‘https’ and green padlock: safe ... or not?
on 18 Dec, 2017
“One of the main ways you can protect yourself when shopping, banking, making payments or entering other confidential information online is to ensure the page’s address begins with ‘https’ and features a green padlock”.
This is one of the key pieces of online safety advice which has been bandied about for years, and continues to be.
But it’s WRONG!
Well, not actually wrong, more like incomplete.
It’s complicated, but I’ll try to explain it.
Sure, the green padlock symbol means that the website owner has been granted verification by a third party that the connection between your device and their website is encrypted, meaning that people such as cybercriminals attempting to access the information being exchanged won’t be able to do so unless they have the encryption key (that’s another tricky thing to explain to the uninitiated, but we’ve tried to do so on our encryption advice page).
So far, so good: the site you’re on has ‘https’ (the ‘s’ stands for ‘secure’) and a green padlock, so the connection to the site is secure.
Wait, the connection to WHAT site, exactly?
It’s a busy time of year (isn’t it always?) and you’re keen to get your hands on the latest gizmo, those hard-to-find gig tickets or a holiday in the sun … anything you buy online. Back to the gizmo: you google, say, notonthehighstreet.com. Click on the link, and up pops notonhehighstreet.com – and there’s your gizmo right on the home page. Click ‘buy’, click ‘pay’ … job done, and it’s next-day delivery.
But actually, there’s no delivery, because you didn’t check the address you were sent to, and the ‘t’ was missing from ‘the’. Check it out for yourself in the previous paragraph. And this isn’t by chance, but because the criminal gang that owns the site left the ‘t’ out to mislead and then defraud you.
The payment page address began with ‘https’ and had a green padlock, so it was secure. But the secure payment page didn’t belong to the authentic retailer but to a fraudster, and it was the fraudster you connected to securely.
How was the fraudulent website so high up the rankings in the search engine, I hear you ask? Because like authentic organisations, many fraudsters use sophisticated SEO (search engine optimisation) techniques to make their sites even more convincing.
What’s the answer?
The first rule is, however much of a rush you’re in, or how distracted you are, always take time to check the spelling of the website address. As you can see from the example I’ve quoted, even a missing or replaced letter can be misleading.
Second: it’s still essential that you make sure that there’s an ‘https’ and green padlock.
Both of these checks mean you have a pretty good chance of establishing a secure link with an authentic site. Happy shopping!
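The two checks above can also be applied by a script, for example one that vets links before they are opened. The following Python is an added example, not part of the original article; the allowlist, the function names and the distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the sites you actually mean to visit.
TRUSTED = {"notonthehighstreet.com"}


def edit_distance(a: str, b: str) -> int:
    """Count single-character inserts, deletes, substitutions and adjacent swaps."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two neighbouring letters swapped counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def check_url(url: str, trusted=TRUSTED, max_distance: int = 2) -> str:
    """Apply both checks: exact spelling of the address, then 'https'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in trusted:
        # Right site: the padlock check now tells you the link to it is encrypted.
        return "ok" if parts.scheme == "https" else "trusted-name-but-not-https"
    for good in sorted(trusted):
        # Nearly right spelling is the warning sign, with or without 'https'.
        if edit_distance(host, good) <= max_distance:
            return f"lookalike-of:{good}"
    return "unknown-site"


if __name__ == "__main__":
    for u in ("https://www.notonthehighstreet.com/",
              "https://notonhehighstreet.com/pay",
              "http://notonthehighstreet.com/"):
        print(u, "->", check_url(u))
```

The address with the missing ‘t’ is reported as a lookalike even though it uses ‘https’, which is exactly the case the padlock alone does not catch.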