How can you know if a website is secure? In the olden days of the internet—the ancient early 2010s—the common answer to this question was pretty simple: look for the little lock in the browser bar indicating the site has a security certificate. But times have changed.
“The green lock is just not enough,” said Maria Ojeda Adan, Software Developer at F-Secure.
Last year, Google Chrome removed the “secure” indicator on sites that use HTTPS. It replaced this with a “not secure” warning for sites that only use HTTP.
In one way, this is a sign of a huge success. The international movement to get as many sites as possible to use the HTTPS protocol that encrypts all the information passed on the page is working. Most of the world’s top 1 million websites now use HTTPS, according to security researcher Scott Helme. Unfortunately, this much-needed step does not eliminate all the security and privacy pitfalls web surfers now confront.
1. Yes, look for the little padlock, but that’s not nearly enough.
Checking for HTTPS is the minimum precaution you need to take to secure your data online.
“If there’s no lock icon, there’s no HTTPS and the connection to the server is not encrypted,” said Sami Ruohonen, Threat Researcher at F-Secure Labs. “This means that anyone listening in on the network you’re on is able to see all your discussions with the server.”
This can include your username and password or even more valuable personally identifiable data.
2. Double-check the URL.
Having an encrypted connection to a website is no help if you’re not on the site you meant to load. We recently told you about spam coming from .xyz and other new top-level domains that use a newer version of an old trick to draw you into a phishing trap.
Major search engines work hard to keep from sending you to infected sites, but you could easily end up on a bad site by clicking on a link, especially in a spam email.
So while you’re checking for the lock, make sure you’re actually on the site you mean to be on.
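The first two steps above are a manual check of the address bar: is the connection HTTPS, and is the host really the site you intended? The script below is an added illustration, not F-Secure’s code, that encodes those same two checks as a function so you can see exactly what a careful reader of a URL is looking at. The expected-domain value and every sample URL are constructed for this example, and the two-label “registrable domain” rule is a simplification (it ignores suffixes such as co.uk).

```python
"""Check a link the way steps 1 and 2 describe: HTTPS, and the right host.

Added example; the domains and URLs here are constructed, not real sites.
"""
from typing import List
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. 'shop.example.com' -> 'example.com'.

    Simplification: a real implementation consults the public suffix list so
    that 'shop.example.co.uk' resolves to 'example.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected: str) -> List[str]:
    """Return warnings for `url` measured against the site the user intends.

    `expected` is the registrable domain the user believes they are visiting
    (constructed in the tests below). An empty list means both checks passed.
    """
    warnings: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Step 1: no HTTPS means no padlock and no encryption on the wire.
    if parts.scheme != "https":
        warnings.append("no HTTPS: traffic to this host is not encrypted")

    if not host:
        warnings.append("no hostname in URL")
        return warnings

    # Step 2: things that make the address bar say one name and mean another.
    if "@" in parts.netloc:
        warnings.append("userinfo before the host can hide the real destination")
    if not host.isascii():
        warnings.append("non-ASCII characters in host: may imitate a familiar name")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode label in host: may imitate a familiar name")

    real = registrable_domain(host)
    if real != expected:
        if expected in host:
            # The familiar name is only a subdomain; the real domain is different.
            warnings.append(f"expected name appears in host but real domain is {real}")
        else:
            warnings.append(f"domain is {real}, not {expected}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links a user might be sent.
    samples = [
        "https://example-bank.com/login",
        "http://example-bank.com/login",
        "https://example-bank.com.login-verify.xyz/",
        "https://example-bank.com@evil.example/",
    ]
    for sample in samples:
        result = check_link(sample, "example-bank.com") or ["ok"]
        print(sample, "->", "; ".join(result))
```

The function deliberately reports every problem it finds rather than stopping at the first one, because a link that lacks HTTPS and sits on the wrong domain is worth two warnings, not one.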
3. Do a little research.
If you’ve done these first two steps and you still don’t feel secure, trust your instincts—especially if you’re considering making an online purchase.
Before you click “buy”, you can do some basic research on the site.
“Now what I do is look at these webstores. I like to look at the information they’re giving you about contacting them,” said Janne Kauhanen, host of our Cyber Sauna podcast. “Is there a phone number? Is there a location?”
Janne will also use sites like the Wayback Machine to determine how long the site has existed in its current form. If the site has only been around for a brief while and used to have another identity entirely, this should make you suspicious.
4. Make sure you are running endpoint protection software.
Having an encrypted connection to a website is also no help if that website is malicious. Unfortunately, there’s no obvious sign that a site has been infected.
“So if you’re connected to a malicious website [with a green lock], your connection is going to be encrypted,” said Maria. “But it doesn’t mean a malicious website is suddenly going to be a safe website.”
New tricks like online skimmers can suck up your credit card details on an official site that has a green lock and an amazing reputation that has lasted decades. That happened to customers of Ticketmaster.com, Newegg.com and British Airways last year, and there was no way they could have seen it coming.
That’s why using endpoint protection that blocks threats like Magecart, which deploys online skimmers, is essential.
5. For privacy, use a VPN.
Even if a site is encrypted by HTTPS, there’s someone who always knows which websites you’re visiting—your internet service provider. And that provider could use or sell that data depending on the laws in the country where you’re located.
“This is where a VPN comes in because rather than entrusting a local ISP with snippets of information about your browsing habits, you now have the ability to encrypt the entire communication between your PC or mobile device and the VPN provider,” wrote Troy Hunt, the cyber security expert behind Have I been pwned? “What you’re doing is moving the trust away from that local organization that’s increasingly beholden to tracking your browsing habits to the provider of the VPN service.”