A cautionary tale: Surfing a secure web

Internet security is a serious matter. Last year alone, 23,000 Australian businesses experienced some form of cyber security incident [1], which is why all major browsers, including Google Chrome, Mozilla Firefox and Apple Safari, display security warnings so that users can make informed choices about the sites they visit.

The risk of cyber attacks keeps rising, driven by global connectivity and by the use of cloud services to store sensitive data and personal information.

Gone are the days when a firewall and antivirus software were your only security measures. Neither the general public nor business leaders can leave information security to cyber security professionals alone; they need to be vigilant and aware of the sites they visit.

That starts with favouring sites whose addresses begin with https and that take further steps to prove their identity to you.

What’s behind the letter “s” in https

While the majority of websites are now encrypted, users occasionally land on an unencrypted one. To keep your data from being read or altered by fraudsters, browsers give you an immediate heads-up that you are in potentially dangerous waters, including marking HTTP-only sites (those missing the "s" in HTTPS) as "Not Secure".

Thankfully, the majority of sites that handle your data now use HTTPS (the S stands for "Secure"). HTTPS is HTTP carried over TLS (Transport Layer Security, still commonly called SSL after its predecessor, Secure Sockets Layer), which supplies the security properties plain HTTP lacks: encryption of the traffic, integrity protection against tampering in transit, and authentication of the server.

Certificate Authorities (CAs) are the other part of the equation. A CA is a trusted third party that issues digital certificates certifying that a given public key belongs to the subject named in the certificate.

This lets users confirm that the site they think they are talking to is the one they are actually talking to. The surest way to know is to inspect the certificate and check who it was issued to; if that does not match the organisation you expected, that is exactly the warning sign you need.

Today, browsers show a "Not Secure" warning for sites served over plain HTTP. In future they will likely take a harder stance and eventually refuse to load insecure sites at all, but until then it is more important than ever that we heed the warning signs.

Going beyond the padlock

Many internet users recognise the padlock symbol, which traditionally signified that the site is authenticated and encrypted. However, as browsers move towards encryption by default, where every site is expected to use HTTPS, the padlock on its own is no longer enough.

Threat actors know that internet users look for this symbol and are obtaining low-touch Domain Validated (DV) certificates, which require only proof that the applicant controls the domain and carry no information about who that applicant is.

For example, an attacker registers the domain "amaz0n.com" and puts up a site there that looks exactly like amazon.com. They can obtain a DV certificate for it with no vetting of whether they are actually Amazon: the CA checks only that they control amaz0n.com, which they do. The site then shows the padlock, and the attacker uses phishing emails or other lures to get users to purchase items or log into their accounts on the mimic site.

In contrast, many leading certificate issuers employ trained validation agents who check official business registries for proof that the applying organisation exists, and who block certificate requests that appear to spoof popular brands. That is why leading brands use high-assurance TLS certificates that require more stringent vetting of the organisation's identity: Organisation Validation (OV) and Extended Validation (EV).

As more and more Australians shop, share, bank and view accounts online, secure browsing has become even more critical. Clicking the padlock shows not only which CA issued the certificate but also whether the organisation behind it has been verified, i.e. whether you are dealing with amaz0n.com or with Amazon.com, Inc. If the website owner uses a high-assurance certificate, the company's details are visible in the certificate; see the step-by-step screenshots below:

[Screenshots: Step 1-2, Step 3, What you'll see]

Consumers need to take responsibility for verifying the sites they browse in order to keep themselves safe online. Checking the certificate behind the padlock provides that added assurance.
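What clicking the padlock surfaces can also be checked programmatically, which makes the DV/OV distinction above concrete. The Go program below is an added example written for this page, not code from the original article or from DigiCert. It builds two constructed, self-signed certificates that stand in for what a browser would receive from the look-alike site and from the genuine one (a real certificate would be CA-issued; only the subject, subjectAltName and certificatePolicies fields matter here), then reads the same three things a careful user should look at: the host names the certificate is valid for, the Organization field in the subject (empty for DV), and the CA/Browser Forum policy OID that states the validation level (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV). The host names and the organisation name are assumed values for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CA/Browser Forum reserved certificatePolicies OIDs. A publicly trusted TLS
// certificate carries one of them to state which validation level it received.
var (
	oidDV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidEV                  = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32} // the extension itself
)

// ValidationLevel reports the vetting the issuing CA asserts: "EV", "OV", "DV" or "unknown".
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidEV):
			return "EV"
		case p.Equal(oidOV):
			return "OV"
		case p.Equal(oidDV):
			return "DV"
		}
	}
	return "unknown"
}

// Organization is the vetted company name in the subject; empty for DV, where only domain control was checked.
func Organization(cert *x509.Certificate) string {
	return strings.Join(cert.Subject.Organization, ", ")
}

// policyInformation is RFC 5280 PolicyInformation with the qualifiers omitted.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// selfSigned builds a constructed, self-signed leaf standing in for a CA-issued one (assumed values).
func selfSigned(dnsName, org string, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	policies, err := asn1.Marshal([]policyInformation{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	subject := pkix.Name{CommonName: dnsName}
	if org != "" { // OV/EV: the CA placed the vetted organisation into the subject
		subject.Organization = []string{org}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// Emitted via ExtraExtensions so the bytes are identical on every Go release.
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: policies}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed look-alike: valid for amaz0n.com, shows a padlock, names no organisation.
	dv, err := selfSigned("amaz0n.com", "", oidDV)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the brand's own OV certificate.
	ov, err := selfSigned("amazon.com", "Amazon.com, Inc.", oidOV)
	if err != nil {
		panic(err)
	}
	for _, cert := range []*x509.Certificate{dv, ov} {
		// VerifyHostname is the same check the browser runs against the address bar.
		fmt.Printf("%-12s validation=%s organisation=%q valid for amazon.com=%v\n", cert.DNSNames[0],
			ValidationLevel(cert), Organization(cert), cert.VerifyHostname("amazon.com") == nil)
	}
}
```

To run the same inspection against a live site, take the leaf certificate from `tls.Dial("tcp", "example.com:443", nil)` via `conn.ConnectionState().PeerCertificates[0]` and pass it to the same two functions; at a shell, `openssl s_client -connect example.com:443 -servername example.com </dev/null | openssl x509 -noout -subject -issuer` prints the subject and issuer fields the padlock dialog shows. A subject that carries only a CN together with the DV policy OID tells you the CA vetted domain control and nothing about who is behind the site, which is exactly the amaz0n.com case.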

How you can help

You can start by taking the extra step of clicking the padlock and verifying the identity of the organisation behind the website you are visiting. If nothing more than a domain name appears in the certificate, the site operators have not given you full authentication of their identity: the CA checked only that they control that domain.

If a site you use regularly displays the "Not Secure" warning, contact its operators and ask them to support HTTPS, which they can do by obtaining a TLS certificate and configuring their server to use it. You can also try manually replacing http with https in the address bar, as some sites support HTTPS but do not redirect to it by default.

Even for basic browsing over HTTP, such as looking up a recipe or reading the news, everything you view can be monitored, modified and recorded by anyone on the network path, such as your ISP or a government.

As a user, the only way to avoid insecure sites is actually quite simple: do not use them. Pay attention to what your browser is telling you, look for additional signs that the company operating the website is the one you intended to visit, and never trust your private information to a site that is not both encrypting its traffic and authenticating its identity.

[1] CIO Australia, "Australia's lack of cyber security engagement remains a perplexing issue", 2019.

  • Dean Coclin is the Senior Director of Business Development at DigiCert


About DigiCert: DigiCert is the world’s leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognised for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.