Protection & privacy
29 December 2025

Understanding TLS/SSL testing on Loi25.certi360.com

In the context of Quebec’s Act 25 on the protection of personal information, the security of communications between a website and its visitors is a basic protection measure.

When an organization collects or transmits personal information via its Web site, it must ensure that these exchanges are protected against interception or alteration.

Loi25.certi360.com therefore performs a series of technical tests to check whether web communications are reasonably encrypted.

These tests are not intended to determine legal compliance with Law 25, nor to assess the overall security of an infrastructure. Rather, they serve to raise awareness among organizations, particularly SMEs, of the essential basics of data-in-transit protection.

Why test TLS/SSL encryption?

Bill 25 does not impose a specific technology or level of encryption. It does, however, require that personal information be protected by reasonable security measures, particularly during transmission over the Internet.

TLS (Transport Layer Security) encryption, still loosely referred to as SSL, is the standard mechanism used by browsers to secure HTTP exchanges. When correctly configured, it prevents third parties from reading or modifying data exchanged between the website and the user.

Absent, invalid or weak encryption is a clear sign that basic protection measures are missing.

Tests carried out by Loi25.certi360.com

1. HTTPS-only verification

Test objective

This test checks whether the website can only be accessed via HTTPS, and whether any HTTP access attempt is automatically redirected to HTTPS.

How the test is performed

The tool attempts to access the site using HTTP (port 80) and observes the server response. A permanent (301) or temporary (302) redirect to an HTTPS URL is considered a secure configuration.

How to interpret the result

A positive result means that visitors are automatically protected, even if they enter an unsecured address. A failure means that data could be transmitted in cleartext, which is bad practice in the context of Law 25.
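The port 80 check described above can be reproduced as follows. This is an added example, not the code Loi25.certi360.com runs; the function names, the sample responses and the acceptance of 307/308 alongside 301/302 are assumptions.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# 301 and 302 are the codes the article names; 307/308 are added as an assumption.
REDIRECT_CODES = {301, 302, 307, 308}


def evaluate_http_response(host, status, location):
    """Judge one port-80 response and return (passed, reason)."""
    if status not in REDIRECT_CODES:
        return False, f"status {status}: no redirect away from cleartext HTTP"
    if not location:
        return False, "redirect without a Location header"
    # Location may be relative; resolve it against the URL that was requested.
    target = urlsplit(urljoin(f"http://{host}/", location.strip()))
    if target.scheme != "https":
        return False, f"redirect stays on {target.scheme}: {target.geturl()}"
    return True, f"redirects to {target.geturl()}"


def fetch_port_80(host, timeout=5):
    """Live probe: a single GET on port 80, redirect not followed."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed (status, Location) pairs standing in for server responses.
SAMPLES = {
    "absolute https": (301, "https://example.org/"),
    "relative path": (302, "/accueil"),
    "cleartext page": (200, None),
    "protocol-relative": (301, "//www.example.org/"),
}


def run_samples(host="example.org"):
    """Evaluate every constructed response for the given host."""
    return {k: evaluate_http_response(host, *v)[0] for k, v in SAMPLES.items()}
```

For a live check, pass the result of `fetch_port_80(host)` to `evaluate_http_response`; a relative or protocol-relative Location fails because it keeps the visitor on HTTP.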

2. TLS certificate validity

Test objective

This test verifies that the certificate used by the website is valid, recognized and not expired.

How the test is performed

The tool establishes a TLS connection with the site and validates the certificate chain using rules equivalent to those of a modern browser. In particular, it checks the expiration date and the certificate authority.

How to interpret the result for an SME

A valid certificate means that browsers can establish a secure connection without alerts. An expired or unrecognized certificate will result in blocking security messages for users, which is incompatible with reasonable protection of personal information.

3. Correspondence between domain name and certificate

Test objective

This test ensures that the TLS certificate has been issued for the domain name of the site being analyzed.

How the test is performed

The tool compares the site’s domain name with the certificate’s validation fields (CN and SAN). Any inconsistency causes the test to fail.

How to interpret the result

A certificate that doesn’t match the domain is perceived as unreliable by browsers. Even if encryption is technically present, the connection will be blocked or flagged as unsafe.
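The expiry check from test 2 and the name comparison from test 3 can be sketched as below. This is an added example, not the tool's own code: the function names and the sample certificate are constructed, and it assumes the common rule that the CN is consulted only when the certificate carries no SAN DNS entries. Chain validation itself is left to the TLS library.

```python
import ssl
from datetime import datetime, timezone


def dns_names(cert):
    """Names a client matches against: SAN DNS entries, else the CN."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san  # when a SAN is present the CN is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h


def cert_findings(cert, host, now):
    """Return the reasons tests 2 and 3 would fail for this certificate."""
    findings = []
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    if now >= not_after:
        findings.append("expired")
    if not any(name_matches(n, host) for n in dns_names(cert)):
        findings.append("name mismatch")
    return findings


# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example.net"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
    "notAfter": "Jun  1 12:00:00 2026 GMT",
}
```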

4. TLS protocols used

Test objective

This test verifies that the server is using versions of TLS that are still considered secure by modern browsers.

How the test is performed

The tool attempts to negotiate a TLS connection and identifies the protocols supported by the server. Versions TLS 1.2 and TLS 1.3 are currently considered secure.

How to interpret the result

A server that only supports obsolete protocols exposes communications to known risks. The presence of TLS 1.2 or 1.3 indicates a configuration in line with current practices.
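One way to identify the supported protocols is to attempt one handshake per version with a client pinned to that version. This is an added example, not the tool's own code; the function names are assumptions, and `connect` is injectable so the logic can be exercised without a network.

```python
import socket
import ssl
import warnings

T = ssl.TLSVersion
VERSIONS = {"TLSv1": T.TLSv1, "TLSv1.1": T.TLSv1_1,
            "TLSv1.2": T.TLSv1_2, "TLSv1.3": T.TLSv1_3}
CURRENT = {"TLSv1.2", "TLSv1.3"}  # the versions the article treats as secure

def pinned_context(version):
    """Client context that can negotiate exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks are separate tests; this probe isolates the protocol.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.0/1.1 pins
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def live_handshake(host, port=443, timeout=5):
    """Return a callable that performs a real handshake with host:port."""
    def connect(ctx):
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    return connect

def probe_versions(connect):
    """Map each version name to True (accepted), False (refused) or None."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            results[name] = connect(pinned_context(version)) is not None
        except ValueError:
            results[name] = None  # local OpenSSL build cannot offer this version
        except OSError:  # ssl.SSLError is a subclass of OSError
            results[name] = False
    return results

def verdict(results):
    """Pass when a current version is accepted; also list obsolete ones accepted."""
    accepted = {n for n, ok in results.items() if ok}
    return bool(accepted & CURRENT), sorted(accepted - CURRENT)
```

Call `probe_versions(live_handshake(host))` for a live check. A `False` for TLS 1.0 or 1.1 can also mean the local OpenSSL policy refused to offer that version, so confirm an old-protocol result with a client known to support it.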

5. No blocking errors on the browser side

Test objective

This test aims to confirm that a modern browser can access the site without displaying a blocking security alert.

How the test is performed

The tool simulates a strict TLS connection, equivalent to that of a recent browser, and checks that no critical errors are detected when the connection is established.

How to interpret the result

The absence of blocking errors means that users can browse the site without security warnings. The presence of a critical alert indicates a serious problem affecting trust and data protection.

What these tests mean

Loi25.certi360.com’s TLS/SSL tests show whether web communications are reasonably encrypted and accepted by modern browsers.

Please note: they do not constitute proof of compliance with Bill 25, nor do they replace a legal analysis or a security audit.

pboucher@pm.me
President and founder
25+ years of experience in security, ethical hacking, business continuity