I am in the process of moving my web content to a new hosting service because my previous host was pretty far behind in their security configurations. They still allow MD5 encryption as an option for SSL communication! Anyway, this isn’t about them or the new service but it’s about what I’ve learned recently about security on the web and how to keep your information secure.
I was watching a video from a Black Hat Hacker conference (filmed in 2009) so this is old news to some people but the speaker was describing how to intercept traffic over wi-fi and even how to defeat SSL communications in the process. For most of you that would be the ‘secure’ communication that your browser uses when you visit the HTTPS version of a website instead of the HTTP version. You will most likely see that little lock icon somewhere on the browser that is more of a ‘feel good’ indicator than an actual indication that the connection is secure.
Not to worry you too much but the speaker did mention that his attack was successful mostly because people typically just type ‘ourbigadventure.com’ into the browser and let it figure out the HTTP or HTTPS part. Because the browser tries the HTTP version first the intercepted traffic that the hacker (this is called a Man In The Middle attack) sees is not encrypted so they can easily capture the data. If instead you were to type the HTTPS:// in front of every address the data would initially be sent as encrypted and it would be much tougher for the hacker to work with.
So don’t for get to type the HTTPS:// part of your bank’s URL every time you access it, or any other URL for that matter. Never go directly to a site that might require your personal details or logins without it if you want to keep your details safe.