All you really need to enjoy a safe relationship with the web is your humble (and usually free) browser, coupled with a bit of knowledge about how things work online.
A matter of trust
A normal connection between a browser and a website takes place completely in the clear, with all the information crossing the internet unchanged and unprotected. Obviously, this is no way to conduct a transaction that involves any sort of private information, be it your credit card number, tax data, or even just the password to your Twitter account.
For those purposes, websites rely instead on a secure connection, which establishes trust between your browser and the server to which it talks. Secure connections, which are identified by the use of the https prefix in a website’s address, involve two components: privacy and identification.
Figure: Is it the right site? If you see a lock icon at the top right of a Safari window, click on it to display a digital certificate, which is intended to prove that the site is legit. Some sites, such as Apple.com, use an Extended Validation Certificate, which has more stringent validation criteria.
Privacy is guaranteed by means of encryption: browser and server agree on a way to transfer data that will make the data look like gibberish to everyone else. Still, a private conversation is not safe unless you also know who you’re talking to.
Browsers rely on a tool known as a digital certificate to determine that the website’s address is being used by its rightful owner. Digital certificates are issued by certificate authorities that validate aspects of a business, such as its legal status, incorporation papers, domain ownership, and so on.
Owning a digital certificate doesn’t make a website safe. It just means that the web address you’re visiting is being operated by the entity that owns it. This distinction is crucial, because the browser’s ability to provide a secure environment is strictly technological; for obvious reasons, it can’t make judgment calls.
How browsers can help
Typically, the browser will only actively complain about a connection under very specific circumstances – for example, if the digital certificate used by a website is invalid or has expired. Under normal conditions, the visual cues that distinguish secure and insecure connections are much subtler.
It’s best to learn when you should expect a secure connection – for example, when you’re banking online, or when you’re on the payment page of an e-commerce store.
Most browsers let you know if a connection is secure. Safari, for example, displays a lock in the upper-right corner of the browser’s window. If you click on the lock, a dialog box pops open, revealing the owner of the digital certificate.
Scammers have become adept at tricking users by choosing addresses that are subtly different from the real thing. Nobody would believe a banking site with the address joesfishmart.com, but many can be tricked with a domain like yourb4nk.com, or your-bank.com. And while checking the information attached to the digital certificate will tell you who you’re dealing with, doing so isn’t always practical.
To overcome this problem, some websites use what is known as an Extended Validation Certificate (or EV certificate), which is issued only if a stringent set of validation criteria is met. When they encounter one of these certificates, most browsers will offer additional visual cues – in Safari’s case, you’ll see the name of the site’s owner appear in green inside the address bar.
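To make concrete what the browser checks before showing the lock, and what the certificate dialog actually tells you, here is an added example (not code from the original article). It runs the three checks the text describes over a constructed certificate in the shape Python's ssl module returns: is the certificate still valid, is it issued for exactly the name in the address bar (so a lookalike such as yourb4nk.com does not match a certificate for yourbank.com), and which organization the dialog would name as the owner. The "Your Bank" certificate and its names are hypothetical sample data.

```python
"""What a site certificate proves: validity, name binding, and owner.

The SAMPLE_CERT below is a constructed example in the dict format that
ssl.SSLSocket.getpeercert() returns; it is not a real site's certificate.
"""
import ssl
import time

SAMPLE_CERT = {  # constructed, hypothetical "Your Bank" certificate
    "subject": ((("countryName", "US"),),
                (("organizationName", "Your Bank, N.A."),),
                (("commonName", "www.yourbank.com"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.yourbank.com"), ("DNS", "yourbank.com"),
                       ("DNS", "*.secure.yourbank.com")),
    "notBefore": "Mar 15 00:00:00 2024 GMT",
    "notAfter": "Mar 15 00:00:00 2026 GMT",
}

def _dns_match(pattern, hostname):
    """Exact match, or a '*' in the leftmost label matching exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) > 1 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]

def certificate_names(cert):
    """Names the certificate is bound to: the DNS entries of subjectAltName."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def certificate_owner(cert):
    """The organization the lock dialog would display (None if not present)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def is_time_valid(cert, now=None):
    """True if 'now' (POSIX seconds, default current time) is inside the validity period."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])

def assess(cert, hostname, now=None):
    """Return (ok, reason): the browser's decision plus what it would tell the user."""
    if not is_time_valid(cert, now):
        return False, "certificate is expired or not yet valid"
    if not any(_dns_match(name, hostname) for name in certificate_names(cert)):
        return False, f"certificate is not issued for {hostname}"
    return True, f"operated by {certificate_owner(cert) or 'an unnamed organization'}"
```

Note that a scammer can obtain a perfectly valid certificate for yourb4nk.com; the name check only guarantees that the certificate belongs to the address you typed, which is why reading the owner in the dialog still matters.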
As you can see, a little awareness and some simple tricks can go a long way toward providing a safer browsing experience.