Photo by amagill
How often have you been browsing the web when you suddenly see a little padlock symbol appear in the corner of your web browser? Well, this symbol indicates that you have entered a secure web page, but how secure is it and how does it all work?
Security is a big issue on-line. We’re constantly being bombarded by the media about on-line fraud, spam and all sorts of other nasties that we could encounter while surfing the web, almost to the point of becoming so paranoid that we won’t go on-line any more.
However, there are technologies in place to try and make things a little safer. For example, whenever you enter your credit card details on-line, you have probably entered a special secure type of web page without realising. So what is this special type of web page, how do you know if you’re on one and how secure is it anyway?
HTTP and HTTPS
Whenever you’re surfing the web on normal web pages, you will be using a special web protocol called HTTP (HyperText Transfer Protocol).
This is just something that makes the web as we know it work. If you look at any web address or URL in your browser’s address bar, you will see that it always begins with http://, signifying that you’re using the HyperText Transfer Protocol.
To help improve security on the web, the standard HTTP protocol was enhanced with an additional security layer called the Secure Sockets Layer (SSL) to produce a new protocol called HTTPS (HTTP over a Secure Sockets Layer).
Spotting a Secure Web Page
So how do you know when you’re on a web page using this secure web system?
The first method of telling if the web page you’re looking at is secure is to look at the URL in your browser’s address bar. If the URL begins with https:// instead of http:// then you’re on a secure web page.
This is quite subtle and not many people will be aware of this difference, so most web browsers will also display a small padlock symbol somewhere to indicate that you’re on a secure web page.
Unfortunately, you can’t choose whether or not to use this secure format to view web pages, as this is decided for you by the web site you’re visiting. This secure connection is normally reserved for web pages that transmit or retrieve sensitive data, for example credit card details, and will happen automatically.
Any Port in a Storm
The internet, including web pages, sends and receives its data through things called ports. Conventional unsecured HTTP normally uses port 80. However, whenever a secure web page is used, port 443 is used instead, ensuring all secure data is processed through a completely different channel.
How it Works
Whenever you view a normal HTTP web page, data from the web server is sent to your browser in plain text over the internet. Likewise, if you fill in a form on that web page and click submit, your data from the form is sent back to the web server in plain text.
When you enter a secure web page, the data sent from the web server to your computer, and more importantly, any form data (such as your credit card details) sent back to the web server is encrypted.
The upshot of this is that if anyone managed to intercept your communications over a secured web connection, they wouldn’t be able to gain access to your information; all they’d see is gobbledygook.
How Secure is Secure
So, you now know how to spot when you’re on a secure web page, and that your data is transmitted securely, but exactly how secure is secure?
According to one computer security expert, Professor Gene Spafford (guess what, he has a beard!), the level of security on secure web page communications is analogous to:
“Using an armoured truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box.”
What this means is that while in transit, your sensitive data is pretty secure. However, if your PC gets compromised by some internet virus or trojan, then your sensitive data could be hijacked before it even reaches the secure web connection, and you’d probably be none the wiser until you get your next credit card bill!
Likewise, the other potential source for compromise is the receiving computer or web server. There’s really not much you can do about this other than trust that a reputable on-line credit card processor should have taken all reasonable precautions to secure their servers.
Any security system is only as secure as the weakest link in the chain. So it’s vitally important to make sure that your PC isn’t a weak link by installing and regularly updating anti-virus, anti-spam and firewall software.
Certificates of Trust
To help gain your trust in secure websites, website owners have an SSL certificate that is used as part of the encryption process. A reputable website will have this certificate signed by a third party, such as Verisign, to prove that they are who they say they are.
By clicking (or double clicking, depending on your web browser) the little padlock symbol in your browser on a secure web page, you can view the details of the website’s SSL certificate to confirm its authenticity and validity.
To help with your peace of mind while surfing the web, newer versions of web browsers will warn you if a certificate is not registered, or is out of date, when you visit secure web pages. This is another reason for you to keep your computer updated with its latest security patches, so that you can benefit from these latest safety features.
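As an added illustration (not code from the original article), the Python sketch below runs the kind of checks described above on certificate details in the format Python's ssl.SSLSocket.getpeercert() returns. The site names, CA name and dates are constructed; it goes slightly beyond the text by also checking that the certificate was issued for the site being visited, and it inspects fields only rather than verifying the signature chain.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data in the dict shape ssl.SSLSocket.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Jan 15 00:00:00 2025 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
BAD_CERT = {
    "subject": ((("commonName", "other.example"),),),
    "issuer": ((("commonName", "other.example"),),),  # same as subject
    "notBefore": "Jan 15 00:00:00 2023 GMT",
    "notAfter": "Jan 15 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "other.example"),),
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp()  # fixed "today"

def _flatten(name):
    """Turn getpeercert()'s nested name tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def _host_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard covering exactly one leading label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def check_certificate(cert, hostname, now):
    """Return the warnings a browser might raise; an empty list means none."""
    warnings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("out of date")
    # Name comparison only: a real browser verifies the signature chain.
    if _flatten(cert["issuer"]) == _flatten(cert["subject"]):
        warnings.append("self-signed")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(n, hostname) for n in names):
        warnings.append("issued for a different site")
    return warnings

if __name__ == "__main__":
    for cert in (GOOD_CERT, BAD_CERT):
        print(check_certificate(cert, "shop.example", NOW) or "no warnings")
```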
So, in summary, to give you a little extra confidence when making on-line purchases, always check for the following before entering your credit card details:
- Look for https:// at the beginning of the URL
- Look for a small padlock icon in your browser
- Click the padlock icon to check the certificate’s authenticity