Monday, August 4, 2008

Web Surfing and Security

So you sit down at your web browser and head to some site on the web, and instead of getting the web site you get this warning from your browser:

What should you do? Well, that depends. The absolutely safe answer is to close the website and go on to something else.

But the goal of this post is to try to educate you so you can decide what your risk is and make an informed decision.

First, what is this certificate thing? What does this error even mean? To answer that I have to explain a little bit about what a secure web site is. A secure web site is one that uses encryption between your web browser and the web site. You can tell a secure web site by the fact that its URL starts with "https" instead of "http".

That encryption does two things. First it provides for confidentiality. If it's working right no one else on the network can eavesdrop on (or modify) the traffic between your browser and the web site. The second thing it does is authenticate the web site, that is, it allows the web site to prove it is who it says it is to your browser. This works the same way you use your driver's license to prove you are who you say you are, except in the case of the web site it's called a certificate instead of a driver's license.

So the web site shows its certificate to your web browser and your web browser looks at it, and most of the time it thinks it looks good and all goes smoothly (it's actually a complicated cryptographic process, but you get the gist). Now the problem is that sometimes the web browser looks at the certificate and something doesn't look right. For example, some equivalents would be your driver's license saying you are 5'10" when you are actually 5'8", or saying you are 300 lbs when you look a lot closer to 150 lbs, or the driver's license having been issued by some state from which you've never seen a license before, so you have no idea what it's supposed to look like, or it having expired 1 week ago.

These could all be simple mistakes, or it could be someone trying to impersonate the web site (in other words, steal its identity). For the purpose of this post, I'm not going to worry about the specific error - all of the above have equivalents in the web world, but understanding the error is advanced material. I'm just going to lump them all together. I'm also not going to get into how someone might be doing this, as that's also rather technical.
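For readers who do want to see those web-world equivalents, here is an added example (not part of the original post) that runs the three driver's-license checks on a certificate: has it expired, does the name on it match the site you asked for, and was it issued by someone you recognize. The certificate is a constructed sample in the dictionary layout Python's ssl module uses, and the trusted issuer name and host names are assumptions made up for illustration.

```python
import ssl

# Assumption: issuers this "browser" trusts (constructed name, not a real trust store).
TRUSTED_ISSUERS = {"Example Trust Root CA"}

def _field(rdns, key):
    """Pull one field (e.g. commonName) out of the nested subject/issuer tuples."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def _name_matches(pattern, host):
    """Exact match, or a single left-most wildcard label (*.example.org)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def certificate_problems(cert, host, now):
    """Return the list of reasons a browser would warn about this certificate."""
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")         # the license that expired a week ago
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, host) for n in names):
        problems.append("name mismatch")   # the details don't match who is in front of you
    if _field(cert["issuer"], "commonName") not in TRUSTED_ISSUERS:
        problems.append("unknown issuer")  # a state you've never seen a license from
    return problems

# Constructed sample certificate (not taken from any real site).
SAMPLE = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", "Example Trust Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jul 28 00:00:00 2008 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.shop.example.org")),
}
NOW = ssl.cert_time_to_seconds("Aug  4 00:00:00 2008 GMT")  # the date of this post

if __name__ == "__main__":
    print(certificate_problems(SAMPLE, "www.example.org", NOW))
```

An empty list means the certificate passed all three checks; anything else is what the browser warning is telling you about.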

So, what should you do? Well there are some factors to consider:

Have you visited the site before?

How did you end up at the web site? Did you click on a link in an email message? Did you type in the URL yourself? Did you select it from your bookmarks? Did you get there from another site?

Where are you? Are you sitting on your home network or at work? Or are you on a network at a public place?

What are you going to the web site to do? Is it your online bank or some other site you are going to type an important password into? Or is it just a site you are planning to read?

Let's take these factors one at a time.

Have you visited the site before? Did you see the certificate error then? If the answers are "yes" and "no", danger! This means something has changed and generally that is not a good thing. If this were the case and the web site was at all important to me, I would stop and try again at a later time and/or different place. It's possible it's some mistake the site is not aware of, and you could call their support number to let them know. If you constantly see errors from an important site, it might be time to consider finding a different web site.

How did you get to the site? If you ended up at the web site from anything but your bookmarks, you could easily be the victim of a link designed to mislead you to a malicious site. Or if you typed in the URL, you could have made a typo and wound up at a look-alike web site. Assuming you have been to the site before and bookmarked it (always a good idea for important sites), go back and load it from your bookmarks and see if the error goes away. If you are loading it from a bookmark, then presumably you've been there before and it goes back to the question in the previous paragraph - an error in this case is a cause for concern.

Where are you? Or, in other words, what sort of network are you on? If you are sitting in a public place using a public network, be very wary. It's easy for someone sitting nearby (or on the other side of a wall) to be misdirecting your traffic and trying to gather your password (the Symantec web site has a nice discussion of this for more information). Unfortunately, home and work networks are less secure than they used to be thanks to an issue with DNS security (sorry, I won't explain DNS here, just know it's one of the key services to how the Internet works). This means being on a home or work network would make me a little more comfortable, but not much; it would depend on how confident I was that the administrator was keeping up with these vulnerabilities. If I know the administrator and they tell me they are on top of the DNS problems, I'm comfortable. If you are sitting in a home, it's a question of how much you are trusting that home's internet service provider (ISP), to which my general answer is "not much" unless I've checked things out myself.

Finally, what are you going to the web site to do? If I'm going to my online bank and my answer to any of the above questions leads me to be cautious, I'm not going to do it. Just too dangerous. If I'm going to a site that isn't that sensitive, where I'm not going to be typing any important passwords or looking at any information that's sensitive (remember the same security that allows you to authenticate the web site also provides for confidentiality; if the first is broken, so is the second), I might go ahead. It's a risk and I have to balance that risk with how badly I need to get whatever it is I'm doing done and how serious the threat is based on the answers to the questions above.

I can't really answer that question for you as there are too many factors, but hopefully this post gives you enough understanding of the risks to come to your own answer.

1 comment:

  1. First it provides for confidentiality. If it's working right no one else on the network can eavesdrop on (or modify) the traffic between your browser and the web site.