How to tell if a site is secure?

Let's start with some basic things like:

1) Encryption: What Is It?

Encryption is the process of scrambling a message so that only the intended audience has access to the information. As more people share confidential data and applications using the Internet, they have come to rely on commercially available Secure Sockets Layer (SSL) encryption.

When an SSL handshake occurs between a client and server, the level of encryption is determined by the web server, the client browser, the client operating system, and the SSL Certificate. Low-level encryption, 40 or 56 bits, is acceptable for sites with low-value information. High-level encryption, at 128 bits, can calculate 2^88 times as many combinations as 40-bit encryption. That’s over a trillion times a trillion times stronger.
(Nowadays the default is 128/256-bit: typically 256-bit on the big sites (it costs a lot) and 128-bit on regular sites.)

2) Web pages beginning with “https” instead of “http” enable secure information transmission via the protocol for secure http. Securing networks and applications is essential to secure online transactions. “Https” is one measure of security to look for when sending or sharing confidential information such as credit card numbers, private data records, or business partner data. However, it may not be enough.

Certificate Authorities use different authentication methods and levels to verify information provided by organizations requesting SSL Certificates. The most basic SSL Certificate only verifies control of the domain name, a low level of authentication that may be used by fraudsters to make their sites appear trusted.

————————————————————————————————————–

Let's start:

1) If you are visiting the website over a secure connection, you will be able to identify the website through the site’s certificate. A secure or encrypted website address will begin with HTTPS rather than HTTP (*), and you will see a lock icon in the Address bar (*). Secure connections use certificates to identify the website and to encrypt your connection so that it is more difficult for an attacker to view. You can also click the lock icon in the Address bar to see more information about the website and the CA that issued the certificate to the site.
When you click the lock icon in the Address bar, you can see the security report. Depending on the type of certificate the website has, you can see the website address or the company address that the certificate was issued to (*).
Extended Validation (EV) certificates will turn the Address bar green, and will contain a confirmed name and address for the website owner (*).
Non-EV certificates will display the website address or the domain of the site. If the security report only shows the website’s address, be sure it is the address you wanted to visit. Phishing or fraudulent websites will often use similar website names to trick visitors into believing they are visiting trusted sites.

(*)hxxp://img708.imageshack.us/img708/4456/38362704.png
(*)hxxp://img801.imageshack.us/img801/9393/86726445.png
(*)hxxp://img844.imageshack.us/img844/5881/86618788.png
(*)hxxp://img195.imageshack.us/img195/8669/36813239.png

2) If you are asked for personal information, such as credit card numbers or bank information, only provide it if there is a good reason to do so. Also, make sure there is a secure entry form for recording the information. Look for a message stating that the information will be encrypted and check for the lock icon in the Security Status bar in the Internet Explorer Address bar (do not enter confidential information if there is no lock icon in the Address bar!). You should be confident that the site is using your information properly and in a secure manner before providing any information, including credit card number, cell phone, address, etc.

3) Do they have a phone number that you can call if you have a problem, or that you can use to place an order? Does the website list a street address? Is there a posted return policy with acceptable terms? If the site doesn’t provide a phone number or physical address, try contacting the company by e‑mail to ask for that information.
P.S. (This is not needed for advanced users, and it only applies (maybe, not always) to big companies like eBay, Amazon, etc.)

4) The different colors of the Security Status bar and what they mean:
When you visit a website that uses a secure connection, the color of the Security Status bar tells you whether the certificate is valid or not, and it displays the level of validation that was performed by the certifying organization.
The following list describes what the Security Status bar colors mean:
*Red – The certificate is out of date, invalid, or has an error.
*Yellow – The authenticity of the certificate or the certification authority that issued it cannot be verified. This might indicate a problem with the certification authority’s website.
*White – The certificate has normal validation. This means that communication between your browser and the website is encrypted. The certification authority makes no assertion about the business practices of the website.
*Green – The certificate uses extended validation. This means that communication between your browser and the website is encrypted and that the certification authority has confirmed the website is owned or operated by a business that is legally organized under the jurisdiction shown in the certificate and on the Security Status bar. The certification authority makes no assertion about the business practices of the website.
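The "red" and "white" states above come from checks you can reproduce outside the browser. The following Python is an added example (it is not part of the original post and not Microsoft's or any browser's code): it takes a certificate in the dict form that Python's `ssl` module returns from `getpeercert()`, checks the validity window and whether the certificate actually names the host you typed, and reports the result in the post's colour vocabulary. `SAMPLE_CERT`, its names, dates and issuer are constructed; `fetch_peer_cert` is the live equivalent and needs network access.

```python
import socket
import ssl

# Constructed sample in the shape that ssl.SSLSocket.getpeercert() returns;
# it is not a real certificate and the CA name is made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.shop.example"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "shop.example")),
}


def fetch_peer_cert(host, port=443):
    """Live version (needs network): do the handshake a browser does and return
    the validated server certificate in the same dict form as SAMPLE_CERT."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a wildcard standing for
    exactly one leftmost label ('*.shop.example' covers 'www.shop.example',
    but not 'shop.example' and not 'a.www.shop.example')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parent = pattern.split(".")[1:]
        labels = hostname.split(".")
        return len(labels) == len(parent) + 1 and labels[1:] == parent
    return False


def cert_names(cert):
    """DNS names the certificate is valid for: the SAN list, or the subject CN
    only as a legacy fallback when there is no SAN extension at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def check_certificate(cert, hostname, now):
    """Return (colour, problems) in the post's Security Status bar vocabulary:
    'red' when the certificate is outside its validity window or does not name
    the host you typed, 'white' when those checks pass. 'green' (EV) would need
    the certificate's policy OIDs and 'yellow' (issuer not trusted) is the chain
    validation the TLS library performs during the handshake, so neither can be
    decided from this dict alone. `now` is Unix time in seconds."""
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append("hostname %r not among certificate names %r" % (hostname, names))
    return ("red" if problems else "white"), problems


if __name__ == "__main__":
    # 1720000000 is July 2024, inside the constructed validity window.
    print(check_certificate(SAMPLE_CERT, "www.shop.example", 1720000000))
    print(check_certificate(SAMPLE_CERT, "www.shop.example.attacker.test", 1720000000))
    print(check_certificate(SAMPLE_CERT, "www.shop.example", 1740000000))
```

The hostname check is the part the post's point about look-alike addresses relies on: a certificate can be perfectly valid and still belong to a different site, which is why the second call above comes back red even though the dates are fine.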

5) Spoofed and fake website creators are becoming very innovative in making their sites look like commercial sites. Even fake sites can be encrypted, so having a “secure” connection is no guarantee that the website is legitimate. In addition to checking the address and looking for icons, try clicking links and other images on the website to see where they take you. Also look carefully at the address line and make sure it is spelled correctly.

6) If possible, use a new high-security Web browser that recognizes Web sites using Extended Validation (EV). If you’re using a high-security browser, ensure that the address bar turns green before entering personal information.
P.S. High-security Web browsers are new browsers that offer enhanced protection against viruses and attacks. They are also Extended Validation (EV)-enabled and display the green bar when you visit an EV-secured Web page. These browsers include Microsoft Internet Explorer 7, Firefox 3, Safari 5, Opera 10 (10.61), etc.

7) If a Web site has obvious and abundant typographical errors, avoid it. Why? Many phishing and spoofing sites originate in foreign countries and are written and programmed practically overnight.

8) Look closely at a site's URL in the address bar. A genuine Web site should include the company name immediately before the suffix. For instance, http://www.sadikhov.com is a valid site. However, http://www.sadikhov.1234.com may be a fraudulent Web site spoofing it.
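Point 8 (the company name must sit immediately before the suffix) and points 1 and 2 (the address must be HTTPS and the one you meant to visit) can be turned into a mechanical check. The Python below is an added example, not code from the post or from sadikhov.com: it extracts the registrable domain from a URL the way browsers do, using a deliberately tiny stand-in for the Public Suffix List, and lists the reasons a URL should not receive sensitive data. The suffix list, the `*.example` / `evil.net` hosts and the `sadikh0v.com` misspelling are constructed inputs.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (https://publicsuffix.org/); a real checker loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "au", "com.au"}


def registered_domain(url):
    """Return the registrable domain of a URL's host: the label just left of the
    longest matching public suffix ('sadikhov.com' for 'http://www.sadikhov.com/').
    Returns None when the URL has no host."""
    host = urlsplit(url).hostname  # drops scheme, userinfo, port and path; lower-cased
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    # Try the longest candidate suffix first: 'shop.co.uk' before 'co.uk' before 'uk'.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host  # no known suffix: treat the whole host as the domain


def assess_url(url, expected_domain):
    """List the reasons a URL should not receive sensitive data, judged against
    the domain the user meant to visit. An empty list means both basic checks
    from the post pass: HTTPS scheme and the expected registrable domain."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https (scheme is %r)" % parts.scheme)
    domain = registered_domain(url)
    if domain != expected_domain.lower():
        problems.append("registrable domain is %r, not %r" % (domain, expected_domain))
    return problems


if __name__ == "__main__":
    for url in ("https://www.sadikhov.com/forums/",
                "http://www.sadikhov.1234.com/login",        # brand name, wrong domain
                "https://www.sadikhov.com@login.evil.net/",  # brand name hidden in userinfo
                "https://www.sadikh0v.com/"):                # misspelling (zero for 'o')
        print(url, "->", registered_domain(url), assess_url(url, "sadikhov.com"))
```

The userinfo case is why the check works on `urlsplit(url).hostname` rather than on the raw string: the company name can appear anywhere in a URL, but only the registrable domain says who the site belongs to.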

9) Many SSL Certificate vendors (Verisign, GeoTrust, SSL.com, etc.) also provide a “site seal” to the owners of these web sites (*).
These site seals should not necessarily be trusted on their own, but should serve as a reminder to “investigate further”… .

(*)hxxp://img44.imageshack.us/img44/1990/49535288.jpg
hxxp://img580.imageshack.us/img580/5380/imagjes.jpg

10) A privacy policy. Most of us skip the privacy policies, but the shop that does not offer one should be the one to skip altogether.

11) Return policy.
Don’t get caught by surprise by ordering a super cool t-shirt which washes away on the first visit to the laundry. Before finalizing any order, check the return and refund policy.

12) And the last thing you can do is Google the site's name followed by the word “complaints”. Here you may find blogs and other valuable information that may not necessarily be on the web site. Read what you can about the website before placing your order.

—————————————————————————————————————

There is really no way to know for sure if a site is 100% secure, but if you follow the few steps provided here you will have a safer and more secure purchase.

The basic things to be secure online are:
*Firewall ON
*AV is up to date
*OS is up to date
*Web browser is up to date

TIPS:
*ALL WEB PAGES ASKING YOU FOR SENSITIVE INFORMATION SHOULD BE SECURED USING SSL!!!
*THE LOCK ICON IS NOT JUST A PICTURE!
*When in doubt, do not enter personal information.
*Only use companies that you are familiar with, because anyone can set up a secure server.
*If you get a warning window that the certificate has expired when you enter a secure server, do not enter your personal information.

A website might not be trustworthy if:
*The site is referred to you through an e‑mail message from someone you don’t know.
*The site offers objectionable content, such as pornography or illegal materials.
*The site makes offers that seem too good to be true, indicating a possible scam or the sale of illegal or pirated products.
*You are lured to the site by a bait and switch scheme, in which the product or service is not what you were expecting.
*You are asked for a credit card as a verification of identity or for personal information that does not seem necessary.
*You are asked to provide a credit card number without proof that the transaction is secure.

Hackers break SSL encryption used by millions of sites

Beware of BEAST decrypting secret PayPal cookies

The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet’s foundation of trust. Although versions 1.1 and 1.2 of TLS aren’t susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he’s visiting.
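The defensive consequence of the quoted news is that a client should simply refuse to negotiate the affected protocol versions. The Python below is an added example (not from the post or the quoted article): it builds a client `ssl.SSLContext` whose floor is TLS 1.2, places the permissive setting beside it for comparison, and includes a probe that reports what a server actually negotiates. `probe` needs network access; everything else runs offline.

```python
import socket
import ssl


def hardened_client_context():
    """Client context for the setting the article calls for: certificate and
    hostname verification on (create_default_context does that), and a floor of
    TLS 1.2 so a TLS 1.0 server, or a downgrade to it, fails the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context():
    """For comparison only: the permissive setting, a floor of TLS 1.0, which
    leaves the connection open to the weakness described in the article."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def accepts_tls10(ctx):
    """True when the context would still agree to a TLS 1.0 handshake."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


def probe(host, port=443, ctx=None):
    """Live check (needs network): connect with the given context and return
    the negotiated protocol version and cipher suite name."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("hardened accepts TLS 1.0:", accepts_tls10(hardened_client_context()))
    print("legacy accepts TLS 1.0:", accepts_tls10(legacy_client_context()))
```

Against a server that only offers TLS 1.0, `probe` with the hardened context raises `ssl.SSLError` instead of returning a version, which is the behaviour you want from a client handling payment or login data.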

Good luck,
I hope I helped
and be careful
Credits to: Microsoft Security Team (that gave me some good words) and me (kamtec1).