We’ve all noticed the little padlock or lock icon that sometimes appears when we’re browsing the web. What’s more likely is you’ve noticed when it’s NOT there, being replaced by something like an exclamation mark in a triangle or other symbol. What does this mean?
The internet is used every day for communication, purchasing, business, entertainment, and more. In April 2023, data showed that the internet is used by 64.6% of the global population, translating to around 5.18 billion people. This means it’s more important than ever to stay protected while browsing.
In this blog we’ll establish why the padlock symbol appears on some websites and how it provides security for both users and website owners.
Meaning behind the padlock
Where a web browser displays a lock/padlock symbol, it indicates there’s a secure connection between the browser and the site server. To be specific, it signifies the site has an SSL/TLS certificate and the connection is encrypted with HTTPS. Clicking the icon will reveal more information, including the nature of the connection, any stored cookies on the site, and the number of site visits.
The exact design and positioning of the padlock will vary between browsers. However, it often appears just to the left of the URL bar before the website address starts. Users may also notice a colour change in the padlock, which can occur when the browser detects the site does or doesn’t have an SSL/TLS certificate.
It should be noted that the presence of the padlock symbol doesn’t necessarily mean a website is 100% safe. The icon only shows that the connection between the site server and your browser is secure. It doesn’t reflect the intentions of the site owner, or the nature of any ads run on the site, for instance. It’s also worth bearing in mind that malicious sites can still be encrypted using HTTPS.
Secure Sockets Layer (SSL) & Transport Layer Security (TLS) Certificates
An SSL/TLS certificate is part of hypertext transfer protocol secure (HTTPS) communication technology and exists as a digital object within the site code. Its function is to identify websites and private network resources, allowing systems to communicate safely. To this end, SSL/TLS certificates get used within public key infrastructure (PKI).
The presence of an SSL/TLS certificate also results in encryption, thereby ensuring messages are only viewable by the intended recipient. This is possible as they know the rule (called a key) that governs the encryption. With SSL/TLS certificates, secure communication is established once encryption keys have been exchanged and recognised by the server and browser respectively.
The SSL/TLS handshake
It sounds formal but technical processes often are! An SSL/TLS handshake establishes a secure site-to-browser communication with the following steps:
- An SSL/TLS-secure website is opened by the browser, after which it connects to the server.
- Identifying information is requested by the browser to verify server authenticity.
- In response, the server sends the SSL/TLS certificate containing a public key. This key uses asymmetric cryptography for encryption.
- The browser then assesses the validity of the SSL/TLS certificate and ensures it matches the website domain. Following this, the public key is used to send an encrypted message to the server containing a secret session key.
- This is decrypted using the server’s private key and the session key is retrieved. A message of acknowledgement is sent to the browser, signalling that encryption has been achieved.
- After this step, it’s safe for both the web server and browser to use the same session key to exchange messages.
Types of certificates
There are many variations of SSL/TLS certificates that businesses can use to ensure secure website connections. These differ depending on the type of domain they support and the level of validation they provide. For the former, there are single domain certificates, wildcard certificates, and multi-domain certificates. For the latter, there are extended validation certificates, organisation validated certificates, and domain validated certificates.
Each of these SSL/TLS certificates has a different level of security and reach. As such, some are better suited to large online businesses with lots of subdomains, while others will be more cost-effective for smaller single websites. Take some time, perhaps with the help of an experienced digital marketing agency, to consider the option that’s best for you.
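The handshake step where the browser checks the certificate's validity and domain match, applied to the single domain, wildcard and multi-domain certificate types above, can be sketched as follows. This is an added example, not code from the original post: the dictionary fields, function names and `.test` hostnames are constructed for illustration, and it covers only the validity period and name match, not the chain of trust to a certificate authority.

```python
from datetime import datetime, timezone

def name_matches(pattern: str, host: str) -> bool:
    """Compare one DNS name from a certificate with the requested hostname.
    A wildcard counts only as the whole left-most label and stands for
    exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h or "*" in host:
        return False
    if p[0] == "*":
        # Need at least two fixed labels, so a name like "*.test" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_certificate(cert: dict, host: str, now: datetime) -> list:
    """Return the reasons to reject the certificate; empty means accepted."""
    problems = []
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append("expired")
    if not any(name_matches(n, host) for n in cert["dns_names"]):
        problems.append("name mismatch")
    return problems

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data, not real certificates.
PERIOD = {"not_before": utc(2024, 1, 1), "not_after": utc(2025, 1, 1)}
SINGLE = {"dns_names": ["shop.example.test"], **PERIOD}
WILDCARD = {"dns_names": ["*.example.test"], **PERIOD}
MULTI = {"dns_names": ["example.test", "www.example.test",
                       "example-payments.test"], **PERIOD}
NOW = utc(2024, 6, 1)

if __name__ == "__main__":
    for label, cert in (("single", SINGLE), ("wildcard", WILDCARD), ("multi", MULTI)):
        for host in ("shop.example.test", "example.test", "example-payments.test"):
            print(label, host, check_certificate(cert, host, NOW) or "accepted")
```

The wildcard certificate covers `shop.example.test` but not the bare `example.test` or a deeper name such as `a.b.example.test`, which is why sites often pair a wildcard entry with the bare domain in a multi-domain certificate.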
The importance of secure browsing
Safe browsing practices are important for individual consumers and businesses alike. Insecure connections come with a risk of personal data leak, such as account logins, card details and more. This can result in significant financial damage. Obtaining an SSL/TLS certificate is a simple and effective way of protecting your business online, as well as your customers.
For website owners, ensuring that little padlock symbol appears next to your website can have the following benefits:
Instil customer confidence
Many consumers today have a strong base-knowledge on internet privacy. As a result, they’re more trusting of websites where there’s evidence of a secure connection. Customers are therefore more likely to share their data with your website, which you can use to help strengthen future connections.
Data protection
An SSL/TLS certificate protects data by only sending it between the website server and the user browser. It also uses encryption to ensure all communications are only readable by the intended recipient. In the event of a successful cyber-attack on either system, valuable information remains secure.
Improve search engine ranking
Major search engines like Google promote trusted sites to users. As a result, websites with an SSL/TLS certificate are more likely to rank higher than those without.
Comply with regulations
Businesses that handle users’ personal data through features like cookies might be subject to industry regulations. Having an SSL/TLS certificate is often a straightforward way to comply. One of the best examples is GDPR, for which there are separate laws governing the collection of customer data in the UK and EU. Additional regulations can apply depending on the industry. For example, ecommerce websites must comply with the payment card industry data security standard (PCI DSS) due to the high volume of online transactions they process.
Professional website design and development
Deliver Media is a UK digital marketing agency possessing a wealth of experience in all things online. Whether you want to make sure your site’s secure, improve site health, or get your website ranking higher on Google, our web design services can help.
Get in touch today and book a free audit.