No. This is a common misconception. Connecting to a website that uses a valid certificate and HTTPS does not mean the site is secure or can be trusted. Certificates and HTTPS are designed to secure the connection to a server; they do not identify who is in control of that server. While you should never enter data into a website that does not use HTTPS, the fact that a site displays the lock icon does not mean you can automatically trust it.

When a visitor connects to a website on the Internet, the data passes through multiple devices on the global network. It starts at the person's computer (the client), goes to the Internet service provider (ISP), and then through multiple other companies' networks until the data packets finally arrive at the server that serves the website (the host).

The purpose of certificates and HTTPS is to secure the connection between the client and the host so that someone in the middle cannot intercept or manipulate the data. It prevents your ISP, or anyone else that sits between your computer and the end server, from spying on or accessing the data sent and received. This is important because today we use websites for many activities that require trust, for example when you access an online banking service or make a payment on a website. Network data must be secured to avoid interception by third parties. That is the purpose of HTTPS and SSL certificates: to encrypt the connection from one point to the other on the Internet.

But certificates and the HTTPS protocol do not protect data before it leaves a computer, nor do they do anything on the server side once the data arrives. If your computer is compromised with malware, or the server hosting the site was hacked, an attacker can still steal the data. While HTTPS protects the connection once it is established, it does nothing to protect the sender's or receiver's end. A certificate on its own does not mean a website can be trusted, since anyone can get a certificate for a domain they control. A website could also be compromised without its owner being aware of it. Most phishing sites and dangerous pages today already use certificates and HTTPS. A certificate's purpose is only to verify that the connection is valid for that specific domain. It does not tell you who the owner is, or whether data transmitted to that website will be used in an acceptable and responsible way.

Currently, the only certificates that verify who the owner of a website is are EV certificates (Extended Validation), because the certificate authorities take additional steps to verify who is requesting the certificate. While EV certificates do not mean a website is secure, at least they inform visitors that a valid legal organization is responsible for the website. This prevents other sites from falsely posing as the real owner. For that reason, most financial institutions and well-known brands prefer EV certificates, since browsers make additional checks and display the organization name and country in the address bar.
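The two points above, that a certificate only binds a domain name and that only an EV (or OV) certificate carries an asserted organization, can be made concrete by looking at what a client actually checks. The following is an added example, not code from the original article: it takes certificate data in the dictionary shape Python's `ssl` module returns from `getpeercert()`, performs the same hostname matching a browser does against the Subject Alternative Name entries (including the one-label wildcard rule), and then reports what the certificate does and does not say about who operates the site. All three certificates are constructed samples with made-up `.example` domains; no network connection is made.

```python
"""Added example: what a TLS certificate proves (domain) versus what it does not (operator)."""

# Constructed sample certificates in the dict layout returned by ssl.SSLSocket.getpeercert().
# A domain-validated (DV) certificate: only a name, no organization. Any domain owner can get one,
# including the owner of a lookalike domain, which is why the lock icon alone proves little.
DV_CERT = {
    "subject": ((("commonName", "login-secure-bank.example"),),),
    "subjectAltName": (
        ("DNS", "login-secure-bank.example"),
        ("DNS", "www.login-secure-bank.example"),
    ),
}

# A constructed EV-style certificate: the CA has vetted and recorded the legal organization.
EV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank Inc."),),
        (("commonName", "www.bank.example"),),
    ),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}

# A constructed wildcard certificate, to show the one-label matching rule.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.cdn.example"),),),
    "subjectAltName": (("DNS", "*.cdn.example"),),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, wildcard only as the whole leftmost label
    and matching exactly one label (so *.cdn.example matches a.cdn.example, not a.b.cdn.example)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-leftmost wildcards are rejected
    if len(p_labels) < 3:
        return False  # refuse overly broad patterns such as *.example
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def dns_names(cert: dict) -> list:
    """Names the certificate is valid for: SAN DNS entries, falling back to the CN only if no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True when the certificate is valid for this hostname. This is all the lock icon confirms."""
    return any(_name_matches(name, hostname) for name in dns_names(cert))


def describe_identity(cert: dict) -> dict:
    """Summarize what the certificate asserts about the operator, not just the domain."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    org = subject.get("organizationName")
    return {
        "domains": dns_names(cert),
        "organization": org,  # None for a DV certificate
        "country": subject.get("countryName"),
        "validation": "organization asserted (OV/EV)" if org else "domain only (DV)",
    }


if __name__ == "__main__":
    for label, cert, host in (
        ("DV lookalike", DV_CERT, "login-secure-bank.example"),
        ("EV bank", EV_CERT, "www.bank.example"),
    ):
        print(label, "valid for host:", cert_matches_hostname(cert, host), describe_identity(cert))
```

Both sample certificates pass the hostname check for their own domain, so a browser shows the lock for both; only the EV sample carries an organization name, which is the extra information the address bar can display. The check says nothing about malware on the client, a compromised server, or how the site will use the data, exactly as the article describes.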


Related Articles