The Browser Padlock and Verifying Your Online Safety

That unfailing icon that conscientious web surfers look for in their browser, the padlock, may not be so secure anymore. Like many copied and bogus websites, the padlock may not mean the level of security surfers and shoppers expect. In theory, the padlock represents that Transport Layer Security (TLS) is in effect. According to SANS, the primary goal of the TLS protocol is to provide a secure way for client-server applications to communicate. We’ve been told websites bearing the padlock are legitimate and worthy of our trust when sending sensitive information. That being said, what is happening to our beloved padlock that we should question its authenticity?

Certificate Authorities, or CA’s, are responsible for granting certificates and the use of the padlock to domains that apply for them. In granting those certificates, CA’s have the responsibility of verifying those applicants. Consumers invest their faith in the process and the padlock is the ultimate sign the domain is safe, trustworthy, and open for our business. What many consumers don’t realize is there are different levels of encryption offered by the CA that are available. The three levels below all receive the padlock icon. Some indicate more thorough checking than others. It isn’t sufficient to just look for the padlock anymore.

1 - DA (Domain Validated): CA’s are only responsible for verifying the name of the domain is the same name listed on the application. There are some groups planning to issue free DA’s to their customers in the near future.

2 - OV (Organization Validated): Once the domain name is verified, the OV goes a step further by validating the identity of the person or group initiating the certificate is legitimate.

3 - EV (Extended Verification): Taking the DA and OV into account, the means of legitimizing the applicant’s information is more stringent, taking a harder look into applicant information. In addition to seeing the green padlock, the name of the company also appears in green next to the padlock.

What you can do

• Click on the padlock icon. Information about the domain is given and when the certificate expires. It's up to you to decide if the information is legitimate and appears safe. Use your judgment before moving forward and if you have any doubts, leave the site right away.

• Set security levels on your browser. Many internet surfers aren’t aware of the different level of security their browsers offer. Set the level of restriction and notification you feel most comfortable using. Keep in mind that the minimum or low level is generally not secure enough and medium or higher is recommended.

• Make sure the site begins with https://. Without the “s” is fine for browsing, but not for sending secure data. If a website asks for private information, but only has “http,” don’t enter your information. If you want to take it a step further, contact the company and make sure they’re aware of it.

• Check spellings of websites where you plan to enter sensitive data, then check them again. Bookmark the ones that you know are safe. Make sure you’ve typed the name correctly as opposed to a typo knock-off site. It can save a lot of heartache. There’s a phenomenon called “typosquatting” for those internet surfers who accidentally type domain names incorrectly. It may seem an innocuous threat typing one incorrect letter into a browser, but that’s just the beginning.

A typo like adding an “s” in the name “banksofamerica” sets cyber thieves on high alert. These thieves of opportunity know that people typing domain names are bound to type incorrectly. Many “typo websites” are created as a result and are granted validation and padlocks. It's up to the thieves to decide what to do with the bogus sites. They can try to duplicate the intended site, or use it to launch malware, adware, or phishing sites.

The opportunity to steal is out there and it’s often mistakenly verified as legitimate. It’s up to the consumer to take some extra precautions and look at other identifiers on the site to ensure they are entering secure data with confidence.

© Copyright 2016 Stickley on Security