A few months ago, the New York Times ran an article titled Data Security is a Classroom Worry, Too (linked below this article). The quick summary? An online education vendor did not encrypt all the pages of their application. Encrypting website data is so easy to do, and built in to most or all legitimate web hosting services, I was stunned. Presumably the vendor had good reasons. And presumably they’ve fixed the issue.
This article is a basic primer to follow up the main point of the Times article: kids, parents, teachers, anyone can easily tell if a page is encrypted. Here’s how to tell if a website encrypts data between their web site and your web browser, and back again, with a Secure Socket Layer certificate.
Secure Socket Layer (SSL) certificates are relatively unknown to non-technical people. There is the visually obvious part, what web site visitors see, and the behind the scenes technology.
What You See
It's easy to tell if the web site you're currently visiting uses SSL. Look up towards the top left of your web browser. If you see this, the site does not use an SSL certificate.
However, if you see a lock icon, or lock icon plus a company name, in the top left corner of your web browser, the web site uses an SSL certificate to encrypt traffic between your web browser and their web server:
If you click the icon to the left of the URL, a popup window should appear with details about the web site and the method of encryption used to deliver their web pages:
If you click the More Information button on this initial popup screen, you will see the actual SSL certificate in the web browser’s certificate viewer popup:
The SSL Certificate popup can be interesting but the key details are the level of encryption used and expiration date. Today, SSL certificates should use 256-byte encryption. No worries, though, you don't need to know what that actually means. If you do look at the SSL certificate popup, simply check the encryption used is 256-byte or higher.
Also, the fancy colored icon with company name is not necessary. It’s a feature companies pay extra to have. It’s an extra level of care, branding, and validation. You are as safe on a site without the coloring and company name if both sites use 256-byte encryption with the same vendor or another reputable vendor.
For most people, this is enough information to determine if the web site they're visiting passes their personal data in encrypted form. Many web sites do not need SSL because they don't use personal information. However, if you are on a web site where your personal information is displayed, check the top left of the web browser of every page to confirm your data is encrypted as it is sent back and forth across the internet.
Why does SSL matter? It is possible for someone to capture the non-encrypted traffic between you and any web site. They can capture your encrypted traffic but it doesn't mean much because they can't easily decode the traffic. Sites use SSL certificates to ensure all their data traffic is encrypted.
What You Don't See
How SSL certificates work is not too difficult to understand. In its simplest form, the certificate has to be attached to something in order to work. The certificate is attached to a physical computer with a unique address and connected to the internet.
On the internet, addresses for computers are called IP addresses, or Internet Protocol addresses. An SSL certificate is attached to a unique IP address and computer on the internet. Almost always, the computer is in a data center and controlled by a web hosting company.
If you are interested, internet addresses or IP addresses exist in one of two forms, either four blocks or six blocks. Each block has up to three digits. 18.104.22.168 is an IP address and so is 999.999.999.999.999.999. Every computer connected to the internet has its own unique IP address. We rarely see this address as humans, however. We only see the URL, for example, http://www.nytimes.com. But there are servers on the internet that translate the URL into its IP address to ensure web browser requests travel back and forth to the correct server. These translation servers are called Domain Name System servers or DNS. They work like address books: give an IP address to a DNS and it’ll hand you the human-readable URL. Hand a URL to a DNS and it’ll hand you the IP address.
Once assigned and configured to work on a computer, with a unique IP address, traffic from the web server to and from web browsers uses data included in the SSL certificate to encrypt and decrypt the data traffic.
Your personal details, for example, only appear in decrypted form in your web browser and on the web server as the web server works with your data. For example, the web server could pass your credit card data to another application to process for payment, usually through another transaction also secured with an SSL certificate.
Where to Get SSL Certificates
Because SSL certificates have to be assigned to a computer and internet address, almost all certificates are sold and managed by web hosting companies. Companies sell certificates to hosting companies who then sell the certificate to you for use with your web site hosting. In some cases, larger businesses buy certificates directly and attach them to computers they control in their data centers where they host web sites and web applications.