When it comes to website security, many believe that when you enter your private info, the only way to be reasonably assured that it really is the actual website — and not a spoof — is to look for https. We have all come to understand that’s how you can make sure a website is legitimate. Well, that’s what I thought too – but I was wrong and so are you if that’s what you think.

What does it really mean?

The https in the address correctly means that you are communicating with the website securely. It DOES NOT mean that the website is legitimate! Let me explain. The “S” in https stands for secure and what it means is that the data from your computer to the website is encrypted, that’s it.

To add the ‘s’ to the end of your website, the site’s owner just needs to obtain a certificate that enables them to encrypt personal data. Most of us have ASSUMED that the registration of this certificate would weed out any bad actors out there. However, that isn’t the case.

There are criminals and hackers out there

Cybercriminals and hackers have figured out that they just need to get unsuspecting victims to trust their website. People incorrectly think that the certificate is only given to legitimate, trusted sites.

What you don’t know is that there are actually three types of certificates that can be used: DV, OV, and EV. The DV certificate stands for domain validated, meaning that the receiver has control of the domain, period. The OV certificate indicates that the organization has been validated, meaning the actual entity requesting this certificate has been reviewed. The EV certificate offers proof of extended validation. It is the most demanding type of certificate and requires the most documentation about the entity that is being issued the certificate.

Anybody can get a DV certificate and convert their website into a secured site. You just need to learn how to identify what type of website you are looking at. Hackers can be very clever at tricking you into thinking the website is legitimate, so just because it says https and has the lock symbol, does not ensure you are safe on that site.

To identify harmful sites, look at the address bar where the URL is and see where the first slash is. For example, when you look at the two websites below, you’ll notice a difference between the placement of the first single slash is.

https://www.paypal.com.imabadwebsite.ru/make-a-payment/

https://www.paypal.com/make-a-payment/

The first link is a bad one, and not just because of the words in the URL. In the first link, the actual domain name, which is immediately followed by the “/” is “imabadwebsite.ru”. Every section separated by a “.” before the domain name is called a sub domain.

As long as I have control of the domain “imabadwebsite.ru” I can get a DV certificate and start impersonating legitimate websites. Since the OV and EV type certificates require an examination of the actual organization, it is highly unlikely that a website with this type of certificate will be issued to a malicious organization.

The moral of the story?

Just because it says “S” does not mean that it is legitimate, it only means that it is encrypted. Don’t take for granted that your customers understand the complexities of technology or that they aren’t vulnerable to any of today’s security threats – be sure to get proactive about explaining details like this, that they might overlook, today.

Photo:  Jonathan Schoeps / Shutterstock

Brent Fairbanks

Posted by Brent Fairbanks

Brent Fairbanks is the President of Electronic and Computer Specialties, Inc., which he founded in 1986. Brent has worked in the computer and electronics industry since 1979 and has many degrees and IT industry certifications.

One Comment

  1. Avatar

    Well written article with lots of information.

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *