SSL certificate is not online guarantee

When a small padlock appears in the corner of a Web browser’s address bar or the browser tray, most people think they’ve landed on a safe site.

But experts say the SSL certificates those green lights signify — digital stamps of approval that Web sites buy to establish that they run a legitimate business and can send and receive encrypted data safely — don’t always guarantee the safety customers are expecting.

“They instill some sense of security, but that could be a dangerously false sense of security,” said Paul Mutton, a researcher with UK-based security firm Netcraft Ltd.

Attacks are still possible because having an SSL certificate only indicates that a third party has verified the identity of the site’s owner and set up an encrypted line of communication with the site.

The site itself could still be riddled with security holes for hackers to exploit. And the certificate could simply be bogus: Criminals have been forging them to get the padlock icon and dress up fraudulent sites.

In response, companies that sell the certificates began offering an enhanced version about a year ago, for which about 5,000 site owners worldwide have undergone an extra level of scrutiny that includes face-to-face visits.

Bad guys can exploit the security holes in order to filch credit card numbers or other data, including passwords. Security experts said Netcraft’s report highlights the continued need for full-strength malware protection.