Security Issue

What is a Secure Internet Connection?

What does it mean when you do a secure logon to your bank, or email? What does that padlock (or https) really mean? A secure connection provides two benefits:

It provides assurance that those on both ends of the connection are who they say they are. The Bank or merchant provides a certificate that has been signed certifying that they are who they say they are. You provide a username and password assuring that you are who the merchant or bank thinks you are.
It encrypts the information on your end, and decrypts it at the other end, so even if it gets intercepted between the two, it cannot be deciphered.

The Problem

The problem occurs if, you present your password BEFORE getting a secure connection. Many sites allow you to logon to an insecure page and they then pass that information on to the secure server to process. That secure server then establishes a secure connection and processes your email, Facebook page, or merchant transaction.

Someone could jump into the middle of your connection. They could grab your logon, and then step between you and your email or bank. This is most likely to happen at a hotel or WiFi hotspot where you cannot verify the lines between you and the router. They provide the secure logon to the merchant, get back the information and pass it along to you. Their connection is secure, yours is not.

If you were completely vigilant, then you would notice that your connection was not HTTPS, but only HTTP. However, they could use a trick to actually show a padlock icon in the address bar. A researcher recently used this technique at a single hotspot for 24 hours. He got 16 credit cards including name, number, security number and expiration dates. He got 9 Paypal account logins, over 200 Email accounts, 42 Ticket Master accounts, and a dozen social networking accounts.

Those of you who are very young might believe you are vigilant enough to always check that you have HTTPS, but those of us who are older, know we screw up regularly.

Two Solutions

I was surprised as I checked this out, because as this problem is becoming known, more and more sites are beginning to force HTTPS. In fact, two of the sites I checked had changed between the first time I wrote this article and when I was ready to publish it!

1. Never login to Email, banking, a merchant, or a social networking account while away from home or office. or 2. Make sure your login for your username and password is already HTTPS, not insecure http:⁄⁄ access, which then sends to a secure server. If you already have a secure connection when you enter your username and password, then it will be encrypted and even if someone steps in between, it won't do them any good. This can often be done by merely changing your bookmark from http: to https:

In fact, if any transaction anywhere should be secure, then that security should be in place before entering a username and password. It should not be the mere promise that they will forward your secure information to a secure server.

Results from checking out some places

Paypal: They force https. Here is a link to insecure paypal: http://www.paypal.com Notice that when you click it, you end up at https:// instead. This is done right! They don't allow you to screw up.
USBank: They let you do either one. So, http://usbank.com sends you to an insecure login page. But, if you change your bookmark to https://www.usbank.com then it will work the same, but be secure. Notice I had to use the WWW. That is because USBank didn't purchase a certificate for usbank.com, but for www.usbank.com and were too dumb to understand they should buy two certificates. If you have a USBank bookmark, then change it to https and make sure the WWW is in there.
Chase Credit cards: If you put in http://www.chase.com⁄creditcards you will be redirected to https like you should. It redirects you to: https://www.chase.com/ChaseCreditCard.html
CapitalOne: http://www.capitalone.com - Makes you login on another page that is secure.
Vanguard: http://www.vanguard.com - Makes you go to a secure page to login.
IngDirect: http://ingdirect.com - Makes you go to a secure page to login.
Bank of America: http://www.bankofamerica.com forces https
CitiBank: http://www.citibank.com Makes you go to a secure page to login.
Citicards: www.citicards.com also forces secure login.

So you see, that of the banks, investment firms and credit card companies I checked, only USBank doesn't do it right.

Yahoo Email: Forced secure login
Gmail: Has an option under Settings⁄General to force https. Otherwise, you should insert the https.
Hostmonster: Allows you to use either http: or Https: Use https.
Integra: For Virtual Mail, they force https
XO Email: XO webmail uses HTTPS

So, check your connections to sites you log into and see if you can change your bookmarks to use HTTPS instead of http. Any site that should be secure, should provide a secure login.

