The Key to Safer Browsing is a Lock

This month I want to talk about browsing the web securely. Over the last couple of years a number of the large web players, such as Google, have started to push websites and web users to secure websites.

What is a secure website? The answer is in two parts. First, there’s the confidence of knowing that the website you are visiting is the one you intended to visit. For example, if you were sent a link that looked like this: http://goog1e.com/ would you have noticed right away that the ‘l’ is not a letter, but the number ‘1’? It can be very tough to tell with certain fonts, especially if you’re a reading glass wearer.

The second part is knowing that the information that you send to and receive from a website is not being examined by a third party. In security parlance this is known as the ‘man-in-the-middle’. I think at this point most people understand that your link to a website is not direct. The connection is made through a series of hosts starting with your internet service provider (ISP). Those hosts have the capability to examine the traffic passing through them. By encrypting the traffic between the website and you, the traffic is rendered unintelligible.
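For readers who like to see the idea in code, here is an added illustration (not part of the original column) of both checks above: is the link a look-alike of a site you meant to visit, and does it use HTTPS? The `INTENDED` list and the `LOOKALIKES` map are constructed assumptions and only cover plain ASCII characters.

```python
from urllib.parse import urlsplit

# Constructed examples of sites a reader means to visit (an assumption).
INTENDED = {"google.com", "ferniefix.com"}

# Constructed, deliberately small map of digits that pass for letters.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def skeleton(domain):
    """Fold look-alike characters so 'goog1e.com' and 'google.com' compare equal."""
    folded = domain.translate(LOOKALIKES)
    # Letter pairs that read as a single letter in many fonts.
    return folded.replace("rn", "m").replace("vv", "w")


def site_of(url):
    """Return (scheme, last two labels of the host), e.g. ('http', 'goog1e.com').

    Simplification: real tools consult the Public Suffix List, because some
    sites live three labels deep (example.co.uk).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    return parts.scheme, ".".join(host.split(".")[-2:])


def check_link(url):
    """Classify a link as 'ok', 'unencrypted', 'lookalike' or 'unknown'.

    'ok' only means an intended site reached over HTTPS; the browser still
    has to validate the certificate itself.
    """
    scheme, site = site_of(url)
    if site in INTENDED:
        return ("ok" if scheme == "https" else "unencrypted", site)
    for real in INTENDED:
        if skeleton(site) == skeleton(real):
            return ("lookalike", real)
    return ("unknown", None)


if __name__ == "__main__":
    for link in ("http://goog1e.com/", "https://www.google.com/",
                 "http://www.ferniefix.com/", "https://example.org/"):
        print(link, "->", check_link(link))
```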

The vast majority of the time your confidence in the end host and the security of your transmissions don’t matter. No one cares how many “cats scared by cucumbers” videos you’re watching. But when you’re reading email, shopping, or banking online you definitely want to know that you’re in the right place and not sharing your personal information with unintended parties.

The way the web does this is through the use of SSL certificates. Whenever you are browsing a website where the protocol at the beginning of the address is HTTPS:// instead of HTTP://, and you notice the little lock, you are browsing securely. The website that you’re browsing has registered its domain and proved its ownership of the domain. There is also an extended validation where the organization has to prove they exist at a physical address, perform the business they say they do, etc., but the difference doesn’t matter too much to how things look and feel in your browser.

I won’t go too far into exactly how this works, just know that there are organizations which issue certificates that verify the public signatures of organizations. Those organizations can be queried about the certificate that your browser just received and will verify if it matches their records. This process uses some fancy math to make it difficult to fake, and the browser manufacturers build the trusted certificate authorities into your browser. If a website uses certificates from an unrecognized authority, they won’t work.

Think of it like your car’s catalytic converter. You don’t need to know how it works, just that you have one and it’s working.

What does it all mean? If a website can convince you that you are somewhere other than where you want to be, all kinds of nefarious opportunities arise. This is why Google, Facebook, Twitter, etc. have all moved to full-time HTTPS. It is also why Google is starting to punish websites which don’t support HTTPS properly by moving those that do support it up in the page rankings.

The good news for you is that there are some very powerful corporations working to make browsing the web safer. The bad news is that there is an onus on you to pay attention.

If you’re online, take a look at the URL at the top of the page. That’s the one that says something like www.ferniefix.com. There should be a little lock, in the locked position, next to the URL. Also, most browsers will colour the lock, HTTPS, or the entire URL green as an indication that the SSL certificate matches and is valid. At the higher levels of proof you may see the name of the website in green next to the lock as well. This won’t be present on all websites, but should be on any where you enter or store personal information.

Always check that this is in place before entering any personal information on a website!

With the current push you can expect to see most if not all of the websites you use move to HTTPS over the next couple of years. Welcome to a safer web.

Happy Computing.