Why no padlocks? Is your online connection secure?

InfoSec Advisory with Del Aden:

Security on the web is more important than ever. With new vulnerabilities and data breaches being reported on a daily basis, it is crucial for us to do a better job of securing the stuff that we make so that we can protect users from various attacks.

Every year technology gets better, and every year hackers find a way around the newest forms of security. So, security gets updated and continues to work until it’s hacked again, and the cycle continues. That’s why it’s so important to keep your website up to date and reduce the chances of it being compromised.

Why No Padlock? – What does it mean if a website doesn’t have a padlock?

If the address-bar of a website does not show a padlock, you may not be communicating with the intended website and your data isn’t safe against eavesdropping!  Warning: You should never send any sensitive information (such as bank information, credit card data or social security numbers) to a website if the address-bar does not show a grey or green padlock. In such cases, you may not be communicating with the intended website and your data isn’t safe against eavesdropping!

Why am I seeing a ‘Not Secure’ warning?

The reason you are seeing the ‘Not Secure’ warning is because the web page or website you are visiting is not providing a secure connection. When your browser connects to a website it can either use the HTTP (insecure) or HTTPS (secure). Any page providing an HTTP connection will cause the ‘Not Secure’ warning to show.

Browsers (such as Chrome and Firefox) are warning users not to use insecure webpages. These Browsers are actively discouraging users from using webpages served insecurely. For example, Chrome (v62 and later) shows a security warning when users try to enter data on a webpage that is loaded over plain HTTP.

What does the green/grey padlock mean?

In contrast, when a webpage is loaded properly over HTTPS you will see a green padlock in the address-bar. This indicates to users that any information received or sent to the website will not be compromised by a Man In The Middle – even if such exists on the network.

So, what is HTTPS?

HTTPS is a secure version of HTTP. The ‘S’ stands for Secure. It protects the authenticity and integrity of the exchanged data over a network by encrypting and decrypting the requests and responses between clients and servers. HTTPS ensures that the communications between a client (such as a web browser) and a server is encrypted and cannot be intercepted by a Man In The Middle (MITM) attack.

This encryption is done over TLS (Transport Layer Security) or SSL (Secure Sockets Layer).  You need to be aware that SSL and TLS are often used interchangeably, but when people say SSL what they really mean is TLS. So keep that in mind.

Why HTTPS matters for every website

A common misconception about HTTPS is that it’s only important for websites that handle sensitive data such as e-commerce websites, social media sites or any website with user logins. This is because, in the past, HTTPS was primarily used for payment transactions or other sensitive communications.

However, that mind-set has changed and we’re beginning to see its use on all types of websites. But many still think implementing HTTPS for their site is optional because it’s “just a blog”, or because they don’t collect any data from users.  In my opinion, this is no longer an era wherein you can get away with just sticking to plain HTTP on your website. Aside from the fact that you’re obliged to provide security to your users, the web is moving a period when HTTPS becomes non-negotiable for all websites.

What are the risks of accessing insecure websites?

Insecure websites aren’t only bad for your business, they’re bad for your customers as well. If a customer fills out a form, someone at the same coffee shop or in the same airport could easily intercept the form. The website may never even receive the form submission.

But does a padlock mean a website is safe?

Well, strictly speaking, the browser padlock doesn’t actually mean a website is safe. Instead, it means that the data being transferred between you and the site is encrypted. This stops it being read by third-parties; however, it does not actually mean the site you’re using is legitimate or safe in any way.

In conclusion

The fact of the matter is that HTTPS is no longer a ‘nice to have’ feature for all websites; it is now a ‘Must Have’ feature.  As such, if you’re starting a new website, any type of website, you need to start with HTTPS from day-one. And for existing websites, it is important to switch over to HTTPS as soon as possible.

In this regard, Delta3 International stands ready to help your organisation achieve a more secure online environment, thus ensuring your customers will be able to interact with you safely and securely. At the end of the day our mission is the safety of your people, and the security of your data!

On the other hand, if you are a user trying to access a website, you should never send any sensitive information (such as bank information, credit card data or social security numbers) to a website if the address-bar does not show a grey or green padlock. If doubt, please contact Delta3 International in your country or region.

>>>Del Aden is a UK-based Enterprise Solution and Information Security Architect. He is an Industry-recognised Information Security Expert with over 20 years of hands-on experience in Consulting, Training, Public speaking, and Expert witness testimony. With expertise in Digital Transformation, Cyber Security, Data Governance and Business Continuity, Del Aden focuses on helping customers prevent security breaches, implement Digital Transformation and advice on Business Continuity Strategies and Exercises.

Contact: Deleaden@delta3.co |  WhatsApp:+44 7973 623 624  |  Web: www.delta3.co