October 4, 2005

  • Surf smartly.

    I'm sure many of you have had experience surfing secure websites (basically, whenever you see a picture of a closed padlock at the bottom of your browser). E-commerce websites are typically "secure". However, some of you probably don't know what the word "secure" means in this context and get a false sense of security when you see the little picture of a closed padlock. So I'll provide some clarifications here (particularly to those who have not taken an information system security course).

    A "secure" (SSL) connection can give you two distinct guarantees, and they are not the same thing:

    1. Secure communication: the conversation between you and the website is encrypted, so only the two of you can read it, and it is integrity-protected, so an eavesdropper who tampers with it in transit is detected. A third party who listens in learns (almost) nothing about what was said.
    2. Secure identity: also known as authentication; this means that you have good reason to believe the website is the real one, and not some impostor that is talking to you over a perfectly well-encrypted channel.

    The biggest problem is with the second kind of security, authentication. Authentication is typically done through digital certificates. Here's a metaphor of how it works. You talk to some person A. That person A claims to be Tom, and he shows you his ID card (the real-life counterpart of the digital certificate). Normally, the ID card is issued by a major authority (e.g. the government) whom you know will not fool you as far as identities are concerned, and whose seal you can recognise, so you can check for yourself that the card is genuine. Now imagine if, instead, "Tom" gives you an ID card issued by himself or by some Joe Blow that you don't know ("Hi, my name is Tom. And here's an ID card that proves I'm Tom. I issued it myself, but that's ok... Trust me."). That ID card is quite meaningless, right? The same thing applies on the Internet. There are authorities in matters of identities, called certificate authorities (CAs), which are security companies like VeriSign, and your browser ships with a list of them and a copy of each one's own certificate. Normally, if a website needs to convince you that it is the real website, it gives you a certificate signed by, say, VeriSign; your browser checks that signature against the VeriSign certificate it already holds (a purely local cryptographic check, it does not have to ask VeriSign anything), and it also checks that the name written on the certificate matches the site you actually typed in. The doubtful case is a website that gives you a certificate signed by the website itself or by a third party that the browser does not know about. In that case, your web browser will ask you whether or not you want to accept the certificate as real (hence also accepting the website as the real one), and you should take a good look at the certificate before deciding. Pay close attention to who signed the certificate: if it is signed by the website itself, it proves nothing about who you are talking to. If it is signed by a third party, see whether that third party is a major certificate authority like VeriSign. Your browser's certificate settings list the authorities it trusts.

    Now why does the little picture of a closed padlock create a false sense of security? Because the padlock only tells you that the browser has set up an encrypted connection and has accepted some certificate for it; it does not tell you how that certificate came to be accepted. If the browser had to ask you about a self-signed or unknown certificate and you clicked "accept", the padlock shows up just the same. In other words, it means that you may be having a conversation in secret with somebody, but you don't necessarily know if that somebody is the real website (good guy) or some impostor (bad guy). Imagine the disaster that ensues if you are giving out important information about your bank account or your credit card number this way.
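    Here is the certificate check from the two paragraphs above carried out in code. This is an added example, not code from the original post: it builds a throwaway root CA that stands in for the browser's list of trusted authorities, then hands the "browser" three server certificates (one signed by that CA, one self-signed, and one signed by the CA but made out to a different host name) and lets Go's standard X.509 verifier decide. It goes one step beyond the text by also modelling the "accept this certificate anyway" click, to show why the padlock then appears. The names "Example Root CA", "shop.example" and "other.example" are hypothetical; all keys are generated on the spot and the check is entirely local, no CA is contacted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical names for the example; neither the CA nor the hosts exist.
const (
	caName   = "Example Root CA"
	hostName = "shop.example"
)

// newKey makes a throwaway ECDSA P-256 key (constructed for the example, never reused).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues the certificate described by tmpl, signed with signer's key under the parent
// certificate. When parent == tmpl and signer is the subject's own key the result is
// self-signed: the "ID card I issued myself".
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// serverTemplate describes a server (leaf) certificate for one host name.
func serverTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser compares against the URL
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Scenario is one certificate a browser might be handed, plus the trust store it holds.
type Scenario struct {
	Leaf  *x509.Certificate
	Roots *x509.CertPool
}

// BuildScenarios creates a root CA the "browser" trusts and three server certificates:
// good (signed by that CA, for the host being visited), selfSigned (signed with the
// server's own key, by no authority at all) and wrongHost (signed by the trusted CA,
// but for a different host name).
func BuildScenarios() (good, selfSigned, wrongHost Scenario) {
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // root CAs are self-signed by nature

	roots := x509.NewCertPool() // stands in for the browser's built-in CA list
	roots.AddCert(caCert)

	srvKey := newKey()
	good = Scenario{sign(serverTemplate(2, hostName), caCert, &srvKey.PublicKey, caKey), roots}

	impostorKey := newKey()
	selfTmpl := serverTemplate(3, hostName)
	selfSigned = Scenario{sign(selfTmpl, selfTmpl, &impostorKey.PublicKey, impostorKey), roots}

	wrongHost = Scenario{sign(serverTemplate(4, "other.example"), caCert, &srvKey.PublicKey, caKey), roots}
	return
}

// Check plays the browser's part: verify the signature chain from the certificate up to a
// root in the trust store (a local check, the CA is never contacted) and compare the name
// on the certificate with the host being visited. Returns a short verdict.
func Check(s Scenario, host string) string {
	_, err := s.Leaf.Verify(x509.VerifyOptions{Roots: s.Roots, DNSName: host})
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknown):
		return "unknown issuer" // self-signed, or signed by a CA the browser does not know
	case errors.As(err, &hostErr):
		return "name mismatch" // genuine CA, but the card is made out to someone else
	default:
		return "invalid: " + err.Error()
	}
}

// AcceptAnyway models clicking "accept this certificate": the self-signed certificate is
// added to the trust store, after which the very same check passes and the padlock appears.
func AcceptAnyway(s Scenario) Scenario {
	roots := x509.NewCertPool()
	roots.AddCert(s.Leaf)
	return Scenario{s.Leaf, roots}
}

func main() {
	good, selfSigned, wrongHost := BuildScenarios()
	fmt.Println("CA-signed, right host: ", Check(good, hostName))
	fmt.Println("self-signed:           ", Check(selfSigned, hostName))
	fmt.Println("CA-signed, wrong host: ", Check(wrongHost, hostName))
	fmt.Println("self-signed, accepted: ", Check(AcceptAnyway(selfSigned), hostName))
}
```

    Run it with `go run` and the four verdicts are "trusted", "unknown issuer", "name mismatch" and "trusted" again. The last line is the whole point of the padlock warning: once you have told the browser to accept the impostor's certificate, the encryption works perfectly, the check passes, and nothing on screen distinguishes the impostor from the real site.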

    Read more about it here.

    - SwordAngel