A padlock *inside* a web page? Ignore it!
Date: Dec 7, 2015
Guest Post: Paul Ducklin, Sophos.
You no doubt know the difference between HTTP and HTTPS.
Many web addresses start with http://, which is short for HyperText Transfer Protocol, the “language” that browsers and web servers use when they talk to each other.
These days, however, an increasing number of websites start with https://, which means HTTP with added Security.
HTTPS isn’t perfect – crooks can register to use it, after all, albeit with more difficulty than most legitimate sites – but it helps a lot.
When you make an HTTPS connection, a padlock appears in your browser’s address bar, and you can click on the padlock to find out more about who’s at the other end.
That’s using cryptography to help with authenticity.
Additionally, when you use HTTPS, the data you send back and forth is encrypted, so that other people round about – in the same coffee shop as you, for example – can’t eavesdrop on your network connection and see what you’re saying to your bank.
Better yet, they can’t intercept and change what you and your bank are discussing.
That’s known in data security language as integrity.
If a site where you would expect security doesn’t use HTTPS, stop at once – you’re probably on a fake site that’s phishing for your password!
But be careful: ALWAYS look for the HTTPS padlock and associated security information in your browser’s address bar.
NEVER rely on anything that’s inside a web page to convince you that the page is secure, because the content of the page is controlled by the web server at the other end.
A picture of a padlock inside a web page is just that: a picture of a padlock.