Go to any financial institution’s website, then find the lock icon on your browser and click on it. Does anyone ever do that before typing in their credit card information when shopping online - click on the lock icon? Lock icons can be forged. By clicking on the icon instead of just relying on its presence to validate the vendor, you’ll see an SSL security report. My bank shows Verisign Class 3 Primary CA, identified the URL of the site itself and verified the site was encrypted.

All SSL certificates are NOT created equally.

As a vendor, if you purchase one of the less expensive SSL certificates, you will be able to use the lock icon. Validation of the vendor is the differentiation between the types of certificates issued.

VeriSign, Thawte or GeoTrust are solid choices for extended validation (EV) certificates. They’re more expensive, but highly recognizable (green) and trusted. The issue is (if you’re running eCommerce), to minimize abandoned shopping carts by converting more prospects. People buy from reps they know, like and trust. On the Internet, that trust level is your SSL certificate.

Great article, Steve! Good work pointing out that the presence of the padlock does not always mean the site is secure...and most people don't take the time to click it to verify it is legit.

I personally like to follow Tim Callan's 5 Visual Cues for Internet Safety:

#1. Look for the Green Address Bars - The green highlights are confirmation that the Web site has undergone extensive identity authentication so that you can be confident you are on the correct Web site and not a fraudulent Web site made to look like the real one.

#2. Look for https:// - Most Web addresses (URLs) begin with "http://." If the site's Web address begins with an "s" after the "p" (https://), that means that the information you share on that page is encrypted, making it difficult for anyone to see what has been entered into the page. You should never enter credit card info, SSN, or any other personal identifiable info on a Web site that does not have the https:

#3. Look for the padlock - All popular browsers feature a padlock somewhere in the interface and it is another indication that encryption is taking place. Make sure the padlock is located in the browser interface and not within the content on the page itself. Fraudsters sometimes place a padlock into the content on the page to trick you into believing that you are on a secure page, even when you're not.

#4. Trustmarks - Popular Trustmarks can indicate important things about an online business. For example: The VeriSign Seal indicates online security and verified site identity. An eTRUST Trustmark indicates customer data privacy. A Better Business Bureau Trustmark indicates approved business practices. There are TONS of these that a consumer can look for to help determine if a site is secure. Locating and understanding these trustmarks will help you better judge a Web site's trustworthiness.

#5. Check the Web address - Many fraudulent Web sites deliberately employ Web addresses that are confusing or ambiguous in order to trick unsuspecting victims into thinking they are on a site that they are not. For example, you want to go to www.yourbankname.com, but you are really on www.someotherdomain.com/yourbankname

REMINDER - None of these cues is the silver bullet to remaining safe online, but they are all pieces to the puzzle.

I hope this info helps someone out.


<<MOD NOTE: Allen, please setup your signature through User CP instead of manually adding it to posts. We appreciate your cooperation.>>

Thanks Allen for the additional information.

I'd add Comodo to your list of trusted SSL types. We've been a partner with Comodo for over 8 years at this point. They are very much in the KNOW these days. They too offer EV SSL Certs, and the certs are trusted by 99.99% browsers (just like Verisign or Thwarte)

Thanks for sharing steve.

I had added Comodo positive SSL in one of my sites, its working fine, also its free from namecheap.com

I knew there was something here about Comodo. With their recent outage, has your relationship changed any?

I’ve used and have distributed comodo SSL certs for a long while now; never really had a problem with them and this short outage almost went unnoticed until I was informed by them via email. Their support is rated highly in my books and they as mentioned do seem to be more on the ball than others although I have limited experience with Verisign but they seem increasingly popular due to their use on large and popular sites where trust logos are clearly displayed.

Where those users link that trust logo as expected across sites, similarly to thawte whose services are again well known for not to dissimilar a reason, however thawte have previously been the ace in my hand previously.

afaik Mozilla tells you of an insecure SSL cert.

True, but part of being diligent is trusting who is on the other side of that SSL, secure or not. I'm personally much more comfortable if I get the green EV bar.

I never got my notice from Comodo acknowledging the outage. Whats worse is when we contacted their support about the issue, they were unaware of the issue. That's just a case of the left hand not knowing what the right hand is doing, BUT, when you're the frontline defense, you must be given the information on what's happening.

Our relationship with Comodo hasn't changed at all. We're still very much strong supporters of their SSLs and still use them here on our own sites. I just wish that they would put a simple code in their javascript that if the site is unavailable then skip the display of the trustlogo.

The events are rare, and this one was short (less than an hour if I have all my data right), but not being in the loop on what was happeneing or an acknowledgement on their site of the issue, that's just a pet peve of mine.

Happy to hear that some people got notice about the issue. I'm still waiting on my email from them I guess