Am I Secure - Really?

Posted by Dave
5 Star Support Security Specialist

4.03.06
I have been asked many times about whether or not there is any way of telling if a certain Web site is secure. These questions come mostly from people who like to pay bills and do banking on-line, as well as shopping on-line. The answer is yes there is, but you need to be both observant and careful. I have some recommendations for you that have proven to be successful for me over the years.

First, be sure exactly what Web site you are really on. With all the phishing, pharming and scams taking place on the Internet, some of the fake sites are looking more and more legitimate all the time. There is a little browser add-on that I highly recommend for helping you with this. It is a toolbar add-on called SpoofStick that is available in versions for either Internet Explorer or Firefox. It works by reading the server you are connecting to and displaying its identity so you will always know what site you are really connecting to. To get SpoofStick, go to:
http://www.spoofstick.com/

Second, and this is more difficult, you need to check the security of the Web site. Before getting to that, I recommend you check your Internet Explorer settings. Under Tools | Internet Options, click on the Advanced tab and scroll down to ‘Security’. Make sure the boxes for ‘Use SSL 2.0’, ‘Use SSL 3.0’, and ‘Use TLS 1.0’ are all checked. TLS 1.0 is more secure than SSL, but the setting is never turned on by default in Internet Explorer. If you check the box for it, IE will use TLS whenever it is available, which is quite often. In Firefox, select Tools | Options | Advanced | Security and be sure to check all three boxes under ‘Protocols’ for SSL 2.0, SSL 3.0 and TLS 1.0, and you’re done.

Most Web surfers think that as long as the Web site they are on displays the little locked padlock icon on the toolbar they are secure. Nothing could be further from the truth. The locked padlock icon merely means the Web page is encrypted.

Still other people feel they are truly secure as long as the Web page URL begins with https:// and that this guarantees a secure transaction, or secure information. Unfortunately this does not guarantee security either. Many HTTPS sites are not actually served by secure servers, which means your data may not be going where you think.

The only way to tell for sure is to view the source code for the Web page you are on. I don’t expect everyone to become a programmer or code expert, but determining this is much easier than you think. This may seem confusing at first, but if you read through it a few times, and use the View button as I describe when you visit a few sites, you’ll get the hang of it pretty quickly. In IE, left click on the ‘View’ button in the top toolbar, and from the drop-down menu, select ‘Source’ and the source code will be displayed. In Firefox, left click on ‘View’ on the top toolbar and from the drop-down menu select ‘Page Source’.

Let’s say you are about to enter credit card data into a form on a Web page.
If you look at the source code, you should see something like this:

<form method="POST" action="/order.cgi">

or perhaps

<form method="POST" action="https://www.shop.com/cgi-bin/order.cgi">

These both mean the data is posted to a server on the site you are on. If the form POSTs to an IP address or the address of another site, stop what you intend to do and go elsewhere. It means your data will be posted to another site entirely. A Web site should only send sensitive data to a registered site. Also, beware of sites that POST to an address with @----.com or @----.net, which means that the site is probably run by a small company that is using a Web hosting service, and the data will be sent to them via e-mail. This is not secure at all either. Anyone with access to the e-mail can read the sensitive information, and don’t count on it being encrypted.

To put things in perspective, you want to be sure you are on a site where the sensitive data you enter in any form is transmitted to the same site and that the action taken goes to an https page on that same site.

You want to see that the form action part of the code looks something like this if you are on an http site:

Form page http://www.shop.com/form.html
<form action=https://www.shop.com/cgi-bin/login.cgi method=get>

in which case you are on an http site and the form is submitted to a secure https Web page on the site.

Or if you are on an https page:

Form page https://domain.com/form.html
<form action=cgi-bin/login.cgi method=get>

in which case you are on a secure https site and the data is submitted to another Web page within that same secure https site. The key to being on the same site would be the domain name. Either of these examples is secure. If the form action listed either an http site, or another site entirely, the data would not be secure.
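
The same check can be done by a short script. This is an added example, not part of the original article: it pulls every form action out of a page's source, resolves it against the page address and labels where the data would go. The function names, the sample page and every host other than www.shop.com are made up for illustration, and "same site" is assumed to mean an identical host name.

```python
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

class FormActions(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # No action attribute means the form submits to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")

def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def classify(page_url, action):
    """Resolve the action against the page URL and label where the data goes."""
    target = urlsplit(urljoin(page_url, action))
    if target.scheme == "mailto":
        return "email"          # form contents are mailed, not posted to the site
    if is_ip(target.hostname or ""):
        return "ip-address"     # destination is a bare IP address
    if target.hostname != urlsplit(page_url).hostname:
        return "other-site"     # assumption: "same site" means identical host name
    if target.scheme != "https":
        return "not-https"      # same site, but not submitted to an https page
    return "ok"                 # same site, submitted over https

def audit(page_url, html):
    parser = FormActions()
    parser.feed(html)
    return [(a, classify(page_url, a)) for a in parser.actions]

# Constructed sample page; every host other than www.shop.com is made up.
SAMPLE_URL = "http://www.shop.com/form.html"
SAMPLE_HTML = """
<form method="POST" action="https://www.shop.com/cgi-bin/order.cgi"></form>
<form method="POST" action="/order.cgi"></form>
<form method="POST" action="http://192.0.2.10/order.cgi"></form>
<form method="POST" action="https://pay.example.net/order.cgi"></form>
<form method="POST" action="mailto:orders@example.net"></form>
"""
```

Calling audit(SAMPLE_URL, SAMPLE_HTML) returns one (action, verdict) pair per form; only the first form on the sample page comes back as "ok".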

To sum things up, get in the habit of checking the source code now and then on the pages of sites you visit on the Web. You’ll probably learn a lot in a much shorter time than you think, and you’ll become a much safer and happier Web surfer at the same time. You will certainly become safer and more secure.

Until next time here on 5 Star Support, regards to all.

Dave

Copyright © 2000-2014  5 Star Support All rights reserved.