Many of us rely on secure (HTTPS) websites every day, whether for social networking, for sending and receiving mail through services such as Gmail, or for e-commerce. We depend on the site's secure mode to keep our information safe, on the assumption that these sites are safe. Some of the unseen risks when using a "secure" website include:
CA Trust Issues
If A digitally signs a message with A's private key and sends the receiver a copy of A's certificate, the receiver can verify the signature with the public key in that certificate and know for sure that the message was sent by A. This is known as authentication. On the Internet, authentication can be done using digital certificates.
A certification authority (CA) is a body that issues digital certificates. A digital certificate is a confirmation that the public key contained in the certificate belongs to the person, organization or group named in it. The CA is therefore a third party trusted both by the owner of the certificate and by the user who relies on the issued certificate. SSL works on this trust.
Now, the CA that signs the certificate needs to be trusted, and each user must decide for themselves whether a given CA can be trusted. Browsers maintain and update a list of trusted CAs (and a list of blocked CAs), containing the certificates of the CAs they trust. Which CAs make that list is a matter of judgement for the user. Some CAs are so well known that they are included by default in many browsers: IE, Chrome and Firefox usually include VeriSign and a few other 'trusted' CAs' certificates, because many websites use certificates issued by these companies. A user can also add other CAs to the trusted list.
If a CA trusted by a user can be manipulated, the security of the entire system is lost for every user who relies on certificates signed by that CA. Hacking or coercion of a CA would let a person with malicious intent produce a certificate that many devices on the Internet will trust, allowing interception of and eavesdropping on otherwise secure communication. In such cases we are forced to blindly trust a single CA's opinion regarding the validity of a website.
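As an added example (not part of the original essay), the following Python function shows one way a client can avoid relying solely on whichever CA in the browser list happened to sign a certificate: after the TLS library has verified the chain, it additionally checks that the certificate's issuer belongs to a short list of CAs the operator deliberately chose to trust for that host, that the hostname is covered by the subject alternative names, and that the certificate is inside its validity period. The certificate dictionary is a constructed sample in the shape `ssl.SSLSocket.getpeercert()` returns; the host names, issuer names, serial number and dates are hypothetical, and `check_peer_cert`, `issuer_fields` and `name_matches` are the example's own names.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# All names, the serial number and the dates are hypothetical; this is not
# a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example Trust Services Issuing CA 1"),),
    ),
    "version": 3,
    "serialNumber": "0A1B2C3D4E5F",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "example.com")),
}


def issuer_fields(cert):
    """Flatten the issuer RDN sequence into a plain {attribute: value} dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def name_matches(pattern, hostname):
    """Match a DNS SAN entry against a hostname; a leading '*.' covers one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def check_peer_cert(cert, hostname, trusted_issuer_orgs, now=None):
    """Return a list of problems found in an already chain-verified certificate.

    An empty list means: the hostname is covered by a DNS SAN, the issuing
    CA's organizationName is one we pinned for this host, and `now` (epoch
    seconds; defaults to the current time) lies inside the validity period.
    """
    now = time.time() if now is None else now
    problems = []

    # Hostname check against the subjectAltName DNS entries.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(name, hostname) for name in dns_names):
        problems.append(f"hostname {hostname!r} not covered by subjectAltName {dns_names}")

    # Issuer pinning: narrow trust from "any CA in the browser list" to the
    # CA(s) we actually expect to have issued this host's certificate.
    issuer_org = issuer_fields(cert).get("organizationName")
    if issuer_org not in trusted_issuer_orgs:
        problems.append(f"issuer {issuer_org!r} is not one of the CAs pinned for this host")

    # Validity window, parsed with the stdlib helper for getpeercert() dates.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("certificate is outside its validity period")

    return problems


if __name__ == "__main__":
    # A moment inside the sample's validity period (hypothetical).
    at = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
    print(check_peer_cert(SAMPLE_PEER_CERT, "mail.example.com", {"Example Trust Services"}, at))
    print(check_peer_cert(SAMPLE_PEER_CERT, "mail.example.com", {"Some Other CA"}, at))
```

In a real client this runs after `ssl.create_default_context()` has already verified the chain and `sock.getpeercert()` has returned the leaf certificate; the function only adds the extra opinion the essay says users otherwise lack, namely that a certificate from an unexpected CA for this host should be refused even though the browser's trust list would accept it.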
A content delivery network (CDN) is a collection of web servers spread across multiple locations. CDNs generally use a large number of servers distributed across the Internet, and the server chosen to deliver content to a particular user is selected by its proximity to that user.
Also, many sites use encrypted connections for authentication and for sensitive information, so that passwords are not transmitted in plaintext, but they generally don't use SSL for their other pages. The absence of site-wide SSL is usually explained by the bandwidth overhead of encrypting every connection.
Third Party Content Issues
Filling a website with third-party content is a good way for a company to make its site more interesting, or even to earn additional revenue. But adding third-party content to a website also gives attackers a way to distribute malicious content to its visitors, and it is generally easy for an attacker to piggyback on a site that already has traffic.
It is easy to sneak malicious content into advertisements so that they compromise visitors to legitimate and secure sites. The malicious content can be hosted on a site when CDNs are tricked into believing the criminals represent a legitimate company. Sometimes attackers compromise a network's server and replace legitimate advertisements with versions carrying malicious content. Visitors, who assume the site to be safe and secure, can then be deceived and may have valuable information stolen. A notable example is the London Stock Exchange, whose secure website was compromised in this way.
Sites like Gmail and Facebook serve a lot of ads to add to their revenue, and those ads are a potential source of threat to their users.
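As an added example that is not part of the original essay, the following Python script audits a page's HTML for the two weaknesses described above: resources fetched over plain http:// on an otherwise secure page (the partial-SSL situation, where the unencrypted part can be altered in transit), and third-party scripts and stylesheets pulled in without a Subresource Integrity (`integrity`) attribute, which is what would make a browser reject a CDN file or advertisement that has been swapped for a modified version. The HTML snippet, host names and hash placeholder are constructed for the example; `ResourceAuditor` and `audit_html` are the example's own names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page served from https://www.example.com; all hosts,
# paths and the integrity value are hypothetical.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css"
      integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH" crossorigin="anonymous">
<script src="/static/app.js"></script>
<script src="https://ads.example-network.test/tag.js"></script>
<script src="http://cdn.example.net/legacy.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
</body></html>
"""


class ResourceAuditor(HTMLParser):
    """Collect (issue, tag, url) findings for the sub-resources of an HTTPS page."""

    def __init__(self, page_origin):
        super().__init__()
        self.page_host = urlsplit(page_origin).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self._check(tag, attrs["src"], attrs)
        elif tag == "link" and attrs.get("rel") == "stylesheet" and attrs.get("href"):
            self._check(tag, attrs["href"], attrs)
        elif tag in ("img", "iframe") and attrs.get("src"):
            self._check(tag, attrs["src"], attrs)

    def _check(self, tag, url, attrs):
        parts = urlsplit(url)
        # Plain http on a secure page: the resource can be read or altered in transit.
        if parts.scheme == "http":
            self.findings.append(("mixed-content", tag, url))
        # Anything on a different host than the page itself counts as third-party;
        # relative URLs have no host and are first-party.
        third_party = parts.hostname is not None and parts.hostname != self.page_host
        # Scripts and stylesheets run or apply inside the page; without an
        # integrity hash the browser accepts whatever the third party serves today.
        if third_party and tag in ("script", "link") and not attrs.get("integrity"):
            self.findings.append(("no-sri", tag, url))


def audit_html(html, page_origin):
    """Parse html as a page served from page_origin and return its findings."""
    auditor = ResourceAuditor(page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for issue, tag, url in audit_html(SAMPLE_HTML, "https://www.example.com"):
        print(f"{issue:14} <{tag}> {url}")
```

On the sample page this reports the ad tag and the legacy script as lacking integrity hashes and the legacy script and logo as mixed content. One caveat the findings make visible: an advertising tag changes constantly, so it cannot be pinned with SRI at all; for such content the remaining defences are a Content-Security-Policy `script-src` allowlist that limits which hosts may execute code, and isolating the ad in a sandboxed iframe, both of which keep a swapped advertisement from running with the secure site's own privileges.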