When you visit a webpage these days it’s not uncommon for it to require some personal details. You might be checking your bank balance, buying something by Credit Card or authorizing a payment to your electric company. All these examples require sensitive details that you certainly wouldn’t want falling into the wrong hands. So how confident can you be that you’re talking in a secure manner with the right people? The answer should be simple, but of course it isn’t.
When you visit a secure webpage, it generally has a prefix of https. If all goes well, you’ll get no warnings and a little padlock appears at the bottom of the browser window. The padlock confirms that you are talking over an encrypted link to a party that has identified itself in some manner. The quality of this encryption is likely to be superb. Modern encryption ciphers are free and incredibly strong so your electronic conversation with the other party is probably very secure. But who is that other party? At this point things start to fall apart.
In order to get the little padlock symbol without any scary warnings, the website you’re talking to must have a security certificate that’s been signed (in effect authenticated) by a third party that you trust. You almost certainly aren’t aware that you trust that third party but to keep life simple, Microsoft (or whoever your browser supplier is) incorparate a list of trusted parties. These trusted parties are companies like Verisign. Most browsers will have a huge list of these trusted third parties, located all over the world and you need to be aware that you have granted trust in them all.
So I go to an https webpage, my browser retrieves its certificate and checks that Verisign (or whoever) has digitally signed it. So far so good, but does this ensure that I’m now talking with the company I think I’m talking to? No it doesn’t! All it confirms is that I’m talking to the company that is the owner of that website. For example, I could register www.natwestbank.co (it’s available as I type this) and get a quite legitimate certificate for it from Verisign. Visitors to my website would see no warnings and could be safe in the knowledge that their connection is secure. It is indeed secure but the party at the other end isn’t who they are probably thinking it is.
So how do consumers protect themselves against this problem? Well for starters they should know the webpage for their bank. Using my NatWest example, it’s http://www.natwest.com. It’s printed on their official correspondence so you can be fairly confident that natwest.com is owned by the company you think it is. Problem solved? Not by a long way.
Lets try it out in an example:
I point my browser at www.natwest.com and click their “Online Banking Login” button. Immediately my browser is redirected to https://www.nwolb.com. Huh? That website isn’t printed on any of their official correspondence! It’s a secure site, so a third party I’m trusting says I’m actually at the website I’ve tried to reach but that grants me no confidence that it belongs to Nat West, the company I bank with. This is slightly untrue as I can examine the actual security certificate and see it’s owned by The Royal Bank of Scotland Group Plc but whilst that’s good to know, it requires the visitor to understand how to view the security certificate the website is using to authenticate itself. Also, if a visitor to that site checks the ownership (Haha, yeah we all do that right?) then will they back out and not enter their security data if the Ownership doesn’t match? Not in my experience. But “hang on” you say! Surely I can trust the redirect because I’ve been redirected there from the webpage I trust (www.natwest.com). Sadly, no, because that website isn’t secure. You can’t trust the redirect on it because you have no means to trust the source at all.
Sorry NatWest, I’m using you as an example but in reality many companies are adopting this practice. Why? I have no idea. Things get even worse with online shopping as you are likely to get redirected all over the place. Many online retailers don’t use their own pay services, instead sub-contracting it out to companies like Worldpay. When you make those payments, your browser redirects you to their site. You get no warnings at all and happily type in your card details and the answers to any security questions they may ask. No problem if it’s a genuine service like RBS Worldpay, but what if it’s the bad guy with his own domain and fully authentic certificate? You lose.
So what’s the answer? Well life would certainly be a lot easier without the redirects. It would help if my browser warned me when I’m being redirected to another domain. There are plugins for Firefox that will do this, such as RequestPolicy but they tend to be annoying and sometimes break things, (excellent for the geeks though). The best solution in my humble (and frequently incorrect) opinion is to stop the redirects. If I start on www.natwest.com and remained there until my transactions were completed then I could be reasonably confident that I’m interacting with the genuine company and not handing over my bank account details to somebody in Nigeria.