Web Analytics

How can I check if a website is run by a legitimate business?

The UI of many browsers makes it hard for users to avoid phishing websites. Here's how to look for validated information about a website's owner.

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

As you probably already know, the web has no shortage of cybercriminals out to steal your money and/or identity. You may have gotten a taste yourself — a little over a year ago I had to deal with a bill of over $700 for a smartphone ordered in my name! What you might not know is how easy it is to create a realistic, fake website to harvest passwords, credit card numbers, and other sensitive information from unsuspecting victims. Websites like this are often set up as part of phishing schemes – if you click a link in a scam email that claims to be from a legitimate organization like a business or school, you will be taken to a phony login page where the scammers hope you will give up the juicy details.

And here’s the scary part: About three-quarters of all phishing websites now have an SSL/TLS certificate! According to the Anti-Phishing Working Group’s Phishing Activity Trends Report for the 4th quarter of 2019, 74% of phishing websites use HTTPS. It’s free and easy for attackers to set up a DV certificate on a scam website, and your web browser will happily let you know that it’s “secure.” Google Chrome will even suggest that it’s perfectly fine to enter your password or credit card number:

Google Chrome

Sure, your connection is “private,” as long as you don’t mind that it might be all just between you and some lowlife scammer on the other end. Abuse of free DV HTTPS has gotten so bad that the FBI issued a public service announcement on June 10, 2019 that states, “Do not trust a website just because it has a lock icon or ‘https’ in the browser address bar.” A detailed 2019 study of HTTPS phishing websites, by Vincent Drury and Ulrike Meyer of RWTH Aachen University, echoes this conclusion: “the simple user advice to check whether a website is HTTPS-protected is no longer effective against phishing.”

Despite these serious problems, most major web browsers have recently moved away from displaying validated information about website owners in the browser address bar for sites protected with Extended Validation (EV) certificates. Most browsers have also eliminated the “green bar” UI that previously indicated an EV-protected website. As a consequence, some businesses and other organizations have moved away from EV certificates and are protecting their websites with cheap (or free) Domain Validated (DV) certificates.

A DV website certificate does offer users a degree of protection by ensuring that communication is encrypted and that the entity running the site controlled the domain name when it applied for the certificate, but it provides no assurance of who actually owns and operates the website. Only a CA-validated EV or OV (Organization Validation) certificate provides this information.

Here’s how you can check in these popular browsers to see if a website owner has made the extra effort to protect and inform site visitors by using EV or OV certificates:

To summarize the information shown below, Internet Explorer currently does the best job of communicating EV information to users. Safari is still using the “green bar” UI to communicate EV status to users, but it still takes a click to identify the site’s owner. Chrome, Firefox, and Edge do not present any EV indicators in the address bar, and require users to dig for any validated information about a website’s owner. Chrome for macOS is particularly bad, requiring three clicks to view this information (or even determine if it exists).

Google Chrome

These screenshots were made in Chrome 80.0.3987.149 on Windows 10 Enterprise Version 1809.

1. Google Chrome displays a closed, dark gray lock to the left of the URL for all SSL/TLS certificates (DV, OV, and EV):

EV SSL website in Chrome

2. To get more information about a website’s certificate, click the lock.

Click the lock

3. Chrome shows that the connection is secure (encrypted), and we can see that the certificate was issued to SSL Corp. You can get more detailed information by clicking Certificate.

Certificate issued to SSL Corp

Note: In macOS (Chrome 80.0.3987.132), the website owner is not shown here — you need to dig deeper for this information by clicking Certificate.

Connection is secure

4. In the window that opens, you can view details about the website owner by selecting the Subject line on the Details tab. (Note: In macOS, this information is shown in a different format that is similar to Safari.)

certificate details

A DV certificate will only show the website’s domain name in the Subject field:

Subject field for DV certificate

Mozilla Firefox

These screenshots were made in Firefox 73.0.1 on macOS 10.14.6 (Mojave).

1. Firefox displays a dark gray lock to the left of the URL for all SSL/TLS certificates (DV, OV, and EV).

HTTPS site in Firefox

2. To get more information about a website’s certificate, click the lock.

Click the lock

3. Now we can see that the website’s certificate was issued to SSL Corp:

SIte Information

If the website has a DV certificate, information about the site owner will not be shown:

Information for DV certificate

 

4. You can dig for more information by clicking the > symbol on the right side of the dialog box.

Click the arrow for more information

5. Now we can see that SSL Corp is located in Houston, Texas.

Certificate information

6. If you’d like to see more detailed information, click More Information.

More Information

7. A page will open with full information about the certificate and chain of trust. Information about the website owner is shown under the Subject Name heading.

Subject Name

For a website with a DV certificate, only the domain name will be shown under Subject Name:

Subject info from DV certificate

Microsoft Edge

These screenshots were made in Edge 80.0.361.66 (Chromium) on Windows 10 Enterprise Version 1809.

1. Edge displays the outline of a closed lock to the left of the URL for all SSL/TLS certificates (DV, OV, and EV):

EV website in Edge

2. To get more information about a website’s certificate, click the lock.

Click the lock

3. Edge shows that the connection is secure (encrypted), and we can see that the certificate was issued to SSL Corp. You can get more detailed information by clicking Certificate.

EV certificate info

Note that on a website protected by a DV certificate, the Issued to information is absent:

Certificate info from DV website

4. In the window that opens, you can view details about the website owner by selecting the Subject line on the Details tab.

certificate details

A DV certificate will only show the website’s domain name in the Subject field:

Subject field for DV certificate

Internet Explorer

These screenshots were made in Internet Explorer 11.11098.11763.0 on Windows 10 Enterprise Version 1809.

1. For EV websites, Internet Explorer displays the address bar with a green background. A closed lock and the name of the site owner are shown to the right.

EV website in IE

2. For DV and OV websites, IE shows a lock but not the company name and green background:

DV website in IE

3. To view information about the website certificate, click the lock.

Click the lock

4. Here we can see that the site is operated by SSL Corp, of Houston, Texas.

For a site with a DV certificate, only the domain name is displayed here:

DV website in IE

5. To view more information about the website certificate, click View certificates.

View certificates

4. In the window that opens, you can view details about the website owner by selecting the Subject line on the Details tab.

certificate details

A DV certificate will only show the website’s domain name in the Subject field:

Subject field for DV certificate

Apple Safari

These screenshots were made in Safari 13.0.5 on macOS 10.14.6 (Mojave).

1. For EV websites, Safari displays a green lock and domain name:

EV website in Safari

2. For DV and OV websites, Safari displays a gray lock and black text:

DV website in Safari

3. To view information about the website certificate, click the lock:

Click the lock

4. For EV websites, information about the website owner will be displayed:

Website owner information in Safari

For a site with a DV certificate, information about the website owner is not shown:

DV certificate info in Safari

 

5. You can get more information by clicking the Show Certificate button:

6. Here you can get detailed information about the website certificate and the entire chain of trust leading to the root CA (in this case, SSL.com).

Certificate information (Safari)

7. You can view details about the certificate by clicking the triangle to the left of Details.

Details

8. You can see detailed information about the website owner under the Subject Name heading.

Certificate details

For a site with a DV certificate, only the domain name will be shown under Subject Name:

Subject Name info for DV site in Safari

Thank you for choosing SSL.com! If you have any questions, please contact us by email at Support@SSL.com, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.

 

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com and stay informed of the latest changes about digital identity and encryption that can impact and enhance your life.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.