The Importance of Valid Certificates in Secure Website Connections
Following a test I had today where we were asked if it was better to be on a secured website or on an authentic website when browsing a shopping website, I wondered if there was any difference between secured and authentic.
IMO, by definition, an authentic website has to be secured, otherwise any authentication of the website would be meaningless.
But then, is it true the other way around? Is a secured website necessarily authenticated? Can we still consider that you are using HTTPS and that there is a security benefit to it if the certificate isn’t valid?
From my personal understanding, while a “non-authenticated asymmetrically secured connection” will be less secure than an authenticated one, there is still the benefit that, as long as no man-in-the-middle attack occurs, nobody will be able to decode what was transmitted. Am I right?
Generally speaking, you are correct. You are still connecting via HTTPS, as you surmised. Authentication, however, is indeed a critical part of TLS and HTTPS security. Even though the data is protected by TLS, without a valid and correct certificate, you can’t be certain who you’re actually talking to on the other end. It may be a server for the site you expect. It’s very hard to know, however, if in fact there may be a man-in-the-middle instead, decrypting and examining (and possibly tampering with) the traffic in the clear before re-encrypting it to forward back and forth between you and the site you think you’re talking to.
So while there is certainly a possibility that an unauthenticated connection might still be secure, it’s quite difficult to know, and in most cases a certificate error is indeed going to be an indication that something is amiss with the connection.
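To make the distinction concrete, here is an added Go example (not code from the original post): it runs an HTTPS server on loopback using httptest's built-in self-signed certificate, which no browser trust store contains, and fetches a page under four client policies, showing which ones still complete an encrypted handshake and which ones also establish who answered. The server, its response text and the name shop.example are constructed for the demo.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// runClients starts a loopback HTTPS server that presents httptest's built-in
// self-signed certificate (valid for 127.0.0.1 but issued by no CA a browser
// trusts) and fetches "/" under four client policies. A nil error means the TLS
// handshake completed and the request travelled encrypted; only the policies that
// check the certificate also tell us who answered.
func runClients() map[string]error {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "order confirmed") // constructed stand-in for a shop's page
	}))
	defer srv.Close()
	pool := x509.NewCertPool() // a trust store that happens to contain this server's cert
	pool.AddCert(srv.Certificate())
	configs := map[string]*tls.Config{
		// What a browser does: chain must end at a trusted root, name must match.
		"default_verify": {},
		// What "proceed anyway" amounts to: encrypted, but the peer could be anyone.
		"skip_verify": {InsecureSkipVerify: true},
		// Same certificate, now trusted: encrypted and authenticated.
		"trusted_root": {RootCAs: pool},
		// Trusted root, but the cert names another site: rejected (shop.example is constructed).
		"wrong_name": {RootCAs: pool, ServerName: "shop.example"},
	}
	out := map[string]error{}
	for name, cfg := range configs {
		tr := &http.Transport{TLSClientConfig: cfg}
		resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		tr.CloseIdleConnections()
		out[name] = err
	}
	return out
}

func main() {
	for name, err := range runClients() {
		fmt.Printf("%-15s %v\n", name, err)
	}
}
```

The two failing policies print the certificate error a browser would show; the two succeeding ones both got the page over an encrypted channel, but only trusted_root knows the page came from the server it meant to reach.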