Origins of Website Security
In the mid-90s, when the Internet started to become mainstream, security was not a requirement, or even a consideration for that matter.
For websites and their visitors, this followed from the web's origins as an information-sharing medium. In the beginning, websites generally held only information for anyone to read, comparable to news articles or library publications.
No one had yet considered a use case in which websites and users would need to send data securely to each other. Likewise, there was no expectation that a website could be harmful.
What is HTTP and HTTPS?
HTTP, the protocol browsers use to communicate with web servers, is a clear-text protocol, so anyone with access to the same network can see (or, with a bit more effort, alter) any data sent across it.
The growth in online shopping and the need for users to have accounts on websites could not accept this limitation, and so HTTPS (HTTP Secure) was created. HTTPS wrapped HTTP in an additional protocol called SSL (later, TLS) to add cryptography and ensure private communication.
Users could now log in to websites without worrying that their password or payment details could be read in transit. Additionally, this provided guarantees that the data was not altered in transmission.
Initially, only login pages and payment pages were secured, but eventually most sites switched to securing every page by default.
To the end user, the use of SSL was indicated by a golden padlock icon, typically at the bottom of the window.
Security vs Trust
The padlock icon was and still is promoted as a guarantee of website security.
In short, “padlock icon” = “site is secure”.
But, what is “secure”?
The important detail is that “secure” in this case means that your connection to the website cannot be snooped on or altered by someone else. It ensures that the user’s browser and the website server are having a private communication.
There is no guarantee that the website you are communicating with is itself worthy of trust.
The presence of the padlock at the time also indicated that the site owner went to the effort of having a valid certificate issued for their website.
In the early days, this was relied on as a guarantee of legitimacy, because getting a certificate was rather expensive (hundreds if not thousands of dollars) and it was assumed that an attacker would not be able to get a certificate issued. But this was only an assumption, and it held true for a short time.
Website security today
Those assumptions are no longer true.
The continued reliance on and growth of online resources has brought costs down dramatically.
Running a website is inexpensive, and certificates can be freely obtained.
Seeing a padlock icon still signals that your communication with the server is on a private channel, so it’s very unlikely that someone else can intercept your communications.
However, there is even less assurance of whom it is you are having that private communication with.
Certificates can be easily obtained, and there is no proof that the site is trustworthy.
An attacker can easily get a valid certificate for “paypal.badguy.com” or “paypal-services.com”, and it is entirely up to the end user to notice that something doesn’t look right – and even this assumes the attacker is going to be predictable enough to register a similar-looking name.
Looking for familiar Internet names as an indication of security is of no help either: most large tech companies provide website hosting to anyone, so anyone can have a website such as somesite.dropbox.com, or a similar address hosted with Microsoft Azure, Google, or Amazon Web Services.
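An added example, not part of the original article, that makes the distinction above concrete: it separates the question the padlock answers (is the channel to this exact host private?) from the one it does not (does this host belong to the brand its name resembles?). The brand list and the "last two labels" domain rule are simplifying assumptions for illustration; a real check would use a maintained allow-list and the Public Suffix List.

```python
from urllib.parse import urlsplit

# Brands and the registrable domains they control. Constructed for this
# example; a real deployment would use a maintained allow-list.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "dropbox": {"dropbox.com"},
}


def hostname_of(url: str) -> str:
    """Lower-cased host from a URL, ignoring scheme, credentials, port and path."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels.

    Assumption: no multi-part public suffixes such as co.uk appear; use the
    Public Suffix List for real-world accuracy.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess(url: str) -> dict:
    """Classify a URL's host relative to the known brand list.

    "brand-domain": registrable domain is one the brand controls. The
        "subdomain" flag matters because hosting providers hand out
        subdomains to anyone, so the content may still be a stranger's.
    "lookalike": the brand string appears in the host, but the registrable
        domain is not the brand's (paypal.badguy.com, paypal-services.com).
    "unrelated": no known brand string in the host at all.
    """
    host = hostname_of(url)
    domain = registrable_domain(host)
    for brand, domains in KNOWN_BRANDS.items():
        if domain in domains:
            return {"host": host, "domain": domain, "verdict": "brand-domain",
                    "brand": brand, "subdomain": host != domain}
        if brand in host:
            return {"host": host, "domain": domain, "verdict": "lookalike",
                    "brand": brand, "subdomain": host != domain}
    return {"host": host, "domain": domain, "verdict": "unrelated",
            "brand": None, "subdomain": host != domain}


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "https://paypal.badguy.com/login",
              "https://paypal-services.com/", "https://somesite.dropbox.com/share"):
        print(assess(u))
```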
On the upside, all of this means that it’s easier and cheaper than ever to run a website or an online business and securing online communications is very cheap.
On the downside, while there is a guarantee of secrecy, there is no guarantee of trustworthiness.
Having assurance that the contents of your online communications are private is one thing.
Trust is another matter entirely, and you need to protect yourself online.
While there’s no 100% secure setup, you can get most of the way there by following a few essential steps:
- Keep your system up to date, especially the web browser and antivirus
- Don’t connect to unknown/free Wi-Fi
- Be wary of email attachments and links