
What makes a site secure?

Once, I read that secure websites should begin with https. Well, yours just starts with http. I figure it’s safe, but apparently I missed the distinction between safe and unsafe computer addresses.

“Secure” has a very specific meaning when it comes to the internet. It’s about technology. And you are correct, askleo.com is not a secure website. It is, however, a safe website.

Let’s review what all that means.


Secure implies https

A secure website (that is, a website you visit using https) means exactly and only these things:

  1. It is who it claims to be: the server has proven it holds a certificate, and the matching private key, for that domain name, issued by a certificate authority your browser trusts.
  2. The information you exchange with that site is encrypted, so no one in between can read it.
  3. That information cannot be altered on the way without your browser noticing.

That’s it. That’s all that https really means, and that’s all that a secure connection means.

Here’s why those things are critically important and why we refer to them as secure.

I’m going to use PayPal as my example secure site, but it could be your bank, your credit card company, your online medical records, your webmail service, or any number of different things that might contain sensitive information.

Identity

It is who it claims to be. This prevents someone from setting up a server that answers to PayPal.com but has nothing to do with PayPal. To set up a secure website, the owner must obtain a certificate for the domain from a certificate authority (CA) that browsers trust, and the CA issues it only after confirming that the applicant controls that domain (some certificate types also involve checking the organization’s identity). The certificate ties the domain name to a private key that only the real site holds, so an impostor cannot complete the https handshake as paypal.com. Your browser checks two things on every connection: that the certificate chains to a CA it trusts, and that the name in the certificate matches the name in the address bar.

So, assuming you are going to the proper address, like https://www.paypal.com/, you can be assured that you are indeed reaching the real PayPal.com and not some faker trying to hack your account information. The “proper address” part matters: a look-alike name under a different domain can get a perfectly valid certificate of its own, so the padlock vouches for the name you typed, not for the name you meant.
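Those two browser checks, done by hand with the openssl command-line tool, as an added example that is not part of the original article: it generates a throwaway self-signed certificate for the made-up host www.example.com, then shows that the certificate is untrusted until a CA (here, the certificate itself) is explicitly trusted, and that it matches www.example.com but not www.paypal.com. The host names, temporary file names and the helper functions chain_ok and name_ok are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not from the article: the two checks a browser makes before
# it shows the padlock, done by hand with the openssl command-line tool.
#   1. chain check: is the certificate signed by a CA we trust?
#   2. name check:  does the certificate cover the host in the address bar?
# The certificate is a throwaway self-signed one generated below for the
# made-up host www.example.com; it stands in for a real site's certificate.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/site.pem"
KEY="$WORK/site.key"

# Constructed input: a self-signed certificate whose subjectAltName is
# www.example.com (browsers ignore the CN field and look only at the SAN).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.example.com" \
    -addext "subjectAltName=DNS:www.example.com" \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1

# chain_ok CERT CAFILE: prints "trusted" if CERT chains to a CA in CAFILE,
# "untrusted" otherwise. An empty CAFILE means "trust nobody", which is how a
# browser treats a self-signed certificate it has never been told about.
# -no-CAfile/-no-CApath keep the system trust store out of the decision.
chain_ok() {
    if [ -n "$2" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1 \
            && echo trusted || echo untrusted
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1 \
            && echo trusted || echo untrusted
    fi
}

# name_ok CERT HOST: prints "match" if the certificate is valid for HOST,
# "mismatch" otherwise. openssl's -checkhost uses the same X509_check_host
# matching (wildcards included) that TLS client libraries use.
name_ok() {
    if openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"; then
        echo match
    else
        echo mismatch
    fi
}

# Walk through the cases the article describes.
echo "self-signed, no trusted CA:    $(chain_ok "$CERT" "")"                  # untrusted
echo "same cert, explicitly trusted: $(chain_ok "$CERT" "$CERT")"             # trusted
echo "cert vs www.example.com:       $(name_ok "$CERT" www.example.com)"      # match
echo "cert vs www.paypal.com:        $(name_ok "$CERT" www.paypal.com)"       # mismatch
```

The first case, a certificate that is valid for the name but signed by nobody the client trusts, is exactly what a self-signed certificate looks like to a visitor: the connection can still be encrypted, but the identity check fails, which is why browsers warn instead of showing the padlock. The last case is the look-alike problem in miniature: a certificate for one name says nothing about any other name.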

Privacy

The second layer of security is encryption. An https connection encrypts everything exchanged between your browser and the site before it goes out onto the network. That means no one in between can read it, which matters when you’re exchanging sensitive information with a site (like your login or personal financial information with a site like PayPal): you don’t want anybody else to be able to see what you’re saying.

Encryption ensures that only you and the site you’re connecting to can actually see the data.

The way the internet is constructed, anyone who takes part in getting the data from your computer to PayPal’s (your ISP, the operator of the Wi-Fi hotspot you’re on, every network in between) could potentially see the data. Encryption ensures that they see only noise. They can still tell that you connected to PayPal, since the site’s name is looked up in DNS and sent in the clear before the encrypted connection is set up, but not what you sent or received once connected. And because the encrypted data is also checked for tampering, anyone in the middle who alters it gets caught: your browser drops the connection rather than showing you a modified page.

So, a secure website technically only means that:

  • it is who it says it is: the server proved it holds a certificate for that domain name, issued by a certificate authority your browser trusts;
  • no one can listen in on the information that you exchange;
  • and no one can tamper with that information on the way without being detected.

That’s quite different than safety.

Safety is all about trust & reputation

A scam artist can certainly set up an https site, complete with a valid certificate and a padlock, and use it to try to scam people out of their life savings; plenty of phishing sites do exactly that. Calling something a secure website only means that the technology being used meets the criteria I mentioned above. It has absolutely nothing to do with the safety of actually using that website.

Now, Ask Leo! doesn’t need to be a secure website, because you’re not giving me any sensitive information. There’s no money or confidential information being exchanged. Similarly, there’s no need to encrypt the communications: the questions people send me are not sensitive, and the articles I post most certainly aren’t something I want hidden from view. There’s no reason I would need to jump through the hoops and the expense of setting this up as a secure website with https. That said, plain http does leave one gap that has nothing to do with secrets: anyone between you and the site (an ISP, a rogue Wi-Fi hotspot) can alter the page on its way to you, injecting ads or scripts, and you have no way to tell. That is why browsers now label http pages “Not secure” and why even sites that handle nothing sensitive have moved to https.

And again, remember, calling something a secure website is only about a bit of technology – nothing else.

On the other hand, I of course hope that you consider Ask Leo! to be a safe website. Safety is more about reputation than technology, and hopefully my reputation is such that you feel very safe visiting my site, asking me questions and reading my answers.

1 thought on “What makes a site secure?”

  1. It is possible to establish an encrypted connection to an HTTPS site that has an invalid certificate. In this case the connection will be encrypted, but the endpoint is unverified. Unless you have very good reason not to (for example you’re connecting over HTTPS to your own server with a self-signed or otherwise invalid certificate), consider this as not-secure, even though the communication is encrypted.

    Leo has a linked article that explains some more on the subject:
    http://ask-leo.com/why_is_there_a_slash_through_the_https_in_my_browsers_address_bar.html

