Stupid question - online secure transactions

[RingDing]

Back in the old days, before Internet Explorer updated itself to this tabbed browsing thing, I knew when I had a secure connection for in putting credit card and bank information as a little padlock icon would appear.

Since the upgrade that little padlock has disappeared. Does that mean my connections are no longer secure or has IE changed so it doesn't show secure connections?

Thank you!



P.

[TSM]

In IE7 the top bar will have the Padlock symbol next to the address bar, if its a phishing site etc the bar will go red.

[fizzwheel]

or it says "HTTPS" instead of "HTTP" at the start of the URL.

Remember your details could still be at risk even on a secure site. Don't enter in your credit card details unless you absoloutly trust the website you are typing them into.

Is this your area Fizz? Because I have long wondered about the debate of whether it is or isn't safe to do online transactions. Personally I have being doing it for years with companies I feel are genuine enough but its always seems to be a gamble.

Do you know what the pro's and cons (if any) are in laymans terms?

[RingDing]

Quote:

Originally Posted by TSM

In IE7 the top bar will have the Padlock symbol next to the address bar, if its a phishing site etc the bar will go red.

Ah ha! Now I see it!

Thank you TSM!

[fizzwheel]

Quote:

Originally Posted by Fearg

Is this your area Fizz? Because I have long wondered about the debate of whether it is or isn't safe to do online transactions. Personally I have being doing it for years with companies I feel are genuine enough but its always seems to be a gamble.

Do you know what the pro's and cons (if any) are in laymans terms?

Not really, I have worked in I.T. since I left college. E-Commerce isnt really my field of expertise. I just know the basics thats all.

I think TBH its always a gamble. Like you say I only use websites I trust and I always use my credit card rather than my switch card. I've been scammed recently the bank picked it up and phoned me cancelled the fradulent transaction and sent me out a new credit card. I know which website it was I used that scammed my card and I wont be using them again.

Nothing is 100% secure if you have a human element in the system then your details are always going to be at risk.

Quote:

Originally Posted by rubberduckofdeath

I worked for an e-commerce solutions provider for 3 years. We developed e-commerce solutions for large mail order and high street brands like f**k, Thorntons, White Stuff, Fat Face etc. I think I'm in a relatively good position to comment on this: E-commerce is not and will never be totally secure. The larger retailers tend to have 'good' security. The smaller ones, well, sometimes it's not exactly up to scratch...

Agreed completely. But I'd like to go a little further & say that 'good' security in terms of HTTPS is actually, pretty pathetic.

Put it this way, you won't see government secrets being exchanged via HTTPS, probably ever!

A couple of years back I was earning money demonstrating to companies exactly how insecure their systems were, and where they could improve. Take computer security to an extreme (including physical), and it's still possible to breach.

Yes, I still do online banking, despite knowing the above. It's a risk assessment. My bank ask first for either my account number & sort code, or my card number (I always enter card number, easier to change card number in case of a comprimise). Then I also have to enter a security code that I have chosen (not my PIN). These are submitted all together (and would be pretty simple for someone to obtain if they knew what they were doing). Next, I'm asked a random question out of a possible 5 that I've already told the bank. Then that's submitted (which makes it harder to link that detail back to my account details, but not impossible). If I enter anything wrong, I get a flat "sorry, wrong details" type message, and NOT something that says which part I got wrong. I'm happy with that, relatively.

Cool. Thanks for your input guys.

Bit of a hijack but along the same lines, secure transactions etc

[timwilky]

All the padlock and https means is that you are using a protocol to transfer your data that implements encryption through the use of a X509 certificate. OK geeky.

The certificate is granted to the web site by a trusted authority, this certificate is bought from the trusted authority by who ever wants to operate the site. They have to prove who they are. The trusted authority pays microsoft to be included in their list of trusted authorities.

So firstly it is a trust thing. assuming you use Internet explorer Goto tools/options/content and press the publishers button. Select the trusted root certification authorities. All of these organisations are trusted by micosoft to validate requests from their customers for the purchase of a ssl certificate and can issue that 3rd party a certificate for their web site that you will automatically trust and be happy because you have a padlock.

Personally I would prefer to deal with organisations that used self signed certificates. You then get an alert that the site is not trusted. It is then upto yourself to decide whether YOU trust the site and not implicit trust because somebody has paid somebody who in turn has paid microsoft.

Now once you say you trust the certificate. That certificate will give your browser the public key to use to encrypt the data. Only the other end with its private key can decrypt that data. which is ********. Organisations with big computers can easily brute force decrypt this "secure" communications.

You then have the issue of who you give your information to. It is not just online shopping. How many time do you hear of people placing orders over the phone and quite happily reading out their credit card details. Do you trust who you are buying from to keep your card details secure. It would be ok if each time we used a credit card online we gave our supplier a one time code. But we don't. The spotty herbert responsible for processing the transaction could quite easily make a note of your details and pass it on to his mates.

The above is just food for thought. ensure your cards give a guarantee against on line fraud. If not don't use them or dump the provider. then do you trust the people you are buying from to keep your details safe.