Originally created 06/05/06

What can browsers tell me about how safe an e-commerce site is?

Q. What can browsers tell me about how safe an e-commerce site is?

A. Security experts have long recommended that you look for the closed padlock at the bottom of the browser window to make sure your transactions are safe.

Unfortunately, the presence of a padlock is no longer enough.

Sites wishing to enable the padlock must obtain a digital certificate from any number of private companies known as certificate authorities.

In the early days, the certificate authority performed a series of checks to make sure sites were really who they said they were. The authority may have asked for ID or a copy of a business license, or it may have checked information a site submitted against state business databases.

Older authorities still do that, but some newer ones try to cut costs and corners by checking only that the site owns the domain name - not the business said to run on that domain, said Johannes Ullrich, chief technology officer with the SANS Institute's Internet Storm Center.

The difference in cost can be significant: Ullrich said a site may spend $20 for the domain-only check, compared with $100 or more for a traditional certificate. Consumers have no easy way to tell the difference.

That doesn't mean the cheaper certificates are all suspect - Ullrich's group even has one. But the variation opens the door for scammers known as phishers to easily obtain one and create a site that mimics a real bank's. Customers can then be tricked into revealing passwords and other sensitive details.

Scammers "realize that as awareness of phishing increases, one thing customers are doing is looking for a lock," said Tim Callan, group product marketing manager for VeriSign Inc., one of the old-style certificate authorities. "As an anti-phishing measure, the padlock has become increasingly unimportant."

Melih Abdulhayoglu, chief executive of Comodo, another issuer of traditional certificates, said the padlock is still a good sign that a site is encrypted so sensitive information won't be leaked in transit, but "you could be encrypting for the fraudsters for all you know."

So all certificates - those with and without thorough checks - are being put into question, because a customer is not likely to know what went on behind the scenes.

Fortunately, change is on the way.

Later this year, the certificate authorities that perform thorough checks will mark their certificates differently. Browsers could then highlight sites with such high-assurance certificates. The address bar might turn green, for instance, when visiting such sites, distinguishing them from ones that carry only a padlock.

Until then, still look for the closed padlock.

If it's missing, or if a warning appears about a missing or expired certificate, that's a sign that something could be wrong. Newer browsers are trying to make the padlock easier to see - in Firefox and Opera, for instance, the padlock is moved up top, next to the address bar.
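The article's central point is that a browser shows the same padlock for a domain-only certificate and for a certificate whose issuer actually vetted the business, and that a missing or expired certificate is the one signal users still get. The following added example (not part of the original article, and not code from any of the companies quoted) makes that concrete with Python's standard library: it takes a certificate in the dictionary layout that `ssl.SSLSocket.getpeercert()` returns, checks whether the name matches the host and whether the certificate has expired, and reports whether the subject names an organization at all. The two sample certificates, their hostnames (`*.example-bank.test`) and issuer names are constructed for illustration. The "organization named" versus "domain-only" split is a heuristic assumption of this script, not an official classification: high-assurance certificates are marked by a policy identifier that this dictionary layout does not expose.

```python
import ssl
import socket
import sys
import time

# Constructed sample certificates in the dict layout that Python's
# ssl.SSLSocket.getpeercert() returns. All values are made up.
DOMAIN_ONLY_CERT = {
    "subject": ((("commonName", "login.example-bank.test"),),),
    "issuer": ((("organizationName", "Example Low-Cost CA"),),),
    "subjectAltName": (("DNS", "login.example-bank.test"),),
    "notBefore": "Jun  1 00:00:00 2006 GMT",
    "notAfter": "Jun  1 00:00:00 2007 GMT",
}

ORG_VALIDATED_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Oregon"),),
        (("localityName", "Portland"),),
        (("organizationName", "Example Bank, Inc."),),
        (("commonName", "www.example-bank.test"),),
    ),
    "issuer": ((("organizationName", "Example Traditional CA"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "example-bank.test")),
    "notBefore": "Jun  1 00:00:00 2006 GMT",
    "notAfter": "Jun  1 00:00:00 2008 GMT",
}


def subject_fields(cert):
    """Flatten the nested RDN tuples of a getpeercert() dict into a plain dict."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def validation_level(cert):
    """Heuristic (an assumption of this example): a subject that carries an
    organizationName had some identity check behind it; a subject holding
    only a commonName was most likely issued on domain ownership alone."""
    if "organizationName" in subject_fields(cert):
        return "organization-validated"
    return "domain-only"


def days_until_expiry(cert, now=None):
    """Days left before notAfter; negative means the certificate has expired.
    `now` may be a POSIX timestamp or a certificate-style time string."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def hostname_matches(cert, hostname):
    """Match hostname against the DNS entries of subjectAltName (one leading
    wildcard label allowed), falling back to commonName when no SAN exists."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = subject_fields(cert).get("commonName")
        names = [cn] if cn else []
    host_labels = hostname.lower().split(".")
    for name in names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels == host_labels:
            return True
        if labels[0] == "*" and labels[1:] == host_labels[1:]:
            return True
    return False


def describe(cert, hostname, now=None):
    """Summarise what a client can learn from the certificate alone."""
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "expired": days_until_expiry(cert, now) < 0,
        "level": validation_level(cert),
        "organization": subject_fields(cert).get("organizationName"),
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live check: fetch the certificate a real server presents. Only used
    when a hostname is given on the command line; everything else is offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if sys.argv[1:]:
        host = sys.argv[1]
        print(host, describe(fetch_peer_cert(host), host))
    else:
        # Fixed "now" so the constructed sample dates behave deterministically.
        now = "Jun  5 00:00:00 2006 GMT"
        print("cheap", describe(DOMAIN_ONLY_CERT, "login.example-bank.test", now))
        print("traditional", describe(ORG_VALIDATED_CERT, "www.example-bank.test", now))
```

Run without arguments, the script reports both sample certificates as valid for their hostnames and unexpired, with the only visible difference being the `organization` field; that is exactly the gap the article describes, since a client that checks only "padlock present, not expired" treats both the same.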

"Just because you see the padlock, it doesn't mean it's meaningful, but it's not meaningless," said Greg Hughes, chief security executive at Corillian Corp., a provider of online banking technology.

Comodo, meanwhile, has a free tool at http://www.vengine.com to help identify legitimate sites.

But ultimately, it comes down to common sense.

Ask yourself: is it a site you've done business with before? Is it a big operation located in the United States? Did you type the Web address directly into the browser rather than click on an e-mail link? Is the address a familiar one, one that appears in a bank's brochure?

Beau Brendler, director of Consumer Reports WebWatch, suggests that people also look for "https" - the "s" for secure - instead of just "http" in the address bar.

"If you see the padlock and more importantly the https, you've got a fairly good indication that the page is secure," he said. "They are one element of several things to possibly look for."

But of course, he said, "you're never necessarily guaranteed anything. There's a certain amount of risk in any transaction."