HTTPS demands your attention to safeguard online security
The recent push to secure the web with HTTPS has made it harder for the average Joe hacker to sniff your browsing habits, credit card numbers and online banking passwords. When you browse a website over HTTPS, a "trusted" digital certificate "proves" that you are talking to the intended website, and the encryption keeps anyone along the way from reading the traffic. But with computers and security there are no 100% guarantees; promises are as feeble as last year's clouds. That's why your bank or email provider wants you to set up two-factor authentication, using your mobile phone as an extra barrier: they know that HTTPS alone is not impregnable, and that a password can still be phished or leaked no matter how well the connection is encrypted.
Dodgy dealers can insert themselves between you and the website you are trying to reach, in what is known as a man-in-the-middle attack. This is most likely on public Wi-Fi hotspots (airports, hotels, cafeterias and so on), but lately even your own house can be KRACKed, since the KRACK attack breaks the WPA2 encryption of your home wireless network. Do you think that HTTPS will secure you? Have you heard of sslstrip? It sits on the path, talks HTTPS to the real site on your behalf and serves you the very same pages over plain HTTP, so the site looks exactly the same while an intermediate node reads every login and password you type. The trick depends on your first request to the site going out over plain http:// (which is what happens when you type a bare domain name), which is why sites can send an HTTP Strict Transport Security (HSTS) header telling your browser never to use plain HTTP for them again.
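To see what actually decides whether an sslstrip-style downgrade works, here is an added example in Python (not code from the original post): it parses the Strict-Transport-Security header out of constructed HTTP responses and classifies how exposed a user who types a bare hostname would be. The hostnames, the response texts, whether the browser has seen the host before and whether the host sits on the browser's built-in preload list are all assumptions made up for the example; the script touches nothing on the network.

```python
"""Added example (not from the original post): what an sslstrip-style
downgrade can do to a user depends on the site's HSTS policy."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses; assumption: each was received over HTTPS,
# because browsers ignore an HSTS header that arrives over plain HTTP.
SAMPLE_RESPONSES = {
    # Hardened: one-year policy that also covers subdomains.
    "bank.example": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    # Weak: max-age=0 tells the browser to forget any policy it had cached.
    "shop.example": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=0\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    # Missing: no HSTS at all, so every plain http:// request can be stripped.
    "blog.example": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool  # only signals eligibility for the preload list


def parse_hsts(raw_response: str) -> Optional[HstsPolicy]:
    """Pull the Strict-Transport-Security directives out of raw HTTP headers.

    Returns None when the header is absent or has no usable max-age.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        directives = [d.strip().lower() for d in value.split(";") if d.strip()]
        max_age = None
        for d in directives:
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d)
            if m:
                max_age = int(m.group(1))
        if max_age is None:
            return None
        return HstsPolicy(max_age,
                          "includesubdomains" in directives,
                          "preload" in directives)
    return None


def sslstrip_exposure(raw_response: str, seen_before: bool,
                      on_preload_list: bool = False) -> str:
    """Classify the risk for a user who types a bare hostname, so the browser
    would start with http:// unless a policy makes it rewrite to https://.

    "strippable"  no effective policy: the attacker can keep the user on HTTP
    "first-visit" a policy exists but this browser has not cached it yet
    "protected"   the browser upgrades before anything leaves the machine
    """
    if on_preload_list:                 # built into the browser, header or not
        return "protected"
    policy = parse_hsts(raw_response)
    if policy is None or policy.max_age == 0:
        return "strippable"
    return "protected" if seen_before else "first-visit"


if __name__ == "__main__":
    for host, response in SAMPLE_RESPONSES.items():
        print(host, parse_hsts(response), sslstrip_exposure(response, seen_before=True))
```

The "first-visit" verdict is the gap sslstrip lives in: a returning visitor of bank.example is safe because the browser rewrites the URL before sending a byte, but the very first visit from a fresh browser still starts on plain HTTP unless the host is on the preload list.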
How do you make sure your secure channel is not compromised? When using HTTPS you must pay close attention to your browser's address bar. If something is wrong, it will show up in the website URL and the status icons next to it. Attackers keep getting more sophisticated, so the change may be very subtle and hard to spot. Here's what to watch out for:
- Confirm HTTPS is on. Is the all-important little s present? Browsers have various ways of indicating a secure channel, such as a padlock icon or, in older versions, a green background for the entire URL (address); learn which one yours uses, because the indicators change from release to release.
- Is the address the same? Did the URL of the website you typed change? Instead of www.paypal.com did you reach www.paypai.com or some other similar-looking but malicious destination? Watch for both typosquats (a swapped or missing letter, as in that example) and so-called homograph attacks, where a letter is replaced by a look-alike from another alphabet, such as a Cyrillic "а" in place of a Latin "a". Smart men in the middle who own such a domain can obtain a perfectly valid certificate for it and appear secure!
- Check the extended validation. Simple secure connections show a plain padlock icon, but banks and other important websites often have an extended validation (EV) certificate, issued by a CA such as GeoTrust, for which older browsers display the company name next to the URL. Is the EV information there and does it match your intended destination? Bear in mind that recent versions of Chrome and Firefox no longer show the company name in the address bar; you have to click the padlock and open the certificate details to see it.
- Take heed of warning messages. If your browser complains about the digital certificate of the website, steer away. Sadly, crafty attackers will seldom make such obvious mistakes.
- Bonus tip. Don't use the same password everywhere. If one gets pwned, at least your other accounts will stay safe.
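The address-bar checks above can be turned into a small offline check. The following is an added example in Python, not code from the original post: given the URL the browser actually landed on and the host you meant to reach, it flags a missing https://, a domain that is merely similar (a typosquat such as paypai.com), an internationalised domain name, and mixed scripts inside one label (the homograph case). The sample URLs and the edit-distance threshold of 2 are my own assumptions, and the example goes a little beyond the text in that it also normalises the punycode (xn--) form that browsers sometimes display instead of the Unicode host.

```python
"""Added example (not from the original post): compare the URL the browser
landed on with the host the user meant to reach."""
import unicodedata
from urllib.parse import urlsplit

# Assumption: two edits or fewer counts as a look-alike rather than a
# different site; tune to taste.
LOOKALIKE_MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as paypai.com vs paypal.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def scripts_in(label: str) -> set:
    """Rough per-character script classification from Unicode names, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Digits and hyphens are ignored."""
    found = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                found.add("LATIN")
            continue
        name = unicodedata.name(ch, "")
        found.add(name.split(" ")[0] if name else "UNKNOWN")
    return found


def inspect_url(actual_url: str, expected_host: str) -> list:
    """Return findings for the URL actually reached; an empty list is clean.

    Findings: not-https, invalid-idn, idn, mixed-script,
              lookalike-domain, different-domain
    """
    findings = []
    parts = urlsplit(actual_url)
    if parts.scheme.lower() != "https":
        findings.append("not-https")
    host = parts.hostname or ""
    # Browsers may show an IDN host as Unicode or as punycode (xn--);
    # normalise to both forms so either display gets the same verdict.
    try:
        ascii_host = host.encode("idna").decode("ascii")
        unicode_host = ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        findings.append("invalid-idn")
        return findings
    if unicode_host != ascii_host:
        findings.append("idn")
        # A Latin label with one Cyrillic letter swapped in is the classic homograph.
        if any(len(scripts_in(label)) > 1 for label in unicode_host.split(".")):
            findings.append("mixed-script")
    expected = expected_host.lower()
    if ascii_host == expected or ascii_host.endswith("." + expected):
        return findings        # the intended site or a subdomain of it
    # Compare only as many trailing labels as the expected host has, so
    # www.paypai.com is judged on paypai.com, and www.paypal.com.evil.example
    # on evil.example (a subdomain of the attacker's site, not of PayPal's).
    n = expected.count(".") + 1
    tails = {".".join(h.split(".")[-n:]) for h in (ascii_host, unicode_host)}
    if min(levenshtein(t, expected) for t in tails) <= LOOKALIKE_MAX_EDITS:
        findings.append("lookalike-domain")
    else:
        findings.append("different-domain")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, not real destinations.
    for url, wanted in (("https://www.paypal.com/signin", "paypal.com"),
                        ("http://www.paypal.com/signin", "paypal.com"),
                        ("https://www.paypai.com/signin", "paypal.com"),
                        ("https://www.paypal.com.evil.example/", "paypal.com"),
                        ("https://\u0430pple.com/", "apple.com"),      # Cyrillic a + "pple"
                        ("https://xn--pple-43d.com/", "apple.com")):  # same host, punycode form
        print(url, inspect_url(url, wanted))
```

The trailing-label comparison matters: a naive "does the URL contain paypal.com" test is exactly what www.paypal.com.evil.example is built to pass, whereas judging the last two labels sends it straight to "different-domain".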
I usually go the extra mile with really important websites and turn on the browser's InPrivate (or incognito) mode, which blocks all add-ons from the session. How certain are you that your adblocker doesn't have a back door somewhere? No point fending off barbarians at the gate when they might have infiltrated the fortress already!
All the above safeguards will not help you if the eavesdropper holds a certificate for the site you are trying to reach that your browser trusts, issued by a compromised or coerced certificate authority, but those types are usually government agencies that aren't after your credit card and passwords :) The one thing that can still catch this is Certificate Transparency: Chrome refuses publicly trusted certificates issued since 2018 that are not recorded in public CT logs, so a site owner who watches the logs can spot a certificate for their domain that they never requested.