by Davide Pavani
Recognize a secure website
One of the biggest challenges for those who surf the internet and are not very familiar with information technology is recognizing the authenticity and security of a website.
Whether the goal is to browse, search, or make a purchase, even normal usage patterns risk exposure to vulnerabilities on sensitive data such as passwords, credit card information, and personal data.
One must be especially wary of a practice called “spoofing,” in which cybercriminals build a malicious web page designed to closely resemble a well-known site. At first glance these fake sites look identical to the ones we use every day, but they exploit the fact that the visual part of a website is easy to reproduce in order to lure potential victims into dangerous situations. So how can you distinguish “spoofed” sites from safe ones?
Fortunately, though it may not seem like it, the process is rather simple: just check the protocol used for the connection between the PC and the server that hosts the website.
First, some context. Your PC and the web server communicate via a protocol called HTTP (HyperText Transfer Protocol), but this does not guarantee a secure connection: HTTP exists only to carry traffic between two machines; it does not verify the authenticity of the server it is communicating with. In addition, our data may follow a long and indirect path before arriving at the server, increasing the risk of interception by programs called “packet sniffers,” which let whoever runs them read the contents of unencrypted network traffic directly.
The solution to this problem is the HTTPS protocol (HTTP + SSL/TLS), which encapsulates HTTP traffic in an encrypted layer and imposes certain rules to ensure a secure connection with the server.
This encryption – which protects not just the data within the HTTP packet, but also the information about the packet itself – keeps the connection private, and the rules added by the SSL/TLS protocol require the server to be authenticated before sending any data.
While complex in theory, checking the security of a website is much easier in practice. As an example we take a famous site which almost everyone is familiar with, whether they used it to make a purchase or just to browse: Amazon.
Below is the evidence it follows the protocol just described:
But is it enough?
Let’s take a closer look.
By clicking on the padlock you can see that the server has a valid “digital certificate” that authenticates it.
It is possible to go into even more detail by checking the body that issued the certificate and the type of encryption used:
In fact, clicking on “Certificate (Valid)” will open a window with even more information:
Regarding authentication, you can see all the information on the digital certificate and who granted it.
For security, however, in the ‘details’ section of the open window you can see two important pieces of information:
In the selected part (highlighted in blue) it is possible to see the encryption algorithm used and the length of the key used.
Each encryption algorithm (for example RSA) works differently and uses keys of a specific length; in our case, RSA keys from 2048 to 4096 bits long are considered secure because nobody has managed to break, or “crack,” them.
In other words, once you know which encryption algorithm a site uses, you also know which key lengths are considered ‘safe’ for that algorithm, and can check the key the site presents if you have suspicions.
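The checks described above (issuer, hostname, validity period, algorithm and key length) can also be done programmatically. The following is an added example, not code from the article, using only Go's standard library against a self-signed certificate it constructs itself; the names CertChecks, InspectCert and newTestCert and the host www.example.com are my own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertChecks holds what the article tells the reader to look for in the padlock
// dialog: issuer, host match, validity period, and the key algorithm and length.
type CertChecks struct {
	Issuer      string
	HostMatches bool
	InValidity  bool
	KeyAlgo     string
	KeyBits     int
	KeyStrong   bool // RSA key of at least 2048 bits, the article's lower bound
}

// InspectCert evaluates cert as presented by host at time now.
func InspectCert(cert *x509.Certificate, host string, now time.Time) CertChecks {
	c := CertChecks{
		Issuer:      cert.Issuer.CommonName,
		HostMatches: cert.VerifyHostname(host) == nil,
		InValidity:  !now.Before(cert.NotBefore) && !now.After(cert.NotAfter),
		KeyAlgo:     cert.PublicKeyAlgorithm.String(),
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		c.KeyBits = pub.N.BitLen()
		c.KeyStrong = c.KeyBits >= 2048
	}
	return c
}

// newTestCert builds a self-signed RSA certificate for host: a constructed sample, not a real site's.
func newTestCert(host string, bits int, notBefore time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

A real browser additionally walks the chain of issuers up to a trusted root; this example only reads the fields the article discusses from a single certificate.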
Particularly when dealing with major websites run by large corporations such as Amazon or Facebook, being sure you are on the real site should be easy. Such large companies have a vested interest in making it as simple as possible to prove their authenticity, since they can’t afford to offer unsafe services. If your connection isn’t secure (HTTP instead of HTTPS) or especially if the website’s digital certificate is missing or invalid, these are huge red flags that you are viewing a spoofed site!