Secure Web Site?

Question: “How can I determine if the site I am visiting is really safe and secure for entering my credit card number and other personal information?”

The short answer:  Check the web address:

  1. A secure web address begins with https:
  2. A non-secure site address begins with http: (with no ‘s’).

The Long Answer: ***That is not all there is to it.***

The web page you are viewing must also be coded so that your form submission is also encrypted.  This has nothing to do with whether or not the web site address begins with https: or not.
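A form is sent to whatever URL its `action` attribute names, and that URL can begin with http: even when the page itself was loaded over https:. The following Python sketch is an added example, not part of the original article: it lists each form on a page and reports whether its submission target is encrypted. The sample page, the host names and the field-name hints are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HINTS = ("card", "cvv", "account", "pass")  # assumed names for sensitive fields


class FormCollector(HTMLParser):
    """Record each <form>'s action and the sensitive-looking inputs inside it."""

    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "", "sensitive": []}
            self.forms.append(self.current)
        elif tag == "input" and self.current is not None:
            name = (a.get("name") or "").lower()
            is_password = (a.get("type") or "").lower() == "password"
            if is_password or any(h in name for h in HINTS):
                self.current["sensitive"].append(name or "password")

    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None


def audit_forms(page_url, html):
    """Resolve every form target against the page URL and report its scheme."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        findings.append({"target": target, "sensitive": form["sensitive"],
                         "encrypted": urlsplit(target).scheme.lower() == "https"})
    return findings


# Constructed sample: an https: page whose payment form posts to an http: URL.
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="http://pay.example/charge" method="post">
  <input type="text" name="card_number"><input type="text" name="cvv">
</form>
<form action="/search"><input type="text" name="q"></form>
<form method="post"><input type="password" name="pw"></form>
"""
```

Calling `audit_forms(SAMPLE_URL, SAMPLE_HTML)` flags the first form as unencrypted although the page address begins with https:.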

Important:  Set your browser options to not allow submission of unencrypted form data.

In IE: Tools -> Internet Options -> Security Tab -> Internet Zone -> Custom Level button -> set “Submit non-encrypted form data” to Prompt.

In Firefox:  Start Firefox and enter “about:config” into the address bar (without the quotes). Scroll down to “security.warn_submit_insecure”. Double click on it to change the value to True. You’re good to go (I tested this with versions 1.0.7 and 1.5). 

 

Yes, that magic little letter ‘s’ provides you with a secure, encrypted connection to the web site you are viewing.

(But it is not a guarantee that any form data you enter and send back to the web site is encrypted).

Therefore we advise you to never enter credit card information, nor any other significant personal information, such as your account details:
  1. on any page that does not start with https:
  2. AND on any web page where you get a warning that you are about to enter unencrypted form data.  (Be sure to set the browser security options to not allow submission of unencrypted form data.)

Note: You won’t usually see the magic little (s) while shopping on the product pages, but only on pages where you input sensitive information, such as the credit card form page.

There may be further indications that you are on a secure page, depending on your browser of choice and the options selected. Look for a small lock symbol, either in the address bar and/or in the status bar at the bottom of the browser window. Also, all or part of the address window may change color.

    Editorial Comment: For some reason browsers are quite timid when it comes to informing the user if the page they are visiting is secure. IE is pretty poor at this, and Firefox and Opera are better, but not great. They all use tiny little symbols, and perhaps with some meaningless color coding thrown in. We think browsers should clearly and explicitly inform the user in plain language when they are on a secure web page… No color codes, no tiny little symbols. We would like to see a clear notice in plain language.

OK, that’s it for our rant. We’re about to tell you specifically what obscure little indications to look for on each of the major browsers, but first we’ll pause for this important non-commercial message:

  • No matter what operating system you use. No matter what browser you use. It is essential to have the latest updates. The purpose of many, if not most, updates is to plug security holes. It is not safe to browse the Internet with a system that is full of unpatched security holes, period. So begin with ensuring that your operating system, your browser, and your anti-virus program are fully up-to-date.
  • If you use any version of Windows, go to Windows Update and download and install all “Critical” updates at the very least. It is very important to install all the latest updates, including those for Internet Explorer. This is true no matter what browser you prefer to use.
  • And we would be seriously remiss if we didn’t add that it is also essential to employ a firewall and anti-spyware protection.

OK, here is what to look for:

  • Internet Explorer gives further indication of a secure connection by displaying a lock symbol on the status bar on the lower edge of the browser window. (But to see this you must have the “Status Bar” enabled, which is under the View menu.) IE also tells you its installed Cipher strength under the HELP and ABOUT INTERNET EXPLORER menu. If it does not say “Cipher strength: 128-bit”, you should update IE to the latest version.
  • Firefox changes the color of the background in the address window. In our test it turned yellow. You should see the https: at the start of the web address with a colored background. You should also see a lock symbol to the right of the web address. And if the Status Bar is enabled, you will see a lock symbol on the lower right corner.
  • Opera indicates a secure site by displaying a lock symbol to the right of the web address, on a colored background.

In all these browsers, if you click on the lock symbol, you can view more details about the security certificate of the site or page you are visiting.

You can check your browser for basic security at this site: http://Verisign.com/advisor/check.html

You can use this page to check your browser’s SSL security and see how it is indicated on your browser.

http://browsertest.ccra-adrc.gc.ca/rc.genr.tierp/BrowserSecurity-e.jsp

  • CAUTION: The little image symbol that appears to the LEFT of the web address is absolutely NOT a reliable indicator of a secure page. This little image, called a favicon, can be anything the web site designer wants it to be. It could be any number of images that look like locks, and it has no relation whatsoever to the security of the site.
  • ALSO: If a web page tells you that it is secure, that is absolutely NOT a reliable indicator that it is. Remember: No ‘https’, no security.
  • Please note: As we have pointed out, you can easily determine if your browser has a secure connection with the web page you are visiting. And you can determine if that web site has a security certificate. But this is not a guarantee that the site you are visiting is reputable. This is up to your own good sense and due diligence. Determining this is easier if the site you are visiting is well known and/or has received good ratings. Store ratings and reviews are often available through a number of price comparison sites.

If you are interested, here is a little more information about how secure web sites work:

Secure sites use something called SSL ‘Secure Sockets Layer’ or TLS ‘Transport Layer Security’. In order to have a secure connection, the page you are visiting must have a Security Certificate, and the browser you are using must support SSL and/or TLS authentication and encryption, so it can ‘read’ the Security Certificate and complete a secure connection.

Note: Your Browser must have SSL enabled in Security Options for this to function. We also recommend that you verify the settings that are enabled in your browser, and while you are at it, enable TLS so that your browser will use this very high level of security if available.

Security Certificates are issued by a variety of certificate authorities. The major ones include Verisign, Thawte, InstantSSL, Entrust, Baltimore and Geotrust. If the required certificate is installed in your browser, the certification process happens seamlessly in the background. If not, a pop-up may ask you if you wish to accept a new site certificate, or warn you that there is a problem with the site’s certificate. Be cautious if the certificate is not from a trusted authority and/or if it is expired or has other problems. You will have the option of accepting or rejecting the certificate. You may also save it in your browser’s certificate bank, if you wish to trust it for future access. Internet Explorer’s certificates can be viewed under the Internet Options, Content tab.

As noted above, when you are on a secure site, you can get further information about the Security Certificate of the site you are visiting, by clicking on the Lock Symbols.
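The details shown when you click the lock (who issued the certificate, when it expires, which site names it covers) can also be read programmatically. The following Python sketch is an added example, not part of the original article: `fetch_cert` performs a verified handshake using the standard `ssl` module, and `summarize_cert` reports the issuer, the days of validity left and any problems. The sample certificate, the host names and the "Example CA" issuer are constructed.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5):
    """Verified handshake; raises ssl.SSLCertVerificationError if untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def rdn_value(rdns, key):
    """Pull one attribute (e.g. organizationName) out of an issuer/subject."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def name_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def summarize_cert(cert, host, now):
    """Report issuer, days of validity left, and any problems for `host`."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    if not any(name_matches(n, host) for n in names):
        problems.append("host name mismatch")
    return {"issuer": rdn_value(cert.get("issuer", ()), "organizationName"),
            "days_left": int(not_after - now) // 86400,
            "problems": problems}

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
```

Against a live site, pass the result of `fetch_cert(host)` and the current time to `summarize_cert`; the trust check against the installed certificate authorities happens inside the handshake itself.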

 

 

 

* * * * * * * * * * * * *
   

Our goal at Internet-Insecurity.com is to reduce the inherent insecurity of the Internet through knowledge and information.

To be safe on the Internet, it is very important to understand how to determine whether or not a secure connection has been established. Not only is this important for safeguarding your credit card info, this knowledge, when applied, can also greatly limit the success of phishing and pharming scams. It is quite unlikely (but not impossible) that fake sites will have Security Certificates.

We hope you will find this information useful, if not for yourself, perhaps for someone you know. Frankly, we wrote this because we have been surprised how few people we know had a good enough understanding of secure sites to tell a phony from the real thing.

 

 

 

* * * * * * * * * * * *
   

- Practice Safe Computing -
