Safer shopping with website certificates

All web browsers include tools to help keep you safe online.

If you are doing your Christmas shopping on the internet there’s more to watch out for than just viruses.

Two techniques that help prevent fraud online are secure connections and certificates.

The former ensures credit card details aren’t intercepted when you pay for things, while the latter tells you that the website is what it says it is.

It’s not always clear how safe a site is, though.

The first way to check in your browser that the site you are accessing is secure is to look for a padlock symbol somewhere in the browser window.

In Internet Explorer this appears in the address bar while in Firefox 3 it appears at the bottom-right of the main window.

This shows the site has some kind of security.

To find out more, right-click a blank area of the web page and in Internet Explorer select Properties or in Firefox click View Page Info.

This will show whether the page is encrypted and whether it has a certificate, which, in essence, tells you that the site is what it says it is.

The security technology is called SSL (Secure Sockets Layer), and there is a more advanced version, EV SSL (Extended Validation). If a website is using EV SSL, all or part of the web browser’s address bar will turn green.

It will work in the newest editions of all the most popular web browsers: Internet Explorer 7 and 8, Firefox 3 and 3.5, Opera 9.5, Apple Safari 3.2 and 4 and Google Chrome.

To find out whether your web browser is capable of using EV SSL, try visiting your online banking website.

When you get to the secure area the address bar will go green in Internet Explorer or in Firefox the left-hand side will turn green.

You will also see the registered name of the website you are accessing. For example, www.nwolb.com is the site of Nawest’s online service. Go to it in one of the above browsers and you will see the behaviour described.

The name ‘The Royal Bank of Scotland Group Plc [GB]’, which is Natwest’s parent company, will be shown. This is a secondary indication that the site is what it claims to be.

In each case, click the company name to see more information ­ here the certificate is signed by Verisign.

Along with such companies as Network Solutions and Thawte, Verisign is one of the biggest names in internet security.

If a site is certified by one of these names, you can be sure it is what it says it is. That’s a good way to combat phishing, but it’s no guarantee against other kinds of fraud.

It can cost as little as £20 to get a site certified for a year and the certifying authorities do not necessarily confirm that the business in question is operating legally or is above board; all the certificate does is confirm that the website is linked to a particular business.

What does this mean for consumers?

It does offer one level of protection ­ if you have clicked on a link in an email or a search engine result, you can check the certificate to see whether the website on which you’re shopping is the one you think it is.

For instance, back in 2008, Computeractive investigated a firm called Zavvi Direct, which was passing itself off as the high-street retailer Zavvi.

Consumers who used the Zavvi Direct site would have been able to check its security certificates in their browsers, and seen that things didn’t add up.

If there is no certificate, or if your browser warns you of a problem with the certificate, contact the site owner or its customer support and see if they can explain or fix the problem.

If not, don’t buy there.

We expect to see similar scams operating in future, and with Christmas around the corner it’s a ripe time.

If the site you are using looks unfamiliar, check the certification to find out whether it’s linked to the real company. If it’s a new site and not linked to an existing brand, the certificate won’t help you.

A site may have a certificate and be legitimate or it could be part of a scam and still have a legitimately issued certificate. In that case, you would need to rely on other cues to check whether or not there is any danger.

Our verdict
Shopping online is usually safe, and you needn’t stick to the big names. Many small businesses and sole traders now have websites on which people can buy products or services.

It’s important to understand about certificates, however: while they provide a useful service in checking the legitimacy of websites, they can’t provide a one-stop guarantee against fraud.

Unless you have used the site before or someone you know has, don’t rely on a secure connection and a certificate to keep you safe.