Tips to Stay Safe while Surfing the Web, Part 2: Accessing Websites Securely
Description
The Bottom Line
- Do not use websites that begin with http://.
- Only use websites that begin with https://.
- In your browser settings, change your preference to only allow HTTPS connections.
- To avoid potential phishing attempts, check website URLs for slight misspellings or incorrect domain extensions (e.g., cisa.com instead of cisa.gov).
- Select the padlock next to a website’s URL to verify that the website’s certificate is not expired and is issued by a legitimate certificate authority to the person or organization that owns the website.
The Problem
If your URL doesn’t include https://, then anyone with the technical know-how can see what data you share with a website.
All major websites have one thing in common: they start with https://. That wasn’t always the case. As recently as the early 2010s, many websites began with http://. While this might seem like a minor distinction, using a website with HTTPS instead of HTTP is the difference between securing the information that you send over the web and allowing anyone with the technical know-how to see it. (The “S” in HTTPS stands for “secure.”)
This is important because people share a lot of sensitive data with websites. Common examples include providing credit card information for online purchases or inputting information about your medical history into an online medical form.
The Solution
Websites beginning with https:// use encryption to secure the information that you share with them. Websites that use HTTPS are vetted by certificate authorities, which are third parties that vet the website’s encryption to ensure that any information a user exchanges with that website is actually secure. The website’s owner receives a certificate as proof. Users can view the website certificate by selecting on the padlock icon next to the URL.
To ensure that your connection with a website is secure and that the website itself is authentic, follow these three steps.
1) Only access websites that use HTTPS. To help avoid accidental connections to HTTP websites, change your preference to only allow HTTPS connections in your browser settings.
This setting will prevent your browser from connecting to a website with an unsecure HTTP connection. It will then give you a warning and ask if you want to proceed to that website.
2) Verify the website’s URL.
Phishing campaigns often involve fake websites with URLs that closely mirror the URL of a legitimate website but contain slight misspellings. For example, CISA’s website is www.cisa.gov. A cyber threat actor attempting to spoof CISA’s website might use cesa.gov or a different domain extension, such as .com instead of .gov.
Final note: While the information that you exchange with an HTTPS website is secure, anyone with access to your network traffic can still see what websites you are accessing online. For example, if you access a medical website with an HTTPS connection, a threat actor with access to your network traffic could see that you accessed that website but would not be able to see any information that you shared with it.
Takeaways
Do
- Use websites with URLs that begin with https://.
- Modify your browser settings to only allow HTTPS connections.
- Verify the URL before navigating to a website. Check for misspellings or slight variations on the URLs of popular websites.
- Especially for websites that you’re not sure about, click the padlock icon next to the website URL to verify that the website’s certificate is still valid and is issued by a legitimate certificate authority to the person or organization that owns the website.
- Use a website checker, such as Google Safe Browsing, if you cannot verify a certificate yourself.
Do Not
- Connect to websites beginning with http://.
- Override browser warnings that discourage you from navigating to a website with an HTTP connection.
Project Upskill is a product of the Joint Cyber Defense Collaborative.
Prerequisites
- Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
- Module 2: Protecting Your Accounts from Compromise
- Module 3: Protecting Data Stored on Your Devices
- Module 4: Protecting Your Data in Transit
- Topic 4.0: How to Communicate Securely on Your Mobile Device
- Topic 4.1: Tips to Stay Safe while Surfing the Web, Part 1: Web Browser Settings