What Makes a Site Secure?

Q   I’ve done some shopping on the Internet,
and I’m careful to only use my credit card
on secure sites. But a friend of mine told me that not
all sites claiming to be secure really are. What makes
a site secure, and how do I tell if it really is secure?

—D.E.

A  The main obstacle to the growth of Internet
commerce has always been, and continues
to be, consumer fear of credit card fraud. Many
people refuse to make online credit card purchases on
general principle. Unfortunately, some of this fear is
well founded. Using your card to make a purchase
over the World Wide Web is just as risky as using it
over the phone or at your local retail store, but not
particularly more so. In each case the bottom line is
this: do you trust the vendor to use your credit card
information responsibly? If you can’t answer
yes, then consider using another means of payment.

One reason for the perception that the Internet
is more risky is that people hear about how
unscrupulous hackers can intercept and read
transmissions. That is where Secure Sockets Layer (SSL)
comes in. The primary purpose of SSL is to encrypt any
information sent between your browser and the vendor’s server. Although hackers can still
intercept the transmission, it is extremely difficult for them
to decode the encrypted contents.

A Web site that asks you to enter a user name, password, credit card number, or any other piece
of sensitive data should use SSL to transmit the
information securely. So how can you tell if your data
is protected from prying eyes? One way is to just look
at the address line (assuming you haven’t turned it
off) at the top of your browser and see if the path to
the Web page you are using has https instead of
http at the beginning. Your browser may also show a lock
in its status bar to indicate a secured page. These
indicators are not always reliable, though, because
some sites use frames to break up the browser window,
and the information you see is for the frame page, not
the input page. If that is the case, you can right-click
over the frame containing the input page and select
Properties (Internet Explorer) or View Frame Info (Netscape) from the pop-up menu. The browser
displays the properties of that page, including its
address. Again, you are looking for https.

Some browsers have the ability to warn you when you switch between secure mode and
unsecure mode. If you turn the feature on, the browser
displays a message whenever you switch modes. This warning can provide a measure of confidence
when you are about to be presented with a log-in page or
a credit card payment page.

You will find that most sites only secure
sensitive pages with SSL and leave the remaining pages
unprotected. That is because the encryption
process adds a significant burden to the server’s limited
resources. And because the entire message must be
encrypted (not just the sensitive parts), secured
pages frequently have a very simple design.

The next time you enter information that you don’t want the world to see into a Web form, be
sure that page is protected with SSL. Regardless
of whether you buy over the Internet, by phone, or
in person, you have to trust the vendor to protect
your information and use it properly.
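
The frame check described above can also be done on a saved copy of the page. The following is an added example, not part of the original column: it lists every frame whose address is not https, and it goes one step further than the column by also checking where each form submits its data. The URLs and HTML are constructed samples, and `insecure_targets` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: an https frameset page whose input frame is plain http.
SAMPLE_URL = "https://shop.example/checkout/"
SAMPLE_HTML = """
<html><frameset cols="20%,80%">
  <frame name="menu" src="menu.html">
  <frame name="payment" src="http://shop.example/pay/form.html">
</frameset></html>
"""

# Constructed sample: the content of a frame, with a form posting over http.
FORM_URL = "https://shop.example/pay/form.html"
FORM_HTML = '<form action="http://shop.example/pay/submit"><input name="card"></form>'


class TargetCollector(HTMLParser):
    """Collects the URLs that frames load and that forms submit to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.targets = []  # list of (kind, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("frame", "iframe") and attrs.get("src"):
            # Relative frame addresses inherit the scheme of the outer page.
            self.targets.append((tag, urljoin(self.page_url, attrs["src"])))
        elif tag == "form":
            # A missing or empty action submits to the page's own address.
            action = attrs.get("action") or ""
            self.targets.append(("form", urljoin(self.page_url, action)))


def insecure_targets(page_url, html):
    """Return the (kind, url) pairs on the page that do not use https."""
    collector = TargetCollector(page_url)
    collector.feed(html)
    return [(k, u) for k, u in collector.targets if urlsplit(u).scheme != "https"]


if __name__ == "__main__":
    for url, html in ((SAMPLE_URL, SAMPLE_HTML), (FORM_URL, FORM_HTML)):
        for kind, target in insecure_targets(url, html):
            print(f"{url}: {kind} -> {target} is not https")
```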