Security on the Web

 

The Web has become indispensable to the campus community for everything from conducting research to performing one's day-to-day job duties. Surfing the Web is not without risks, however. Below are some tips on keeping your computer and your private information secure.

Never use credit cards or divulge personal information (such as Social Security numbers) on sites that are not secure

When you connect to a website, the information sent from your web browser to the web server is most often not encrypted, which means that it is possible for information that you enter to be intercepted by people with malicious intent. In some cases, a lack of encryption does not present a problem, but it does if you are providing private, personal information, such as your Social Security number, a credit card number, etc. To keep private information from being stolen, modern web browsers allow you to connect to web servers via a secure (encrypted) connection. Not all web servers support secure connections, but all legitimate e-commerce sites (e.g., banking sites, stores, etc.) and other sites that contain or provide access to restricted information (e.g., human resources sites) should. The way to tell whether you are connected via an encrypted connection varies depending on what browser you are using and how it is configured, but with all browsers the URL will begin with "https://" instead of "http://"; the "s" indicates a "secure" connection. With most browsers, you will also see a closed padlock in the right-hand corner of the browser window. See Figure 1.

Internet Explorer status bar showing padlock
Firefox status bar showing padlock
Figure 1: When you connect to a secure website, a padlock should appear in the status bar at the bottom of the window.

You should never divulge private, personal information on a site that is not secure. Note that in some cases, a site may be unencrypted until you reach the point at which you need to enter personal information. For example, many online stores allow you to place items into an electronic shopping cart via an unencrypted connection, but when you are ready to "check out" you are redirected to a secure site.

A certificate, in the context of web browsing, is an electronic credential that is used to verify that a website is the site that it claims to be. Certificates are issued by organizations known as certificate authorities, which are generally private companies. The job of the certificate authority is to verify that the certificate belongs to the organization noted in the certificate. Web browsers require that a valid certificate be installed on the web server to be able to connect to a site via an encrypted (secure) connection. All current web browsers automatically recognize certificates issued by the major certificate authorities. If you visit a website and get a message asking you to accept a certificate, this means that the certificate was not issued by one of the major certificate authorities and you should not accept it unless you can verify independently that the site is legitimate. For example, some departments on campus may issue their own certificates, but that is generally a poor practice. Likewise, you should not access a site if you receive a warning that a certificate has expired. See Figure 2 for examples of messages you may see if you connect to a site with an issue with its security certificate.

Bad certificate error message from Internet Explorer
Certificate error message from Firefox
Figure 2: If you visit a site where there is a problem with the certificate, you may see a message similar to one of those above.
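
The following is an added example, not part of the original page: a Python script that performs the same certificate check a browser does and reports which of the problems described above (untrusted issuer, expired certificate) caused a failure. It uses only the standard `ssl` module; the function names `classify`, `summarize` and `check_site` are chosen here for illustration.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verification codes, grouped by the warning a user would see.
PROBLEMS = {
    9: "not-yet-valid",       # validity period has not started
    10: "expired",            # validity period has ended
    18: "untrusted-issuer",   # self-signed certificate
    19: "untrusted-issuer",   # self-signed certificate in the chain
    20: "untrusted-issuer",   # issuer is not in the local trust store
    21: "untrusted-issuer",   # chain cannot be verified up to a trusted CA
    62: "hostname-mismatch",  # certificate was issued for a different site
}

def classify(verify_code):
    """Map an OpenSSL verification code to a warning category."""
    return PROBLEMS.get(verify_code, "other-verification-failure")

def summarize(cert):
    """Extract issuer organization and expiry from a getpeercert() dictionary."""
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {"issuer": issuer.get("organizationName"),
            "expires_epoch": ssl.cert_time_to_seconds(cert["notAfter"])}

def check_site(host, port=443, timeout=5.0):
    """Connect as a browser would and report whether the certificate validates."""
    # Default context: requires a chain to a trusted CA and a matching hostname.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, **summarize(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # The handshake is aborted, so no application data is sent to the site.
        return {"ok": False, "problem": classify(exc.verify_code),
                "detail": exc.verify_message}

if __name__ == "__main__":
    # Usage: python check_cert.py <hostname>
    print(check_site(sys.argv[1]))
```

A result with `"ok": False` corresponds to the browser warnings shown in Figure 2; the script never offers a way to accept the certificate anyway.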

Do not download software from pop-up windows

Although in many cases your computer can be configured to prevent the appearance of most pop-up windows, you should be suspicious of any window that pops up requesting to install software on your computer. Such software may be spyware, or a virus or Trojan horse.

Be aware of privacy issues

There are two general areas of concern regarding privacy and web usage:

If you are concerned about these privacy issues, feel free to contact your LSCR consultant for assistance. It is possible to remove information that your browser stores about the sites you have visited and to configure your browser to store less information.

Updater: Seth Novogrodsky. Last reviewed: April 07, 2006