How to detect insecure websites?
Practical guide to adopting good reflexes when browsing the internet.
Internet fraud and cyber attacks have increased in recent years, leading Internet users to communicate sensitive data or unknowingly open the door to malware. To limit these risks, it is essential to know how to identify whether a website is secure or not. Here are 5 diagnostic points to check before going any further in browsing a website.
Outdated design, buggy pages
A design that is too “old school” in the graphics or typographic choices, broken links or pages that refuse to display… You are most likely facing a site that has not been updated for some years and/or which is seriously lacking in maintenance.
These weaknesses initially lead to a poor user experience: you will definitely want to move on! Then be aware that they can also lead to security vulnerabilities. Security updates are important to resolve known vulnerabilities and improve overall website security. Additionally, buggy pages can be exploited by attackers to compromise the website or steal sensitive information. Some of them actually use flaws in the code to inject malicious scripts or access confidential data…
Using the HTTP protocol instead of HTTPS
The use of the http protocol is almost no longer possible today because modern browsers block access to these sites and display a security warning. But if you are browsing with an older browser or if you choose to bypass the blocking by forcing the display of the site, know that everyone can see everything you write on the site, including your passwords, payment details, etc.!
Conversely, the https protocol allows all communications between you and the site to be encrypted. It’s not a perfect security guarantee, but it’s really the bare minimum you can ask for from a site!
Technical note: several versions of https
Not all https connections are created equal. The protocol has evolved over time. The first versions of the procotol (SSLv2 then SSLv3) are no longer considered secure. The TLS protocol that succeeded them has also evolved: TLS 1.0 and TLS1.1 are now obsolete and only TLS 1.2 and TLS 1.3 are recommended today. However, old browsers are not compatible with these protocols.So remember to update your browsers to avoid using outdated security protocols.
Beware, https:// links can also be not secure if the associated certificated is not recognized. In that case, your browser will display a security warning and a barred padlock.
- Avoid clicking on links starting with http://, only click on links starting with https://
- Do not ignore your browser’s security warnings except if you really know what you are doing.
The composition of the URL of a website
Be careful, an https:// website without security alerts is not necessarily the website you really expected to visit. Let’s say you’re trying to contact your bank’s website. Its legitimate URL would be, for example, ma-banque.com.
Step 1: identify the domain name
In a URL, the domain name is everything after https:// and before the first character ‘/’ or ’#’ Or ’?’.
For example, in https://ma-banque.com/login, the domain name is ma-banque.com.
Likewise, in https://login.ma-banque.com/fr, the domain name is login.ma-banque.com.
Step 2: understand the notion of subdomain
In a domain name, you can add a subdomain by adding the name of the subdomain followed by a period BEFORE the main domain. For example, login.ma-banque.com is a subdomain of ma-banque.com and not the other way around. You can add as many sub(-sub)domains as you want.
Step 3: don’t confuse the domains
Hackers use several methods to trick you:
- use of a domain name with the wrong extension (.org instead of .com for example)
- using a similar domain name, for example by adding a period in the middle, replacing a special character with another, or changing an ’o’ to ’0’. This could result in:
- https://ma.banque.com
- https://mabanque.com
- https://mabaqnue.com
- use a subdomain of their domain corresponding to the one you are looking for, for example:
- https://ma-banque.login.com
- https://ma-banque.secure-login.com
Make no mistake! you are on the wrong site!
This point is crucial because it is the most common way for hackers to phish! Before entering your personal data, you should systematically check that you are on the official page of the organization you are looking for, and even more so if this link was sent to you by email or text message.
Resending a password by email
Websites are not supposed to store your passwords as is. They are supposed to only store a fingerprint of your password so that they are unable to read your password themselves and so that a hacker who has taken control of the site cannot recover user passwords either.
When you use the forgotten password procedure, the site must send you a link then let you chose a new password.
So if a site sends you your password by email when you use the forgotten password button, it is because it has absolutely not respected this basic principle. Run away and immediately change your password on your other sites if you had the bad idea of reusing the same one everywhere.
The presence of advertisements and pop-ups on the login page
If the site you are visiting displays advertisements on its login page, be very suspicious because this is a very bad practice and can cause critical security issues.