SSL Certificates Explained Without the Jargon
An SSL certificate (technically a TLS certificate — SSL was deprecated years ago, but the name stuck) is a digital document that proves a server's identity and enables encrypted connections. When your browser connects to an HTTPS site, the server presents its certificate and your browser decides whether to trust it. The mechanism for making that decision is a surprisingly complex chain of trust.
What a Certificate Contains
A certificate includes the domain name it's valid for, the organisation it was issued to (for OV and EV certificates), the issuing Certificate Authority, the validity period (typically 1 year), and a public key. When your browser connects to the server, it uses this public key to verify the server's identity and establish encryption. The private key never leaves the server.
The Certificate Authority System
Certificate Authorities (CAs) are organisations trusted to verify domain ownership and issue certificates. Your browser and OS ship with a list of trusted root CAs — about 150 of them. A certificate signed by any of these CAs (or by an intermediate CA they've authorised) is trusted by your browser.
This system has a critical weakness: if any trusted CA is compromised or behaves maliciously, it can issue fraudulent certificates for any domain. DigiNotar, a Dutch CA, was compromised in 2011 and issued fake certificates for Google, Mozilla, and others. It was removed from the trusted list and went bankrupt within weeks. The incident exposed how fragile the CA trust model is.
Certificate Transparency
Certificate Transparency is a requirement (since 2018 for Chrome) that all publicly trusted certificates be logged in public, append-only logs. This means any certificate issued for your domain — including fraudulent ones — is publicly visible. Domain owners can monitor CT logs for unauthorized certificates. It doesn't prevent bad certificates from being issued, but it makes them impossible to hide.
The transparency requirement has actually worked. CT logs have caught several misissuance incidents early, allowing fraudulent certificates to be revoked before significant abuse occurred. Not a perfect system, but meaningfully better than what existed before.
Let's Encrypt Changed Everything
Before Let's Encrypt launched in 2015, DV certificates cost money — typically $50-300 per year per domain. Let's Encrypt made them free, automated, and renewable every 90 days. HTTPS adoption went from around 40% of web traffic in 2015 to over 85% by 2021. The barrier to encrypting web traffic effectively dropped to zero, which is a clear win for web security.
Certificate Pinning: The Aggressive Defence
Certificate pinning is a technique where an application rejects any certificate except the specific one (or set of ones) it was programmed to accept. Rather than trusting the entire CA system, a pinned application trusts only its own server's certificate. If someone intercepts traffic with a different certificate — even a legitimately CA-signed one — the connection fails. Mobile apps in finance and healthcare commonly implement this.
The downside is operational. If a pinned certificate expires or needs to be rotated, every version of the app that pins the old certificate stops working until users update. Google removed HTTP Public Key Pinning (HPKP) from Chrome in 2018 after several high-profile cases where websites misconfigured it and accidentally locked themselves out of HTTPS for months. The protection is real. The operational risk is also real. Most sites rely on the CA trust system rather than pinning.
Check IP Security and Reputation
See whether your server IP has any flags in security and blacklist databases.
Run Security CheckAbout Kunal Khatri
Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.
Related Articles
TLS 1.3: What Changed and Why You Should Care
TLS 1.3 dropped a decade of accumulated cruft from its predecessor and came out faster, more secure, and harder to attack. Understanding what changed matters for anyone running web infrastructure.
Zero-Day Vulnerabilities: What They Are and Why They're Dangerous
A zero-day is a vulnerability that nobody knows about yet — except the people exploiting it. The timeline from discovery to patch is where real damage happens.
What Is a Botnet and How Your Device Could Be Part of One
Botnets are networks of compromised devices under attacker control. They power spam campaigns, DDoS attacks, and fraud — and your home device might be in one right now.
IP Spoofing: What It Is and How to Defend Against It
IP spoofing forges the source address on packets. It's the foundation of some of the most disruptive attacks on the internet — and it still works because basic filtering isn't universally deployed.
