Course

Tips to Stay Safe while Surfing the Web, Part 2: Accessing Websites Securely

Training Code: Topic 4.2
Format: Document
Delivery: On Demand
Location type: Virtual/Online

Description

The Bottom Line

  • Do not use websites that begin with http://.  
  • Only use websites that begin with https://.
  • In your browser settings, change your preference to only allow HTTPS connections.
  • To avoid potential phishing attempts, check website URLs for slight misspellings or incorrect domain extensions (e.g., cisa.com instead of cisa.gov).
  • Select the padlock next to a website’s URL to verify that the website’s certificate is not expired and is issued by a legitimate certificate authority to the person or organization that owns the website.  

The Problem

If your URL doesn’t include https://, then anyone with the technical know-how can see what data you share with a website.

All major websites have one thing in common: they start with https://.  That wasn’t always the case. As recently as the early 2010s, many websites began with http://.  While this might seem like a minor distinction, using a website with HTTPS instead of HTTP is the difference between securing the information that you send over the web and allowing anyone with the technical know-how to see it. (The “S” in HTTPS stands for “secure.”)

This is important because people share a lot of sensitive data with websites. Common examples include providing credit card information for online purchases or inputting information about your medical history into an online medical form.

The Solution

Websites beginning with https:// use encryption to secure the information that you share with them. Websites that use HTTPS are vetted by certificate authorities, third parties that check the website’s encryption so that any information a user exchanges with that website is actually secure. The website’s owner receives a certificate as proof. Users can view the website’s certificate by selecting the padlock icon next to the URL.

To ensure that your connection with a website is secure and that the website itself is authentic, follow these three steps.

1) Only access websites that use HTTPS. To help avoid accidental connections to HTTP websites, change your preference to only allow HTTPS connections in your browser settings.

This setting prevents your browser from connecting to a website over an insecure HTTP connection. Instead, it shows you a warning and asks whether you want to proceed to that website.

2) Verify the website’s URL.

Phishing campaigns often involve fake websites with URLs that closely mirror the URL of a legitimate website but contain slight misspellings. For example, CISA’s website is www.cisa.gov. A cyber threat actor attempting to spoof CISA’s website might use cesa.gov or a different domain extension, such as .com instead of .gov.
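The two checks just described (is the connection HTTPS, and does the domain match a trusted site or merely resemble one) can be automated. The following Go program is an added example written for this page, not part of the CISA course material. The allow-list containing cisa.gov, the sample URLs, and the one-character-edit threshold for a misspelling are constructed assumptions, and the domain-splitting helper assumes single-label extensions such as .gov or .com.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// URLVerdict is the result of screening one URL against domains the user already trusts.
type URLVerdict struct {
	Host     string // hostname from the URL, lower-cased
	Insecure bool   // true when the scheme is http:// rather than https://
	Finding  string // "trusted", "misspelling", "wrong-extension" or "unknown"
	Expected string // the trusted domain the host resembles, if any
}

// registrable keeps the last two labels of a hostname (www.cisa.gov -> cisa.gov).
// Assumption: one-label extensions such as .gov or .com; multi-label public
// suffixes like .co.uk are not handled here.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// splitDomain separates cisa.gov into its name ("cisa") and extension ("gov").
func splitDomain(domain string) (name, ext string) {
	parts := strings.SplitN(domain, ".", 2)
	if len(parts) == 2 {
		return parts[0], parts[1]
	}
	return domain, ""
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein counts the single-character edits needed to turn a into b;
// one edit is all that separates cesa.gov from cisa.gov.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(b)]
}

// CheckURL applies the two checks from the text: is the connection HTTPS, and is
// the domain one the user trusts or a close imitation of one.
func CheckURL(raw string, trusted []string) (URLVerdict, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return URLVerdict{}, err
	}
	v := URLVerdict{Host: strings.ToLower(u.Hostname()), Finding: "unknown"}
	v.Insecure = strings.ToLower(u.Scheme) != "https"
	if v.Host == "" {
		return v, fmt.Errorf("no hostname in %q", raw)
	}
	domain := registrable(v.Host)
	name, ext := splitDomain(domain)
	for _, t := range trusted {
		t = strings.ToLower(t)
		tName, tExt := splitDomain(t)
		switch {
		case domain == t: // an exact match wins over any lookalike finding
			v.Finding, v.Expected = "trusted", t
			return v, nil
		case name == tName && ext != tExt: // cisa.com instead of cisa.gov
			v.Finding, v.Expected = "wrong-extension", t
		case ext == tExt && levenshtein(name, tName) <= 1: // cesa.gov instead of cisa.gov
			v.Finding, v.Expected = "misspelling", t
		}
	}
	return v, nil
}

func main() {
	trusted := []string{"cisa.gov"} // constructed allow-list for the demo
	samples := []string{"https://www.cisa.gov/topics", "https://cesa.gov/", "https://cisa.com/", "http://www.cisa.gov/"}
	for _, raw := range samples {
		v, err := CheckURL(raw, trusted)
		fmt.Printf("%-30s %+v %v\n", raw, v, err)
	}
}
```

A "trusted" finding on an http:// URL still comes back with Insecure set, which mirrors the first rule on the page: the right domain over the wrong scheme is still not safe to use.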

3) Check for a padlock icon near the website’s URL.

This icon should appear in most browsers when HTTPS is in use. Most browsers also display a dialog box when you click the padlock icon, letting you see the website’s certificate information, including:

  • Who was the certificate issued to? Make sure that the certificate is issued to the same person or organization that owns the website.
  • Who is the certificate issued by? The certificate should be issued by a legitimate, trusted organization like Verisign or Entrust.
  • Is the certificate still valid? Most certificates are only valid for 1 to 2 years. You should be cautious of a website if the certificate is expired or valid for more than two years.
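The three questions above (issued to whom, issued by whom, and is it still valid) map directly onto fields of an X.509 certificate, and a browser answers them the same way before showing the padlock. The Go program below is an added example, not code from the course. So that it runs offline, it constructs its own throwaway root CA and two certificates for a made-up site (the names "www.example.org" and "Constructed Demo Root CA", the dates, and the five-year self-signed certificate are all assumptions); it then asks those three questions, plus whether the certificate chains to a root in the client's trust store. The two-year threshold is the page's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertReport answers the questions the text asks about a site certificate.
type CertReport struct {
	IssuedTo     string // subject common name ("issued to")
	IssuedBy     string // issuer common name ("issued by")
	HostMatches  bool   // certificate names cover the host being visited
	TrustedChain bool   // chains to a root in the trust store and is within its dates
	Expired      bool   // outside NotBefore..NotAfter at time now
	LongLived    bool   // validity window longer than two years
}

// InspectCert evaluates leaf for host at time now against the roots the client trusts.
func InspectCert(leaf *x509.Certificate, host string, now time.Time, roots *x509.CertPool) CertReport {
	r := CertReport{IssuedTo: leaf.Subject.CommonName, IssuedBy: leaf.Issuer.CommonName}
	r.HostMatches = leaf.VerifyHostname(host) == nil // matched against the SAN list, as browsers do
	r.Expired = now.Before(leaf.NotBefore) || now.After(leaf.NotAfter)
	r.LongLived = leaf.NotAfter.Sub(leaf.NotBefore) > 2*365*24*time.Hour
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	r.TrustedChain = err == nil
	return r
}

// newCert signs tmpl with parentKey, or self-signs it when parent is nil.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Demo is constructed material: a root CA, a one-year leaf it issued for www.example.org, a five-year self-signed leaf for the same name, and Now, the moment the user visits.
type Demo struct {
	Roots      *x509.CertPool
	GoodLeaf   *x509.Certificate
	SelfSigned *x509.Certificate
	Now        time.Time
}

func BuildDemo() (*Demo, error) {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Demo Root CA"},
		NotBefore:             start,
		NotAfter:              start.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	caCert, caKey, err := newCert(ca, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf := func(serial int64, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "www.example.org"},
			DNSNames:     []string{"www.example.org"},
			NotBefore:    start,
			NotAfter:     start.AddDate(years, 0, 0),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	good, _, err := newCert(leaf(2, 1), caCert, caKey)
	selfSigned, _, err2 := newCert(leaf(3, 5), nil, nil)
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("leaf creation failed: %v / %v", err, err2)
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &Demo{Roots: roots, GoodLeaf: good, SelfSigned: selfSigned, Now: start.AddDate(0, 1, 0)}, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued by CA: %+v\n", InspectCert(d.GoodLeaf, "www.example.org", d.Now, d.Roots))
	fmt.Printf("self-signed:  %+v\n", InspectCert(d.SelfSigned, "www.example.org", d.Now, d.Roots))
}
```

The report for the self-signed certificate is what a browser's "not trusted" warning is based on: the hostname matches and the dates are current, but the chain ends at no trusted root and the validity window exceeds two years. Only the CA-issued, one-year certificate passes every check.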

If you are unable to verify the information in the certificate, you can also try running the URL through a safe website checker, such as Google’s Safe Browsing checker.

While checking the veracity of every website you visit may be overly burdensome, you should prioritize checking the certificates for websites if you question their legitimacy.

Final note: While the information that you exchange with an HTTPS website is secure, anyone with access to your network traffic can still see what websites you are accessing online. For example, if you access a medical website with an HTTPS connection, a threat actor with access to your network traffic could see that you accessed that website but would not be able to see any information that you shared with it.

Takeaways

Do

  • Use websites with URLs that begin with https://.
  • Modify your browser settings to only allow HTTPS connections.
  • Verify the URL before navigating to a website. Check for misspellings or slight variations on the URLs of popular websites.
  • Especially for websites that you’re not sure about, click the padlock icon next to the website URL to verify that the website’s certificate is still valid and is issued by a legitimate certificate authority to the person or organization that owns the website.  
  • Use a website checker, such as Google Safe Browsing, if you cannot verify a certificate yourself.

Do Not

  • Connect to websites beginning with http://.
  • Override browser warnings that discourage you from navigating to a website with an HTTP connection.  


Project Upskill is a product of the Joint Cyber Defense Collaborative.

Prerequisites

  • Module 1: Basic Cybersecurity for Personal Computers and Mobile Devices
  • Module 2: Protecting Your Accounts from Compromise
  • Module 3: Protecting Data Stored on Your Devices
  • Module 4: Protecting Your Data in Transit
    • Topic 4.0: How to Communicate Securely on Your Mobile Device
    • Topic 4.1: Tips to Stay Safe while Surfing the Web, Part 1: Web Browser Settings