Freigeben über


Search Engines and Privacy

The recent AOL scandal had one and only one learning lesson for any software company. Think 10x, 100x, 1000x about customer privacy. There is a large amount of discussions, opinions, passion on the blogosphere, but I don't think that anyone disagrees with the point above.

However, there is an alternate learning lesson that applies to you, or anyone browsing the internet. It is easy to forget how insecure the internet actually is. There is a simple rule:
1) Any URL that starts with https://xxxx is insecure. Never type private data like credit card numbers, etc in this URL. The data that you type is accessible to the target server but also to any intermediaries on the way (your ISP for example), etc.
2) Any URL that starts with https://xxxx is somewhat secure. (Note the S at the end of the URL moniker  I wish we had a different URL moniker for secure HTTP because the two are so similar). By "somewhat secure" I mean that the data that you provide is obviously accessible to the target server, but innaccessible to intermediaries.

You might be worried by the word "somewhat". Well, HTTPS is still not 100% secure as there can be loopholes as well, for example, if the HTTPS link uses a bad/invalid/untrusted/expired certificate. To make sure, just look at the lock icon on the bottom of your browser and make sure that the certificate is valid and trusted by you. IE7 will also display a big, separate warning page if the target certificate is invalid, so you are better protected in this case.

Also, even if you have a valid certificate, the target service itself might do something stupid and release your private data. That's what hapened with AOL. So, to stay on the safe side, don't even assume that the Internet is a safe place to play.

Some might think that Internet anonymizers can be a good workaround. However, not even internet anonymizers can be trusted. Who knows if some internet anonimyzer (used by you) doesn't track all your activity to sell it for profit?

The conclusion? The internet is not a safe place. Nothing new, after all. A public road is not a safe place either. Just make sure you look around when you walk or drive. At least, that's what they are teaching us in the Defense Driving school  :-)

Comments

  • Anonymous
    August 09, 2006
    I think that all decent browsers have been warning users about expired certificates for a long time now. The problem is that users just want to get their job done, and click through the warnings. Even big companies get it wrong: https://mail.yahoo.com/ displays a security warning (certificate belongs to login.yahoo.com). Oh well...