Date: November 2009

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		Security Issue What is a Secure Internet Connection? What does it mean when you do a secure logon to your bank, or email? What does that padlock (or https) really mean? A secure connection provides two benefits: It provides assurance that those on both ends of the connection are who they say they are. The Bank or merchant provides a certificate that has been signed certifying that they are who they say they are. You provide a username and password assuring that you are who the merchant or bank thinks you are. It encrypts the information on your end, and decrypts it at the other end, so even if it gets intercepted between the two, it cannot be deciphered. The Problem The problem occurs if, you present your password BEFORE getting a secure connection. Many sites allow you to logon to an insecure page and they then pass that information on to the secure server to process. That secure server then establishes a secure connection and processes your email, Facebook page, or merchant transaction. Someone could jump into the middle of your connection. They could grab your logon, and then step between you and your email or bank. This is most likely to happen at a hotel or WiFi hotspot where you cannot verify the lines between you and the router. They provide the secure logon to the merchant, get back the information and pass it along to you. Their connection is secure, yours is not. If you were completely vigilant, then you would notice that your connection was not HTTPS, but only HTTP. However, they could use a trick to actually show a padlock icon in the address bar. A researcher recently used this technique at a single hotspot for 24 hours. He got 16 credit cards including name, number, security number and expiration dates. He got 9 Paypal account logins, over 200 Email accounts, 42 Ticket Master accounts, and a dozen social networking accounts. Those of you who are very young might believe you are vigilant enough to always check that you have HTTPS, but those of us who are older, know we screw up regularly. Two Solutions I was surprised as I checked this out, because as this problem is becoming known, more and more sites are beginning to force HTTPS. In fact, two of the sites I checked had changed between the first time I wrote this article and when I was ready to publish it! 1. Never login to Email, banking, a merchant, or a social networking account while away from home or office. or 2. Make sure your login for your username and password is already HTTPS, not insecure http:⁄⁄ access, which then sends to a secure server. If you already have a secure connection when you enter your username and password, then it will be encrypted and even if someone steps in between, it won't do them any good. This can often be done by merely changing your bookmark from http: to https: In fact, if any transaction anywhere should be secure, then that security should be in place before entering a username and password. It should not be the mere promise that they will forward your secure information to a secure server. Results from checking out some places Paypal: They force https. Here is a link to insecure paypal: http://www.paypal.com Notice that when you click it, you end up at https:// instead. This is done right! They don't allow you to screw up. USBank: They let you do either one. So, http://usbank.com sends you to an insecure login page. But, if you change your bookmark to https://www.usbank.com then it will work the same, but be secure. Notice I had to use the WWW. That is because USBank didn't purchase a certificate for usbank.com, but for www.usbank.com and were too dumb to understand they should buy two certificates. If you have a USBank bookmark, then change it to https and make sure the WWW is in there. Chase Credit cards: If you put in http://www.chase.com⁄creditcards you will be redirected to https like you should. It redirects you to: https://www.chase.com/ChaseCreditCard.html CapitalOne: http://www.capitalone.com - Makes you login on another page that is secure. Vanguard: http://www.vanguard.com - Makes you go to a secure page to login. IngDirect: http://ingdirect.com - Makes you go to a secure page to login. Bank of America: http://www.bankofamerica.com forces https CitiBank: http://www.citibank.com Makes you go to a secure page to login. Citicards: www.citicards.com also forces secure login. So you see, that of the banks, investment firms and credit card companies I checked, only USBank doesn't do it right. Yahoo Email: Forced secure login Gmail: Has an option under Settings⁄General to force https. Otherwise, you should insert the https. Hostmonster: Allows you to use either http: or Https: Use https. Integra: For Virtual Mail, they force https XO Email: XO webmail uses HTTPS So, check your connections to sites you log into and see if you can change your bookmarks to use HTTPS instead of http. Any site that should be secure, should provide a secure login. Date: November 2009 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk