You have entered a secure web site
By Charles Miller
If you take time to look at the address bar in your internet browser, you may see that the address beginning with “http” sometimes changes to “https”, indicating you have entered a secure web site. Secure Sockets Layer (SSL), along with Transport Layer Security (TLS), is the most widely deployed security protocol used today. Banks and other institutions use this to ensure the privacy of your online transactions while using their site. SSL is essentially a communications protocol that provides a secure channel between two machines operating over the inherently insecure internet. Once your computer negotiates a secure channel through which to communicate with your bank, no “man in the middle” can listen in on that conversation.
End users can take comfort in the fact that SSL is a transparent protocol which usually requires no interaction at all from you when establishing a secure session. Usually the only indication the user sees, if they even bother to look, is the presence of a padlock in the address bar or a change of color to green. About the only requirement for all users is that they keep their internet browsers up to date with the latest security patches, and this process is made easy by Apple and Microsoft when they provide automatic updates. These updates make good online security an incredibly simple experience for end users.
Unfortunately, while implementing SSL is painless for the end user, the opposite is true for web site owners. Banks and other institutions are learning that good security is hard to do and thus is also expensive to do correctly. In their efforts to economize, a number of companies cut corners on maintenance or simply do not fix known security vulnerabilities until they are absolutely forced to do so.
The security firm Qualys SSL Labs has a web site anyone can use to run several common security tests on any web site such as your bank, email provider, or places you shop online. This site shows a list of the most recent test results, both passing and failing. When this test went online many companies got an “F” or failing grade for having dangerously insecure web sites.
When I learned of this test I promptly used it to check out the web site security of a number of Mexican banks. The results were, err, let us just say the results could have been a whole lot worse. Far worse than the mediocre security grades of some Mexican banks are the actions allegedly attributed to some Canadian financial institutions.
TD Canada Trust (td.com) and the Canadian Imperial Bank of Commerce (cibc.com) did not like the fact they got failing grades for their lack of attention to website security; some of their customers noticed and some were starting to complain. So rather than addressing the security needs of their customers, it appears they simply blocked Qualys SSL Labs from being able to test the banks’ sites any more. No more tests, no more failing grades, no more customer complaints!
It is fortunate that the owners and operators of many other web sites have taken a more responsible approach and have responded positively to finding out their SSL security is second-rate. It has been gratifying to see how many of these companies responded promptly and positively; and there are many stories of local credit unions and banks that had a flunking grade reported to them by their customers and then upgraded their servers to improve their test results to a “B” or even “A+” grade.
Please feel free to visit https://www.ssllabs.com/ssltest/ to check out the security of your bank’s web site or your email provider. If a site you frequent gets a failing grade for security, you might want to consider letting them know you know their security is lacking.
Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981 and now practically a full-time resident. He may be contacted at 044-415-101-8528 or email FAQ8 (at) SMAguru.com.