Verify a website certificate
We often visit websites and simply assume that the website we are seeing is the real one. That is not always the case, and for important websites you might want to do some verification yourself. Man-in-the-middle attacks can and do happen, so web browsers rely on certificate authorities to verify the identity of websites. You can see the results of these checks for yourself.
Steps
The following steps are written for Firefox but similar steps will work on most modern browsers.
- Visit a website that is likely to pay for enhanced verification. Unfortunately, not many sites, even banks, do this, so I recommend trying one of the following first to see what enhanced verification looks like, and then trying other possibilities:
- Look at the identity information. In Firefox:
  - Click on the lock icon.
  - You should see “Certificate issued to:” followed by the organization’s name. If this information is missing, then the organization has not paid for enhanced verification.
  - Click on “Connection secure” to see more details. Note that now the full name and address are shown.
  - Click on “More information” -> “View Certificate”.
  - This page lists the certificate chain that verifies this website. On the left is the website’s own certificate, which has been signed; to its right are the certificates of the certificate authorities that signed it and did the verification.
  - Look in the “Certificate Policies” section, where it should say “Domain Validation”, “Organization Validation”, or “Extended Validation”.
- Now try visiting a site that is likely less willing to pay for enhanced verification but is still relatively large. Below are some suggestions:
- Compare the “Subject Name” section of certificates of pages with and without enhanced verification.
- Finally, try visiting some pages that are small and use the “free tier” of certificates. Some suggestions:
- Kami Vaniea’s homepage
- Gallery Double T - small art space in Waterloo
- Sobeys
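The same inspection can be scripted, which makes it easy to compare many sites. The following is an added example, not part of the original exercise: it fetches a site’s leaf certificate with Python’s standard library, walks the DER encoding to the “Certificate Policies” extension, and maps the CA/Browser Forum policy OIDs (2.23.140.1.1 for Extended Validation, 2.23.140.1.2.1 for Domain Validation, 2.23.140.1.2.2 for Organization Validation, 2.23.140.1.2.3 for Individual Validation) to the label the browser shows. The small DER parser, the function names and the constructed sample bytes are my own; the OID values are the CA/Browser Forum’s published ones.

```python
import socket, ssl
# CA/Browser Forum policy OIDs behind the DV / OV / EV label Firefox shows under "Certificate Policies".
CABF_LEVEL = {"2.23.140.1.1": "Extended Validation", "2.23.140.1.2.1": "Domain Validation",
              "2.23.140.1.2.2": "Organization Validation", "2.23.140.1.2.3": "Individual Validation"}

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value starting at pos -> (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                                    # content of a SEQUENCE/SET -> [(tag, value)]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    """Decode OID content bytes to dotted form, e.g. 55 1d 20 -> '2.5.29.32'."""
    arcs, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(n); n = 0
    return ".".join(map(str, arcs))

def policy_oids(cert_der):
    """Return the policy OIDs from the Certificate Policies extension (2.5.29.32)."""
    tbs = der_children(der_tlv(cert_der)[1])[0][1]          # TBSCertificate content
    for tag, val in der_children(tbs):
        if tag == 0xA3:                                     # [3] EXPLICIT Extensions
            for _, ext in der_children(der_tlv(val)[1]):
                fields = der_children(ext)                  # extnID, [critical], extnValue
                if decode_oid(fields[0][1]) == "2.5.29.32":
                    seq = der_tlv(fields[-1][1])[1]         # OCTET STRING wraps SEQUENCE OF PolicyInformation
                    return [decode_oid(der_children(p)[0][1]) for _, p in der_children(seq)]
    return []
def validation_level(cert_der):                             # first CA/Browser Forum level found, if any
    hits = [CABF_LEVEL[o] for o in policy_oids(cert_der) if o in CABF_LEVEL]
    return hits[0] if hits else "no CA/Browser Forum policy OID"
def fetch_leaf_der(host, port=443):                         # the server's leaf certificate (DER) after normal verification
    with socket.create_connection((host, port), timeout=10) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
# Constructed, minimal cert-shaped DER holding only an Extensions field with the EV policy OID (not a real cert).
SAMPLE_EV_DER = bytes.fromhex("301a3018a316301430120603551d20040b30093007060567810c0101")
```

For a live site, `validation_level(fetch_leaf_der("example.com"))` gives the label, and `tls.getpeercert()["subject"]` from the same connection gives the “Subject Name” fields for comparing pages with and without enhanced verification.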
Reflection questions
- How did the websites and certificates in the pages you looked at differ?
- What did you learn about how companies express their identity to end users?
- Few sites pay for extended validation. Is that a rational choice for companies to make?