Posted by Dave
5 Star Support Security Specialist
4.03.06
I have been asked many times about whether or not there is any way of
telling if a certain Web site is secure. These questions come mostly
from people who like to pay bills and do banking on-line, as well as
shopping on-line. The answer is yes, there is, but you need to be both
observant and careful. I have some recommendations for you that have
proven to be successful for me over the years.
First, be sure exactly what Web site you are really on. With all the
phishing, pharming and scams taking place on the Internet, some of the
fake sites are looking more and more legitimate all the time. There is a
little browser add-on that I highly recommend for helping you with this.
It is actually a toolbar add-on for your browser called SpoofStick that
is available in versions for either Internet Explorer or Firefox. It
works by reading the server you are connecting to and displaying its
identity, so you will always know what site you are really connecting to.
To get SpoofStick, go to:
http://www.spoofstick.com/
Second, and this is more difficult, you need to check the security of
the Web site. Before getting to that, I recommend you check your
Internet Explorer settings. Under Tools | Internet Options, click on
the Advanced tab and scroll down to ‘Security’. Look for the
boxes for ‘Use SSL 2.0’, ‘Use SSL 3.0’ and ‘Use TLS 1.0’ and be sure
all three boxes are checked. TLS 1.0 is more secure than SSL, but the
setting is never turned on by default in Internet Explorer. If you check
the box for it, IE will use TLS whenever it is available, which is quite
often. In Firefox, select Tools | Options | Advanced | Security and be
sure to check all three boxes under ‘Protocols’ for SSL 2.0, SSL 3.0 and
TLS 1.0, and you’re done.
Most Web surfers think that as long as the Web site they are on displays
the little locked padlock icon on the toolbar they are secure. Nothing
could be further from the truth. The locked padlock icon merely means
the Web page is encrypted.
Still other people feel they are truly secure as long as the Web page
URL begins with https:// and that this guarantees a secure transaction,
or secure information. Unfortunately this does not guarantee security
either. Many HTTPS pages are not actually served by a secure server,
which means the data you enter may not be going where you think.
The only way to tell for sure is to view the source code for the Web
page you are on. I don’t expect everyone to become a programmer or code
expert, but determining this is much easier than you think. This may
seem confusing at first, but if you read through it a few times, and use
the View button as I instruct you to when you visit a few sites,
you’ll get the hang of it pretty quickly. In IE, left click on the
‘View’ button in the top toolbar, and from the drop-down menu, select
‘Source’ and the source code will be displayed. In Firefox, you left
click on ‘View’ on the top toolbar and from the drop-down menu select
‘Page Source’.
Let’s say you are about to enter credit card data into a form on a Web
page.
If you look at the source code, you should see something like this:
<form method="POST" action="/order.cgi">
or perhaps
<form method="POST" action="https://www.shop.com/cgi-bin/order.cgi">
These both mean the data is posted to a server on the site you are on.
If the form POSTs to an IP address or to the address of another site, stop
what you intend to do and go elsewhere. It means your data will be
posted to another site entirely. A Web site should only send sensitive
data to a registered site. Also, beware of sites that POST to an address
with @----.com or @----.net, which means that the site is probably run by
a small company that is using a Web hosting service, and the data will
be sent to them via e-mail. This is not secure at all either. Anyone
with access to the e-mail can read the sensitive information, and don’t
count on it being encrypted.
To put things in perspective, you want to be sure you are on a site
where the sensitive data you enter in any form is transmitted to the
same site and that the action taken goes to an https page on that same
site.
You want to see that the form action part of the code looks something
like this if you are on an http page:
Form page http://www.shop.com/form.html
<form action="https://www.shop.com/cgi-bin/login.cgi" method="get">
in which case you are on an http page and the form is submitted to a
secure https Web page on the same site.
Or, if you are on an https page:
Form page https://domain.com/form.html
<form action="cgi-bin/login.cgi" method="get">
in which case you are on a secure https site and the data is submitted
to another Web page within that same secure https site. The key to being
on the same site is the domain name. Either of these examples is
secure. If the form action listed either an http address, or another site
entirely, the data would not be secure.
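As an added example (not code from the original post), the script below applies the same form-action checks to a page source automatically: it resolves each form's action against the URL of the page it sits on and flags submissions that go to another host, to a bare IP address, to a mailto: address, or over plain http. The sample page URL and source are constructed, and hostnames are compared exactly, so a subdomain of the same site counts as another host and is left for you to judge.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collect the action and method of every <form> in a page source."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_form(page_url, action):
    """Judge one form action against the page it appears on (same checks as the article)."""
    if action.strip().lower().startswith("mailto:"):
        return "UNSAFE: data is sent by e-mail, not posted to a server"
    target = urlsplit(urljoin(page_url, action))  # relative actions resolve to this page's host
    page = urlsplit(page_url)
    if is_ip(target.hostname or ""):
        return "UNSAFE: form posts to a bare IP address"
    if target.hostname != page.hostname:
        return "UNSAFE: form posts to another site (%s)" % target.hostname
    if target.scheme != "https":
        return "UNSAFE: form posts over plain http"
    return "OK: same site, https"


def audit(page_url, source):
    """Return (action, method, verdict) for every form found in the source."""
    finder = FormFinder()
    finder.feed(source)
    return [(act, meth, check_form(page_url, act)) for act, meth in finder.forms]


# Constructed sample: an http page whose forms post to four different places.
SAMPLE_PAGE = "http://www.shop.com/form.html"
SAMPLE_SOURCE = """
<form method="POST" action="https://www.shop.com/cgi-bin/order.cgi"></form>
<form method="POST" action="http://203.0.113.5/collect"></form>
<form method="POST" action="mailto:orders@example.com"></form>
<form method="POST" action="/order.cgi"></form>
"""

if __name__ == "__main__":
    for action, method, verdict in audit(SAMPLE_PAGE, SAMPLE_SOURCE):
        print("%-6s %-50s %s" % (method.upper(), action, verdict))
```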
To sum things up, get in the habit of checking the source code now and
then on the pages of sites you visit on the Web. You’ll probably learn a
lot in a much shorter time than you think, and you’ll become a much
safer and happier Web surfer at the same time. You will certainly become
safer and more secure.
Until next time here on 5 Star Support, regards to all.
Dave