
Is That Web Site Secure?


To see if a web site is secure, we have been trained to look for the padlock in the browser.  Sadly, not all padlocks are the same… 

Take a look at the following two web sites in Internet Explorer; both have padlocks…


On Google Chrome… 

Why is one highlighted green, but the other one not?

Both are using HTTPS. Both are using TLS. Both have padlocks on display.

The answer lies in the type of certificate used by the underlying TLS protocol.

The first certificate has been Domain Validated (Cyber Matters), whereas the green one has Extended Validation (Symantec).


Domain Validation

A Domain Validated certificate simply says the web site owner has demonstrated they own the associated DNS; i.e. in the example above, whoever is running the web site https://cybermatters.info has demonstrated they have control of the DNS for cybermatters.info.

Given we know the frailties of DNS, is this sufficient to conclude this site is trustworthy? No, it’s not intended to. The intent is to say the communication between your browser and the site is secured, that’s all.

There is a second type that can simply display a padlock, called Organisation Validated, in which the certificate provider has undertaken some checking that the requesting company has some rights to use the domain name. I’d argue this does not add a great deal of additional security.

(I’ve not seen browsers treat Organisation Verified any differently to Domain Verified certificates.  Have you?)

Extended Validation

Extended Validated certificates are different. The organisation has been through a thorough vetting process, defined by the CA/Browser Forum. The vetting is undertaken by the Certificate Authority operator, using a process that is audited at least annually. Only if the Certificate Authority agrees to this audit will your web browser recognise it and display the padlock in green.

The Google and Microsoft browsers choose to show slightly different information in their respective address bars: Google shows the verified company name, whereas Microsoft shows who verified the information.

All in all, it’s a much more trustworthy process, which means you can have greater confidence in the security the site provides. In fact, if you know your way around a certificate, you can find out exactly what assurance is provided (more on this in a future blog).
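A certificate states its validation level in the certificatePolicies extension, using policy OIDs reserved by the CA/Browser Forum. The following is an added example, not part of the original post: standard-library Python that walks DER bytes and reports which of those OIDs is present. The function names and the sample bytes are constructed for illustration, and only single-byte ASN.1 tags are handled.

```python
CABF_LEVELS = {                      # policy OIDs reserved by the CA/Browser Forum
    "2.23.140.1.1": "Extended Validation",
    "2.23.140.1.2.1": "Domain Validated",
    "2.23.140.1.2.2": "Organisation Validated",
}

def decode_oid(body):                # content bytes of a DER OBJECT IDENTIFIER
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear marks the end of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)    # the first two arcs are packed together
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def iter_oids(der):
    """Yield every OID in a DER blob, descending into nested structures."""
    pos = 0
    while pos < len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:            # long form: low 7 bits count length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        body, pos = der[pos:pos + length], pos + length
        if len(body) != length:
            raise ValueError("truncated DER")
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:             # constructed: SEQUENCE, SET, [n]
            yield from iter_oids(body)
        elif tag == 0x04:            # OCTET STRING wraps each extension value
            try:
                yield from list(iter_oids(body))
            except (ValueError, IndexError):
                pass                 # opaque bytes, not nested DER

def validation_level(der):           # None when no CA/Browser Forum OID is present
    return next((CABF_LEVELS[o] for o in iter_oids(der) if o in CABF_LEVELS), None)

def tlv(tag, body):                  # short-form lengths, enough for the samples
    return bytes([tag, len(body)]) + body

def sample_extension(policy_oid):    # constructed certificatePolicies (2.5.29.32)
    policies = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex(policy_oid))))
    return tlv(0x30, tlv(0x06, bytes.fromhex("551d20")) + tlv(0x04, policies))

EV_SAMPLE = sample_extension("67810c0101")      # 2.23.140.1.1
DV_SAMPLE = sample_extension("67810c010201")    # 2.23.140.1.2.1
```

For a live site, `ssl.SSLSocket.getpeercert(binary_form=True)` returns the full certificate as DER bytes that can be passed to `validation_level`.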

Conclusion

This is a serious point. Since Google changed their search policy to give sites that use HTTPS by default a higher ranking, there has been a rush to get certificates on websites. In many cases, they are domain verified certificates, provided for free (as in the Cyber Matters case).

Over the years we’ve come to accept free internet applications and accepted the loss of privacy as a trade-off. Are we now accepting free security, and thus risking a false sense of security?

The moral is, don’t just look for the padlock, look for the entire address bar going “green” if you are to trust a site with your personal data.


8 COMMENTS

    • I used to think the same way until I realized those “green highlight thingies” are actually useful for navigating through content quickly. Maybe you should give it a try instead of dismissing it. You might find it more helpful than you expect.

    • I totally get what you’re saying! The overuse of different colored highlights can definitely be overwhelming and make it harder to focus on the content. Maybe web designers should stick to more subtle and cohesive color schemes to avoid confusing readers like us.
