Intermediate Certificate is the signer/issuer of the SSL Certificate. The Root CA Certificate is the signer/issuer of the Intermediate Certificate. If the Intermediate Certificate is not installed on the server (where the SSL certificate is installed) it may prevent some browsers, mobile devices, applications, etc. from trusting the SSL certificate. In order to make the SSL certificate compatible with all clients, it is necessary that the Intermediate Certificate is installed.

The chain terminates with a Root CA Certificate. The Root CA Certificate is always signed by the CA itself. The signatures of all certificates in the chain must be verified up to the Root CA Certificate.

Types of SSL Certificate

Today, SSL certificates are widely used by website owners/network admins to encrypt their websites with a strong cryptographic system and to protect every user’s data over the internet.

There are different types of SSL Certificates available in the market which may vary based on the platforms of the website.

  • Domain Validated(DV) Certificates:

These are “encryption only” SSL certificates. This type of certificate contains “Only Verified” in it & does not include any organizational information.

  • Organization Validated(OV) Certificates:

OV certificate verifies organization is indeed the owner of the website. It contains the verified domain and organization name in it.

  • Extended Validation(EV) Certificates

It is designed specially to instill trust in customers. This involves extensive verification of the applicant’s business and identity by the CA. The browsers with this type of certificates installed provide a green address bar for assuring the visitors about authenticity instantly. This type of certificate contains the verified domain name and name & address of the organization.

Conclusion

The padlock is a complicated thing. And I have tried to condense those complications of secure link between client and server in this blog. Now you guys can check whether the website is SSL compliant or not.

Hope you have enjoyed reading the blog. Let me know your thoughts in the comment section.

Xebia Engineering Blog

The Xebia Engineering Blog

Sugandha Sapra

Written by

Xebia Engineering Blog

The Xebia Engineering Blog

More From Medium

More from Xebia Engineering Blog

More from Xebia Engineering Blog

More from Xebia Engineering Blog

More from Xebia Engineering Blog

Istio Ingress Request Flow

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade