Monday, June 1, 2009

Log in over TLS / HTTPS Only

This is just a note for the security conscious. Always log into websites and services using TLS (Transport Layer Security), formerly known as SSL (Secure Sockets Layer). Using one of these protocols means you have a secure, encrypted connection between your computer and the web site in question.

How do you know you are on a secure connection? You can normally tell from the web browser address bar. If the address starts with 'https://' instead of 'http://' (an additional 's' character), your browser has a secured connection. Modern browsers often highlight this fact with padlock icons and green shading.

Getting a secure connection means that only the holder of the SSL certificate used to create the connection can read the contents of your traffic at the far end. The certificate, issued by a certificate authority, vouches for the identity of that holder.

It is very important that users take the time to ensure their sensitive information is protected by TLS. Otherwise your internet traffic can be sniffed at any number of places between your computer and the servers you think you are talking to. Many sites only use TLS for the login step, to protect the username and password. Everything else is sent in plain text and can be intercepted.

Be wary of sites that provide login from an unsecured home page. The form element might post your login credentials to a secure https connection, but without examining the HTML you cannot be sure. Their dedicated login page (normally reachable by providing incorrect credentials on the home page) will normally be secured by TLS. If a dedicated login screen is not secured by TLS, do not use the service.
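The check described above (does the login form on a page actually post to an https address?) can be automated. The following script is an added example, not code from the original post: it uses only the Python standard library, parses a constructed sample page, and reports each form that contains a password field together with the resolved address it would submit to. The sample URLs and HTML are made up for illustration.

```python
"""Audit whether a page's login forms submit credentials over HTTPS.

Added example (not from the original post). Parses constructed sample HTML,
resolves each form's action against the page URL, and flags password forms
that would post over plain http://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form> and note whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def page_is_secure(page_url):
    """True only when the page itself was fetched over https."""
    return urlsplit(page_url).scheme == "https"


def audit_login_forms(page_url, html):
    """Return [(resolved_action_url, is_secure), ...] for every form with a password field.

    An empty action means "post back to this page", so it inherits the page's
    own scheme; any other action is resolved relative to page_url, so a
    relative action on an http:// page also resolves to http://.
    """
    parser = LoginFormFinder()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        results.append((target, urlsplit(target).scheme == "https"))
    return results


# Constructed sample: an http:// home page carrying three forms.
SAMPLE_PAGE_URL = "http://www.example.com/"
SAMPLE_HTML = """
<html><body>
  <form action="https://www.example.com/login" method="post">
    <input name="user"><input name="pass" type="password">
  </form>
  <form action="/search" method="get"><input name="q"></form>
  <form method="post">
    <input name="user"><input name="pw" type="PASSWORD">
  </form>
</body></html>
"""

if __name__ == "__main__":
    print("page served over TLS:", page_is_secure(SAMPLE_PAGE_URL))
    for target, secure in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{'OK ' if secure else 'BAD'} password form posts to {target}")
```

The sample shows both cases the post warns about: the first form posts to https even though the page was plain http, while the third form has no action and so would send the password back over http. Note that a correct https action on an http page still gives only partial assurance, because the unencrypted page itself could have been altered in transit, which is why the post recommends using the site's dedicated TLS login page.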

Sites handling very sensitive information, such as internet banking services, should maintain a secure connection for the entire session, ensuring all parts of the conversation (your bank balances, account numbers, etc.) remain private.

Be aware of when you are and are not using a secure transport layer for your internet use. Always ask yourself whether you would mind a third party eavesdropping on your conversations. Without TLS, they might be.
