Secure Shopping: A Peek Behind The Padlock
Most of us have heard the standard spiel on shopping online safely: Look for the browser's locked padlock and the "https" prefix on the site URL to verify that a transactional Web site is secure. But do you know what happens behind the scenes to guarantee that your data isn't compromised during your purchase? What else should you look for to get a clear picture of a Web site's security?
There's no question that the locked padlock and the "https" are important. They signal that two critical actions have occurred:
- The site has provided your browser with a verified SSL Certificate of authenticity (more about that in a moment), which attests that the site is the site it says it is.
- The acceptance of the SSL Certificate has triggered your browser and the site to encrypt the data they exchange using one of the two standard protocols: SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
In other words, the presence of the padlock and "https" tells you that the site has an SSL Certificate. Great! But if you look beyond these simple visual cues, you can get an even better picture of a site's transactional security.
Think of the SSL Certificate, also known as a digital certificate, as the equivalent of a company ID card. Such certificates are issued only by companies recognized as trusted security authorities, who check each purchaser's credentials against several types of data (Dun & Bradstreet reports, business licenses, and so on) to verify legitimacy. All major browsers maintain a list of these certificate-issuing authorities, or "CAs", and each time you navigate to a secure site, your browser checks the site's digital certificate to make sure it was issued by a company on the list. If it wasn't, the browser displays an error message. Your browser also alerts you if the certificate has expired; it's rare but not unheard of for a legitimate site to let its certificate lapse.
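As an added illustration, not part of the original article, the following Python script performs the three checks described above in the same order a browser does (issuer on the trusted CA list, validity dates, and the name on the certificate matching the site you typed in). The certificate and the trust list are constructed placeholders, laid out in the same shape that Python's standard-library ssl.SSLSocket.getpeercert() returns for a live connection.

```python
import ssl
import time

# Constructed sample certificate, in the shape that ssl.SSLSocket.getpeercert()
# returns: subject/issuer are tuples of RDNs, each a tuple of (attribute, value).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
}

# Placeholder standing in for the browser's built-in list of trusted CAs.
TRUSTED_ISSUERS = {"Example Trusted CA Root"}

def rdn_value(name, attribute):
    """Return one attribute (e.g. commonName) from a subject or issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None

def hostname_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label such as *.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return the problems a browser would warn about; an empty list is the padlock."""
    now = time.time() if now is None else now
    problems = []
    issuer = rdn_value(cert["issuer"], "commonName")
    if issuer not in trusted_issuers:
        problems.append(f"issuer '{issuer}' is not a recognised certificate authority")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"certificate expired on {cert['notAfter']}")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # older certificates carry the host name only in the subject CN
        names = [rdn_value(cert["subject"], "commonName")]
    if not any(n and hostname_matches(n, hostname) for n in names):
        problems.append(f"certificate names {names} do not match {hostname}")
    return problems
```

On a real connection, `ssl.create_default_context().wrap_socket(sock, server_hostname=host)` performs these checks itself before `getpeercert()` returns, so the function above is for inspecting a certificate you have already obtained, not a replacement for the library's verification.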
You can view a site's digital certificate and more security information by double-clicking on the padlock icon while you're on the site. How much more depends on your browser.
All three major PC browsers (Microsoft Internet Explorer®, Firefox®, and Opera®) display details about the certificate when you double-click the padlock (actually, Opera requires only a single click): issuer, expiration date, type of encryption, and so on. Opera, however, goes a couple of steps further: It rates the site's level of security and alerts you if the site uses what it considers an outdated encryption method. It also distinguishes low-assurance certificates (those issued by companies that checked only that the certificate applicant matched the domain name registrant) from high-assurance certificates, which require that the certificate authority check both the domain name registration and the aforementioned list of business resources to verify the applicant's credentials.
Not content to rely on the browser to assure customers of their security, some online stores elect to display their security credentials on the site itself, usually via a seal or logo supplied by the digital-certificate issuer. This, too, offers a chance to double-click, look behind the scenes, and learn more about the company with which you're doing business.
The Bottom Line: Look behind the padlock icon to get a more complete picture of the security precautions of a transactional site. Carefully examine any error messages from your browser regarding the site's digital certificate, particularly its authenticity and expiration date, before deciding whether to proceed with your purchase.