In recent years, everyone has become more aware of, and concerned with, privacy online. Recently, all the main web browser developers have begun highlighting ‘insecure’ websites to their users – what does this actually mean?
What is an insecure website?
When you browse a website, you are sending requests over the internet to a web server. The server processes that request and sends the results back. Your web browser then displays these results to you.
These requests and responses can take almost any route across the internet, and any server they pass through could read them.
In practice this is unlikely to happen, as those servers are run by the companies that make the internet work, and it is in their interest to keep their customers happy.
However, cyber criminals are now beginning to attack these servers, with the sole purpose of stealing this information.
What is a secure website?
When a browser sends a request to a secure web page (for example, “please send me the home page of Facebook”), the website replies that it only handles secure requests and asks the browser whether it can form a secure connection. The server presents its credentials (its security certificate) to the browser, and the browser checks them against the certificate authorities it trusts to confirm that they are valid.
Once both the browser and server are satisfied with each other’s identity, they create a secure communications channel between themselves, and the requests and responses are sent only over that channel. All communications are scrambled using an encryption key that is known only to the server and the browser. The data travels in exactly the same way as insecure data, but anyone who intercepts it cannot read it without the encryption key.
Why isn’t all of the web secured like this?
In a word, speed. Both the initial negotiation and the encryption and decryption of the information take time.
During the early days of the internet, before fibre and even broadband, when all we had was dial-up, this process took a long time. I remember a time when it was actually advised to host images on a separate server so they could be served unencrypted on web pages that collected financial information. These days a browser won’t even allow that to happen on a secure page.
So, why is this changing now?
Historically, people only considered financial details and passwords to be important. So websites would have security certificates on the pages that collected financial details (credit card numbers etc.), and all other pages of the website would be served without one.
In the modern world, with the rise of identity theft, our personal data, as well as our financial information, has become increasingly valuable to us. As such, the browser developers are pushing people to serve everything over a secure link.
Also, now that broadband is the norm and fibre is quickly taking over, speed is simply no longer an issue.
Should I avoid websites marked as insecure?
Well, that depends on what the website is doing. If it is asking for credit card or bank account numbers, then it should absolutely be avoided.
If it is just showing you things (e.g. news.bbc.co.uk), then there is no need to avoid it at all.
If it is asking you for other information (for example, your name and email address in order to add you to a mailing list), then it is purely a personal choice: if you don’t mind anybody knowing what they are asking for, go ahead.
Remember, filling in a form on an insecure website is just like sending an email. If you wouldn’t put it in an email, don’t put it into an insecure website.
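The two practical points above (a form on an insecure page sends what you type in the clear, and a secure page is not allowed to pull images or scripts over an insecure link) can be checked mechanically. The following script is an added example, not code from the original article: given the address a page was loaded from and its HTML, it reports forms whose submission target is a plain http:// address, and, on an https:// page, sub-resources fetched over plain http:// (the “mixed content” that modern browsers block or warn about). The page address, host names and HTML are constructed for the example; it uses only the Python standard library and runs offline.

```python
"""Flag cleartext form targets and mixed content in an HTML page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Collect form targets and sub-resource URLs, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_targets = []   # (resolved action URL, list of field names)
        self.resources = []      # (tag, resolved resource URL)
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no action attribute submits back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current_form = (action, [])
            self.form_targets.append(self._current_form)
        elif tag in ("input", "textarea", "select") and self._current_form is not None:
            if a.get("name"):
                self._current_form[1].append(a["name"])
        elif tag in ("img", "script", "iframe") and a.get("src"):
            # urljoin resolves relative and scheme-relative ("//host/x") addresses.
            self.resources.append((tag, urljoin(self.page_url, a["src"])))
        elif tag == "link" and a.get("href") and "stylesheet" in (a.get("rel") or ""):
            self.resources.append((tag, urljoin(self.page_url, a["href"])))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current_form = None


def check_page(page_url, html):
    """Return a report: forms that would submit in the clear, and mixed content.

    cleartext_forms lists every form whose target is http://, whatever the page
    itself was served over.  mixed_content is only meaningful on an https://
    page, where browsers refuse to load images, scripts or stylesheets over http://.
    """
    collector = _Collector(page_url)
    collector.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    cleartext_forms = [
        {"action": action, "fields": fields}
        for action, fields in collector.form_targets
        if urlsplit(action).scheme == "http"
    ]
    mixed_content = [
        {"tag": tag, "url": url}
        for tag, url in collector.resources
        if page_secure and urlsplit(url).scheme == "http"
    ]
    return {
        "page_secure": page_secure,
        "cleartext_forms": cleartext_forms,
        "mixed_content": mixed_content,
    }


# Constructed sample: a secure checkout page with one insecure form target,
# one mixed-content image, and one scheme-relative script (which is fine).
SAMPLE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<img src="https://cdn.example/logo.png">
<img src="http://cdn.example/banner.jpg">
<script src="//cdn.example/app.js"></script>
<form action="http://pay.example/submit" method="post">
  <input name="card_number"><input name="cvv"><input type="submit">
</form>
<form action="/newsletter" method="post">
  <input name="email">
</form>
</body></html>
"""

if __name__ == "__main__":
    report = check_page(SAMPLE_URL, SAMPLE_HTML)
    for form in report["cleartext_forms"]:
        print("form sends", ", ".join(form["fields"]), "in the clear to", form["action"])
    for item in report["mixed_content"]:
        print("mixed content:", item["tag"], "loaded from", item["url"])
```

On the sample page the card-number form is reported because its target is http:// even though the page itself is https://, while the newsletter form is not, since its relative action resolves to the secure page address. The banner image is flagged as mixed content; the scheme-relative script inherits https:// and passes.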