Have you ever typed something confidential into a field on a web page? A password, for example. And have you ever typed information that is intended for a single recipient only, and nobody else? How did you verify that the web page really belonged to the company you thought it did? Or did you just assume it was the right place because it had the right logo in the top corner? What if someone made a fake login page for your webmail and asked you to log in? Would you be able to tell it from the real one?
The developers of our web standards have thought about these issues. Web browsers and servers contain technology for authenticating the server and encrypting the traffic. This is handled automatically and no action is needed from the user. But the system provides even better security if the user knows what is going on and pays attention to certain things. I am not going into technical details here; instead I am going to focus on what the end user needs to know to get the most out of this system.
But we need to cover some basic concepts first. The protocol that makes this possible is called https, which stands for Hypertext Transfer Protocol Secure. This is really just a combination of the Hypertext Transfer Protocol (http), which is used to bring web pages from a server to your browser, and an encryption protocol named TLS (Transport Layer Security, the successor of the older SSL). This protocol sets up an encrypted “tunnel” between the server and the browser, so that nobody in between can read or alter the traffic. It also makes it possible to verify the identity of the server.
Identifying the server is done with a cryptographic certificate. There are certificate authorities (CAs), and your browser ships with a list of the ones it trusts. A server using https must have a certificate issued by such an authority for the name you typed in the address bar. Your browser verifies the certificate it gets from an https-protected server and warns you if something seems to be wrong with it. The cryptography behind this is robust: a certificate cannot be forged without the authority's private key. When the system fails, it is almost always because a certificate authority issued a certificate it should not have, or because a user clicked past a warning, not because the mathematics was broken.
Ok, so what about this in practice? What should I know and do?
Learn to recognize an https-protected site. This varies a bit depending on what browser you use, see the screenshots below. Most browsers show a lock symbol next to the web address field when you are connected to a site using https. You can click the lock to learn more about the site or to check its certificate. The name of the site or its owner may also be shown next to the lock, and green colour is often used to indicate that the certificate checks passed. The web page address starts with “https://” instead of the ordinary “http://”. Keep in mind what the lock does and does not tell you: it means the connection is encrypted and the certificate matches the name in the address bar. It says nothing about whether the people behind that name are honest, so a phishing site with its own valid certificate will show a lock too. Reading the name is what matters.
When using a site that processes important information, like your bank or mail account, pay attention to whether the site is https-protected or not. If one of these sites suddenly appears to be unprotected, that is a pretty sure sign that you are at a fake site. Do not enter any important data, like a password, in this case.
Click the lock symbol and view the security information that your browser displays. Look for the “View certificate” function and open it. Check the Common Name (CN) field and, if the dialog shows it, the Subject Alternative Name (SAN) list. Modern browsers actually match the address against the SAN list and ignore the CN when a SAN list is present, so one of the names there should be identical to the server name in the URL you have connected to, or a wildcard such as *.example.com that covers it. The Organization (O) field is the company or organization that the certificate has been issued to. It is only present in certificates where the authority verified the organization's identity; the cheaper domain-validated certificates that most sites use today leave it empty, which is not in itself a problem. If you have any doubt about an https-protected site, open this dialog and check that the certificate really belongs to the company that claims to run the site.
All the big players on the cloud service market are already using https, at least for the login function. But you may run into smaller companies that are not. You should think twice before using sites like this if you have to enter sensitive information. You can use another site instead, or proceed and take a calculated risk. You could also complain to the company and point out that they should use https. If you keep using the site, remember how important it is never to reuse the same password on different sites. One poorly protected site could otherwise create a lot of damage by revealing a password that you use elsewhere too.
What can go wrong? You have probably already seen some errors that arise from the use of https. Let’s take a look at the most common ones and what they mean. (Note that the exact wording of these messages may vary in different browsers.)
Certificate is not trusted. This means that the server is using a certificate that does not chain to any of the trusted root certificates that the browser has. Typical causes are a self-signed certificate, a certificate from a company's internal authority that your computer does not know, or someone intercepting the connection with a certificate of their own. The browser cannot tell these apart, and neither can you. This should not happen for any company operating at a decent security level. Do not enter any sensitive information at a site giving this error.
Name mismatch. Each certificate is issued to certain server or domain names. This error means that the certificate is being presented for a name it does not cover. It may be harmless if the names are close, for example you are going to ebay.com and the certificate is for www.ebay.com; if the two last fields (ebay.com in this example) match, the certificate at least belongs to the same organization. That is a hint, not proof: anyone who can get a certificate for some other name under the same domain, for instance a subdomain handed out to customers, would produce exactly the same error. Rather than clicking past the warning, retype the address as shown in the certificate and see if the error goes away.
Certificate expired or not valid yet. All certificates are valid during a defined period of time. The most common reason for this error is sloppy maintenance of the site, i.e. someone has forgotten to renew the certificate. “Not valid yet” also often means that the clock on your own computer is wrong, so check the date before blaming the site. This situation is usually harmless if everything else is in order, but the same caution applies: do not enter a password until you have looked at the names on the certificate.
A familiar site that has been using https suddenly appears to be unprotected. There is no error or warning about this, so detecting it depends fully on your own vigilance. The most common explanation is that someone is trying to phish you with a faked site; an attacker on the network path, for example on an open Wi-Fi, can also redirect you to a plain http version of the page and read everything you type. Do NOT use the site, do NOT enter any sensitive information! Check the link you used and reopen the site from a known good link, like a bookmark. Not from a link in a mail or other external source.
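To make the advice above concrete, here is the logic behind the lock symbol and the error pages written out in plain Python: first the question of whether a link is really an https link to the host you expect (the phishing and “suddenly unprotected” cases), then the three certificate checks the browser runs: trust, name match (against the SAN list, with the wildcard rule) and validity period. This is an added example, not code from the original article or from any browser. The certificates are hand-constructed records of the fields you would read in a “View certificate” dialog; the trust store, the ebay.com-style sample certificate, the organization name and the dates are all made up for illustration, and nothing here touches the network.

```python
"""
The checks behind the browser's lock symbol and its error pages, in plain
Python: is a link really an https link to the host you expect (the phishing
and "suddenly unprotected" cases), and does the certificate pass the trust,
name and validity-period checks. Added illustration, not browser code: the
certificates are hand-constructed records of the fields you would read in a
"View certificate" dialog, with no real keys, signatures or network traffic.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit


@dataclass
class CertInfo:
    common_name: str
    subject_alt_names: list[str]   # DNS names; browsers only look here when present
    organization: str | None       # usually absent on domain-validated certificates
    issuer: str
    not_before: datetime
    not_after: datetime


# Hypothetical trust store: the root CAs this toy "browser" knows.
TRUSTED_ROOTS = {"Example Root CA"}


def is_protected_link(url: str, expected_host: str) -> bool:
    """True only for an https URL whose host is exactly expected_host.
    Rejects plain http, look-alikes such as www.ebay.com.evil.example, and
    userinfo tricks such as https://www.ebay.com@evil.example/."""
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() == expected_host.lower()


def name_matches(hostname: str, pattern: str) -> bool:
    """Hostname matching the way browsers do it (RFC 6125, simplified):
    case-insensitive exact match, or '*' as the whole leftmost label matching
    exactly one label. '*.ebay.com' matches 'www.ebay.com' but not 'ebay.com'
    or 'a.b.ebay.com'."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    labels, host_labels = pattern.split("."), hostname.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def certificate_names(cert: CertInfo) -> list[str]:
    """Names the certificate covers. A SAN list, when present, is authoritative
    and the CN is ignored, which is why checking the CN alone can mislead."""
    return list(cert.subject_alt_names) or [cert.common_name]


def same_parent_domain(hostname: str, cert_name: str) -> bool:
    """The article's rule of thumb for a name mismatch: do the last two labels
    agree (ebay.com vs www.ebay.com)? A hint about who owns the certificate,
    not something a browser accepts."""
    return hostname.lower().split(".")[-2:] == cert_name.lower().split(".")[-2:]


def check_certificate(cert: CertInfo, hostname: str, now: datetime) -> list[str]:
    """Browser-style error list for this certificate; empty means the lock is shown."""
    errors = []
    if cert.issuer not in TRUSTED_ROOTS:
        errors.append("not trusted")
    if not any(name_matches(hostname, n) for n in certificate_names(cert)):
        errors.append("name mismatch")
    if now < cert.not_before:
        errors.append("not valid yet")
    elif now > cert.not_after:
        errors.append("expired")
    return errors


def make_cert(cn: str, sans: list[str], org: str | None = None,
              issuer: str = "Example Root CA") -> CertInfo:
    """Constructed certificate record, valid for calendar year 2024."""
    return CertInfo(cn, sans, org, issuer,
                    datetime(2024, 1, 1, tzinfo=timezone.utc),
                    datetime(2025, 1, 1, tzinfo=timezone.utc))


# Constructed samples, loosely modelled on the article's ebay.com example.
SAMPLE_CERT = make_cert("www.ebay.com", ["www.ebay.com", "ebay.com"], org="Example Shop Inc.")
CN_ONLY_CERT = make_cert("login.example.com", ["www.example.com"])   # CN not in the SAN list
SELF_SIGNED = make_cert("intranet.example.com", ["intranet.example.com"],
                        issuer="intranet.example.com")               # issuer not a known root
BEFORE_START = datetime(2023, 12, 1, tzinfo=timezone.utc)
IN_PERIOD = datetime(2024, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2025, 3, 1, tzinfo=timezone.utc)
```

Running `check_certificate(SAMPLE_CERT, "signin.ebay.com", IN_PERIOD)` gives the name-mismatch case from the text, while `same_parent_domain("signin.ebay.com", "www.ebay.com")` is still true: the rule of thumb tells you the certificate probably belongs to the same operator, but it is not what the browser checks. The `CN_ONLY_CERT` sample shows why reading only the Common Name can mislead: its CN is login.example.com, yet the browser will report a mismatch for that host because the SAN list does not contain it.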