When you see the address bar of your browser turn green, you know it’s safe to send sensitive data over the internet to that site. All eCommerce stores need an SSL certificate to keep shoppers safe, but what exactly does an SSL certificate do?
An SSL certificate has two jobs: to prove that a web page is controlled by the people who are supposed to control it and to encrypt all of the information sent from the shopper to the store and back again.
When a shopper visits an eCommerce store and the address bar of their browser turns green or displays a lock, that means the browser trusts the site and its SSL certificate and that the data the shopper sends is protected. How does the browser know that it should trust the site? After all, anyone can make up a certificate.
SSL certificates are part of a system that includes certificate authorities, browsers, and websites.
SSL certificates are issued by certificate authorities, whose job it is to make sure that the person applying for a certificate is who they claim to be and that they really do own the website they want a certificate for. Certificate authorities have a root certificate that they use to sign the certificates that eCommerce retailers put in their stores.
The language might be a bit confusing here: how does one certificate sign another certificate? It’s because they aren’t physical certificates; they’re digital certificates made of numbers, and the act of “signing” uses some clever math to make a different number that could only come from the certificate authority’s root certificate.
There are hundreds of certificate authorities and they all have a root certificate, whose private key they keep in a very secure place. It would be a disaster if a root certificate's private key were leaked because criminals could use it to sign certificates for any website in the world.
Now we get to the browsers. Browsers know how to recognize SSL certificates that have been signed by one of the certificate authorities’ root certificates. They trust that the certificate authority did its job and verified that the organization that applied for the certificate really is who they said they were.
If the browser sees that a store has a certificate signed by a certificate authority, it assumes that everything is copacetic. The shopper is connected to the right store: it is managed by decent folks who have proven their identity and not by some shady phishing operation that wants to steal credit card numbers. The browser turns its address bar green or shows a lock icon to let the shopper know it’s safe to proceed.
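The trust decision described above can be followed step by step in a toy model. This Python sketch is an added example, not code from the original article: it uses textbook RSA with tiny keys and no padding in place of real X.509 and TLS, and the names `Example Root CA`, `Evil CA` and `shop.example` are made up for illustration.

```python
import hashlib
from collections import namedtuple

E = 65537  # common RSA public exponent

# subject = hostname, site_key = the site's public key (opaque number here),
# issuer = CA that claims to have signed it, signature = the CA's signature
Cert = namedtuple("Cert", "subject site_key issuer signature")

def make_key(p, q):
    """Toy RSA key from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(subject, site_key, issuer, n):
    """Hash the certificate fields down to a number smaller than n."""
    data = f"{subject}|{site_key}|{issuer}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ca_name, ca_n, ca_d, subject, site_key):
    """CA side: sign the certificate fields with the CA's private exponent."""
    sig = pow(digest(subject, site_key, ca_name, ca_n), ca_d, ca_n)
    return Cert(subject, site_key, ca_name, sig)

def browser_check(cert, hostname, trust_store):
    """Browser side: needs only the CA public values shipped in its trust store."""
    ca_n = trust_store.get(cert.issuer)
    if ca_n is None:
        return "untrusted issuer"       # signed by a CA the browser never heard of
    expected = digest(cert.subject, cert.site_key, cert.issuer, ca_n)
    if pow(cert.signature, E, ca_n) != expected:
        return "bad signature"          # not made with the trusted CA's private key
    if cert.subject != hostname:
        return "hostname mismatch"      # valid certificate, but for another site
    return "trusted"

# Constructed demo values: Mersenne primes keep the toy keys short (NOT secure sizes).
CA_N, CA_D = make_key(2**61 - 1, 2**89 - 1)
EVIL_N, EVIL_D = make_key(2**107 - 1, 2**127 - 1)
TRUST_STORE = {"Example Root CA": CA_N}

good = issue("Example Root CA", CA_N, CA_D, "shop.example", 1234567)
forged = issue("Example Root CA", EVIL_N, EVIL_D, "shop.example", 7654321)
self_made = issue("Evil CA", EVIL_N, EVIL_D, "shop.example", 7654321)

if __name__ == "__main__":
    for name, cert in [("good", good), ("forged", forged), ("self_made", self_made)]:
        print(name, "->", browser_check(cert, "shop.example", TRUST_STORE))
```

The browser never needs the CA's private exponent to check a certificate, which is why only the CA has to guard it.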
The second job of an SSL certificate is encryption. Once again, this involves some pretty fancy math, but the result is that all the information sent by the user and the store — including credit card numbers and identifying data — is unreadable to anyone except the shopper and the store.
Without encryption, it would be easy for anyone to intercept sensitive data as it travels over Wi-Fi networks and the internet. Because of SSL encryption, even if a nosy person could intercept the data, they wouldn’t be able to read what it says.
And that’s why eCommerce stores need an SSL certificate. SSL certificates help to keep shoppers and their information out of the hands of criminals.