Online security is a subject of which many more people are now aware, even though most internet users lack much understanding in this area. That is not a criticism; after all, one does not have to understand computerized electronic fuel-injection systems in order to drive an automobile. There are a couple of changes coming to online security in 2015, and I hope that everyone reading this will benefit from a little more understanding of what these changes really mean.
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser, such as between your bank and your personal computer. SSL ensures that all data passed over the connection remain private. For a web site to be able to create a secure SSL connection, it must have an SSL Certificate, or “cert” for short. The technology behind the SSL protocol is complex, and SSL certs are quite expensive. Fortunately for internet users, the cost of implementing SSL on a web site is borne by the web site owner, such as your bank.
SSL certs are sold by Certificate Authorities (CAs), organizations that for a price will verify that a web domain is valid, check the legitimacy and credit rating of the owner, and verify names, addresses, phone numbers, etc., in order to ensure that the domain owner is on the up and up. There are different levels of certs, enough to discuss in a future column. CAs have for years charged steep prices for certs, but this is about to change.
Starting this year, Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan are working through the Internet Security Research Group to create a new CA to offer basic Domain Validation (DV) certs for free. The “Let’s Encrypt” initiative will allow anybody who owns a web domain (even crooks) to get a basic SSL cert.
What is important to understand is that anyone may obtain a basic SSL cert. Because the bad guys can use SSL too, just the fact that you are using a secure connection does not automatically protect you from communicating with bad guys. A distinction needs to be made between NON-secure sites and INsecure sites.
And not all web sites need to be secure. If a public web site such as the New York Times news site is non-secure, what does it matter? People visit that site to read the news, not to transact business. However, if you enter the accounts section of that web site to enter your name and credit card information to buy a subscription, well, you do want that web site to be secure.
A non-secure site is one that does not really need to be secure. An insecure site could be some crook’s scam site that is cryptographically secure, but a place you should avoid visiting.
Google has plans this year for their Chrome browser that, if implemented according to plan, will likely cause mass panic among uninformed users (those not reading this column). Google plans to have Chrome pop up ominous warning messages any time users enter a non-secure or insecure web site while surfing the web. Some users who fail to understand the distinction between non-secure and insecure are going to be frightened off the web.
Google has recently been throwing its weight around with regard to online security, bullying the internet community to move up previously agreed deadlines for security upgrades and now scaring Chrome users with warning messages many will not understand. It is not necessarily a bad thing for Google to push for more security online, but I for one am bracing myself for a deluge of phone calls from alarmed Chrome users who do not understand the warnings about insecure versus non-secure web sites.
Charles Miller is a freelance computer consultant with more than 20 years of IT experience and a Texan with a lifetime love for Mexico. The opinions expressed are his own. He may be contacted through his web site at SMAguru.com.