In my last security post I discussed the fact that good secure passwords and proper storage and use are every web user’s responsibility. This is even more important for those of us working as web developers.
Providing a username and password to a website or application does primarily only one thing, and that is to prove that you are who you say you are. You really need to be trusted by the service you are using. However, the flip side to that is that you want there to be NO OTHER PEOPLE that can impersonate you. You, and you alone have the legitimate right to your information. It is a matter of proving identity.
Once you log in, the service you are talking to needs to prove to you that it is who it claims to be. This pairing of proven identities sets up a trust relationship. You and your web browser need a two-way trust with the service on the other end of the network connection. However, from its inception the internet was a trusting place, so the connections did not need built-in security. Originally, it was university researchers sharing information with other researchers. There was an inherent trust in that community. But then many people and companies started using the internet for many different reasons, most of them legitimate, but unfortunately many of them malicious. Secure Sockets Layer (SSL) is a technology for creating a secure tunnel from the inside of your computer to the inside of a trusted service you are connected to.
How SSL works is very complicated and fortunately you don’t need to understand it all. Here is an excellent and relatively short explanation of how SSL certificates work: https://www.cloudflare.com/learning/ssl/how-does-ssl-work/ Please take a few minutes to at least browse through it to understand the basics.
Now that you have that basic understanding, we need to consider the two basic concepts that have to be carefully considered to be safe(r) on the internet:
- Identity of you and your browser, and the web server and its owner.
- A secure communication channel between the two programs.
Certificates do both of those things.
When you enter a URL or click on a link, the URL starts with a protocol string which is either HTTP:// or HTTPS://. The S stands for Secure. You can freely communicate over HTTP protocol, but it is NOT secure. If you want it secure then it needs to be HTTPS.
Insecure connection
As an example of an insecure website, try this (no really, it’s OK): http://digitalparadox.org/ Notice the ‘http://’ and when you get there the address bar of your browser should say ‘Insecure’. If you forget the ‘S’ on a site that is secure, it has the ability (not guarantee) to forward your request to httpS:// to ensure it is secure. Try it and notice if it makes the switch.
Secure connection
When your browser connects to a web server, AND you are using HTTPS protocol, then your browser and the web server exchange certificate files that are used to establish the secure channel. Both programs can determine for certain whether the other computer sent a properly secure certificate. When that is done, your web browser should clearly indicate the connection is secure. This is often done by displaying a lock icon to the left of the address as in these examples. Notice that these examples are all this training site: MichaelKentBurns.com which has a proven certificate.


Unfortunately Chrome browsers sometimes use an icon that is not clear to my mind. It is meant to indicate a two way secure connection. Here it is:

Secure connection to Uncertain site.
So far we have been primarily interested in the secure connection, but we have not addressed the identity of the website. Built into a properly formed certificate is the identity of the service and the identity of several independent but trusted certificate authorities that know about this claim of identity. Basically, your browser can decode that certificate and contact those independent authorities to check out the claims. If all that checks out, you can be quite certain that all is well.
However, a less secure type of certificate can’t be proven by your browser. In this case then your browser will make it plain to you. One example that I am certain of is our demo site: https://demo.MichaelKentBurns.com . We have a certificate but it’s not proven yet. The first time your browser encounters such a site it will make it very plain by showing you a severe warning instead of the website you were hoping for.

Not wanting to assume that you understand the subtleties, it simply says ‘Your connection is not private’. The connection is secure, but you can’t be sure of the destination. HOWEVER, don’t be too quick to barge on past the warning! This is where:
I give HIGH COMMENDATION to Samuel.
When he encountered this he said:
“… the problem that i have found it concern the security of this page, my software of protection had to notify me that, …”
Samuel, an astute student!
Always stop at this warning and evaluate. Double check your instructions. Make sure the site you are going to is a low risk. Your important accounts and high risk sites should NEVER cause this warning. In this case, it was our demo site that was still under construction. This warning is what prompted us to enter Issue #24. It is that issue that I have been working on that brought all of this to my attention. This is an important issue that should never be trivialized.
But, once you read the warning, you are provided with an ‘Advanced’ button. If you click that, you get a little more information:

Notice, at the very bottom line in fine print, there is a link that lets you proceed to the site. If you click that, you get your site but there is still a stern warning in the address line of your browser:

Checking the details of a site certificate.
In some browsers there is a link or a button that will show you the details of the certificate.

That’s not usually very easy to do with some browsers. There is an easier way:
https://www.sslchecker.com/sslchecker
You can enter the domain address of any site and it will give you the details. For example:

Now, you try it yourself: https://www.sslchecker.com
Put in a site that you really depend on like Upwork.com. A really impressive one to try is google.com, give it a look.
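The same details can be read with a few lines of Python. The code below is an added example, not part of the original lesson and not how sslchecker.com works: it reports the names a certificate covers, who issued it and how long it remains valid, and flags the name and date problems that make a browser show its warning. SAMPLE_CERT is a constructed certificate record for a made-up domain, and the function names are illustrative.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Return the server certificate; an untrusted, expired or mismatched one
    raises ssl.SSLCertVerificationError, the condition behind the browser warning."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard standing for exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def parse_time(text):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)

def summarize(cert, host, now=None, warn_days=30):
    """List the fields a certificate checker displays, plus any problems found."""
    now = now or datetime.now(timezone.utc)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    starts, expires = parse_time(cert["notBefore"]), parse_time(cert["notAfter"])
    problems = []
    if not any(name_matches(n, host) for n in names):
        problems.append("hostname not covered by certificate")
    if now < starts:
        problems.append("not yet valid")
    elif now > expires:
        problems.append("expired")
    elif (expires - now).days < warn_days:
        problems.append("expires soon")
    return {"host": host, "names": names, "issuer": issuer,
            "expires": expires.isoformat(), "days_left": (expires - now).days,
            "problems": problems}
```

For a site you are responsible for, summarize(fetch_cert("your-domain"), "your-domain") gives the live values, and an "expires soon" entry is the cue to renew before visitors start seeing the warning.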
Your responsibility as a web browser and developer.
So, what is the bottom line?
- Look for the lock!
- Beware the warning!
- If in doubt, check it out with https://www.sslchecker.com or the features built into your browser.
- Make sure the sites you are responsible for have a good certificate.
Now, dear students, it’s time to take action. Leave a comment below.
What did you know about this before reading this page?
What did you learn?
Better yet, what are you going to change?
Whose responsibility is it to check certificates?
Thanks a lot, for I didn’t know anything about this, I mean the reason some websites were behaving like that. I used to force it until I got in.
So now I’ll be checking the certificate from today before using this kind of website. I must also make sure that the websites I’m responsible for are well secured by a proven certificate.
Before reading this page, I didn’t know anything about web browser security, it’s very beneficial to me and my security.
Thus, I learned that a website must get a TLS/SSL certification for the security of users and the trust they must have in the website; and now, when he doesn’t take care of it, it’s my responsibility to check whether he’s accredited and the time frame of that certificate at https://www.sslchecker.com.
The implication in my usual behavior, is that whenever I am in front of a website that is not certified, I will avoid communicating my personal data such as the password, information on my card, …
I didn’t know any of this before. I only knew that HTTP is insecure and HTTPS is secure, theoretically speaking, but in practice I didn’t know what that meant until I read this post. Now I learned how, as a web developer, I must always secure the website. I learned the responsibilities of a web developer, including checking if the site is secure, being attentive to the alert of the unsecured site, and if this is my site that I developed, I have to make sure that it has a good certificate. Several times I had encountered this security problem with many sites but it meant nothing to me, I just continued ignoring that I Please be careful as this site is not secure. So this will change, I will be attentive to the alerts. It is the responsibility of the web developer to verify the certificate of his website.
Firstly, thank you, dear Michael, for this important information.
Before reading this page, I had already learned about web security (just a little); that means I knew how to identify an insecure website and a secure site, and so on.
And I have learned more about the certifications and this: “Always stop at this warning and evaluate. Double check your instructions. Make sure the site you are going to is a low risk. Your important accounts and high risk sites should NEVER cause this warning.” (From Michael Kent Burns)
According to me, it is the responsibility of the website owner or operator to ensure that the certificates for their website are valid and up to date.
Please take note of the following information:
Secure Connections
SSL (Secure Sockets Layer) creates a secure tunnel from your computer to the service you are connected to. You don’t need to understand all the details of SSL, but here’s a brief explanation to get the basic idea:
When you enter a URL, the protocol is either HTTP:// or https://. The ‘S’ in HTTPS stands for secure. HTTP is not safe, while HTTPS is secure.
With HTTPS, your browser and the web server exchange certificates to establish a secure channel. If successful, your browser indicates a secure connection, usually with a lock icon. You can see this in action by visiting MichaelKentBurns.com.
Insecure Connection
Try visiting a site with “http://” in the URL. Notice the ‘Insecure’ label in the address bar. Some sites automatically forward your request to HTTPS, but not all of them do.
Uncertain Site
Sometimes, a site has a certificate, but it’s not fully validated. For example, visiting our demo site will show a warning, indicating an insecure connection. When you see this warning, take a moment to assess and proceed cautiously if necessary.
Checking Certificates
You can use tools like SSLChecker to verify the details of a site’s certificate. Try it with a site you rely on, such as Upwork.com or Google.com.
Your Responsibility
Look for the lock icon to ensure a secure connection.
Pay attention to warnings.
If in doubt, use SSLChecker or browser features to check the site.
Ensure that your sites have valid certificates.
Understanding Secure Connections
When you connect to a website using HTTPS, your browser and the website exchange certificates. If everything checks out, your browser displays a secure connection indicator, often a lock icon, like those on MichaelKentBurns.com.
Not All Secure Connections Are Equal: The Case of Unproven Certificates
Sometimes, website certificates might not be fully verified by your browser. In such cases, your browser will warn you.
Example: Our demo site, https://demo.MichaelKentBurns.com, has a certificate but hasn’t been fully validated yet. The first time you visit, you might see a strong warning instead of the website.
Don’t Ignore Warnings!
High Commendation to Samuel: A student named Samuel encountered this warning and raised a concern, demonstrating excellent security awareness.
Evaluate Warnings Carefully:
Double-check instructions.
Verify if the site is low-risk.
Important accounts and high-risk sites should NEVER trigger warnings.
Advanced Options and Certificate Details
Most browsers offer options to view detailed certificate information. You can also use SSL Checker, a website that allows you to enter any domain address and view its certificate details: https://www.sslchecker.com/sslchecker.
What did you know about secure browsing before this lesson?
I knew that using strong passwords and avoiding suspicious websites were important for secure browsing.
I was familiar with the concept of HTTPS and its association with secure connections.
What new information did you learn?
This lesson provided a deeper understanding of how secure connections work using SSL and certificates.
I learned about the concept of mutual trust between a user and a website, and the importance of verifying both identities.
It was insightful to see how different browsers might display secure connection indicators and warnings regarding unverified certificates.
How will you stay secure online?
I will prioritize using HTTPS websites whenever possible.
I will be more vigilant about checking for secure connection indicators in my browser.
I will be cautious when encountering warnings about unverified certificates and double-check the legitimacy of a site before proceeding.
I will leverage resources like SSL checkers to verify the details of website certificates for important sites.
Who shares the responsibility of checking website certificates?
Both users and website developers share the responsibility for secure browsing.
Users have a responsibility to be aware of secure connection indicators and warnings and to exercise caution when encountering suspicious websites.
Website developers have a responsibility to ensure their websites have valid and up-to-date certificates to establish trust and protect user data.