We teach our kids not to talk to strangers,
something we learned ourselves as children. Even as adults, we use caution and
common sense if approached by an unknown person on the street.
But what about on the internet? Are we
being equally careful with virtual strangers we meet there? At least initially,
every exchange and everything we do online should be considered a ‘stranger’
That’s because when we connect online, we
aren’t speaking face-to-face or stepping into an office, something that in the
real world allows us to know whether we are interacting with a stranger or not.
But how often, when conducting business
with a bank or some other entity’s website, do we confirm their identity by
making sure the website is using TLS?
A website that’s not secured using a TLS
certificate might as well be the stranger your child is taught to avoid on the
playground. It’s not okay in the real world, and it’s equally unsafe online.
That’s why, whenever we transact online, we
need to verify that the server we are communicating with has a certificate
issued by a trusted Certification Authority (CA). Similarly, if we are the organization,
we need to use TLS certificates to clearly identify ourselves and to protect
the data transmitted.
Luckily, internet industry players are
beginning to realize this and are pushing for more strict rules regarding such
trust services. For example, the next version of the Chrome browser (v.68 July
2018) will display a warning anytime you visit a site that does not use TLS
That’s good news because a recent study by
DarkMatter found a serious lack of web server security. We scanned 180 websites
across 11 industries in the UAE and found that almost 50% of these organizations’
main websites were not secured with TLS certificates.
Even in the regulated and high-target
banking and finance sector, only slightly more ie. 60% of main websites were
secured with TLS certificates.
The industry is also pushing for the use of
TLS certificates with high assurance levels, such as Extended Validation or Organization
Validated certificates, that also ensures the validation of the organization
operating the web server. Simple Domain Validated TLS certificates do not
suffice to identify the web server and organization.
So, I offer two suggestions:
individuals … don’t talk to strangers:
– Verify the identity of the website you’re
connecting with by checking its TLS certificate that identifies not just the
web server, but also the organization that you are communicating with.
– If you’re on a website without
certificates, be careful and never share sensitive information.
companies, governments and other entities … don’t be the stranger:
– Deploy a TLS certificate for your website
so users can confidently identify it and your organization.
– Make sure to enroll for TLS certificate
from a publicly trusted CA.
– Use Organization Validated or Extended
Validation TLS certificates.
– Use TLS to secure
your traffic against eavesdropping and to lower the likelihood of being