What is a security certificate?

I'll bet one time or another you've surfed the web and suddenly found a pop-up window in front of you, demanding your approval for a security certificate. I occasionally see these on shopping sites, usually the smaller, less-well-funded companies.

The first time I saw one of these windows I had no idea what to do. What the heck is a security certificate? And whatever it is, why is the browser asking me about it? I mean, I had enough questions about ActiveX controls, now I was being asked about security certificates?

Let's look at security certificates from the perspective of dating. Let's say you are a woman looking for a date. How do you know you can trust a person?

Well, you can just decide for yourself or you can ask a trusted friend about the potential date. So you call up "Sally" and ask "can I trust Bill on a date?" Sally will tell you yes or no, and since you trust her if she says "no" the poor guy will not be going out with you.

That's the way a security certificate works. The certificate is an electronic document which is highly secure (encrypted) and stamped with an identifier. That identifier says the web site with the certificate is whom it claims to be.

The way it works is straightforward. Let's say I want to sell something on my web site. I might purchase a security certificate from Verisign (or any number of other companies) to prove to people visiting my web site that I am who I say I am.

Before it grants the certificate, I will need to provide Verisign with proof that I am indeed the person (or company) that I claim to be. Verisign will ask me for documents, notarized, such as a birth certificate (for a personal certificate) or other documents from businesses. Several documents must be presented in order for Verisign to grant the certificate.

Okay, now you also have to understand that your browser automatically comes with a number of security certificates, including one from Verisign. Thus, when you visit my secure site my certificate is retrieved. The browser sees that my certificate was granted by Verisign, and checks it's own certificates and finds Verisign. The browser then grants access to the secure web page, since it has "proof" that I am who I say I am. This means that a secure channel is now set up so the browser can talk to the web site (and vice versa) without fear of someone listening in on the conversation.

So in other words, Verisign is simply a trusted organization which verifies that people (and companies) are who they say they are. 

Remember the purpose of security certificates is merely to provide a means whereby you can trust entities (companies and people) on the internet. A security certificate does not in any way imply a web site is "good", will protect your privacy or will deliver your products.

Let me stress that again - security certificates so not imply anything about a web site except that it is what it says it is. They DO NOT mean the site is trustworthy or valuable.