We have all heard the stories of a bank account being cleared out because a hacker convinced the owner to enter personal and account information in a fraudulent website. Ransomware, where a hacker encrypts the files on your computer and then demands money to release them, gets more and more publicity. We are justifiably wary when our browser, whether it be Chrome, Firefox, Safari, Opera, Internet Explorer, or Edge, pops up a message that the web page we are visiting is not secure. But just what does that “not secure” message mean and what action should we take when we get it?
Let’s take a step back and talk about how your computer connects to the Internet. We are not talking about your service provider (such as Atlantic Broadband) or whether you connect with a cable or wi-fi. We are talking about the procedure or protocol your browser uses to exchange information between your computer and a computer on the Internet.
When the World Wide Web (WWW) was invented in 1989 there was only one protocol, HyperText Transport Protocol or HTTP. Under this protocol, information—both the text and images a web page sends you and text and images you might send to a web page—is sent in its raw, unencrypted form. For example, when you enter your password to sign in to an HTTP site, your browser sends it to the web page in plain text (even if your browser covers it with dots as you type it). Consequently, anyone “watching” your communication, that is, a hacker, can read your password.
It was not long before web site owners realized that they needed an additional protocol to transmit confidential information securely, that is, encrypted or put into code. Thus Secure HTTP, better known as HTTPS, was invented. HTTPS uses additional steps in the communications between computers, called a secure socket layer or SSL. These extra steps do two things: encrypts the information sent between your computer and one on the Internet and requires that the web site have a certificate that verifies that the site is who it says it is. The certificates are issued by companies that have established that they can be trusted. You can imagine that it would not take but one incident of a hacker getting around a given company’s certificate to eliminate that company from being considered by other web sites.
Many web sites still use HTTP, as indicated by the site’s address beginning with http:// in the address bar at the top of your browser window. Banks, credit card companies, financial companies, pharmacies, and any other site that wants the information exchanged to be confidential use HTTPS, as indicated by https:// at the beginning of the address. An https:// site also has an image of a padlock in the address bar indicating it is secure.
Because incidents of identity theft and other hacker-related crimes are increasing, the major browsers (Chrome, Safari, etc.) began last year to display a “not secure” message if you were asked to enter information, such as a password or credit card number, on an HTTP web page. It has always been good practice before sending confidential information to a web page to be sure that the page address begins with https:// and that the padlock image is displayed. The browser makers just started doing this for you by displaying a “not secure” message when the input form is on a page with an http:// address.
So if HTTPS is more secure, why don’t all web sites use it? Two reasons: those extra steps of encrypting the communication and money. The extra steps take time and thus an HTTPS web page loads a little slower than an HTTP page. The SSL certificates must be purchased from one of the trusted certificate authorities by the site owner, so an HTTPS site costs more to operate.
There are, however, companies, such as Google, that want to see all web sites use HTTPS. So this month, Google is changing the latest version of its Chrome web browser to display a “not secure” message for any web page that uses HTTP. The other major browser makers will likely follow suit in the future.
What should you do if you get a message from your browser that a web page is “not secure”? Ask yourself whether you care if a hacker could read the information you are sending or receiving from the web page. If the information is not confidential and you do not care, ignore the “not secure” message. If the information is confidential and you do care, close that web page. And if it’s your bank’s page, call them and tell them about it.