Security Awareness Post 3: Recognizing Your Surroundings (Virtual)

If you have ever taken a survival course you have probably heard the instructor talk about how you need to be aware of your surroundings. Much of survival is about recognizing where you are, what is safe, and what is not. The Internet is no different. By far the most important factor in safe use of the web is recognizing where you are, and making appropriate decisions about what is safe and what is not; what is to be expected, and what is extraordinary. Unfortunately, most people either do not know how to tell where they are, or do not do so on a regular basis.

In the first post, we discussed fake e-mails and how to recognize them. There are similar cues to tell what web sites you are visiting. Consider this picture:

First, look at the address bar, the part that says This part is called the Uniform Resource Locator (URL). You probably already know that this is the address of the server you are connected to. What you may not know is which parts of it are interesting when making a decision about whether to trust this site. The first part of the URL is the "protocol" used: http in this case. A "protocol" is essentially the "language" that defines the words a client, in this case your web browser, can use to ask the server, in this case the web site, to send it some information, in this case a web page. The protocol above, http, is the standard protocol used on the web. Unless the protocol is https it is useless in making a safety decision.

The second part you see is the name of the web server: It has three parts. From right to left, it defines ".com" which originally meant "commercial" to distinguish it from edu (educational), gov (government) and so on. These days, it really is just what is known as a "top level domain" or TLD used to denote many sites on the Internet. There are some generic TLDs, such as .org (typically used for non-profits), .com, .edu, and a lot of national ones, such as .uk (United Kingdom), .fr (France), .ru (Russia), .cn (China), and many others. The TLD used in this case is not useful in making a safety decision.

The rest of the name of the web server, however:, is very useful. The "microsoft" part, in particular, identifies the organization or service that you are connected to. In other words, you are connected to a Microsoft server.

When you use the URL to make a decision about where you are, be careful with what you are looking for though. Criminals will often try to modify the name. For example, it may be “” (1 instead of ‘I’), “” (misspelled name), or “” (zeros instead of ‘o’). Any time you see a misspelled URL it is almost certainly a fake!
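The checks described so far can be written down as code. This is an added example, not part of the original post: it splits a URL into protocol, TLD and organization name, then flags names that differ from an expected one by a swapped character or a misspelling. The name "examplebank", the ".example" URLs and the distance threshold of 2 are constructed assumptions, and TLDs are assumed to be a single label.

```python
from urllib.parse import urlsplit

# Constructed list of organization names the reader expects to visit.
KNOWN_NAMES = {"examplebank"}
# Characters that look alike: the digit 1 vs. l/i, and zero vs. o.
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o"})


def edit_distance(a, b):
    """Levenshtein distance, used to catch misspelled names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url):
    """Read a URL the way the post does and classify the server name."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    # Right to left: the last label is the TLD, the one before it names the
    # organization. Assumption: single-label TLD (no "co.uk" handling).
    tld = labels[-1]
    name = labels[-2] if len(labels) >= 2 else ""
    if name in KNOWN_NAMES:
        verdict = "expected name"
    elif any(name.translate(FOLD) == k.translate(FOLD) for k in KNOWN_NAMES):
        verdict = "lookalike: swapped character"
    elif any(edit_distance(name, k) <= 2 for k in KNOWN_NAMES):
        verdict = "lookalike: misspelled"
    else:
        verdict = "unknown name"
    # Only https lets the browser verify who is on the other end.
    return {"protocol": parts.scheme, "tld": tld, "name": name,
            "identity_checkable": parts.scheme == "https", "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("https://www.examplebank.example/login",
              "http://www.examp1ebank.example/",
              "https://www.exampelbank.example/"):
        print(u, inspect_url(u))
```

A matching name is still only a hint: the name comparison says nothing about who operates the server.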

There is only one secure way to determine whether you trust the URL, however, and that is if it uses https as the protocol. Consider this picture:

The protocol used now is https. https is actually another protocol (either Secure Sockets Layer – SSL – or Transport Layer Security – TLS) layered on top of http. It is not crucial right now to know the technical details of that; merely what features it provides, which is two things: First, https provides a way for the web browser and the web server to encrypt all traffic between them so it cannot be intercepted and read in between the two. http, on the other hand, is unencrypted. Second, and most importantly, https gives YOU a way to identify the web server you are connecting to. When you use https, you get the little padlock in the address bar. Most people ignore the padlock, but if you go to a URL that you do not recognize, such as perhaps “” it can give you the crucial information you need to make a decision. If you click on the padlock you get a screen like this:

This screen is the really important part. It tells you who issued the Digital Certificate, and the name of the entity it was issued to. In this case you can tell that VeriSign has issued a certificate to Microsoft Corporation. This is the conclusive information on which business you are connecting to. Of course, you can only trust that as far as you trust the issuer of the certificate. Generally, however, it is safe to trust any certificate that does not cause your browser to say the certificate should not be trusted. The browser vendor has already decided which issuers you should trust, and unless you have good reason to, there is usually no point in doubting that decision. If a certificate should get stolen, your web browser will throw a warning because it can only be used on the site it was originally issued for. In other words, while the criminals may be able to register "" and even get a certificate for it, they cannot use a certificate that says "" in it. The browser will complain if they do.
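What the padlock screen reports, and why a certificate cannot be reused on a different site, can be shown with a short added example (not part of the original post). It reads a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns and checks the site name against the names in the certificate. The certificate contents and host names are constructed, and the matching is simplified to exact names plus a single leading wildcard label.

```python
# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank Inc."),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA G1"),)),
    "subjectAltName": (("DNS", "www.examplebank.example"),
                       ("DNS", "*.secure.examplebank.example")),
}


def field(name_tuples, key):
    """Return the first value for `key` in a subject or issuer structure."""
    for rdn in name_tuples:
        for k, v in rdn:
            if k == key:
                return v
    return None


def name_matches(pattern, host):
    """Match one certificate DNS name; '*' covers exactly one leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def identify(cert, host):
    """Report who the certificate was issued to and by, and whether it
    covers the host the browser actually connected to."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return {
        "issued_to": field(cert["subject"], "organizationName"),
        "issued_by": field(cert["issuer"], "organizationName"),
        "valid_for_host": any(name_matches(n, host) for n in names),
    }


if __name__ == "__main__":
    for host in ("www.examplebank.example", "www.examp1ebank.example"):
        print(host, identify(SAMPLE_CERT, host))
```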

In the picture above, the address bar is green. It is not always green. That only happens if the site uses a special identifier (known as a “Digital Certificate”, which I will explain in a later post) called an Extended Validation Certificate (EV Cert). An EV Cert means that the business has paid a lot more for the certificate than a standard one, and in return, the issuer of the certificate has performed some additional validation, such as ensuring that the business has a physical office somewhere. The color of the address bar actually provides little value to you when trying to determine which site you are on though. Some browsers, such as Internet Explorer, will show you information such as the business name in the little popup when the site uses an EV Certificate. However, the same information is typically available in the Details tab if you click the "View certificates" link in the pop-up. Click the "Subject" row and you will see it, as in this picture:

Using the padlock and evaluating which organization you are connected to is the only safe way to decide which site you are on. In many cases, you probably do not need that, but in some situations, such as when you are downloading software, and shopping or banking online, it is crucial.

Problems with Site Identification

Some sites use other techniques than https to help you identify them. For example, some banks have you type your username on a form that does not have a password field. Once you do it shows you a picture that you selected and the password field. The idea is that you selected the picture when you set up the account, and since the bank now shows you this picture you are supposed to trust that you are connected to the bank. Unfortunately, this system is not secure at all. Any attacker can probably guess your username (is it first initial+last name or last name+first initial?). If an attacker can guess your username, which is not really a secret, they can obtain your picture, steal it, and show it to you on their site. The criminals can even fake out the entire system by tricking you into going to their site and typing your username. They then submit your username to your bank, retrieve your picture, and show it to you on the attackers’ site. It is trivial to circumvent the system of using pictures to identify sites. The only trustworthy way to identify the site is to inspect the certificate.

Unfortunately, many sites, including some very large credit card issuers, do not use https to serve the login form. Using https for the form is strictly speaking not required to encrypt the password when you send it to them. However, it misses the second part of https: the part where the site identifies itself to you. If the site does not serve the login form over https you cannot verify where you are sending your password because you do not yet have a certificate to verify it with. If a company does this, complain to them and request that they serve the login form over https. If they refuse, take your business elsewhere. For example, Discover Card not only refuses to serve the logon form over https, but even redirects you from https to http if you type https in the address bar. After repeated complaints I decided to just cancel my Discover Card and use American Express instead, which redirects you to https should you accidentally type http in the address bar. Discover Card does not care about my privacy and safety, while American Express actually helps protect me against my own typos.
