HTTP:// and HTTPS:/
We have all typed http://…. to get to a website. While we may also have typed https://- more often, when we typed http:// we were automatically redirected to https://. Odd- - so what’s up with all of this?
HTTP is an acronym for Hypertext Transport Protocol, HTTPS is the same but with a Secure at the end (Hypertext Transport Protocol Secure.) Both are protocols which lay out rules for web servers and web browsers to follow so that web pages are correctly displayed when a person browses to a site.
So what’s the difference?
HTTP:// transmits data in clear text. Anyone with a packet sniffer can intercept packets and see in clear text what site the person went to and what the person typed at that site. (Imagine if it were a username and password for a banking site.)
HTTPS:// provides the same rules as HTTP:// except it encrypts all traffic between a browser and web server. This protects all data sent in both directions. Anyone looking in on the packets won’t see anything but jumbled text.
How do you know if a site is secure?
All sites that use HTTPS:// and have a valid SSL certificate (the certificate is a way that website proves who it is) will display with a lock at the beginning of the url in the browser address bar. For example click here to see examples of valid SSL sites. (The exact representation depends on the browser being used.)
When a secure page is loaded, the web browser will check the certificate. If the certificate is not valid, it will display a warning in the address bar. (Click here to view an example of the warning.)
Along with this indication, a web page will open about risks associated with visiting the site- it could have been compromised- and will suggest you not visit. Heed this advice!
What to do about sites that should be secure but aren't.
If you contact the service provider- your bank for example- you may be told that the site is safe, that the certificate expired and is being updated. I suggest not visiting any site with the above warning- or any warning- about the site possibly being compromised. While it may be fine to visit- maybe the certificate did expire- it is better to be in the habit of never visiting sites with a warning than to take a chance one time that the site is OK- and have it be compromised. The outcome for such a visit will not be good for you.
It is perfectly reasonable to expect any web host to maintain their certificates. If a certificate is expired, it is best not to proceed and ask the provider to fix the issue as quickly as possible.
One more note.
This summer Google started identifying any site that uses HTTP:// as Not Secure. When you visit such a site, a notation indicating this will appear at the start of the address bar. (Click here to see an example of the notation.)
It means that, while the site has not been compromised, anyone is able to view in clear text all information from a browser to the site and back. For sites like these, it OK to visit but it is best not to enter any personal identifiable information (name, password, credit card info) at these sites. An example of a site that would be OK to visit is Safeschools.
Thanks for reading! --Mike
May 21, 2018- Fishing for Information through Phishing Email
This month’s topic is Phishing: not to be confused with fishing- where you haul fish out of the water and Phish- the band; phishing is when people with less than good intentions (we’ll call them attackers) try to get you to click on a link in a email and unleashing a threat to the network or they plant malware on your device and record and receive every keystroke or they cause you to enter a username and password on a link for them to collect.
The problem is that attackers who engage in phishing are good- they are very good- at getting people to click on the links in email messages which cause all sorts of bad things to happen. By some estimates, more than 90% of data breaches start with a successful phishing email. No matter the person- highly skilled in technology or not comfortable with technology- attackers successfully launch phishing attacks and collect personal information or launch cyberattacks against organizations. Atlanta schools have had employee personal data systems impacted by a phishing attack. Most recently, the City of Atlanta had to shutdown its network because of a Ransomware attack- possibly started by a phishing email.
It is difficult to know what is real and what is not in an email. Here are some tips-
- If you receive an unexpected message and it contains a link- whether you know the person or not - don’t click on the link. It may be legitimate or it may be a phishing attempt. The best thing to do is call the person and check on it. Don’t reply back; the person may not be in control of his/her account and the response you receive could be from the attacker.
- If you click on a link in an email, never enter your username and password. When a Google Doc has been shared with you and you click on a link to it from email, you will automatically be authenticated to view the doc, you will never be prompted to enter your username and password. If the link goes to a site such as your bank, credit card or health care organization, it is better to type the website’s URL into a browser rather than clicking a link which can be easily spoofed.
- Trust your Spidey sense! A common reaction to people who have clicked on a link in a phishing email is that they feel something is off about the message even if they know the sender. They click anyway because they know the person or have received shared information from the sender previously. Listen to the little voice if it warns about an email.
Practice- one thing that helps people to recognize Phishing attempts is practice. Many organizations have begun to send practice Phishing messages to see how people respond and to follow up with information about the exercise including pointing out clues that the message was a Phishing message. The US Department of Education has issued a warning about schools being a target of hackers and an article in a recent Free Press edition pointed out that schools- both colleges and k-12 -are conducting practice Phishing exercises to help staff identify phishing attempts.
Between now and the end of the school year, we will conduct a practice Phishing exercise. An email will be sent that appears legitimate but is actually a phishing attempt. After the exercise is complete, the results of the exercise will be shared.
Learning to identify phishing attempts is important for both school mail and personal mail. Hackers have been more sophisticated with their attempts. The Phishing attempts look real- they are very difficult to identify. With practice, we all can refine our skills in identify sketchy messages, keeping sensitive data safe.
February 21, 2018- Two Factor Authentication- Backup Codes
First, thank you adults for turning on Two Factor Authentication for your school email account. It is the single most effective way to protect your school email account after setting a complex password. When you set up Two Factor Authentication you used a phone or a security key as the second factor to authenticate you to your account after your username and password. Without your key or your phone, you can’t access your email account- unless you have printed backup codes.
A backup code can be used in place of your security key or a code received on your phone. It is suggested that you print backup codes and carry them with you- just in case.
Here’s how to obtain backup codes.
- Log into your email, click on the Google Account button in the upper right hand corner of your Inbox. (It will be either the first letter of your name or your picture.)
- Browse to this link -https://www.google.com/accounts/SmsAuthConfig
- Click on the Get Started Button, enter your password in the next screen so Google knows you are you.
- Once Google is satisfied that you are you, the 2_Step Verification page is display.
- Scroll down the page the Backup Codes sections and click on the Generate Codes button.
- Print the codes that appear in the popup window. . Keep these codes with you and safe. They can be used as the second verification for your email account after your username and password.
- If you lose the codes or need more, go back to the Backup code section, click the Show Codes choice which appears once you have create a set of codes and click the New Codes button.
Here’s how to use the backup codes.
- Go to the sign-in page for email- https://gmail.com
- Enter your username and password.
- When asked for your verification code, click More options.
- Click Enter one of your 8-digit backup codes.
- Enter your backup code. You can elect to have the device remember you for 30 days. If you are on a public computer,make sure that the “remember me” box is not checked.
- **Note- if you use a security key and want to add your email to a smartphone/tablet, you will need to use one of your backups on the device as described above.
A word of caution.
While increasing the security of your school email account substantially, Two Factor Authentication does not make your account 100% safe- unfortunately in today’s world, that is not possible. Two-factor authentication can be compromised in several ways. For example:
- A person could gain access to your security key or phone.
- Malware that you unintentionally install on your device steals your two factor data.
- Phishing might prompt you to give up a backup code or even code from your phone in real time.
- Phishers pretending to be technical support tricking you into disabling your 2FA.
The watchword is vigilance. Be ever mindful of phone calls you receive from “tech support” (Google will never call you and ask for your password or two factor code. For that matter, Microsoft won’t either.) and of links in email you receive. If you question a message you receive from someone you know, call the person and ask about it- don’t email them! If their account has been compromised, it may be the hacker in control of the account.
Thank you for reading!