Is this site secure?

Posted: 1st May 2000 | Filed under: Press Articles, Technical
Author: Paul Ockenden
First Appeared in PC Pro 2000

As you might have read in the news a few months back, some credit card companies are amending their terms and conditions to insist that their cards may only be used on the Internet to make purchases from 'secure' sites. This is an interesting development, especially since it's difficult for a user to tell whether they're actually connected to a secure site or not.

Most people think that the little padlock or key symbol that lights up on the status bar of their browser establishes that a site is secure. They know this, of course, because their 'Janet and John learn the Internet in 2.1 nanoseconds (for dummies)' book told them so.

Unfortunately, Janet and John are wrong on this occasion, as that little padlock or key can be misleading. It might be to site security what ISO-9000 certification is to quality; that is, showing that a token effort has been made but in no way guaranteeing that things are being done properly. Consider the following scenarios:

On a site that is built using frames, the outer frameset might be served via https, thus illuminating that little padlock symbol, but the content frames could arrive via vanilla http. Some browsers will give a warning in such circumstances, but most users will have switched this warning off because so many secure sites have certain non-secure content items contained within them.

Consider the case where a site takes your order via a secure server, everything is done via SSL (Secure Sockets Layer) and your details pass, fully encrypted, over the Internet. But what happens next? If the vendor's server is sitting on-site and connected directly into their order processing system, you'll be fine. However, in many cases, their server will be running at an off-site hosting facility. Often, either a clear text file or database of orders will be written to disk on the server, to be collected at a later date - or even worse, the order may be sent to the fulfilment department as a clear text email. All that hard work securing the browser session was just smoke and mirrors.

This final case shows more than any other how the yellow padlock is a totally misleading indication of site security. Many people think that it means that their details will be sent fully encrypted to the remote server, but in fact it merely means that the page that is being displayed was sent securely. This page will normally contain a <FORM> of some description, and what's really important to secure your data isn't that the form page itself be secure, but that the form action - the code that processes your form - is accessed via a secure connection. There's no way a user can check that a form will be processed securely other than by doing a 'view source' and examining the <FORM> tag within the HTML code.
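The 'view source' check described above, and the frame check from the earlier scenario, can be done mechanically. The script below is an added example written for this page, not code from the original article or from PC Pro. It resolves every `<FORM>` action and every frame or iframe source against the URL of the page that was served over https, and reports any that would be fetched or submitted over plain http. It goes slightly beyond the text in also covering `<IFRAME>` and forms with no action attribute (which submit back to the page's own URL). The page URLs and HTML it runs on are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PadlockAuditor(HTMLParser):
    """Collect form actions and frame sources, resolved against the page URL.

    Each finding is (tag, resolved_url, is_https). Relative URLs inherit the
    scheme of the page they appear on, which is why a page served over https
    with action="/order" is fine, while action="http://..." is not.
    """

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            # A form with no action submits back to the current page URL.
            target = attrs.get("action") or self.page_url
        elif tag in ("frame", "iframe"):
            target = attrs.get("src")
            if not target:
                return
        else:
            return
        resolved = urljoin(self.page_url, target)
        scheme = urlsplit(resolved).scheme.lower()
        self.findings.append((tag, resolved, scheme == "https"))


def audit_page(page_url, html):
    """Return every form/frame target on the page with its https status."""
    parser = PadlockAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def insecure_targets(page_url, html):
    """Return only the (tag, url) pairs that would leave the secure session."""
    return [(tag, url) for tag, url, ok in audit_page(page_url, html) if not ok]


# Constructed sample: an https frameset whose content frame is plain http.
SAMPLE_FRAMESET_URL = "https://shop.example/index.html"
SAMPLE_FRAMESET = """<html><frameset cols="200,*">
<frame src="https://shop.example/nav.html">
<frame src="http://shop.example/content.html">
<iframe src="ads/banner.html"></iframe>
</frameset></html>"""

# Constructed sample: an https order page with one form posting to plain http.
SAMPLE_ORDER_URL = "https://shop.example/checkout.html"
SAMPLE_ORDER_PAGE = """<html><body>
<form action="/basket/update" method="post"><input name="qty"></form>
<FORM ACTION="http://orders.example/cgi-bin/order.pl" METHOD="POST">
<input name="cardnumber"></FORM>
<form method="post"><input name="coupon"></form>
</body></html>"""


if __name__ == "__main__":
    for url, html in ((SAMPLE_FRAMESET_URL, SAMPLE_FRAMESET),
                      (SAMPLE_ORDER_URL, SAMPLE_ORDER_PAGE)):
        print(f"Page {url}")
        for tag, target, ok in audit_page(url, html):
            print(f"  {'OK  ' if ok else 'WARN'} <{tag}> -> {target}")
```

Run it against the saved source of a page and anything flagged WARN is content that the padlock on that page says nothing about: a frame loaded in the clear, or card details posted in the clear regardless of how the form page itself arrived.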

In our opinion, browsers should only display that padlock if the current page, all displayed frames, and all forms displayed have actions leading to secure servers. Unfortunately, the default facilities provided by many ISPs lead naive developers into creating sites that suffer from one or more of these problems.