How do you know if the website you’re using is safe/secure?
“Well,” you might say, “a technology inclined person I know specifically told me to always look for the green lock while entering login details or credit card information on a website. So that must mean it’s secure.”
This answer is almost correct, but there is another, lesser-known step you need to take to be safe online, which is simply to check that the domain is correct. Below I'll explain why in layman's terms.
What does the green lock do?
To explain the green lock (from this point on referred to as the HTTPS protocol), let's create a fictitious scenario where Alice wants to send messages to Bob and receive his responses. Alice can't hand the message to Bob directly but must use intermediaries, one of whom is Eve. This can be seen in the diagram below.
When Alice sends a message to Bob, and vice versa, insecurely (without the green lock), any intermediary can read the message before passing it along. So Eve can read all the messages between Alice and Bob. This isn't a problem in most cases, but when the messages contain credit card details or other personal information, it is.
The solution to this problem is sending the messages with the HTTPS protocol (aka the green lock). When Alice sends a message with the HTTPS protocol, the message is encrypted in such a way that only Bob can decrypt the message, and when Bob replies it’s encrypted in such a way that only Alice can decrypt it. Thus, Eve will be able to see that there is traffic between Alice and Bob, but it’s impossible for her to read the message.
To put this back in computer terms, your computer is Alice, Bob is the website you’re viewing (for example fnb.co.za), and Eve can be any node in the vast network that forms the internet that is recording all the traffic flowing through it. When your web browser shows the green lock near the domain, it means your computer and the website are communicating securely and the eavesdropper is unable to obtain any useful information.
What’s a domain and why should I check it?
At this point you might be asking yourself why you’re reading this article in the first place, as you already knew about the green lock and to always check for it, but in this section, I’ll explain why this isn’t enough and why you should check the domain as well.
First things first: what's a domain, and what part of it should you be checking? A domain is, in basic terms, the address of the website, usually shown at the top of your web browser. The part you should check is the "top level" part of the domain, which I'll bold in a few examples:
Now that you know what to check, let's create a scenario to show why you should check it. Alice has received an email from Bab (Bob's evil twin) in which he pretends to be Bob and asks her to urgently send him a message containing personal info. Alice, being green lock savvy, sends the message using the HTTPS protocol, but neglects to check where she's sending it.
By using HTTPS, Alice has once again prevented Eve from reading the message, but by not checking the destination she has securely sent her personal info to the malicious person known as Bab.
Let's bring this back to real terms: you receive an email stating that money has been withdrawn suspiciously from your account and that you need to log in immediately to confirm whether it was fraudulent. Within the email a helpful link is provided to take you straight to the website in question. When you click on the link you are taken to a website that looks exactly like the expected one, green lock and all, but on closer inspection of the domain you'll notice a discrepancy in the name. If you check only the green lock and not the domain in this scenario, you'll securely hand a malicious person your banking login details.
Here are a few examples of domains not to trust, if we assume the top examples are trusted domains:
To sum up, checking for the green lock is important, as it ensures that only the site you're communicating with can read your messages, but you still need to ensure that the site you're communicating with is the expected site and not a closely named duplicate.
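The two checks this post recommends, the green lock and the domain, can be written down as a short script. The following is an added example, not code from the original post; it uses the article's own example site fnb.co.za, a constructed handful of lookalike addresses, and a tiny hand-made subset of the Public Suffix List (publicsuffix.org) as an assumption, since a real browser consults the full list to work out which part of an address is the "top level" part you should compare.

```python
from urllib.parse import urlsplit

# Constructed toy subset of the Public Suffix List (publicsuffix.org).
# Assumption for this example only; a real check would load the full list.
# "co.za" being a public suffix means the part to compare is the label in
# front of it (fnb.co.za), not "co.za" itself.
PUBLIC_SUFFIXES = {"com", "net", "org", "za", "co.za", "org.za", "example"}


def registrable_domain(hostname):
    """Return the part of a hostname a user should compare: the label directly
    in front of the longest matching public suffix, plus that suffix.
    'secure.online.fnb.co.za' -> 'fnb.co.za'."""
    labels = hostname.lower().rstrip(".").split(".")
    # Longer suffixes are tried first, so 'co.za' wins over 'za'.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the whole name is a public suffix; nothing to compare
            return ".".join(labels[i - 1:])
    return None  # no known suffix; treat as unrecognised


def check_url(url, expected_domain):
    """Apply both checks from the post: is the page served over HTTPS (the green
    lock), and does the address really belong to the expected site?"""
    parts = urlsplit(url)
    domain = registrable_domain(parts.hostname or "")
    return {
        "https": parts.scheme == "https",
        "domain": domain,
        "expected": domain == expected_domain.lower(),
    }


# Constructed sample links of the kind that might arrive in an email.
# Only the first two point at the real site; the others fail one of the checks.
SAMPLE_URLS = [
    "https://fnb.co.za/login",
    "https://online.fnb.co.za/login",
    "http://fnb.co.za/login",                        # no green lock
    "https://fnb.co.za.secure-login.example/login",  # real name buried in a lookalike
    "https://fnb-online.co.za/login",                # closely named duplicate
]


def audit(urls, expected_domain="fnb.co.za"):
    """Run check_url over a list of links and return the results keyed by URL."""
    return {url: check_url(url, expected_domain) for url in urls}


if __name__ == "__main__":
    for url, result in audit(SAMPLE_URLS).items():
        verdict = "OK" if result["https"] and result["expected"] else "DO NOT LOG IN"
        print(f"{verdict:14} {url}  (domain seen: {result['domain']})")
```

Note that the third and fourth sample links both show the real name somewhere in the address; what matters is the registrable domain the browser would actually connect to, which is why a glance at the green lock alone is not enough.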
Another tip is to never log in after clicking a link in an email, but rather to go to the site directly, but that sounds like an interesting topic for another post…