Danger lurks behind every corner on the Web: phishing, fake Websites, stolen digital identities—it’s all right there on the Internet, waiting for unwary users to lower their guard and be taken for a ride.
Despite the cottage industry that has sprouted up with the sole intent of protecting us from the evils of modern life, all it takes to enjoy a safe relationship with the Digital Age is nothing more than the lowly old browser, coupled with a bit of knowledge about the way the Web works. Let’s take a look at the basic security features used by most Web browsers. Understanding how these features work can make the Web a little safer.
A normal connection between a browser and a site takes place completely “in the clear,” with all the information crossing—unchanged and unprotected—the various nodes that make up the Internet, until the data reaches its intended recipient. Obviously, this is no way to conduct a transaction that involves any sort of private information—be it your credit card number, tax data, or even just the password to your Twitter account.
For these purposes, Websites rely instead on a secure connection, which establishes trust between your browser and the server to which it talks. Secure connections, which are identified by the use of the “https” prefix in the Website’s address, involve two components: privacy and identification.
Privacy is guaranteed by means of encryption: browser and server agree on a way to transfer data in a way that makes the data look like gibberish to everyone else. This way, there is no way for someone who happens upon the data exchange to gain access to any information that you do not want to share.
A private conversation, however, is not safe unless you also know who you’re talking to—and this is where identification comes into play. Browsers rely on a tool known as a digital certificate to determine that the Website’s address is being used by its rightful owner. Digital certificates, in turn, are issued by so-called certificate authorities, which typically do so after validating certain aspects of a business, like its legal status, incorporation papers, domain ownership, and so on.
It’s important to understand that owning a digital certificate doesn’t automatically make a Website safe. It just means that the Web address you’re visiting is being operated by the entity that owns it.
This distinction is crucial, because the browser’s ability to provide a secure environment is merely a technological one; for obvious reasons, it cannot make judgment calls—which means that you cannot depend entirely on your browser to determine whether a site that is secure is also safe.
How browsers help us
Nonetheless, the process of establishing a secure connection gives us several useful tools to make sure that we are not about to fall prey to an Internet scam. The first one is simply watching for warnings: if the browser complains about some possible security issue, it’s always a good idea to pay attention and try to figure out what has happened.
Typically, however, the browser will only actively complain under very specific circumstances—for example, if the digital certificate used by a Website is invalid, or has expired. Under normal conditions, the visual cues that distinguish secure and insecure connections are much subtler, which means that you must actively look for them.
Therefore, the single and most important thing that you can do to protect yourself from scammers is to learn when you should expect a secure connection; these include some obvious scenarios, such as when you’re doing your banking, or when you are on the payment page of an e-commerce store, but even other activities that one wouldn’t normally consider crucial, like accessing an online e-mail system such as GMail.
Most browsers have some other kind of visual indication that a connection is secure; Safari, for example, displays a lock in the top-right corner of its window. If you click on the lock, the browser pops open a dialog box that shows who the owner of the digital certificate is, giving you an additional opportunity to ensure that you are, indeed, visiting the right place.
Unfortunately, scammers have gotten quite adept at tricking even the most attentive users by choosing addresses that are only subtly different from the real thing. Nobody would believe a banking site whose address is “www.joesfishmart.com,” but even the best can be tricked into trusting a domain like “yourb4nk.com,” or “your-bank.com.” And, while checking the information attached to the digital certificate will tell you who you’re dealing with, it’s not always a practical thing to do.
To overcome this problem, some Websites use what is known as an Extended Validation Certificate, which is only issued if a stringent set of validation criteria are met. When they encounter one of these certificates, most browsers will offer additional visual cues—in Safari’s case, you will see name of the site’s owner appear in green inside the address bar.
As you can see, the security of Web pages is a complicated—and sometimes messy—affair. A little attention and some simple tricks, however, can go a long way towards providing a safer browsing experience without the need for any special (and often expensive) software—except, that is your old, faithful browser.
[Frequent Macworld contributor Marco Tabini is based in Toronto and can be found on Twitter as @mtabini.]