What SSL Certificates Reveal About a Website's Safety

Emil Gheonea

Software engineer & founder of LinkThreatScan · 24 February 2026

Every time you see a padlock icon in your browser's address bar, it tells you that the connection between your device and the web server is encrypted using TLS (Transport Layer Security). This is important — it means a passive eavesdropper on the network cannot read the traffic. But many people incorrectly assume the padlock also means the website itself is trustworthy. That assumption is dangerous.

What an SSL certificate actually confirms

An SSL/TLS certificate confirms two things: that the connection is encrypted, and that the domain listed in the certificate matches the domain in your address bar. Nothing more. A certificate does not verify the identity of the organisation running the site, it does not confirm the site isn't serving malware, and it does not guarantee the site is legitimate. Domain Validation (DV) certificates — the cheapest and most common type — require only proof that the applicant controls the domain. No identity verification whatsoever.

Certificate types: DV, OV, and EV

There are three main certificate classes. Domain Validation (DV): the simplest, obtained in minutes, proves only domain control. Used by millions of sites including phishing pages. Organisation Validation (OV): requires the CA to verify the applicant is a real registered business. Provides more trust. Extended Validation (EV): the strictest level, requiring rigorous identity checks. Historically displayed a green company name in the browser, though modern browsers have de-emphasised this. Look for OV or EV certificates when dealing with financial or sensitive services.

Certificate expiry

Certificates have an expiry date — currently capped at 398 days for publicly trusted certificates. An expired certificate causes browser security warnings and suggests the site operator is not actively maintaining their infrastructure. This is a yellow flag on its own, but combined with other signals it can indicate an abandoned or malicious site.

TLS version and cipher strength

Modern security requires TLS 1.2 or 1.3. Sites that still support TLS 1.0 or 1.1 (both deprecated) are running outdated configurations. Weak ciphers such as RC4 or 3DES are cryptographically broken and should not be in use. Our scanner checks which TLS versions and cipher suites a target server supports and flags anything insecure.

Certificate transparency logs

All publicly trusted certificates must now be logged in Certificate Transparency (CT) logs — public, append-only records maintained by Google and others. Newly issued certificates for suspicious domains sometimes appear in CT logs before a campaign begins, making them a useful early warning signal for security researchers.

The bottom line

Before trusting a site, do more than glance at the padlock. Click it, check the issuer and the exact domain name it was issued to, and note the certificate type. Better yet, use a scanner that automates all of this and combines certificate analysis with blacklist checks, domain age, and other signals into a single risk score.