OCS banner and logo
Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe 
Search All Articles

Browse by Category

powered by pmc2m


Security Issue

What is a Secure Internet Connection?

What does it mean when you do a secure logon to your bank, or email? What does that padlock (or https) really mean? A secure connection provides two benefits:


  • It provides assurance that those on both ends of the connection are who they say they are. The Bank or merchant provides a certificate that has been signed certifying that they are who they say they are.  You provide a username and password assuring that you are who the merchant or bank thinks you are.
  • It encrypts the information on your end, and decrypts it at the other end, so even if it gets intercepted between the two, it cannot be deciphered.



The Problem

The problem occurs if, you present your password BEFORE getting a secure connection. Many sites allow you to logon to an insecure page and they then pass that information on to the secure server to process. That secure server then establishes a secure connection and processes your email, Facebook page, or merchant transaction.

Someone could jump into the middle of your connection. They could grab your logon, and then step between you and your email or bank. This is most likely to happen at a hotel or WiFi hotspot where you cannot verify the lines between you and the router. They provide the secure logon to the merchant, get back the information and pass it along to you. Their connection is secure, yours is not.

If you were completely vigilant, then you would notice that your connection was not HTTPS, but only HTTP. However, they could use a trick to actually show a padlock icon in the address bar. A researcher recently used this technique at a single hotspot for 24 hours. He got 16 credit cards including name, number, security number and expiration dates. He got 9 Paypal account logins, over 200 Email accounts, 42 Ticket Master accounts, and a dozen social networking accounts.

Those of you who are very young might believe you are vigilant enough to always check that you have HTTPS, but those of us who are older, know we screw up regularly.


Two Solutions

I was surprised as I checked this out, because as this problem is becoming known, more and more sites are beginning to force HTTPS. In fact, two of the sites I checked had changed between the first time I wrote this article and when I was ready to publish it!

1. Never login to Email, banking, a merchant, or a social networking account while away from home or office. or 2. Make sure your login for your username and password is already HTTPS, not insecure http:⁄⁄ access, which then sends to a secure server. If you already have a secure connection when you enter your username and password, then it will be encrypted and even if someone steps in between, it won't do them any good. This can often be done by merely changing your bookmark from http: to https:

In fact, if any transaction anywhere should be secure, then that security should be in place before entering a username and password. It should not be the mere promise that they will forward your secure information to a secure server.


Results from checking out some places


So you see, that of the banks, investment firms and credit card companies I checked, only USBank doesn't do it right.


  • Yahoo Email: Forced secure login
  • Gmail: Has an option under Settings⁄General to force https. Otherwise, you should insert the https.
  • Hostmonster: Allows you to use either http: or Https: Use https.
  • Integra: For Virtual Mail, they force https
  • XO Email: XO webmail uses HTTPS

So, check your connections to sites you log into and see if you can change your bookmarks to use HTTPS instead of http. Any site that should be secure, should provide a secure login.


Date: November 2009

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

  Please direct questions/suggestions about website to the webmaster