How to Verify Security at a Website
There’s a great line from the movie Sneakers, when Robert Redford is in the limo with the Russian guy, and the Russian guy says, “You won’t know who to trust.” If you’re going to do any business online, you’ve got to trust someone, and knowing who the trusted trusters for trusting are is a great place to start.
Let’s start with Certificate Authorities (CAs); they’re the ones that verify who people are. For now, just know that not just anyone can be a Certificate Authority, there aren’t very many of them, and getting them to verify you is an arduous task. If it were an easy thing to do, having a CA verify you wouldn’t mean anything, would it?
So when you are at just any ol’ website where you aren’t collecting or giving out information like a Social Security number or credit card information, you know, sites like this one, you see just an http://www. in front of the website name, and either the site’s own favicon (a cutesy little icon that says something about the site) or just a plain piece of paper with a turned-down corner, like this:
If you click on that little page icon, you’ll see this:
I don’t feel the need to encrypt any transmissions at this point, so I’m not doing any security between the computer and the server except when I perform my admin functions. Since you’re not giving me any information to protect, I don’t need to protect anything. Also, since I’m not doing those things, it’s not really all that important that I am who I say I am. As we go into the more secure stuff, you’ll see why.
At some sites you will see a padlock, like this:
and when you click on the padlock, you’ll see this:
Yes, that is a horrible picture, but it’s getting difficult to find a website that goes only this far. This indicates that the website has an SSL certificate. SSL stands for Secure Sockets Layer, and it’s an encryption protocol that is used to secure transactions. An SSL certificate has to be obtained from a Certificate Authority. This CA is VeriSign, and VeriSign is telling you which site you are connected with, and that the connection is encrypted. That’s always something you want to see when you’re sending personal or financial information over the internet.
The super-duper thing you love to see is when there is something green in the left end of the address bar, like this:
At some websites, it may have the lock and the whole website name may be engulfed in green. The websites that have that are using an Extended Validation certificate, or EV Cert. That means that the Certificate Authority has not only verified that you are using SSL for an encrypted connection, and that you really are connecting to the site you think you are connecting to, but also who owns that website. If you click on that green lock, you see this:
The CA has verified that you are connected to facebook.com, using SSL, and that this particular facebook.com is owned by the person who genuinely owns facebook.com. In other words, the CA has verified the identity of this certificate holder as being the right website for that website address. Game, Set, Match.
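The same three facts the padlock dialog reports (which site, which CA, and whether an owner was verified) can be read straight from the certificate. The sketch below is an added example, not part of the original post; the sample certificates, "Example CA" and the `.example` host names are constructed. The `looks_ev` check is a heuristic based on the subject fields EV certificates carry, since browsers decide EV status from a policy identifier that `getpeercert()` does not expose.

```python
import socket
import ssl

# Subject fields the CA/Browser Forum guidelines require in an EV certificate.
EV_FIELDS = ("organizationName", "businessCategory", "serialNumber",
             "jurisdictionCountryName")

def fetch_cert(host, port=443):
    """Fetch a live certificate; raises ssl.SSLCertVerificationError on a bad chain or name."""
    ctx = ssl.create_default_context()  # verifies the CA chain and the hostname
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _flatten(name):
    """Convert getpeercert()'s nested (key, value) tuples into a dict."""
    return {key: value for rdn in name for key, value in rdn}

def _matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.partition(".")[2] == pattern[2:]
    return pattern == host

def padlock_summary(cert, host):
    """Report what the padlock dialog shows: site, issuing CA, verified owner."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "name_matches": any(_matches(p, host) for p in dns_names),
        "issued_by": issuer.get("organizationName") or issuer.get("commonName"),
        "owner": subject.get("organizationName"),  # None on domain-only certs
        "looks_ev": all(f in subject for f in EV_FIELDS),  # heuristic only
    }

# Constructed sample certificates in getpeercert() format (not real sites or CAs).
ISSUER = ((("organizationName", "Example CA"),),)
PLAIN_CERT = {"subject": ((("commonName", "shop.example"),),), "issuer": ISSUER,
              "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example"))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "US"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "0000000"),), (("commonName", "bank.example"),),
                       (("organizationName", "Example Bank, Inc."),)),
           "issuer": ISSUER, "subjectAltName": (("DNS", "bank.example"),)}

if __name__ == "__main__":
    print(padlock_summary(PLAIN_CERT, "www.shop.example"))
    print(padlock_summary(EV_CERT, "bank.example"))
```

To inspect a real site, pass the result of `fetch_cert("hostname")` to `padlock_summary` with the same hostname.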
Does this mean that nothing bad can ever happen with a green address? No, it doesn’t mean that; but if you only use internet connections you know have been well set up and are well and properly maintained and secured, and you only give your personal information to websites with at least the lock icon, you are making good use of industry-standard security tools. Just paying attention to these few things can mean the difference between being able to go on a cruise or spending your vacation chasing down an identity thief.