Security Tip Series: Check the Web Address and Lock Icon (Guest Post)


lock on door

Online Security Tips

A big thank you to Dave Raffensperger and Andrew Chi for this series of security tips! I’ll add links at the bottom of each post to the other posts in the series as they’re published. Here’s the second of several tips to keep your digital life secure.

Security tip: Check the web address and lock icon

Phishing is a cyber-attack that tries to trick you into entering your password at a faked login page. Attackers will often set up a website that looks just like your bank’s site, for example, but it is actually run by hackers to steal your password.

So, how can you tell if a site is really your bank’s website or put up by someone faking it? The most important way is to look at the web address (URL) of the site. It should 1) be spelled correctly and 2) use a verified secure connection.

1. Make sure the web address is correct

A mailing address, like “100 Lake Hart Dr., Orlando, FL, USA,” has different parts and a web address, like “https://accounts.google.com/ServiceLogin,” has different parts, too. This chart compares web address parts to a mailing address:

| Web Address Part | Google Mail Login | Meaning |
|---|---|---|
| Protocol, i.e., whether the connection is secured | https:// | “https://” means “HTTP Secure”; blank or just plain “http://” means a non-secured web connection |
| Subdomain (think city) | accounts. | The “accounts” part of the “Google” site |
| Domain (think state) | google | The main site name. The entity that controls “Google.com,” for example, also controls all subdomains like “calendar.google.com,” etc. |
| Top-level domain (think country) | .com | The ending for website domains can be “.com” (commercial), “.org” (organization) or something for a country like “.de” (Deutschland, i.e. Germany). |
| Web page (think street address) | /ServiceLogin | This tells you the page of the website you’re visiting. |

Attackers will exploit people’s confusion about these different parts to make fraudulent sites look real. To see a harmless example of this difference in addresses, go to both calendar.google.com (the official calendar application from Google) and google.calendar.com (the “google” part of calendar.com).

Here’s an example of what a fraudulent website that’s trying to capture your Google login and password could look like. It would look exactly like a Google login site, except that the website address is actually a part of “example.com,” not a part of “Google.com.” You shouldn’t trust this site, because it doesn’t really come from Google. In this hypothetical case, the people at “example.com” could steal your password.

phishing site example

Basically, it’s important to check that the web address (domain) is correct, like “cru.org” or “Google.com” before you enter your password.
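The chart and the domain check above can also be done in code. This is an added example, not part of the original post; the function name `checkWebAddress` and the sample addresses are constructed for illustration, and the caller supplies the domain they meant to visit.

```javascript
// Added example: read a web address the way the chart does and decide
// whether it really belongs to the site you expect.
// `expectedDomain` is the domain plus top-level domain, e.g. "google.com".
function checkWebAddress(address, expectedDomain) {
  let url;
  try {
    url = new URL(address);
  } catch (err) {
    return { ok: false, reason: "not a valid web address" };
  }
  // URL() lowercases the host; also drop a trailing dot ("google.com.").
  const host = url.hostname.replace(/\.$/, "");
  const expected = expectedDomain.toLowerCase();
  const parts = { protocol: url.protocol + "//", host, page: url.pathname };

  // The expected domain must be the END of the host, and it must start
  // on a dot, so "notgoogle.com" does not pass as "google.com".
  const exact = host === expected;
  const isSubdomain = host.endsWith("." + expected);
  if (!exact && !isSubdomain) {
    return { ok: false, reason: "host is not part of " + expected, parts };
  }
  parts.subdomain = exact ? "" : host.slice(0, -(expected.length + 1));

  // Right site, but only trust it for a password over "https://".
  if (url.protocol !== "https:") {
    return { ok: false, reason: "connection is not https", parts };
  }
  return { ok: true, reason: "address matches and uses https", parts };
}

// Constructed sample addresses, all checked against "google.com".
const samples = [
  "https://accounts.google.com/ServiceLogin",        // the real login page
  "https://google.calendar.com/",                    // part of calendar.com
  "https://accounts.google.com.example.com/ServiceLogin", // part of example.com
  "http://accounts.google.com/ServiceLogin",         // right site, not secured
];
for (const address of samples) {
  const result = checkWebAddress(address, "google.com");
  console.log((result.ok ? "OK     " : "REJECT ") + address + " -> " + result.reason);
}
```

The check reads the host from right to left, which is why “google” appearing somewhere at the front of the address is not enough.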

2. Make sure the website uses a secure connection

Going back to the parts of a web address, the first part, “https://”, means “HTTP Secure,” in contrast to regular “http://”. For regular, non-secured websites, the “http://” does not show in the web address bar, and it means the data is not specifically secured when it’s sent to you. This is normal for sites with no passwords and/or financial transactions.

You can tell a website is using a secure connection because it will show a lock icon next to it. Here’s an example in Chrome of the Google Login screen with the lock icon.

Lock icon screenshot

On Safari on an iPad, the “https://” is left out, but you know it’s a secure connection because of the lock icon next to the web address.

You should only enter your password in a web page that uses a secure connection, because it’s possible that someone is intercepting your password if the login page uses only “http://” in the URL.

In addition, if your browser can’t verify the secure connection, don’t enter your password. Your web browser partners with security companies to verify each secure website that you visit. Your browser will warn you if the verification of the website failed.

Here’s what that looks like in Chrome when a site’s secure connection doesn’t check out.

Chrome security

Here’s what that warning looks like in Safari on an iPad:

iPad security

Don’t enter your password if your web browser gives a warning that the site’s secure connection can’t be verified.

parents_and_baby

Guest Post by: Dave and Andrew

Dave Raffensperger is on Cru staff in Boston. He and his wife, Erin, are brand-new parents to a sweet little girl. Congratulations, Dave and Erin!

Follow Dave at @draffensperger or check out his blog at davidraff.com.

Andrew Chi is a Ph.D. candidate in Computer Science at UNC-Chapel Hill.

NOTES: The Security Series:

public domain symbol

Source: The photo of the lock on the door is in the public domain.
