Get Safe Online


Learn about secure web pages

Digital signatures can be used to sign email and protect ecommerce

Digital signatures are used to prove you are who you say you are online. They are also used to make sure that secure websites, for example ecommerce sites, are secure from eavesdroppers.

How to prove you are who you say you are

There are three basic methods of proving your identity:

  • Something you have, such as a credit card, a key, an electronic token or a unique encryption key.
  • Something you know, such as a password, PIN or your mother’s maiden name.
  • Something you are, such as a fingerprint or iris scan.

Using one of these factors, typically a password, provides a reasonable level of confidence in your identity. Using two or three factors is more secure because it makes it much harder for someone to impersonate you.

A bank, online shop or other organisation trying to prove its identity to you may rely on the same factors but with different methods:

  • Something they have, such as a unique website address or a unique encryption key that is authenticated by a trusted third party.
  • Something they know. For example, they might have information about your past transactions that would not be available to an impersonator.
  • Something they are. For example, they might use an internet domain name that is carefully controlled, such as those ending .gov.uk.

Behind the padlock

One of the most common ways for a business to prove its identity is to use the SSL protocol on its website. When this is active, you will see the letters ‘https’ in front of the web address, the ‘s’ standing for secure, and somewhere in the web browser frame a yellow padlock.

This signifies several things:

  • That the website owners have a digital certificate that has been issued by a trusted third party, such as Verisign or Thawte, who have checked that they are who they say they are.
  • That the digital certificate has been used to create a one-off encryption code and that all communication between your browser and the owner of the certificate will be secure from eavesdroppers as long as the padlock is displayed.

However, the padlock has some limitations:

  • It doesn’t say anything about the merchant’s business ethics or IT security.
  • Only valid certificates issued by approved authorities are trustworthy. Anybody can create a certificate and your browser will warn you if one doesn’t come from the handful of approved issuers.
  • It’s a good idea to double click on the padlock and check the certificate for yourself, especially if the site you are visiting is less well-known or if you have any concerns about security. Does the name on the certificate match the name of the company behind the website? Is it current or out of date? Has it been issued by a Certificate Authority that you trust?
  • Don’t be fooled by a padlock that appears on the web page itself. It’s easy for conmen to copy the image of a padlock. You need to look for one that is in the window frame of Internet Explorer itself.
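
The three questions in the list above (does the name match, is it in date, who issued it) can also be answered in a script. This is an added example, not part of the original page: `review_certificate`, its helpers and the `SAMPLE` certificate are constructed for illustration, using the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added illustration; function names and SAMPLE are not from the original page.
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443):
    """Live lookup: the default context already verifies the chain against the
    system trust store and the host name, and raises on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _names(cert):
    """DNS names the certificate covers (subjectAltName entries)."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def _matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def _field(rdns, key):
    """Pull one attribute (e.g. organizationName) out of a subject/issuer."""
    return next((v for rdn in rdns for k, v in rdn if k == key), None)

def review_certificate(cert, host, now=None):
    """Answer the three questions: name match, validity dates, issuer."""
    now = now or datetime.now(timezone.utc)
    ts = now.timestamp()
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "name_matches": any(_matches(n, host.lower()) for n in _names(cert)),
        "in_date": start <= ts <= end,
        "issuer": _field(cert["issuer"], "organizationName"),
        "subject_org": _field(cert["subject"], "organizationName"),
    }

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE = {
    "subject": ((("organizationName", "Example Shop Ltd"),),
                (("commonName", "www.shop.example"),)),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.shop.example"), ("DNS", "*.pay.shop.example")),
}
```

`fetch_cert` needs a network connection; `review_certificate(SAMPLE, "www.shop.example")` runs offline and returns the issuer name for you to judge, since whether you trust that issuer is a decision the script cannot make for you.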

Get your own certificate

You can use a digital certificate to encrypt, sign and authenticate your own email messages using the same public key encryption technology that underlies the SSL protocol. Secure email has several benefits:

  • Encryption means that you can control who reads the email.
  • Signing means that recipients can be sure that you actually wrote the email, not an impostor pretending to be you.
  • Authentication (or more accurately non-repudiation) means that they can also be sure that it hasn’t been tampered with since you wrote it.

Businesses can also use certificates to create SSL-protected websites of their own.

Certificate authorities include:

An alternative to paying for a certificate from one of these Certificate Authorities (CAs) is to create your own and rely on a web of trust to validate certificates. This means that you transfer your public key in a way that the recipient can establish that it really comes from you, either directly off-line or via some other already trusted person with their own certificate.

Extended Validation SSL certificates

An Extended Validation SSL certificate is an enhanced version of a standard SSL certificate. Companies undergo more stringent checks before they can get an Extended Validation certificate.

If you are using the latest browser technology, such as Microsoft Internet Explorer 8 or Mozilla Firefox 3, you are set up to see the latest Extended Validation SSL Certificates. If the site has one, the address bar will turn green and the name of the company and the issuing CA are clearly visible right next to it.

See Microsoft's website for more information.

Identifying yourself to government

Digital signatures are increasingly used by government to allow citizens to identify themselves to government departments online. For more information visit the Government Gateway.

Copyright (c) 2010 Get Safe Online. All rights reserved.